Regulatory coverage

+27 global regulations in a single dashboard.

From GDPR and ePrivacy in Europe to Law 1581 in Colombia, CPRA in California and LGPD in Brazil. Conma manages consent for every jurisdiction where your users operate.

  • +27 regulations and counting
  • 15 with full support implemented
  • 6 regions covered
  • Updated to 2026, GCM v2 included

Key regulations

The most critical ones for your website

🇪🇺
GDPR
European Union

The mother of all modern digital privacy rules.

The world's most influential privacy framework. It regulates the processing of personal data of EU residents with extraterritorial reach. It defines valid consent (Art. 4.11 and 7), data subject rights and the obligation to document every consent.

See official regulation
🇪🇺
ePrivacy
European Union

The directive that makes the cookie banner mandatory.

The cookie-specific directive. Art. 5.3 requires prior consent to store or read non-essential cookies. It complements the GDPR and is technically the rule that triggers the cookie banner.

See official regulation
🇺🇸
CPRA
California, USA

Honoring GPC is mandatory — Conma does it automatically.

An evolution of the CCPA. It adds new rights, creates the CPPA as an independent authority and introduces the concept of “sharing” data for advertising. GPC must be honored as an opt-out of sale and sharing.

See official regulation
🇨🇴
Ley 1581
Colombia

Colombian habeas data: express and informed authorization.

Colombia's habeas data law. It regulates the processing of personal data and applies to any company that processes data of Colombian citizens. It requires the data subject's prior, express and informed authorization.

See official regulation

European Union & United Kingdom

4 regulations
🇪🇺
GDPR (2018)
European Union
Supported

General Data Protection Regulation

The world's most influential privacy framework. It regulates the processing of personal data of EU residents with extraterritorial reach. It defines valid consent (Art. 4.11 and 7), data subject rights and the obligation to document every consent.

  • Prior, freely given, specific, informed and unambiguous consent
  • Granularity by purpose category
  • As easy to withdraw as to grant
  • Record of proof of consent
  • No pre-checks or dark patterns
EDPB (European Data Protection Board) | Official text
🇪🇺
ePrivacy (2009)
European Union
Supported

ePrivacy Directive

The cookie-specific directive. Art. 5.3 requires prior consent to store or read non-essential cookies. It complements the GDPR and is technically the rule that triggers the cookie banner.

  • Prior consent before storing cookies (opt-in)
  • Exemption: session, authentication and security cookies
  • No exemption: analytics, advertising and social media
  • Local Storage and fingerprinting also covered
EDPB + national DPAs | Official text
🇬🇧
UK GDPR (2018)
United Kingdom
Supported

UK GDPR & Data Protection Act 2018

Post-Brexit, the UK adopted its own GDPR with the DPA 2018. Practically identical to the GDPR in consent requirements. The ICO explicitly prohibits cookie walls and dark patterns.

  • Same consent standards as the GDPR
  • ICO requires a clear, balanced banner
  • Explicit prohibition of cookie walls
  • Mandatory consent record
ICO (Information Commissioner's Office) | Official text
🇪🇸
LSSI-CE (2002)
Spain
Supported

Ley de Servicios de la Sociedad de la Información

The Spanish transposition of the ePrivacy Directive. The AEPD has published detailed guidance on cookie implementation, the prohibition of cookie walls and the “positive action” standard for consent.

  • Prior, informed consent for non-exempt cookies
  • Granular configuration panel
  • Access without accepting optional cookies
  • Third-party information in the banner
AEPD (Agencia Española de Protección de Datos) | Official text

Latin America

5 regulations
🇨🇴
Ley 1581 (2012)
Colombia
Supported

Ley Estatutaria 1581 de 2012

Colombia's habeas data law. It regulates the processing of personal data and applies to any company that processes data of Colombian citizens. It requires the data subject's prior, express and informed authorization.

  • Prior, express and informed authorization
  • Specific processing purpose
  • ARCO rights guaranteed
  • Published data processing policy
SIC (Superintendencia de Industria y Comercio) | Official text
🇨🇴
DUR TIC (2015)
Colombia
Supported

Decreto Único Reglamentario 1074 de 2015

Compiles and regulates Law 1581/2012. It defines the concrete responsibilities of controllers and processors in Colombia, including response deadlines for requests and security measures.

  • Mandatory privacy notice before collecting data
  • 15 business days to respond to rights requests
  • Technical and organizational security measures
  • International transfers only to countries with an adequate level
SIC (Superintendencia de Industria y Comercio) | Official text
🇧🇷
LGPD (2020)
Brazil
Supported

Lei Geral de Proteção de Dados

Brazil's GDPR. It regulates the processing of data of individuals in Brazilian territory with extraterritorial reach. It defines 10 legal bases for processing. Consent must be freely given, informed and unambiguous.

