Trust Services Criteria Cost

Privacy TSC Cost in SOC 2: $10K-$25K Add-On

Privacy is the highest-cost optional Trust Services Criterion to add to a SOC 2 audit. The criterion implements the Generally Accepted Privacy Principles (GAPP) control set and overlaps materially with GDPR, CCPA/CPRA, HIPAA, and ISO 27701 controls. This page walks through realistic add-on cost, explains the GAPP control overlay, and notes how Privacy TSC interacts with privacy regulations and adjacent frameworks.

Audit fee add-on: $10K-$25K

Total first-year add-on: $25K-$75K

Difficulty: heaviest TSC

What Privacy actually requires

The AICPA Trust Services Criteria for Privacy define the controls that demonstrate personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's privacy commitments and the Generally Accepted Privacy Principles (GAPP). The criterion is published as part of the AICPA TSP Section 100 framework available at aicpa.org and covers ten domain areas: notice and choice (transparent disclosure to data subjects about data collection), consent (explicit consent for collection and use), collection limitation (collecting only necessary data), use limitation (using data only for disclosed purposes), retention limitation (deleting data when no longer needed), access (data subject rights to access, correct, and delete their data), disclosure to third parties (controlled sharing with vendors and partners), security for privacy (controls supporting privacy specifically), quality (data accuracy and currency), and monitoring and enforcement (ongoing oversight of privacy programme effectiveness).

Privacy is the heaviest single-criterion lift in the AICPA TSC catalog because the GAPP control set is broad, the controls are bespoke to the SaaS's privacy practices, and the audit testing requires the auditor to verify that the SaaS's stated privacy commitments are operationally implemented across all ten GAPP domains. The control set is layered on top of the Security Common Criteria; a Privacy scope means the auditor tests Common Criteria plus all ten Privacy domains during the same engagement.

Realistic add-on cost across vendors

The audit fee add-on for Privacy is materially higher than for other optional criteria. Boutique firms typically add $10,000 to $16,000 to the Security-only SOC 2 Type 2 fee. Mid-tier firms typically add $16,000 to $25,000. Big 4 firms add proportionally more, often into the $30,000 to $50,000 range for SaaS with complex privacy practices (multi-jurisdiction operations, multiple consumer data sources, large data subject volumes). Beyond the audit fee, expect $8,000 to $30,000 in additional readiness work to formalise the privacy programme (data subject rights workflow, consent management, data retention schedules, vendor privacy assessments, breach notification procedures, privacy impact assessments, etc.) and $6,000 to $20,000 in additional internal staff time.

Total Privacy scope-in cost is typically $25,000 to $75,000 across the first year, the highest of any optional Trust Services Criterion. Year 2 and beyond drop to $15,000 to $40,000 once the privacy programme is operational. The cost is editorially defensible only when the SaaS's customer base or regulatory environment specifically requires Privacy TSC verification.

When to scope Privacy in

Privacy scope is editorially defensible when the SaaS handles personal information under privacy regulations (GDPR, CCPA/CPRA, PIPEDA, LGPD, or similar) and the customer base specifically asks for third-party-attested privacy verification. The clearest scope-in scenarios include: healthcare SaaS handling protected health information where privacy controls are part of the customer's HIPAA compliance posture; AdTech and MarTech platforms handling consumer behavioural data where privacy controls are part of GDPR and CCPA compliance; edutech handling student personal data where privacy controls intersect with FERPA, COPPA, and state student privacy laws; B2C SaaS with EU or California user bases where GDPR and CCPA compliance is a procurement question; HR SaaS handling employee personal data at scale where privacy controls are part of vendor risk management for the employer.

The other case for scoping Privacy in is when the SaaS is selling to procurement teams that explicitly require Privacy TSC in vendor risk reviews. This is increasingly common in EU-headquartered customer bases (where GDPR sensitivity is high) and in California-headquartered customer bases (where CCPA/CPRA is the analog). Procurement teams use the SOC 2 Privacy TSC as the third-party verification that the vendor has implemented controls supporting the customer's own GDPR or CCPA compliance posture.

When to skip Privacy and use ISO 27701 instead

For SaaS already pursuing or planning ISO 27001, adding ISO 27701 alongside is often more economical than adding Privacy TSC to SOC 2. ISO 27701 is the privacy-management extension to ISO 27001 and provides a parallel third-party-attested privacy verification. The ISO 27701 audit work piggybacks on the existing ISO 27001 audit infrastructure (same auditor, same evidence flow, same control documentation), which materially reduces marginal cost. The combined ISO 27001 plus ISO 27701 audit fee is typically lower than the equivalent SOC 2 plus Privacy TSC audit fee for the same scope.

For SaaS pursuing SOC 2 only without ISO 27001 in scope, Privacy TSC is the more natural choice because the audit firm and the GRC platform are already engaged for SOC 2. Adding Privacy TSC to the existing SOC 2 engagement is operationally simpler than adding a separate ISO 27701 programme.

When to skip Privacy entirely

SaaS without personal information processing or with very limited PII (only employee accounts, no customer personal data) can typically skip Privacy. The criterion does not provide additional procurement signal for SaaS where the customer is not relying on the SaaS to handle their own customers' personal data. B2B SaaS that processes only company-level data (financial information, operational metrics, vendor relationships) without consumer or employee personal data falls into this category.

Adding Privacy scope without the customer-facing demand for it is over-spend in the $25,000 to $75,000 range across the first year. The right scoping for typical commercial B2B SaaS without personal data processing is Security plus Availability plus Confidentiality, with Privacy as a later-stage addition only if the customer base or regulatory environment shifts to require it.

Specific controls to implement or formalise

The control set that satisfies Privacy TSC requirements maps to the GAPP domains. Document the following:

- privacy notice posted on customer-facing properties with clear disclosure of data collection, use, sharing, and retention practices;
- consent management workflow with documented consent capture and withdrawal procedures (cookie banners are necessary but not sufficient; consent tracking infrastructure is required);
- data subject rights workflow supporting access, correction, deletion, and portability requests with documented timeline targets (GDPR requires 30 days; CCPA requires 45 days);
- data retention schedule with explicit retention rules per data type and documented deletion procedures with verification;
- vendor privacy assessment procedures, including review of vendor privacy practices before sharing personal data and ongoing monitoring;
- breach notification procedures aligned with GDPR (72-hour notification to supervisory authority), CCPA (notification to California Attorney General for breaches affecting 500+ California residents), and other applicable jurisdictions;
- privacy impact assessments for new product features that materially change data handling;
- privacy programme governance, including a designated privacy officer or DPO where required and ongoing privacy training.

The privacy programme work is the heaviest part of the readiness effort.
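The retention-limitation and data-subject-rights controls above can be backed by checks a privacy programme runs on a schedule. The following is an added illustration, not code from the page or from the AICPA: a per-data-type retention schedule with overdue detection, deletion verification against the data store, and response-deadline tracking using the 30-day GDPR and 45-day CCPA windows the page quotes. The retention periods, record log, store contents and requests are constructed sample values.

```python
from datetime import date, timedelta

# Constructed retention schedule in days per data type (illustrative; not the page's or the AICPA's).
# A real schedule records the business or legal basis for each row.
RETENTION_DAYS = {"marketing_lead": 365, "support_ticket": 730, "billing_record": 2555}
# Response windows for data subject requests as quoted on the page.
DSR_DEADLINE_DAYS = {"GDPR": 30, "CCPA": 45}

def overdue_records(records, today):
    """Ids of live records held longer than their data type's retention period."""
    return [r["id"] for r in records if r["deleted_on"] is None
            and (today - r["created_on"]).days > RETENTION_DAYS[r["type"]]]

def verify_deletions(records, store_ids):
    """Deletion verification: a record logged as deleted must be absent from the store."""
    return [r["id"] for r in records if r["deleted_on"] and r["id"] in store_ids]

def dsr_due_date(received_on, regime):
    """Statutory due date for a request received under the given regime."""
    return received_on + timedelta(days=DSR_DEADLINE_DAYS[regime])

def dsr_status(requests, today, warn_days=7):
    """Per request: closed, overdue, due_soon (within warn_days) or on_track."""
    status = {}
    for q in requests:
        if q["completed_on"] is not None:
            status[q["id"]] = "closed"
            continue
        left = (dsr_due_date(q["received_on"], q["regime"]) - today).days
        status[q["id"]] = "overdue" if left < 0 else "due_soon" if left <= warn_days else "on_track"
    return status

# Constructed sample data: record log, ids still present in the store, open requests.
TODAY = date(2026, 5, 11)
SAMPLE_RECORDS = [
    {"id": "r1", "type": "marketing_lead", "created_on": date(2025, 1, 1), "deleted_on": None},
    {"id": "r2", "type": "support_ticket", "created_on": date(2025, 1, 1), "deleted_on": None},
    {"id": "r3", "type": "marketing_lead", "created_on": date(2024, 1, 1), "deleted_on": date(2025, 2, 1)},
]
SAMPLE_STORE_IDS = {"r2", "r3"}  # r3 is logged as deleted but still present: a verification failure
SAMPLE_REQUESTS = [
    {"id": "q1", "regime": "GDPR", "received_on": date(2026, 4, 20), "completed_on": None},
    {"id": "q2", "regime": "CCPA", "received_on": date(2026, 3, 20), "completed_on": None},
    {"id": "q3", "regime": "GDPR", "received_on": date(2026, 4, 15), "completed_on": None},
]

if __name__ == "__main__":
    print("past retention:", overdue_records(SAMPLE_RECORDS, TODAY))                  # ['r1']
    print("deletion failures:", verify_deletions(SAMPLE_RECORDS, SAMPLE_STORE_IDS))  # ['r3']
    print("request status:", dsr_status(SAMPLE_REQUESTS, TODAY))
```

The three outputs are the evidence an auditor testing the retention-limitation and access domains asks for: records past retention, deletions that did not actually happen, and requests approaching or past their statutory deadline.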

How Privacy fits with the other optional criteria

Privacy is rarely scoped in isolation. SaaS that adds Privacy typically already has Availability and Confidentiality in scope. The combined three-criteria scope plus Privacy can push the audit fee add-on into the $25,000 to $50,000 range above the Security baseline. Processing Integrity may also be in scope for processing-critical SaaS that handles personal data, particularly in healthcare and fintech verticals where the combined four-criteria scope is editorially defensible.

For SaaS in regulated verticals (healthcare with HIPAA, fintech with PCI DSS, AdTech with industry-specific frameworks), Privacy TSC is typically scoped alongside the regulatory framework rather than as a substitute. The healthcare SaaS and fintech SaaS cost pages cover these vertical-specific scoping decisions in more depth.

Frequently Asked Questions

How much does the Privacy TSC add to a SOC 2 audit?

Adding Privacy to a SOC 2 audit typically adds $10,000 to $25,000 to the audit fee. Boutique firms add $10,000 to $16,000; mid-tier firms add $16,000 to $25,000. Beyond the audit fee, expect $8,000 to $30,000 in additional readiness work and $6,000 to $20,000 in additional internal staff time. Total Privacy scope-in cost is typically $25,000 to $75,000 across the first year, the highest of any optional Trust Services Criterion.

What does the Privacy TSC require?

Privacy requires controls that demonstrate personal information is collected, used, retained, disclosed, and disposed of in conformity with the entity's privacy commitments and the Generally Accepted Privacy Principles (GAPP). The criterion covers notice and choice, consent, collection limitation, use limitation, retention limitation, access (data subject rights), disclosure to third parties, security for privacy, quality, and monitoring and enforcement. The control set is the heaviest single-criterion lift in the AICPA TSC catalog.

Who needs the Privacy TSC?

SaaS that handles personal information under privacy regulations (GDPR, CCPA/CPRA, PIPEDA, LGPD, or similar) and wants third-party-attested verification that privacy controls are operating. Common scope-in scenarios include: healthcare SaaS handling PHI, AdTech and MarTech handling consumer behavioural data, edutech handling student personal data, B2C SaaS with EU or California user bases, and HR SaaS handling employee personal data at scale. SaaS without personal information processing or with very limited PII (only employee accounts) can typically skip Privacy.

How does Privacy TSC interact with GDPR and CCPA?

Privacy TSC and GDPR/CCPA/CPRA are complementary. GDPR and CCPA are legal frameworks the SaaS must comply with regardless of SOC 2 scope. Privacy TSC provides third-party-attested verification that the SaaS has implemented controls supporting GDPR or CCPA compliance, which procurement teams in EU- and California-headquartered customer bases consistently ask about. The control overlap is significant (60 to 80 percent), so SaaS that has implemented GDPR or CCPA controls already has most of the Privacy TSC controls in place.

How does Privacy TSC interact with HIPAA?

Privacy TSC and HIPAA are partially overlapping but distinct. HIPAA is a US federal law specifically governing protected health information (PHI) handling, with its own enforcement regime and breach disclosure requirements. Privacy TSC is broader (it covers all personal information, not just PHI) and is voluntary attestation rather than legal compliance. Healthcare SaaS pursuing both typically scopes Privacy TSC for the voluntary attestation alongside HIPAA for the legal compliance, with significant control overlap in encryption, access controls, and breach notification.

Is ISO 27701 a better choice than Privacy TSC?

Sometimes. ISO 27701 is the privacy-management extension to ISO 27001 and provides a parallel third-party-attested privacy verification. For SaaS already pursuing or planning ISO 27001, adding ISO 27701 alongside is often more economical than adding Privacy TSC to SOC 2, because the ISO 27701 work piggybacks on the existing ISO 27001 audit infrastructure. For SaaS pursuing SOC 2 only, Privacy TSC is the more natural choice because the audit firm and platform are already engaged for SOC 2.

Updated 2026-05-11