Jurisdiction ยท COUNTRY ยท EE
๐ช๐ช Estonia
EU member state. AKI (Andmekaitse Inspektsioon). Most pragmatic Nordic regulator; strong digital-government context. Local act: Isikuandmete kaitse seadus.
What a typical site must do
| Requirement | Value | Confidence | Reviewed |
|---|---|---|---|
| analytics_exempt_cookieless | yes | high | 2026-05-05 |
| banner_required | yes | high | 2026-05-05 |
| breach_notification_hours | 72 | high | 2026-05-05 |
| consent_mode_v2_relevant | yes | high | 2026-05-05 |
| consent_model | opt_in | high | 2026-05-05 |
| cookie_policy_required | yes | high | 2026-05-05 |
| dpf_transfers_acceptable | conditional | medium | 2026-05-05 |
| dpo_required | yes_large_scale | high | 2026-05-05 |
| dsr_response_days | 30 | high | 2026-05-05 |
| enforcement_strictness | pragmatic | high | 2026-05-05 |
| iab_tcf_required | recommended | medium | 2026-05-05 |
| language_required | local | high | 2026-05-05 |
| pre_consent_pings_allowed | no | medium | 2026-05-05 |
| privacy_policy_required | yes | high | 2026-05-05 |
| reject_layer1 | yes_required | high | 2026-05-05 |
| ropa_required | yes_250+ | high | 2026-05-05 |
Editorial notes
Tool compliance matrix
Default-config verdict per analytics/CMP tool against this jurisdiction.
| Vendor | Status | Rationale |
|---|---|---|
| Addingwell | green | EU-only datacenters strong for FR/DE compliance; per-event pricing scales steeply at high traffic. |
| Cookiebot | green | Danish-based, EU-hosted. Auto-blocks third-party scripts pre-consent โ verify your manual scripts also gate. |
| Iubenda | green | Italian-based, EU-hosted. Free tier limits 5k pageviews/mo; granular per-vendor controls require paid plan. |
| Klaro | green | Open-source, self-hosted. No managed updates โ site owner maintains vendor list. |
| OneTrust | green | GDPR + CCPA + multi-region templates available. Common config error: GDPR/CCPA mode mismatch โ verify per-region defaults. |
| Stape | green | EU server containers handle the routing โ but server-side tagging does NOT auto-fix consent. CMP must still gate browser-side pings. |
| Usercentrics | green | German-based, EU-hosted. v3 SDK required for Consent Mode v2; TCF flow can over-collect for non-AdTech sites. |
| Adobe Analytics | yellow | Visitor ID cookie + cross-suite stitching with Experience Platform. DPIA strongly recommended; configure ECID + IP obfuscation. |
| Amplitude | yellow | EU residency available on paid plans; default cloud is US. Persistent user IDs require config + DPA + DPF chain. |
| PostHog | yellow | EU cloud helps but session recording + autocapture default to PII collection. Disable autocapture and recordings or self-host for green. |
| Server-side GTM (Google Cloud) | yellow | "EU server" โ EU data โ clients still transmit to Google ad backends downstream. Use only for Google-ecosystem first-party-routing. |
| Heap | red | Auto-capture grabs every click and form value โ broad PII risk under GDPR Art 5(1)(c) data minimization. |
| LinkedIn Insight Tag | red | Loads pre-consent if naively placed; cross-device matching broad. Block until consent + IAB TCF string set. |
| Meta Pixel | red | Schrems II concerns persist; advanced matching hashes PII but does not fix EUโUS transfer problem. |
| TikTok Pixel | red | PRC-parent ownership flagged by Italian Garante and EDPB; transfers to China contested. Consent + risk acknowledgement required. |