Reference

Analytics privacy compliance, mapped across 36 countries and 16 laws.

A reference for cookies, consent, analytics, and cross-border transfers — sourced from primary regulator decisions and statutory text. Free, ad-free, no SaaS, no email gate.

Editorial research — not legal advice

Featured reference

What a cookie banner needs across 5 regulators

Eight elements regulators have written about, with the per-statute requirement matrix below.

[Figure: mock cookie banner titled "We use cookies", with Necessary / Analytics / Marketing categories, Privacy policy and Cookie policy links, Reject all / Settings / Accept all buttons, and the line "You can change your choices anytime." Numbered callouts: 1 Title (opening sentence); 2 Body text (purpose · controller); 3 Categories (per-purpose toggles); 4 Privacy policy (link to notice); 5 Cookie policy (per-cookie inventory); 6 Reject all (1-click, equal prominence); 7 Settings (granular per-category); 8 Accept all (1-click affirmative).]
Cookie banner anatomy — 8 elements regulators have written about across the EU/UK ePrivacy stack and CCPA/CPRA. Editorial reading; not legal advice.
Per-statute requirement matrix (columns: CNIL, TTDSG, Garante, PECR, CCPA)
1. Title / opening sentence: Plain-language statement that the site uses cookies and similar technologies.
2. Purpose & body text: Why cookies are set, who controls them, and how the user can change choices.
3. Cookie categories breakdown: Strictly necessary / Analytics / Marketing / Personalisation, distinguished.
4. Privacy policy link: Direct link to the privacy notice covering processing details.
5. Cookie policy / per-cookie list: Per-cookie inventory (name, purpose, lifespan, provider).
6. Reject all (1 click): Reject must be reachable on the first layer with equal visual prominence to Accept.
7. Granular settings / preferences: Per-category opt-in toggles before any non-essential tag fires.
8. Accept all (1 click): Affirmative consent action — clear, unambiguous, before any tag fires.

Legend: Required / Conditional / Not required.

Editorial

Notes from the desk

Editorial reading as of 2026-05-07 — not legal advice. GDPR-style omnibus laws are not cookie laws. Most regimes here address data subject access in some form, but a clear opt-in posture for non-essential cookies sits primarily in the EU/UK ePrivacy stack (the ePrivacy Directive plus its national implementations such as PECR) read alongside GDPR/UK GDPR consent standards. Outside Europe, Quebec's Law 25 reads as the only North American statute requiring affirmative opt-in for tracking technologies, and South Korea's PIPC has consistently treated identifiable / behavioural cookies as personal information requiring prior, specific consent under PIPA. Several other regimes regulate cookies indirectly via general consent principles, deemed-consent constructs (e.g. Singapore PDPA), or sector-specific telecoms statutes (e.g. Switzerland's FMG Art. 45c, which uses a transparency / opt-out model) rather than a dedicated cookie opt-in rule. Conflating GDPR-style omnibus rules with cookie rules is the most expensive consent-banner mistake we see in compliance reviews.

Editorial reading as of 2026-05-07 — not legal advice. Two of the topics on this page are not statutory in origin. Google Consent Mode v2 and the Certified-CMP requirement operate as Google contractual policy obligations layered on top of GDPR / ePrivacy consent — the underlying consent regime is statutory, but the Google signal protocol and CMP-certification step are not themselves written into the law. They do not replace statutory consent, and dropping the Google ad stack does not make a statutory opt-in obligation go away. We surface them as topics because they regularly come up in compliance reviews.

Editorial reading as of 2026-05-06 — not legal advice. The Conditional column is doing real work. Take PIPEDA's accountability principle as the canonical example: it requires every organisation to designate an individual accountable for compliance (Schedule 1, Principle 4.1.1), so on an 'is there a DPO?' yes/no test it ticks the box — but the statute does not articulate the statutory powers, formal training mandates, or independence guarantees that GDPR Articles 37–39 spell out for the DPO role. We mark it Conditional rather than Yes for that reason. Treat Conditional as: you still need the function; the legal scaffolding is thinner — and qualified counsel should map it to your facts.

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. Pages on this site do not establish a lawyer-client relationship and are not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment, transfer, contract, breach, or regulator interaction.