Korea's PIPC closed out the SK Telecom USIM-breach file in late August with a ₩134.5B penalty — the largest single PIPA fine against a domestic operator on record. The April 2025 disclosure had hit roughly 27 million subscriber-authentication records; the final order cites inadequate access controls, weak key encryption, and slow breach notification. We've moved South Korea from "investigation pending" to a closed entry and re-tagged the enforcement bucket. Posture remains moderate-trending-active; expect a closer look at session-replay vendors through 2026.
Reference
Privacy & analytics compliance — by jurisdiction
Updated
·
36 jurisdictions
·
last event added Poland, 2025-09
An editorial atlas of cookie-consent rules, GA4 status, applicable laws, vendor restrictions, and recent enforcement — sourced from regulator decisions, court rulings, and statutory text. Browse the matrix or filter the corpus from above.
Editorial research — not legal advice
Showing 36 of 36
Region 0
Framework 0
GA4 0
Posture 0
More filters
Consent model
Vendor restrictions
Active:
Atlas index
Sortable · select any two for side-by-side comparison · click row to open
| Select | Frameworks | Vendor risk | ||||
|---|---|---|---|---|---|---|
| Japan JP 1mo ago | APPI | Moderate | M T F C | |||
| South Korea KR 1mo ago | PIPA | Moderate | M T F C | |||
| Czech Republic CZ 1mo ago | GDPRePrivacy | No public record | M T F C | |||
| Hungary HU 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Poland PL 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Romania RO 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Mexico MX 1mo ago | — | Moderate | M T F C | |||
| California US-CA 1mo ago | CCPA/CPRA | Moderate | M T F C | |||
| Canada CA 1mo ago | PIPEDA | Moderate | M T F C | |||
| Quebec CA-QC 1mo ago | Quebec Law 25PIPEDA | Moderate | M T F C | |||
| Texas US-TX 1mo ago | TDPSA | Moderate | M T F C | |||
| Virginia US-VA 1mo ago | VCDPA | Lawful | Moderate | M T F C | ||
| Denmark DK 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Estonia EE 1mo ago | GDPRePrivacy | No public record | M T F C | |||
| Finland FI 1mo ago | GDPRePrivacy | No public record | M T F C | |||
| Norway NO 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Sweden SE 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Australia AU 1mo ago | AU Privacy Act | Moderate | M T F C | |||
| Argentina AR 1mo ago | — | Moderate | M T F C | |||
| Brazil BR 1mo ago | LGPD | Moderate | M T F C | |||
| Colombia CO 1mo ago | — | Moderate | M T F C | |||
| Singapore SG 1mo ago | PDPA (SG) | Moderate | M T F C | |||
| India IN 1mo ago | DPDPA | Moderate | M T F C | |||
| Greece GR 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Italy IT 1mo ago | GDPRePrivacy | Active | M T F C | |||
| Portugal PT 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Slovenia SI 1mo ago | GDPRePrivacy | No public record | M T F C | |||
| Spain ES 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Austria AT 1mo ago | GDPRePrivacy | Active | M T F C | |||
| Belgium BE 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| France FR 1mo ago | GDPRePrivacy | Active | M T F C | |||
| Germany DE 1mo ago | GDPRePrivacy | Active | M T F C | |||
| Ireland IE 1mo ago | GDPRePrivacy | Active | M T F C | |||
| Netherlands NL 1mo ago | GDPRePrivacy | Moderate | M T F C | |||
| Switzerland CH 1mo ago | Swiss FADP | Lawful | Moderate | M T F C | ||
| United Kingdom UK 1mo ago | UK GDPRPECR | Moderate | M T F C |
Open geographic atlas
Posture
Active
Moderate
No public record
Not classified
Notes from the desk
Two adjacent files refreshed this week. France: CNIL's €150M SHEIN decision (1 Sept 2025) is now the largest cookie-consent fine on record, tied with Google 2021 — banner-level reject button missing on first layer, cookies persisting after refusal. Ireland: DPC × TikTok €530M (May 2025) for EEA→China transfers under SCCs without adequate supplementary measures, plus DPC × Meta €251M (Dec 2024) on the 2018 "View As" breach. Both files now carry the 2025 cycle in full. No new countries this pass — corpus stays at 36.
Two US-side updates worth pinning. California: the CPPA's ADMT, risk-assessment, and cybersecurity-audit regulations cleared the board in late September — phased compliance dates run through 2027-28. Texas: the Google CUBI matter ($1.375B) settled in May and finalized 31 October — three claims (face-grouping in Photos, Incognito tracking, geolocation-after-disable), all under pre-TDPSA CUBI + UDAP theories. The takeaway for analytics teams: state AGs are now matching EU-scale numbers without needing the privacy statute itself to do the work.
How we classify · Methodology
Active — at least one regulator decision or court ruling against analytics or cookie practices in the last 24 months, with sectoral sweeps or six-figure fines.
Moderate — clear guidance and warning letters but no recent decisions of public note.
No public record — DPA active and funded; no enforcement publicly tied to analytics, cookies, or CMP issues in the last 24 months.
Not classified — insufficient primary-source evidence.
Verdicts come from primary regulator decisions, court judgments, and statutory text — not vendor blogs. If a country's last review is older than 180 days, it carries an amber freshness pill in the matrix.
Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. Country-level conclusions are general orientation; consult qualified counsel for any specific deployment, transfer, or contract. Report an inaccuracy →