§ TOPIC

Privacy articles.

GDPR consent for analytics, the HIPAA pixel-tracking enforcement wave, and a side-by-side of GDPR vs CCPA. Privacy is the most operationally complex compliance layer — these pieces strip it down.

2026-05-17 · 8 min read

Is your telehealth app leaking PHI through tracking pixels?

The HHS Office for Civil Rights and the FTC have made tracking pixels on health apps a top enforcement priority since 2023. The math is brutal because the violations are per-affected-user — a single Meta Pixel firing on a checkout page that mentions a medication can produce a six- or seven-figure settlement. Here's the pattern, the recent cases, and what to actually check.

2026-05-17 · 9 min read

GDPR vs CCPA — when each applies to your app

If you're operating a SaaS or consumer app from anywhere in the world, you probably need to comply with both GDPR and CCPA — they reach you based on customer location, not company location. The good news: the requirements overlap significantly, and a single compliance architecture can satisfy both. Here's what triggers each, what they actually require, and where they diverge.

2026-05-16 · 7 min read

Is GDPR consent required for analytics?

Analytics is the single most common place EU privacy law trips up SaaS founders. The rule is simpler than it looks: if your analytics reads from or writes to the user's device (cookies, localStorage, fingerprinting) or processes personal data, you need consent before it fires. Here's the actual law, the narrow exceptions, and what regulators have done about it.
