Phase 1 · Regulatory Frameworks — PCI, HIPAA, GDPR, CCPA · Lesson 2 of 2
Exercise · 20 min · +15 pts
You've learned the rules for when PCI DSS, HIPAA, GDPR, and CCPA/CPRA apply. Now apply them. Below are ten company scenarios, each describing a realistic business situation. Your job is to identify which regulations apply based on what the company does, what data it handles, and who it serves.
This is the core analytical skill of regulatory scoping: reading a business context and mapping it to legal and contractual obligations. Get it wrong in practice and you either waste months complying with regulations that don't apply, or miss obligations that do, and find out during an enforcement action or a failed audit.
Multiple regulations can apply
Some companies are subject to several regulations at once. Choose the answer that captures ALL applicable regulations, not just the most obvious one.
Quick check · Scenario 1 of 10
A US-only e-commerce company sells clothing online. They process credit card payments exclusively through Stripe Checkout -- customers enter card details in Stripe's hosted payment page, and the company's servers never see raw card numbers. They have no health data, no EU customers, and annual revenue under $10M. Which regulation applies?
Quick check · Scenario 2 of 10
A US health-tech SaaS company stores patient appointment records, lab results, and prescription data for 200 medical clinics. The clinics are the healthcare providers; the SaaS company processes protected health information on their behalf. Which regulation applies?
Quick check · Scenario 3 of 10
A US-based SaaS company has operated exclusively in the domestic market for three years. They just signed their first customer in France and will begin processing personal data (names, email addresses, usage analytics) of EU residents. No health data or card processing is involved. Which regulation applies?
Quick check · Scenario 4 of 10
A health-tech startup based in Boston builds a patient portal. The app stores medical records (diagnoses, treatment plans) and processes credit card payments for telehealth consultations through their own payment form: card numbers pass through their API before being sent to a processor. They've just launched in Germany and the UK. Which regulations apply?
Quick check · Scenario 5 of 10
A California-based analytics company collects behavioral data from website visitors on behalf of its clients. The company has $30M in annual revenue and processes data on approximately 100,000 consumers. They don't handle health data, don't process payments directly, and operate exclusively in the US. Which regulation applies?
Quick check · Scenario 6 of 10
A US-only B2B SaaS company provides project management tools to 50 enterprise customers. They don't handle health data, don't process credit card payments (they invoice via ACH), and have no EU customers. Annual revenue is $8M. Which regulation applies?
Quick check · Scenario 7 of 10
An EU-based fintech startup in Berlin processes credit card payments for merchants across Europe and has recently expanded to serve US merchants as well. They store card numbers in their own infrastructure for recurring billing. No health data is involved. Which regulations apply?
Quick check · Scenario 8 of 10
A large US health insurance company (a HIPAA covered entity) provides health plans to members across 12 states, including California. They have 500,000 California members. Beyond health plan data, they also collect marketing preferences, website analytics, and app usage data from members. Which regulations apply?
Quick check · Scenario 9 of 10
A Canadian SaaS company based in Toronto provides HR management software. They recently signed customers in France and the Netherlands and will process employee personal data (names, salaries, performance reviews) for those EU-based organizations. They don't handle health data or payment card data. Which regulations apply?
Quick check · Scenario 10 of 10
A US-based IoT company manufactures smart locks for apartment buildings. Their product uses fingerprint scanners to authenticate residents, and the company stores fingerprint templates on their cloud servers. They have a large deployment in Chicago with 15,000 Illinois residents enrolled. No health data or payment processing is involved. Which regulation applies?
If you scored well on these scenarios, you've internalized the core logic of regulatory scoping. Three patterns to remember:
Regulations stack. Real companies rarely face just one regulation. Health data plus payment data plus EU customers means HIPAA plus PCI DSS plus GDPR, simultaneously, and each comes with its own controls, evidence, and audit cycle.
The trigger is in the data and the jurisdiction. It's not about what industry you're in, and size matters only where a law sets an explicit threshold (CCPA's revenue and consumer-count tests are the main example). Otherwise it's about what data you touch, whose data it is, and where those people are located. Note that the scoping decision is made on data flows, not on labels: a company whose servers never see a card number still has PCI DSS obligations (a reduced scope), and a vendor that only processes data on a customer's behalf still inherits obligations as a business associate, processor, or service provider.
State and international laws add layers. The "Big Four" (PCI DSS, HIPAA, GDPR, CCPA) are the starting point, not the finish line. BIPA, PIPEDA, UK GDPR, and dozens of other laws apply based on specific data types and jurisdictions. A GRC Engineer who only checks four regulations is missing the picture. Keep in mind that PCI DSS is a contractual card-brand standard enforced through your acquirer and processor agreements rather than a statute, which changes who enforces it and how, but not whether you must comply.
The next lesson moves from identifying regulations to mapping them against compliance frameworks: the voluntary standards (SOC 2, ISO 27001, NIST CSF) that your customers and auditors will demand alongside these legal and contractual requirements.