  • Freely given, informed and unambiguous consent
  • Purpose, duration and third parties disclosed
  • Right to withdraw consent easily
  • DPIA for high-risk processing
ANPD (Autoridade Nacional de Proteção de Dados) | Official text
🇦🇷
PDPA Argentina (2000)
Argentina
Partial

Ley 25.326 de Protección de Datos Personales

One of LATAM's first privacy laws, recognized by the EU as adequate. A legislative reform aligning it with the GDPR is underway. It requires consent and registration of databases with the AAIP.

  • Prior consent before processing
  • Information about the controller and purpose
  • ARCO rights guaranteed
  • Database registration with the AAIP
AAIP (Agencia de Acceso a la Información Pública) | Official text
🇲🇽
LFPDPPP (2010)
Mexico
Partial

Ley Federal de Protección de Datos Personales

Regulates the processing of personal data by private parties in Mexico. It requires a Privacy Notice with specific information before collecting data. It applies to any company that processes data of Mexicans.

  • Privacy Notice before collection
  • Sensitive data requires express, written consent
  • ARCO rights within 20 business days
  • Simplified notice in the banner
INAI (Instituto Nacional de Transparencia) | Official text

United States

7 regulations
🇺🇸
CPRA (2023)
California, USA
Supported

California Privacy Rights Act

An evolution of the CCPA. It adds new rights, creates the CPPA as an independent authority and introduces the concept of “sharing” data for advertising. GPC must be honored as an opt-out of sale and sharing.

  • Automatically honor Global Privacy Control (GPC)
  • Opt-out of sale and sharing of data
  • “Do Not Sell or Share” link required
  • Opt-in for those under 16
CPPA (California Privacy Protection Agency) | Official text
🇺🇸
VCDPA (2023)
Virginia, USA
Supported

Virginia Consumer Data Protection Act

The first comprehensive privacy law in the eastern US. Similar to the GDPR in structure. It applies to companies that process data of 100,000+ Virginians. Opt-out of processing for targeted advertising.

  • Opt-out of targeted advertising and data sale
  • Consent for sensitive data
  • DPIA for high-risk processing
  • Clear privacy notice
Office of the Attorney General of Virginia | Official text
🇺🇸
CPA (2023)
Colorado, USA
Supported

Colorado Privacy Act

Colorado's law with an emphasis on universal opt-out mechanisms. It requires honoring universal opt-out signals (GPC mandatory since July 2024). Impact assessments for high-risk activities.

  • GPC mandatory as an opt-out signal
  • Opt-out of targeted advertising and sale
  • Opt-in for sensitive data
  • DPIA required for targeted advertising
Colorado Attorney General | Official text
🇺🇸
CTDPA (2023)
Connecticut, USA
Supported

Connecticut Data Privacy Act

In force since July 2023. It requires honoring universal opt-out signals. It includes the right to correct inaccurate data. It applies to companies that process data of 100,000+ residents.

  • Honor universal opt-out signals
  • Opt-out of targeted advertising and sale
  • Opt-in consent for sensitive data
  • No cookie walls for residents
Connecticut Attorney General | Official text
🇺🇸
UCPA (2023)
Utah, USA
Supported

Utah Consumer Privacy Act

Applies to companies with $25M+ in revenue that process data of 100,000+ residents. The most permissive of the state laws: opt-out only, no mandatory DPIA.

  • Opt-out of targeted advertising and data sale
  • Clear privacy notice
  • No mandatory DPIA
Utah Division of Consumer Protection | Official text
🇺🇸
MCDPA (2024)
Montana, USA
Supported

Montana Consumer Data Privacy Act

In force since October 2024. It applies to companies that process data of 50,000+ Montana residents. It includes the right to correct and portability. A model similar to Virginia/Colorado.

  • Opt-out of targeted advertising, sale and profiling
  • Opt-in for sensitive data
  • DPIA for high-risk activities
  • Privacy notice with third-party information
Montana Attorney General | Official text
🇺🇸
TDPSA (2024)
Texas, USA
Supported

Texas Data Privacy and Security Act

In force since July 2024 in Texas, the second most populous US state. No minimum size threshold (only excludes SMBs under $25M). One of the broadest scopes among state laws.

  • Opt-out of targeted advertising, sale and profiling
  • Honor recognized opt-out signals (GPC)
  • Opt-in consent for sensitive data
  • DPIA for high-risk activities
Texas Attorney General | Official text

Asia-Pacific

6 regulations
🇹🇭
PDPA Thailand (2022)
Thailand
Partial

Personal Data Protection Act B.E. 2562

Thailand's first comprehensive data protection law, with extraterritorial reach similar to the GDPR. In force since June 2022. It requires explicit consent for non-essential cookies.

