How 2026 Privacy Laws Impact Your Ability to Calculate Sales Tax
Collecting a customer's location to calculate sales tax creates obligations under GDPR and CCPA. In 2026, the 'Location of Use' model has made this tension more complex — and more important to resolve correctly.
Introduction
Sales tax calculation requires location data. Privacy law restricts location data collection. In 2026, these two requirements are in direct tension — and regulators on both sides are paying attention.
Getting this right is not optional. A company that collects full billing addresses without proper privacy disclosures faces GDPR fines up to 4% of global annual revenue. A company that avoids location collection to protect privacy may calculate sales tax incorrectly and face state tax assessments.
The "Location of Use" Challenge
In 2026, many states have moved from a "seller location" model to a "location of use" model for determining which tax rate applies.
What This Means in Practice
Under the old model: You charged the tax rate for your billing address.
Under the new model: You charge the tax rate for where the software is actually used.
For a small business customer, this is usually the same address. For an enterprise client with employees across 10 states, you may be required to allocate the subscription cost across each state based on the number of users in each location.
This calculation requires knowing not just the billing address but the actual usage locations — which is considerably more personal data.
What GDPR Requires
Under GDPR, collecting customer location data for tax purposes is permissible under Article 6(1)(c) — the "legal obligation" lawful basis. However, several conditions apply:
Minimum Necessary Standard
You must collect only the minimum location data necessary for tax compliance. In most cases, this means:
- Country (for VAT determination)
- State or province (for US sales tax)
- Postal code (for local rate calculation where required)
You do not need — and should not collect — precise street addresses, GPS coordinates, or IP address logs for tax purposes.
Disclosure Requirements
Your privacy policy must explicitly state:
> "We collect your billing address to calculate applicable sales tax as required by applicable law. This data is retained for [X] years as required by tax record-keeping regulations and is not used for any other purpose."
Retention Limits
Tax records must be retained for the applicable statute of limitations (typically 3–7 years depending on state). After this period, location data collected solely for tax purposes should be purged under GDPR's storage limitation principle.
What CCPA Requires
California's CCPA gives California residents rights over their personal data, including billing address information.
Key Obligations
- Right to Know: Disclose that you collect billing address data and for what purpose
- Right to Delete: Billing address data used for tax compliance is generally exempt from deletion requests to the extent required by law — but you must document this exemption
- No Sale of Data: Tax-related location data cannot be sold to third parties under any circumstances
Anonymized Data for Tax Compliance
To meet GDPR standards while maintaining accurate tax calculations, SaaS firms are increasingly adopting a city-level location model rather than storing full addresses or IP addresses.
How It Works
1. At checkout, collect billing country, state, and city
2. Map city to the applicable tax rate using a published rate table
3. Store only the tax rate applied and the city-level location — not the full address
4. For enterprise multi-state accounts, collect user count by state rather than individual user addresses
This approach satisfies the "minimum necessary" principle under GDPR while providing sufficient accuracy for sales tax calculation in the vast majority of cases.
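The four steps above, combined with the retention limit described earlier, as an added example that is not ProfitMetric's code: the record builder copies only allow-listed fields and stamps a purge date on each record. The function names, the rate table and its rates, and the checkout payload are constructed for illustration; the 7-year window is the figure from the action plan.

```javascript
// Constructed rate table keyed by "COUNTRY/STATE/CITY"; the rates are made up.
const RATE_TABLE = {
  "US/TX/Austin": 0.0825,
  "US/WA/Seattle": 0.1035,
};
const RETENTION_YEARS = 7; // assumption: the action plan's retention figure

// Build the only record that gets persisted. Fields are copied by name from
// an allow-list, so street, IP address, or GPS values present in the checkout
// payload never reach storage.
function minimizeForTax(checkout, collectedAt, rateTable = RATE_TABLE) {
  const { country, state, city } = checkout;
  for (const [name, value] of Object.entries({ country, state, city })) {
    if (typeof value !== "string" || value.trim() === "") {
      throw new Error(`missing required field: ${name}`);
    }
  }
  const key = `${country}/${state}/${city}`;
  if (!Object.prototype.hasOwnProperty.call(rateTable, key)) {
    throw new Error(`no published rate for ${key}`);
  }
  const purgeAfter = new Date(collectedAt);
  purgeAfter.setUTCFullYear(purgeAfter.getUTCFullYear() + RETENTION_YEARS);
  return {
    country, state, city,
    taxRate: rateTable[key],
    collectedAt: new Date(collectedAt).toISOString(),
    purgeAfter: purgeAfter.toISOString(),
  };
}

// Storage-limitation sweep: keep only records whose retention window is open.
function purgeExpired(records, now) {
  return records.filter((r) => new Date(r.purgeAfter) > now);
}

// Constructed checkout payload carrying more than tax calculation needs.
const SAMPLE_CHECKOUT = {
  country: "US", state: "TX", city: "Austin",
  street: "1 Example Way",
  ip: "203.0.113.7", gps: { lat: 0, lon: 0 },
};
```

Run `purgeExpired` on a schedule against the stored records; because the purge date is fixed at collection time, a later change to the retention constant does not silently extend records already held.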
ProfitMetric's Approach
Our Tax & Compliance Nexus Checker uses this logic — it allows you to input location data at the state level for nexus analysis without storing or transmitting any personally identifiable information. The calculation runs entirely in your browser.
The Multi-State Enterprise Problem
The hardest scenario: an enterprise customer with a company-wide SaaS license and employees distributed across 15 states.
Option 1: Charge at Billing Address
Simplest approach. Charge the tax rate for the billing address (typically headquarters). Risk: some states may audit and reallocate based on user locations.
Option 2: Collect User State Distribution
Ask the customer to provide a user count by state at contract signing. Allocate the fee proportionally. Recalculate annually.
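Option 2's proportional allocation, as an added example that is not code from the original page: it goes beyond the text by using largest-remainder rounding so the per-state amounts sum to the fee to the cent. `allocateFeeByState` is a hypothetical name, and its input is the aggregate user count by state that the customer supplies at signing.

```javascript
// Allocate a subscription fee (integer cents) across states in proportion to
// user counts. Input is aggregate counts only: no per-user records exist here.
function allocateFeeByState(feeCents, usersByState) {
  if (!Number.isInteger(feeCents) || feeCents < 0) {
    throw new Error("feeCents must be a non-negative integer");
  }
  const entries = Object.entries(usersByState);
  for (const [state, count] of entries) {
    // Accept only a two-letter code with a whole-number count, so e-mail
    // addresses or user ids cannot appear as keys. The key is not echoed
    // in the error, in case it is personal data.
    if (!/^[A-Z]{2}$/.test(state) || !Number.isInteger(count) || count < 0) {
      throw new Error("invalid state entry");
    }
  }
  const totalUsers = entries.reduce((sum, [, n]) => sum + n, 0);
  if (totalUsers === 0) throw new Error("no users to allocate across");

  // Floor each share, then hand the leftover cents to the largest
  // remainders so the parts always sum to the fee exactly.
  const shares = entries.map(([state, n]) => ({
    state,
    cents: Math.floor((feeCents * n) / totalUsers),
    remainder: (feeCents * n) % totalUsers,
  }));
  let leftover = feeCents - shares.reduce((sum, s) => sum + s.cents, 0);
  const byRemainder = [...shares].sort(
    (a, b) => b.remainder - a.remainder || a.state.localeCompare(b.state));
  for (const s of byRemainder) {
    if (leftover === 0) break;
    s.cents += 1;
    leftover -= 1;
  }
  return Object.fromEntries(shares.map((s) => [s.state, s.cents]));
}
```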
Option 3: Billing Address as Proxy
Use billing address as a reasonable proxy and document the methodology. This is the most defensible position for most mid-market companies if full user location data is unavailable.
Action Plan
1. Update your privacy policy to explicitly cover tax-related location data collection
2. Minimize collection: Country + state + postal code is sufficient for most calculations
3. Set retention schedules: 7 years for tax records, then purge
4. Document your methodology for enterprise multi-state accounts
5. Avoid storing IP addresses for tax purposes — use billing address only