Skip to content

Free public utility · No paywall · Sources cited

Analytics privacy compliance,
mapped across 36 countries and 16 laws.

A reference site for cookies, consent, and analytics rules.
Click a country, read a law, copy a template. All sourced. All free.

Open the map → Browse the laws
36 countries · 16 laws · 8 topics · 15 templates · 27 vendors · 720 verdicts

By country

Pick a jurisdiction. Get applicable laws, banner rules, vendor verdicts, recent enforcement.

36 jurisdictions →

By law

Read a regulation in plain English with scope, consent baseline, DSR, transfers, enforcement.

16 laws →

By topic

Solve a problem: cookie banner, Consent Mode v2, DSAR, international transfers, cookieless analytics.

8 topics →

Templates

Copy ready-made banner texts, privacy policies, DSR replies, Consent Mode init snippets.

15 templates →

Map

Start with where you operate

Full map + filters →

Color-coded by enforcement intensity. Click any dot to open the country page — applicable laws, regulator, recent fines, vendor verdicts.

Japan · moderate South Korea · aggressive Czech Republic · pragmatic Hungary · moderate Poland · moderate Romania · moderate Mexico · moderate California · moderate Canada · moderate Texas · moderate Virginia · moderate Denmark · moderate Estonia · pragmatic Finland · pragmatic Norway · moderate Sweden · moderate Australia · moderate Argentina · moderate Brazil · moderate Colombia · moderate Singapore · moderate India · moderate Greece · moderate Italy · aggressive Portugal · moderate Slovenia · pragmatic Spain · moderate Austria · aggressive Belgium · moderate France · aggressive Germany · aggressive Ireland · aggressive Netherlands · moderate Switzerland · moderate United Kingdom · moderate
Enforcement  Aggressive  Moderate  Pragmatic

Browse · 36 jurisdictions

Browse by country

See all 36 →
🇩🇪Germany
DE · Western Europe
🇫🇷France
FR · Western Europe
🇬🇧United Kingdom
UK · Western Europe
🇮🇹Italy
IT · Southern Europe
🇪🇸Spain
ES · Southern Europe
🇺🇸California
US-CA · Northern America
🇧🇷Brazil
BR · South America
🇮🇳India
IN · Southern Asia

Reference · 16 laws

Browse by law

See all 16 →
EU REGULATION · 2018-05-25
GDPR
EU Regulation 2016/679. Applies in 27 EU member states + 3 EEA states. Effective since 25 May 2018. Maximum fine: €20M or…
20 jurisdictions · max €20.0M
US STATE · 2020-01-01
CCPA/CPRA
California state law. Applies to businesses with revenue ≥$25M OR 100k+ CA consumers OR ≥50% revenue from selling personal data. CPRA added…
1 jurisdictions
NATIONAL · 2021-01-01
UK GDPR
Post-Brexit UK clone of EU GDPR with minor divergences. Enforced by ICO. UK Data Protection and Digital Information Bill amendments pending.
1 jurisdictions · max €20.0M
NATIONAL · 2020-09-18
LGPD
Brazilian federal privacy law modeled after GDPR. Enforced by ANPD. Maximum fine: 2% of Brazilian revenue, capped at R$50M per infraction.
1 jurisdictions
EU DIRECTIVE · 2002-07-31
ePrivacy
EU Directive on cookies, terminal-device access, electronic communications privacy. Implemented nationally — TTDSG (DE), CNIL guidelines (FR), PECR (UK). Article 5(3) is…
20 jurisdictions
NATIONAL · 2001-01-01
PIPEDA
Canadian federal privacy law for commercial sector. Provinces with substantially similar laws (Quebec, Alberta, BC) take precedence. Enforced by OPC.
1 jurisdictions
NATIONAL · 2023-08-11
DPDPA
Indian federal privacy law (rules pending notification). Establishes Data Protection Board. Maximum penalty: ₹250 crore (~€28M) per default. Opt-in consent baseline; carve-outs…
1 jurisdictions
US STATE · 2023-01-01
VCDPA
Virginia state privacy law. Applies to controllers processing data of ≥100k VA consumers OR ≥25k consumers + 50% revenue from sale. Opt-out…
1 jurisdictions

Solve a problem

Browse by topic

All 8 →

Eight topics that come up in almost every analytics setup. Each page is jurisdiction-aware and links to the source rule.

