A Canadian founder ships a SaaS product, registers a Wyoming or Delaware LLC, and discovers that four different privacy regimes can hit the same product on the same day. CCPA covers California consumers. CPRA tightens CCPA. PIPEDA governs how the Canadian-resident operator handles personal data. Quebec Law 25, in force since September 2024, runs ahead of PIPEDA on consent and breach reporting. And if a single EU customer signs up, GDPR slides in too. Most privacy-policy templates online treat these in isolation. A real Canadian-owned SaaS needs all of them at once. This post covers the four-law overlap, what to actually publish, and where the fines really land.
30-second answer
If your Canadian-owned US LLC operates a SaaS that touches California consumers, your privacy policy must satisfy CCPA/CPRA disclosure rules even if your LLC has no California office. The CCPA threshold is $25M in gross revenue, or buying/selling personal info of 100,000+ California consumers/households, or earning 50%+ of revenue from selling/sharing personal info — meeting any one triggers the full regime. PIPEDA applies federally to your operations as a Canadian resident. Quebec Law 25 layers on top if any user resides in Quebec, with stricter consent and a 25M CAD or 4% global revenue penalty cap. And GDPR auto-attaches the moment one EU user creates an account. The privacy policy you publish has to read like a single document but cover all four regimes' specific disclosures. Penalties stack across jurisdictions; running afoul of one usually means you're already out of compliance with the others.
Which laws apply to a Canadian-owned US SaaS
Walk through the four major regimes and the conditions that pull each one in.
| Law | Jurisdiction | Triggers application | Headline fine cap |
|---|---|---|---|
| CCPA + CPRA | California | $25M revenue, OR 100K+ CA consumers/households, OR 50%+ from selling/sharing PI | $7,500 per intentional violation, plus private right of action for breaches |
| PIPEDA | Canada (federal) | Any Canadian-based commercial activity | $100K CAD per offense |
| Quebec Law 25 | Quebec | Any user located in Quebec | 25M CAD or 4% of global revenue, whichever is greater |
| GDPR | EU/EEA | Offering goods/services to EU residents, or monitoring EU behavior | 20M EUR or 4% of global annual turnover |
A Canadian SaaS founder rarely escapes the first three. CCPA gates only at the $25M / 100K user / 50% revenue thresholds, but the practical advice from privacy counsel is to publish a CCPA-compliant policy from day one because (a) you cross those thresholds faster than expected and (b) state-by-state US privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Texas TDPSA, Utah UCPA) are converging on similar disclosure standards.
The privacy policy disclosure checklist
A Canadian-owned SaaS LLC's privacy policy has to cover these sections to satisfy all four regimes. Skip a section, lose protection in that jurisdiction.
- Identity and contact: legal name of the LLC, registered address, plus a privacy contact email (e.g. privacy@yoursaas.com)
- Categories of personal information collected: name, email, IP, device fingerprint, payment data, behavioral analytics — list each
- Sources of personal information: directly from user, third-party data brokers, public records, partners
- Purposes for collection: each purpose tied to a category (e.g. "email collected to authenticate accounts and send transactional notifications")
- Categories of recipients: payment processors (Stripe), email providers (Postmark/SendGrid), cloud (AWS/GCP), analytics (PostHog/Mixpanel) — each named with role
- Sale and sharing disclosures: explicit "we do/do not sell or share for cross-context behavioral advertising" (CCPA-specific, but Quebec Law 25 also requires)
- Retention period: how long each category is kept (e.g. account data: until deletion request + 90 days; logs: 180 days; backups: 365 days)
- Cross-border transfer: where data is processed (US, Canadian, EU regions) and the safeguards (SCCs for EU, contract terms for Canada)
- User rights: access, correction, deletion, portability, opt-out of sale/sharing, right to limit sensitive PI use (CPRA), right to explanation of automated decision (Quebec Law 25)
- How to exercise rights: webform URL, response time SLA (CCPA: 45 days, GDPR: 1 month, Quebec Law 25: 30 days)
- Cookies and tracking: disclosure of analytics, ad pixels, consent banner trigger conditions
- Children: under 13 (US COPPA), under 16 (GDPR), under 14 (Quebec Law 25 explicit consent)
- Updates and notice: how changes are communicated, effective date
- Authorized agent procedure: CCPA-mandated method for rights requests submitted on behalf of consumers
The 14-section structure is what privacy counsel for SaaS companies has converged on as the minimum. Each section maps to one or more of the four laws. Skipping the CPRA-specific "right to limit sensitive PI use" under the user rights section is a common mistake — sensitive PI under CPRA includes geolocation, race, religious beliefs, and biometrics, and any SaaS that captures any of those must offer the limit-use opt-out.
CCPA + CPRA specifics
CCPA (in force since 2020) and CPRA (an amendment in force since 2023) are usually treated together. A few CPRA-specific items that catch Canadian-owned SaaS off guard.
- Sensitive personal information is a new CPRA category. SaaS apps that collect geolocation, government IDs, biometric identifiers, racial/ethnic data, or health data must offer a "right to limit use" beyond the general opt-out.
- Global Privacy Control (GPC) signals must be honored. If a user's browser sends a GPC header, the SaaS treats it as an opt-out of sale/sharing, regardless of whether the user clicked the explicit opt-out link.
- Service provider vs contractor vs third party distinctions matter. A vendor that processes data only on your behalf (Stripe processing payments) is a "service provider" — sharing with them is not "selling." Cross-contextual ad networks (Google Ads, Meta Ads pixel) often fall into "third party" — sharing data with them is "sharing" under CCPA and triggers opt-out rights.
- Authorized agent rules require accepting requests submitted by an attorney or agent on the consumer's behalf, with proof of authorization.
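The GPC item above is the one on this list that has to be implemented in code rather than in the policy text. The following is an added example (not code from the original post) of honoring the signal server-side: the browser sends a `Sec-GPC: 1` request header, and the service must treat that exactly like a click on the opt-out link. It assumes an Express-style `req.headers` map and a hypothetical per-account `privacy.optedOutOfSale` flag.

```javascript
// Added example, not from the original post. Sec-GPC is the header defined by
// the Global Privacy Control spec; "1" is its only defined value.

// Return true when the request carries a valid GPC opt-out signal.
// Header names are matched case-insensitively (Node lowercases them anyway);
// any value other than "1" is not a signal and is ignored.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// Decide whether this request must be treated as opted out of sale/sharing
// for cross-context behavioral advertising. The explicit account-level opt-out
// and the browser signal are both honored; either one alone is sufficient.
// `userPrefs` is a hypothetical shape: { optedOutOfSale: boolean } or null.
function resolveOptOut(headers, userPrefs) {
  const explicit = Boolean(userPrefs && userPrefs.optedOutOfSale);
  const gpc = hasGpcSignal(headers);
  return {
    optedOut: explicit || gpc,
    // "explicit" wins for audit purposes when both are present.
    source: explicit ? 'explicit' : gpc ? 'gpc' : 'none',
  };
}

// Express-style middleware (assumed request shape). It records the decision on
// the request so downstream handlers and templates can skip loading ad pixels
// and can exclude the user from any "sharing" feed to third parties.
function gpcMiddleware(req, res, next) {
  const prefs = req.user ? req.user.privacy : null;
  req.privacyOptOut = resolveOptOut(req.headers, prefs);
  next();
}

// Helper for templates: only load third-party ad/analytics pixels when the
// user is not opted out by either mechanism.
function mayLoadThirdPartyPixels(req) {
  return !(req.privacyOptOut && req.privacyOptOut.optedOut);
}
```

Wire `gpcMiddleware` in before any route that renders pixels or exports data to ad networks; a GPC-derived decision should also be persisted to the account so the opt-out survives a browser change, which this example leaves to your storage layer.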
CCPA enforcement is split between the California Privacy Protection Agency (CPPA) and the California Attorney General. Recent enforcement actions have ranged from low six figures (small SaaS) to $1.55M (Sephora, 2022) for selling without disclosure.
PIPEDA: the Canadian baseline
PIPEDA (Personal Information Protection and Electronic Documents Act) is the federal Canadian law. As a Canadian resident running a SaaS, your operations fall under PIPEDA regardless of LLC domicile.
- Consent must be meaningful — not buried in a 30-page ToS
- Purpose of collection must be specified before or at the time of collection
- Data subjects have access and correction rights
- Breach notification is mandatory: notify the Office of the Privacy Commissioner of Canada (OPC) "as soon as feasible" if real risk of significant harm
- Records of breaches must be kept for 24 months
The OPC has historically pursued voluntary compliance over fines, but PIPEDA reform (Bill C-27, the Consumer Privacy Protection Act) is in flight and would raise penalty caps to $10M CAD or 3% of global revenue. Watch this space — the bill may pass before your next privacy policy update.
Quebec Law 25: the strictest of the four
Quebec Law 25 (formally "An Act to modernize legislative provisions as regards the protection of personal information") came fully into force on September 22, 2024. It is now the most stringent privacy law in North America. Differences that matter for Canadian-owned SaaS.
- Express consent is required for most processing — opt-in, not opt-out, for almost everything
- Privacy Officer (PO) designation must be published. The default PO is the highest-ranking director, unless someone else is named
- Privacy Impact Assessment (PIA) required before new collection activities and any cross-border data transfer
- Breach notification to the Commission d'accès à l'information (CAI) is required for any breach causing "serious risk of harm," with similar duty to affected users
- Right to explanation of automated decisions — if you use an algorithm to deny service, the user can demand the logic
- Right to data portability — users can demand a structured, technically usable copy of their data
- Penalty cap is the highest in North America at 25M CAD or 4% of global revenue, whichever is greater
Quebec Law 25's penalty cap is the practical reason Canadian-owned SaaS needs a Quebec-aware privacy policy. CCPA caps at $7,500 per violation; Quebec Law 25 caps at $25M CAD per offense. A single Quebec user creating an account triggers application, and the policy must list the Privacy Officer's contact in addition to the general privacy contact.
GDPR overlay (when EU users sign up)
The moment one EU user creates an account, GDPR applies. The four-law privacy policy already covers most GDPR requirements, but a few items are GDPR-specific.
- Lawful basis for processing: consent, contract, legitimate interest, legal obligation, vital interest, public interest. State which basis for each purpose
- Data Protection Officer (DPO) is required for systematic, large-scale monitoring (most SaaS doesn't hit this; consult counsel if user count > 250 or behavioral monitoring is core)
- Standard Contractual Clauses (SCCs) for cross-border transfers from EU to US/Canada — your DPA with sub-processors must include the 2021-revised SCCs
- Breach notification to the lead supervisory authority within 72 hours of awareness
- Data Subject Access Request (DSAR) must be handled within 30 days, optionally extended once by 60 days
A Canadian-owned SaaS LLC running on AWS US-East with no EU users still has an exposure: if even one EU resident signs up to evaluate the product, GDPR attaches. Rather than try to gate EU sign-ups, most SaaS publishes a GDPR-compliant policy and signs SCC-based DPAs with all sub-processors regardless of region.
DPA clauses your sub-processors need to sign
A Canadian-owned SaaS depends on a stack of sub-processors: AWS or GCP for hosting, Stripe for payments, Postmark or SendGrid for email, PostHog or Mixpanel for analytics, Sentry for error logs. Each is processing personal information on your behalf, and each needs a Data Processing Agreement (DPA) with five core clauses.
- Defined data and purposes: which categories of PI flow to the sub-processor, for what purpose
- Cross-border transfer mechanism: 2021 SCCs for EU→US, transfer impact assessment, additional safeguards
- Sub-sub-processor disclosure and approval: list of further processors, advance notice of changes, right to object
- Breach notification to you: time limit (typically 24-48 hours) and required information
- Audit rights and termination: your right to audit, conditions for termination, data return/deletion at end
AWS, Stripe, Postmark, and most major US-based providers offer pre-signed DPAs that already include the 2021 SCCs. The Canadian-specific addendum (PIPEDA cross-border safeguards) is sometimes a separate document — request it explicitly from each provider.
Cross-border data transfer: where Canadian data sits
A Canadian-owned SaaS LLC that uses AWS or GCP usually defaults to a US region. PIPEDA does not bar cross-border transfer to the US, but two things follow.
- The privacy policy must disclose that data is transferred to the US and that US laws (including FBI/NSA surveillance under FISA 702) may apply
- Quebec Law 25 requires a documented assessment of the receiving jurisdiction's privacy regime as part of the PIA before transfer
Some Canadian-owned SaaS chooses Canadian regions (AWS ca-central-1, GCP northamerica-northeast1) to reduce the disclosure burden and ease Quebec Law 25 compliance. The trade-off is higher hosting cost and slightly worse latency to non-Canadian users.
Penalty exposure side by side
The reason SaaS founders care about privacy compliance is the penalty side, not the legal philosophy. A snapshot of what each regime can actually charge.
| Regime | Per-incident cap | Aggravated cap | Private right of action |
|---|---|---|---|
| CCPA/CPRA | $2,500 (unintentional), $7,500 (intentional) | No global cap | Yes — $100-$750 per breach incident |
| PIPEDA | $100K CAD per offense | None currently; reform pending | No |
| Quebec Law 25 | 25M CAD or 4% global revenue, whichever greater | Same | Yes (limited) |
| GDPR | 20M EUR or 4% global revenue, whichever greater | Same | Yes |
For a Canadian-owned SaaS doing $500K ARR, the practical exposure looks like: CCPA breach claims could pile to the millions in class action; Quebec Law 25 could fine $25M CAD on a single incident; GDPR could fine 4% of revenue. Privacy compliance is one of the few areas where the cost of getting it wrong dwarfs the cost of getting it right.
What to publish on your site
A working Canadian-owned SaaS privacy stack typically includes.
- Privacy Policy at /privacy — the 14-section document above
- Cookie Notice at /cookies — the categories of cookies, opt-in/out controls
- DPA download at /legal/dpa — pre-signed DPA template that B2B customers can countersign
- Subprocessors list at /legal/subprocessors — current list of all sub-processors with names, roles, jurisdictions
- Privacy Officer (Quebec Law 25) named on Privacy Policy with email
- Authorized Agent procedure (CCPA) linked from Privacy Policy
A Canadian-owned SaaS that ships these six pages on day one is in a stronger position to scale into B2B contracts, where enterprise customers run privacy due diligence before signing.
FAQ
Does my Canadian-owned LLC need a separate Canadian entity for PIPEDA? No. PIPEDA applies based on the operator's commercial activity, not entity domicile. A Canadian resident operating a US LLC is still subject to PIPEDA on Canadian-side operations.
Can I get away with a generic Termly or Iubenda template? For early stage and non-sensitive SaaS, generators get you ~80% of the way. They typically miss Quebec Law 25 specifics (Privacy Officer designation, automated decision rights) and CPRA's sensitive PI section. Plan to have counsel review before B2B contract negotiations begin.
Do I need to register with any privacy authority? PIPEDA and CCPA do not require registration. Quebec Law 25 requires designation (and disclosure) of a Privacy Officer but no registration. GDPR requires DPO appointment for large-scale or systematic processing — most SaaS under 5K MAU doesn't hit it.
What about Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA)? US state privacy laws are converging on similar disclosure standards. A CCPA-compliant policy with the four-law overlay above usually covers them all. Track new state laws every six months.
My SaaS uses Postmark, AWS, and Stripe. Do I need DPAs with all three? Yes. Each is a sub-processor. Postmark, AWS, and Stripe all offer pre-signed DPAs you accept by clicking through their privacy/legal portals.
Next steps
For the broader compliance stack, see our LLC for Canadians guide and the Operating Agreement deep dive. For sub-processor selection on the banking side, see Mercury vs Relay vs Wise. For the tax-side cross-border picture, see LLC CRA-IRS mismatch.