  • Explicit consent before storing non-essential cookies
  • Clear information about purpose and duration
  • Right to withdraw consent
  • Record of processing activities
PDPC (Personal Data Protection Committee Thailand) | Official text
🇸🇬
PDPA Singapore (2021)
Singapore
Partial

Personal Data Protection Act 2012 (Amendment 2021)

Singapore's privacy law, updated in 2021. It introduces “deemed” consent for publicly available data and requires breach notification within 3 days.

  • Consent for non-essential cookies
  • Breach notification within 3 days to the PDPC
  • Opt-out of direct marketing
PDPC Singapore (Personal Data Protection Commission) | Official text
🇯🇵
APPI (2022)
Japan
Partial

Act on the Protection of Personal Information

Reformed in 2022 with breach notification obligations, restrictions on international transfers and new rights. Third-party cookies for advertising tracking require consent.

  • Consent for third-party tracking with personal data
  • Information about purpose of use before collecting data
  • Breach notification to the PPC and data subjects
PPC (Personal Information Protection Commission Japan) | Official text
🇨🇳
PIPL (2021)
China
Coming soon

Personal Information Protection Law

China's GDPR. In force since November 2021 with extraterritorial reach. It requires separate consent for each purpose. Storage of Chinese citizens' data must be localized in China.

  • Separate consent per purpose
  • Mandatory opt-in for personalized advertising
  • Data localization for important personal information
  • Impact assessments for international transfers
CAC (Cyberspace Administration of China) | Official text
🇮🇳
DPDPA (2023)
India
Coming soon

Digital Personal Data Protection Act

India's new data protection law, passed in August 2023. It requires freely given, specific, informed and unambiguous consent. Penalties of up to ₹250 crore (~$30M USD).

  • Explicit and unambiguous consent
  • Privacy notice in plain language
  • Right to withdraw consent easily
  • Parental consent for those under 18
Data Protection Board of India | Official text
🇦🇺
Privacy Act AU (2024)
Australia
Partial

Privacy Act 1988 (Amendment 2024)

Updated in 2024 with new rights: access, portability and erasure. Analytics cookies are considered “personal information” if they can be linked to an individual.

  • Consent for cookies that collect personal information
  • Clear privacy policy with cookie information
  • Opt-out of direct marketing
  • Right to erasure for tracking data
OAIC (Office of the Australian Information Commissioner) | Official text

Africa & Middle East

4 regulations
🇿🇦
POPIA (2021)
South Africa
Partial

Protection of Personal Information Act

Africa's most robust privacy law. In force since July 2021. Similar to the GDPR, it defines conditions for lawful processing and data subject rights. Processing personal information requires authorization.

  • Data subject authorization for tracking cookies
  • Information about the controller and purpose
  • Rights of access, rectification and erasure
  • Breach notification to the regulator and data subjects
Information Regulator South Africa | Official text
🇹🇷
KVKK (2016)
Türkiye
Partial

Kişisel Verilerin Korunması Kanunu

Türkiye's data protection law, inspired by Directive 95/46/EC. It requires explicit consent to process personal data. KVKK guidance requires a banner with category-level granularity.

  • Explicit consent before non-essential cookies
  • Banner with differentiated categories
  • Record of processing activities with the KVKK
KVKK (Kişisel Verileri Koruma Kurumu) | Official text
🇸🇦
PDPL Saudi (2023)
Saudi Arabia
Coming soon

Personal Data Protection Law

Saudi Arabia's first comprehensive privacy law, in force since September 2023. Extraterritorial reach. It requires consent for personal data with an emphasis on data localization.

  • Consent for data processing via cookies
  • Privacy notice in Arabic
  • Restrictions on transfers outside Saudi Arabia
NDMO (National Data Management Office) | Official text
🇦🇪
PDPL UAE (2022)
United Arab Emirates
Coming soon

UAE Federal Data Protection Law

The UAE's first federal privacy law, in force since 2022. It applies across the federal territory. It requires a legal basis to process personal data including cookies.

  • Consent or another legal basis for tracking cookies
  • Accessible privacy notice
  • Rights of access, rectification and erasure
UAE Data Office | Official text

Other Regions

1 regulation
🇨🇦
PIPEDA / Law 25 (2022)
Canada
Supported

Personal Information Protection and Electronic Documents Act / Law 25

PIPEDA + Quebec Law 25 (2022), which dramatically updates obligations. Law 25 requires explicit, granular consent for non-essential cookies in Quebec, with standards close to the GDPR.

  • Explicit, granular consent (Law 25 Quebec)
  • Notice at the start of the site before storing cookies
  • GPC honored as an opt-out in Quebec
  • Privacy policy in French for Quebec
OPC (Office of the Privacy Commissioner of Canada) | Official text

Support status:

  • Supported: full implementation in Conma
  • Partial: core features covered
  • Coming soon: on the roadmap, available soon

Comply with every regulation.
From day one.

A single integration covers every jurisdiction where your users operate. No manual per-country configuration.

No credit card | +27 regulations | Continuously updated