Compliance Checklist · 3 minutes read · Published July 15, 2025 · Updated July 15, 2025

SaaS Compliance Checklist to Keep Your Corporate House in Order: Sales Tax, Privacy

Glencoyne Editorial Team
The Glencoyne Editorial Team is composed of former finance operators who have managed multi-million-dollar budgets at high-growth startups, including companies backed by Y Combinator. With experience reporting directly to founders and boards in both the UK and the US, we have led finance functions through fundraising rounds, licensing agreements, and periods of rapid scaling.

Foundational Compliance: Maintaining Corporate "Good Standing"

Before tackling complex topics like tax or privacy, you must first ensure your company is set up to do business legally. This begins with maintaining corporate “good standing” in your state of incorporation. For most tech startups, this means Delaware, the most common state for incorporation. Being in good standing simply means you are up to date on all required state-level administrative filings and fees. It is a fundamental benchmark of corporate health that investors and partners will check during due diligence.

The most critical recurring deadline is for the Delaware Annual Report and franchise tax payment, due March 1st. Missing this can cause your company to fall out of good standing, which may block you from raising capital, securing a loan, or legally enforcing contracts. For a founder managing everything from product development to QuickBooks, this is a non-negotiable compliance task to put on the calendar and a foundational part of your company's operational health.

Navigating State Sales Tax for Software Companies

Once your corporate house is in order, the next challenge is typically sales tax. The question of when and where to collect sales tax from customers became significantly more complex for online businesses after the Supreme Court's 2018 decision in South Dakota v. Wayfair. This ruling established the principle of "economic nexus," which allows states to require businesses to collect sales tax based on their economic activity, even without a physical presence.

Understanding Economic Nexus Thresholds

Economic nexus is usually triggered by crossing specific revenue or transaction thresholds within a state. While rules vary, two common triggers have emerged:

  • A revenue threshold, typically $100,000 in sales into a state within a 12-month period.
  • A transaction threshold, often 200 separate transactions into a state within a 12-month period.

For a B2B SaaS company with high-value contracts, the revenue threshold is the primary concern. For a B2C or prosumer SaaS with low monthly subscription fees, the transaction count can often be the first trigger you hit.

SaaS Tax Requirements by State

Meeting a nexus threshold only gives you the obligation to comply with a state’s rules; it does not automatically mean your service is taxable. The next step is to determine the taxability of SaaS in that specific state, which creates a complex map of SaaS tax requirements by state. The rules vary significantly. For example, states that generally tax SaaS include New York, Pennsylvania, and Washington. In these states, once you establish economic nexus, you must register, collect, and remit sales tax. Conversely, states like California and Illinois currently do not tax standalone SaaS. In these jurisdictions, even if you meet the sales threshold, you have no obligation to collect sales tax on your software subscription revenue.

A practical approach for founders is to monitor sales and transaction data from systems like Stripe on a state-by-state basis. As you approach a threshold, you can then research that state's specific rules on SaaS taxability to determine if action is required. Proactive monitoring is key to managing state sales tax for software companies.

Meeting US Data Privacy Rules for SaaS Companies

While sales tax is a financial obligation, data privacy compliance is about protecting user rights. The US lacks a single federal privacy law like Europe’s GDPR, resulting in a growing number of state-level laws that create new US data privacy rules for SaaS companies. Your obligations here are based on thresholds related to the number of users you have in a particular state.

Key State Laws and Thresholds

The most prominent state privacy laws have similar but distinct requirements. The main ones to watch are:

  • California (CCPA/CPRA): The California Consumer Privacy Act applies to businesses with over $25M in annual revenue OR that handle the personal data of over 100,000 California residents.
  • Virginia (VCDPA): The Virginia Consumer Data Protection Act applies to businesses that control or process personal data for more than 25,000 Virginia consumers.
  • Colorado (CPA): The Colorado Privacy Act applies to businesses that control or process personal data for more than 25,000 Colorado consumers.

Fulfilling Data Subject Access Requests (DSARs)

These laws grant consumers specific rights, such as the right to access and delete the personal information a company holds about them. Fulfilling these requests, known as Data Subject Access Requests (DSARs), is a core compliance activity. The reality for most early-stage startups is more pragmatic than building complex, automated systems. A scenario we repeatedly see is a user emailing support to request their data. Fulfilling this manually involves querying your production database and third-party tools like your CRM, compiling the information into a readable format like a CSV file, and delivering it securely within the legally mandated timeframe.

Beyond DSARs, some states have specific website requirements. For instance, the CCPA requires a clear 'Do Not Sell My Information' link, giving users a way to opt out of the sale of their data. As new privacy laws emerge in states like Utah and Connecticut, the first step for any founder is to understand what customer data you collect and where it is stored.

A Phased Approach to SaaS Compliance

Navigating US SaaS startup compliance requirements is an ongoing process, not a one-time project. For founders without a dedicated compliance team, the key is to build scalable habits and systems. Priorities shift based on your stage. A pre-seed company’s main concern is maintaining corporate good standing, while a Series A company should have mature processes for sales tax and DSARs.

Here are a few concrete compliance tips for SaaS founders:

  1. Calendar Critical Dates: Start by putting the March 1st Delaware Annual Report and franchise tax deadline on your calendar. This is the easiest win.
  2. Establish a Monitoring Cadence: Once a month, run a report from your payment processor to track sales and transaction volume per state. A simple spreadsheet is enough to start. This helps you anticipate when you might trigger economic nexus.
  3. Map Your Customer Data: Before you can comply with privacy laws, you need to know what personal data you collect and where it lives. This initial data mapping exercise is foundational for handling future DSARs.
  4. Review and Update Website Policies: Ensure you have a clear, accurate privacy policy. If you determine you meet the threshold for the CCPA, work with legal counsel to add the required “Do Not Sell My Information” link.
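The monthly per-state rollup from step 2, and the per-state consumer-count thresholds from the privacy section above, can be checked with one small script. The following is an added example, not code from the article or from Glencoyne; the transaction records are constructed, their field layout is an assumption about what a payment-processor export gives you, the trailing 12-month window and the 80% "approaching" flag are assumptions, and the thresholds are the ones quoted in the article (other states differ). It goes slightly beyond the text by also counting distinct customers per state, so the same report covers both the economic-nexus triggers and the privacy-law consumer counts. It only flags thresholds; as the article notes, crossing one does not by itself mean your SaaS is taxable in that state.

```python
"""Per-state threshold monitor for economic nexus and privacy-law consumer counts.

Added example, not the article's or Glencoyne's own tooling. All sample data
below is constructed; the record layout is an assumption.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Txn:
    customer_id: str   # stable customer identifier from the billing system
    state: str         # two-letter US state code of the billing address
    amount_usd: float  # amount settled in USD
    on: date           # settlement date


# Economic-nexus triggers quoted in the article; treated as defaults for every state.
NEXUS_REVENUE_USD = 100_000
NEXUS_TXN_COUNT = 200
# Privacy-law consumer counts quoted in the article (CCPA also has a revenue test,
# which is company-wide and therefore not part of a per-state rollup).
PRIVACY_CONSUMER_THRESHOLDS = {"CA": 100_000, "VA": 25_000, "CO": 25_000}
WARN_RATIO = 0.8  # assumption: flag "approaching" at 80% of a threshold


def per_state_rollup(txns, as_of, window_days=365):
    """Aggregate revenue, transaction count and distinct customers per state
    over the trailing window ending at `as_of` (assumption: trailing 12 months;
    some states measure on a calendar or prior-year basis instead)."""
    start = as_of - timedelta(days=window_days)
    revenue = defaultdict(float)
    count = defaultdict(int)
    customers = defaultdict(set)
    for t in txns:
        if start < t.on <= as_of:  # transactions older than the window are ignored
            revenue[t.state] += t.amount_usd
            count[t.state] += 1
            customers[t.state].add(t.customer_id)
    return {s: {"revenue": revenue[s], "transactions": count[s],
                "customers": len(customers[s])} for s in revenue}


def status(value, threshold):
    """Classify a metric against a threshold: ok / approaching / crossed."""
    if value >= threshold:
        return "crossed"
    if value >= WARN_RATIO * threshold:
        return "approaching"
    return "ok"


def worst(*statuses):
    """Combine per-trigger statuses: any crossed trigger wins, then approaching."""
    if "crossed" in statuses:
        return "crossed"
    if "approaching" in statuses:
        return "approaching"
    return "ok"


def nexus_report(txns, as_of):
    """Per-state flags for the two nexus triggers (either one suffices) and,
    where the article quotes a figure, the privacy-law consumer count."""
    report = {}
    for state, agg in per_state_rollup(txns, as_of).items():
        rev_s = status(agg["revenue"], NEXUS_REVENUE_USD)
        cnt_s = status(agg["transactions"], NEXUS_TXN_COUNT)
        entry = {"revenue": rev_s, "transactions": cnt_s, "nexus": worst(rev_s, cnt_s)}
        if state in PRIVACY_CONSUMER_THRESHOLDS:
            entry["privacy"] = status(agg["customers"], PRIVACY_CONSUMER_THRESHOLDS[state])
        report[state] = entry
    return report


def sample_transactions():
    """Constructed sample data (not real customers) covering three cases."""
    as_of = date(2025, 7, 15)
    txns = []
    # NY: three high-value B2B customers billed twice a year -> revenue trigger first
    for i in range(3):
        for month in (1, 6):
            txns.append(Txn(f"ny-{i}", "NY", 40_000.0, date(2025, month, 1)))
    # TX: many $10 subscriptions -> transaction-count trigger is the one to watch
    for i in range(190):
        txns.append(Txn(f"tx-{i}", "TX", 10.0, date(2025, 5, 1)))
    # TX transactions older than the window must not count toward the threshold
    for i in range(50):
        txns.append(Txn(f"old-{i}", "TX", 10.0, date(2024, 3, 1)))
    # CA: two small customers, nowhere near either nexus trigger or the privacy count
    txns.append(Txn("ca-0", "CA", 500.0, date(2025, 7, 1)))
    txns.append(Txn("ca-1", "CA", 500.0, date(2025, 7, 2)))
    return txns, as_of


if __name__ == "__main__":
    txns, as_of = sample_transactions()
    for state, flags in sorted(nexus_report(txns, as_of).items()):
        print(state, flags)
```

Run it monthly against a real export and act on any state that shows "approaching": that is the point at which the article suggests researching that state's SaaS taxability rules. The old TX transactions in the sample show why the window matters; counting them would push the state over the 200-transaction trigger prematurely.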

By focusing on these foundational areas, you can build a solid base for growth, ensuring that compliance enables, rather than hinders, your success. For a year-round roadmap, continue at the Compliance Checklist hub.

This content shares general information to help you think through finance topics. It isn’t accounting or tax advice and it doesn’t take your circumstances into account. Please speak to a professional adviser before acting. While we aim to be accurate, Glencoyne isn’t responsible for decisions made based on this material.
