The 2026 privacy law map for SaaS founders

The patchwork of state privacy laws hit a new milestone on January 1, and most SaaS companies are now in scope of more of those laws than they realize.

If you watched the privacy beat for the last two years, this week may feel like an arrival. As of January 1, more than twenty states have a comprehensive consumer privacy law in effect, and the 2026 additions push the map further than most SaaS founders have caught up to. The picture is no longer “California, plus a few others.” It is structural.

Here is what actually changed for a SaaS company on January 1.

The thresholds matter, but in a way that catches people off guard. Most state laws apply to companies that process a certain volume of personal data about residents of the state, often 100,000 records, or 25,000 when a portion of revenue comes from selling or sharing data. SaaS companies tend to assume they are below those thresholds because they are small, but the count is not based on customer accounts. It is based on residents whose personal data flows through the platform, including end users of customer-facing products and people in employee or contractor records that the SaaS company holds on behalf of its customers. The number reaches 100,000 faster than most founders expect, especially if you serve any consumer-facing customer.

The substantive obligations are more aligned across states than the headlines suggest. You owe a privacy notice that meets specific content requirements, a process for handling rights requests (access, deletion, correction, opt-out of sales and targeted advertising), data minimization in practice and not just on paper, contracts with each of your subprocessors that meet the controller-to-processor language each state requires, and a documented assessment when you do anything that qualifies as profiling or high-risk processing. The states differ at the margins. The core is now boring and largely the same.

The one practical implication for SaaS leadership at this point in the year is to look at your privacy notice, your data processing agreement, and your subprocessor list, and confirm that those three documents exist, are current, and accurately describe what your product actually does. Most enterprise customers are now sending vendor questionnaires that ask for these directly. Two years ago, “we follow CCPA-style requirements” was a defensible answer. In 2026 it is not, because the scope of what is asked of you depends on which states your customers’ end users live in, not which state you are headquartered in.

The trend line is clear. Privacy compliance for SaaS is no longer about whether you fall under a regime. It is about which provisions of which regime apply to which data flow, and being able to answer that question on demand.