GDPR privacy & cookie consent for SaaS

GDPR + the cookie rules require a clear privacy policy, lawful opt-in for non-essential cookies, and a way for people to exercise their data rights. Check yours in 60 seconds.

What GDPR privacy & cookie consent means for SaaS businesses

SaaS businesses sit at the centre of the newer rules: you process personal data at scale, bill on recurring plans, send product and marketing email, and increasingly ship AI features — each its own compliance surface.

🏷️ For SaaS businesses: As a controller/processor at scale, GDPR is table stakes — a lawful basis, a real privacy policy, and working data-subject rights.

Does this apply to you?

This rule applies to SaaS businesses that collect personal data from visitors in the EU or UK. Collect data from EU/UK visitors? Check your privacy policy, cookie consent, and data-rights handling. Not sure? The free checker tells you in about a minute — no signup.

The checklist

You need to be able to answer "yes" to each of these — the points SaaS businesses most often get caught on:

What's at stake

⚠️ Exposure: up to €20M or 4% of global turnover (Art. 83) · Status: In force.

Common questions

How does GDPR privacy & cookie consent affect SaaS businesses?

As a controller/processor at scale, GDPR is table stakes — a lawful basis, a real privacy policy, and working data-subject rights.

Do I need a cookie consent banner?

If you serve EU/UK visitors and use any non-essential cookies (analytics, advertising), yes — they must load only after the visitor opts in, with a Reject option as easy as Accept.

What must a GDPR privacy policy include?

What data you collect, why, the lawful basis, who you share it with, how long you keep it, international transfers, and how to exercise data rights — in plain language, available at collection.

What are the GDPR fines?

Up to €20 million or 4% of global annual turnover, whichever is higher — plus regulator orders and reputational damage.

The source

RuleGoose checks this against the EU GDPR (Reg. (EU) 2016/679), UK GDPR + ePrivacy/cookie rules. Read it yourself: EUR-Lex — Regulation (EU) 2016/679 →

Check your GDPR privacy & cookie consent compliance — free.
Answer a few questions, see exactly where you're exposed, and draft the fix. No signup, runs in your browser. Run the PrivacyProof checker →

or get one RuleGoose Score across every rule a SaaS business has to meet.

The full picture for SaaS

GDPR privacy & cookie consent is one of several rules a SaaS business has to meet. See the full SaaS compliance checklist →, or read the platform-neutral GDPR privacy & cookie consent guide.

Informational only, not legal advice, and not affiliated with the EU. Last reviewed 2026-06-30.