🪟   TOPIC
Cookie banner requirements
When you need a banner, what it must say, what it must not pre-tick.
🔁   TOPIC
Google Consent Mode v2
Google's signaling for EEA traffic — what it does and doesn't fix.
🪶   TOPIC
Analytics without cookies
Cookieless tools and the legal carve-outs that skip the banner.
📄   TOPIC
Privacy policy requirements
Required disclosures by jurisdiction with a universal core.
🍪   TOPIC
Cookie policy requirements
When a separate cookie notice is mandatory and what to include.
🪪   TOPIC
Data Subject Access Requests (DSAR)
Data Subject Access Requests — timelines and the 8 GDPR rights.
🌐   TOPIC
International data transfers
Schrems II, DPF, SCCs — what works where in 2026.
✅   TOPIC
Google certified CMP requirement
Google's certified-CMP requirement for EEA/UK/CH ad serving.

Free for any use

Templates you can copy

All 15 →

Plain-language banners, modular policies, DSR replies, Consent Mode init snippets, DPIA skeletons. Annotated with the rule each one satisfies.

🪟   5 ITEMS
Cookie banners
Plain-language and IAB-compatible banner text per jurisdiction.
📄   3 ITEMS
Privacy policies
Modular privacy notices for EU, US multi-state, and LGPD.
🍪   2 ITEMS
Cookie policies
Standalone cookie disclosures with the per-cookie inventory pattern.
✉️   2 ITEMS
DSR replies
Response templates for Article 15 access, deletion, refusal.
⚙️   2 ITEMS
Consent Mode v2
Default-deny init snippets for EU/EEA and multi-region setups.
🔍   1 ITEM
DPIA skeletons
Article 35-style structure for analytics tool deployment.

Compare

Side by side, two or three at a time

Same rows on each side. Outliers highlighted. No editorial verdict — just the rules next to each other.

COMPARE · 2 entities
Germany  vs  France
Two strictest EU regulators (CNIL vs DSK) side by side.
COMPARE · 2 entities
GDPR  vs  CCPA / CPRA
Opt-in EU baseline against opt-out California — same rows.
COMPARE · 3 entities
California  vs  Virginia  vs  Texas
Three biggest US-state opt-out laws on one screen.

FAQ

Common questions

Is this site free?
Yes. Free forever. No paywalls, no ads, no email gate, no Pro tier. Funded by the operator as a contribution to the field.
Is Google Analytics legal in the EU?
Conditionally. With Consent Mode v2, IP anonymization, a signed DPA, and a reject-all banner, GA4 sits in the yellow zone in most EU member states. A server-side EU proxy moves it to green. Always pair with a Google-certified CMP for ad serving.
Do I need a cookie banner in California?
No mandatory banner under CCPA/CPRA. You need a clear "Do Not Sell or Share My Personal Information" link, recognition of the Global Privacy Control signal, and a privacy notice at point of collection.
What is the difference between GDPR and CCPA?
GDPR is opt-in for non-essential cookies and applies to any organization processing data of EU residents. CCPA is opt-out for sale and sharing, applies to California consumers, and has a much narrower applicability threshold.
What is Consent Mode v2?
A JavaScript layer between Google tags and the browser that adjusts data collection by consent state. Required for Google Ads serving to EEA, UK, and Switzerland traffic since March 2024. It is not a CMP and does not by itself satisfy ePrivacy consent rules.
Where does this data come from?
Primary regulator sources — statutes, supervisory-authority guidance, and published decisions. Each entry is reviewed quarterly with a visible last_reviewed timestamp. Methodology is published openly. No affiliates, no sponsorships, no conflicts of interest.

Methodology

Why this is credible

Every entry cites the primary regulator source — the statute, the supervisory authority's guidance, or the published decision. The catalog is reviewed quarterly and every page carries a visible last_reviewed date.

No ads. No affiliates. No sponsored placements. No vendor pays to appear or to change a verdict. The conflicts-of-interest policy is one sentence long because there are no conflicts to disclose.

This is editorial research, not legal advice. For binding interpretation in your jurisdiction, consult a qualified DPO or attorney admitted there.

Read the full methodology →