Editorial reading as of 2026-05-07 — not legal advice. GDPR-style omnibus laws are not cookie laws. Most regimes here address data subject access in some form, but a clear opt-in posture for non-essential cookies sits primarily in the EU/UK ePrivacy stack (the ePrivacy Directive plus its national implementations such as PECR) read alongside GDPR/UK GDPR consent standards. Outside Europe, Quebec's Law 25 reads as the only North American statute requiring affirmative opt-in for tracking technologies, and South Korea's PIPC has consistently treated identifiable / behavioural cookies as personal information requiring prior, specific consent under PIPA. Several other regimes regulate cookies indirectly via general consent principles, deemed-consent constructs (e.g. Singapore PDPA), or sector-specific telecoms statutes (e.g. Switzerland's FMG Art. 45c, which uses a transparency / opt-out model) rather than a dedicated cookie opt-in rule. Conflating GDPR-style omnibus rules with cookie rules is the most expensive consent-banner mistake we see in compliance reviews.
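The practical check behind that last sentence is a pre-consent cookie audit: load the site in a fresh session, touch nothing on the consent banner, and look at what was set anyway. The script below is an added example for this page, not SetupAnalytics code. It takes the raw Set-Cookie header values from such a load, separates essential from non-essential cookies by a site-specific allowlist, and grades the result against the consent posture the note above assigns to each regime. The allowlist prefixes, the posture table, the jurisdiction codes and the sample headers are all constructed assumptions for illustration, not statutory text.

```python
"""Pre-consent cookie audit.

Added example for this page, not SetupAnalytics code. It takes the Set-Cookie
headers observed on a first page load before any consent interaction, splits
them into essential and non-essential by a site-specific allowlist, and grades
the result against the consent posture the note above describes per regime.
The allowlist, the posture table and the sample headers are constructed
assumptions, not statutory text.
"""

# Assumption: the site operator has documented these cookie-name prefixes as
# strictly necessary (session, CSRF, stored consent state). Anything else set
# before consent is treated as non-essential (analytics, advertising, etc.).
ESSENTIAL_PREFIXES = ("sessionid", "csrftoken", "cookie_consent")

# Consent posture per jurisdiction code, as the note above reads the regimes:
# EU/UK ePrivacy stack, Quebec Law 25 and Korea's PIPA read as opt-in; Swiss
# FMG Art. 45c as transparency/opt-out; Singapore PDPA as deemed consent.
POSTURE = {
    "EU": "opt-in", "UK": "opt-in", "QC": "opt-in", "KR": "opt-in",
    "CH": "opt-out", "SG": "deemed-consent",
}

# Constructed sample: headers captured from a fresh session with no consent
# banner interaction. Two are essential; _ga and _fbp are analytics/ad cookies.
SAMPLE_PRE_CONSENT_HEADERS = [
    "sessionid=3b9f2c1e; Path=/; HttpOnly; Secure; SameSite=Lax",
    "csrftoken=7a1d0e55; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.2.1234567890.1700000000; Path=/; Max-Age=63072000; SameSite=Lax",
    "_fbp=fb.1.1700000000.123456; Path=/; Max-Age=7776000",
]


def cookie_name(set_cookie_value):
    """Return the cookie name from a raw Set-Cookie header value, or None.

    Only the leading name=value pair matters for this check; attributes such
    as Path or Max-Age are ignored. A value with no '=' is malformed.
    """
    first = set_cookie_value.split(";", 1)[0]
    name, sep, _value = first.partition("=")
    name = name.strip()
    return name if sep and name else None


def is_essential(name):
    return name.lower().startswith(ESSENTIAL_PREFIXES)


def audit(set_cookie_headers, jurisdiction):
    """Grade pre-consent cookies for one jurisdiction.

    Returns (verdict, sorted non-essential cookie names). Verdicts:
      'fail'           opt-in regime and non-essential cookies were set
      'review'         opt-out/deemed-consent regime; transparency duties remain
      'pass'           nothing non-essential was set before consent
      'unknown-regime' jurisdiction not in POSTURE; do not infer a pass
    """
    names = {n for n in map(cookie_name, set_cookie_headers) if n}
    non_essential = sorted(n for n in names if not is_essential(n))
    posture = POSTURE.get(jurisdiction)
    if posture is None:
        return "unknown-regime", non_essential
    if not non_essential:
        return "pass", non_essential
    if posture == "opt-in":
        return "fail", non_essential
    return "review", non_essential


if __name__ == "__main__":
    for jur in ("EU", "QC", "CH", "SG", "XX"):
        verdict, names = audit(SAMPLE_PRE_CONSENT_HEADERS, jur)
        print(f"{jur}: {verdict} {names}")
```

Run it against headers you captured yourself (a fresh browser profile or a curl of the landing page is enough). The allowlist is the part that needs care: an "essential" classification is a legal judgement the site operator has to be able to defend, so keep it short and documented rather than letting it grow to cover whatever the tag manager happens to drop. A `review` verdict is not a clearance; in the opt-out and deemed-consent regimes the notice and opt-out mechanics still have to be in place.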
Privacy laws governing analytics & cookies
Sixteen privacy regimes that materially shape how websites collect, store, and process visitor data — sourced from statutory text, regulator guidance, and court rulings. Use the matrix to compare attributes; jump to /countries/ for enforcement posture by jurisdiction.
Atlas index
| Law | Region | Enacted (era) | Headline penalty cap | Scope | Authority / jurisdiction | Topics covered |
|---|---|---|---|---|---|---|
| ePrivacy (ePrivacy Directive 2002/58/EC, as amended) | EU / EEA | 2002 (pre-2010) | Statute silent (set by each national implementation) | 30 jurisdictions | EU | Cookie opt-in |
| GDPR (General Data Protection Regulation, EU 2016/679) | EU / EEA | 2018 (2010s) | €20M / 4% turnover | 30 jurisdictions | EU | Cookie opt-in · DSAR · Erasure · +4 |
| APPI (Act on the Protection of Personal Information, 平成15年法律第57号, Act No. 57 of 2003, last amended 2022) | Asia-Pacific | 2003 (pre-2010) | ¥100M (corporate criminal fine; no turnover-based penalty) | 1 jurisdiction | JP | DSAR · DPO · Transfers · +1 |
| DPDPA (Digital Personal Data Protection Act 2023) | Asia-Pacific | 2023 (2020+) | ₹250 crore per instance (Schedule) | 1 jurisdiction | IN | DSAR · Erasure · DPO · +3 |
| Law 25 (An Act to modernize legislative provisions as regards the protection of personal information, Quebec) | Americas (N) | 2022 (2020+; assented 2021, phased in to 2024) | CAD $25M / 4% turnover (penal); CAD $10M / 2% turnover (administrative) | 1 jurisdiction | QC | Cookie opt-in · DSAR · Erasure · +3 |
| LGPD (Brazilian General Data Protection Law, Lei 13.709/2018) | Americas (S) | 2020 (2020+) | 2% turnover, capped at R$50M per infraction | 1 jurisdiction | BR | DSAR · Erasure · DPO · +2 |
| nFADP (Swiss Federal Act on Data Protection, revised, 2023) | Switzerland | 2023 (2020+) | CHF 250K (individual) | 1 jurisdiction | CH | DSAR · Erasure · DPO · +2 |
| PDPA SG (Personal Data Protection Act 2012, No. 26 of 2012) | Asia-Pacific | 2014 (2010s) | 10% Singapore turnover or S$1M, whichever is higher | 1 jurisdiction | SG | DSAR · Erasure · DPO · +2 |
| PECR (Privacy and Electronic Communications (EC Directive) Regulations 2003) | UK | 2003 (pre-2010) | £17.5M / 4% turnover | 1 jurisdiction | UK | Cookie opt-in · Breach 72h |
| PIPA KR (Personal Information Protection Act, 개인정보 보호법, 2011, last amended 2023) | Asia-Pacific | 2011 (2010s) | 3% turnover | 1 jurisdiction | KR | Cookie opt-in · DSAR · Erasure · +4 |
| PIPEDA (S.C. 2000, c. 5, Canada) | Americas (N) | 2001 (pre-2010) | CAD $100K (max, per offence) | 1 jurisdiction | CA | DSAR · Transfers · Breach 72h |
| Privacy Act AU (Privacy Act 1988 (Cth) + Australian Privacy Principles) | Asia-Pacific | 1988 (pre-2010) | 30% adjusted turnover (greatest of A$50M, 3× benefit, 30% turnover) | 1 jurisdiction | AU | DSAR · Transfers · Breach 72h |
| UK GDPR (UK General Data Protection Regulation + Data Protection Act 2018) | UK | 2021 (2020+) | £17.5M / 4% turnover | 1 jurisdiction | UK | Cookie opt-in · DSAR · Erasure · +4 |
| CCPA/CPRA (California Consumer Privacy Act 2018, as amended by the California Privacy Rights Act 2020) | Americas (N) | 2020 (2020+) | $2.5K–$7.5K / violation | 1 jurisdiction | CA (CPPA) | DSAR · Erasure · Children · +1 |
| TDPSA (Texas Data Privacy and Security Act, Tex. Bus. & Com. Code Ch. 541) | Americas (N) | 2024 (2020+) | $7.5K / violation | 1 jurisdiction | TX | DSAR · Erasure · Children · +1 |
| VCDPA (Virginia Consumer Data Protection Act, Va. Code § 59.1-575 et seq.) | Americas (N) | 2023 (2020+) | $7.5K / violation | 1 jurisdiction | VA | DSAR · Erasure · Children · +1 |
Where it bites: topic coverage at a glance (heatmap legend: Yes / Conditional / No; the grid itself is not reproduced here, see the topic-chip definitions under Methodology)
Notes from the desk
Editorial reading as of 2026-05-06 — not legal advice. The Conditional column is doing real work. Take PIPEDA's accountability principle as the canonical example: it requires every organisation to designate an individual accountable for compliance (Schedule 1, Principle 4.1.1), so on a 'is there a DPO?' yes/no test it ticks the box — but the statute does not articulate the statutory powers, formal training mandates, or independence guarantees that GDPR Articles 37–39 spell out for the DPO role. We mark it Conditional rather than Yes for that reason. Treat Conditional as: you still need the function; the legal scaffolding is thinner — and qualified counsel should map it to your facts.
Editorial reading as of 2026-05-05 — not legal advice. US state privacy laws share lineage but functionally diverge. CCPA, VCDPA, and TDPSA differ on right-of-correction scope and on private right of action (which, broadly, sits with CCPA only and even then is narrow: confined to certain data-breach scenarios under Cal. Civ. Code § 1798.150). Universal opt-out / Global Privacy Control recognition also varies by state: California, Colorado, Connecticut, New Jersey and Oregon require it through varying mechanisms; Texas's TDPSA has required businesses to honour a universal opt-out mechanism since 1 January 2025; Virginia's VCDPA does not require recognition at all. The matrix flattens these dimensions into shared chips. Open each state's page, and confirm with counsel admitted in the jurisdiction, before drafting policy text.
How we classify · Methodology
Statute vs enforcement. This page surfaces what the law says — coverage, scope, penalties, statutory rights and topics. For what regulators actually do in each market — recent fines, sectoral sweeps, agency posture — see /countries/.
Penalty cell (headline figures only). "€20M / 4% turnover" = the higher of an absolute cap or a percentage of global turnover, in the GDPR / UK GDPR mould. "% turnover" = a revenue-based cap; where the statute pairs it with an absolute ceiling or floor the cell says so (LGPD caps the 2% at R$50M per infraction; Australia's 30% figure is one limb of a "greatest of" formula alongside A$50M and three times the benefit obtained). "$ / violation" = per-incident statutory amounts (some US state laws). "Statute silent" = the penalty is set by sectoral or general administrative law rather than the privacy act itself (the ePrivacy Directive leaves this to each national implementation). These are headline maxima, not expected outcomes. Actual fines depend on regulator practice, mitigating factors, and procedural posture; see /countries/ for enforcement signal.
Topic chips (editorial reading as of 2026-05-05; not legal advice). A "Yes" indicates the topic is addressed in statutory text or a tightly-coupled implementing statute. "Conditional / narrower" indicates the topic is addressed but is sectoral, voluntary, threshold-gated, or interpreted via general principles rather than dedicated provisions. "Not addressed by this statute" means the privacy act in question is silent on the topic; general data-protection principles, sectoral statutes, or constitutional protections may still apply, and a tightly-coupled statute (e.g. an ePrivacy implementation, a telecoms act, or a children's privacy act) may regulate the same conduct. One chip label needs a caveat of its own: "Breach 72h" marks a mandatory breach-notification duty, and the 72-hour clock in the label is GDPR Article 33's. The other regimes carrying the chip run different clocks: PIPEDA requires reporting "as soon as feasible", the Australian Notifiable Data Breaches scheme allows up to 30 days to assess a suspected breach and then requires notice "as soon as practicable", and PECR Regulation 5A, read with retained Regulation (EU) 611/2013, gives public electronic communications service providers 24 hours. Always read in conjunction with the per-law page and qualified counsel.
Freshness. Each law was reviewed against current regulator guidance on or around 2026-05-05. An amber pill marks any law whose review has slipped past 180 days.
Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. Topic-coverage classifications, penalty figures, and notes on this page are a general orientation drawn from public statutory text and regulator guidance as of 2026-05-05; they do not establish a lawyer-client relationship, are not warranted for accuracy or currency, and must not be relied on for specific facts. Consult qualified counsel admitted in the relevant jurisdiction for any deployment, cross-border transfer, contract, or compliance decision.