Reference

How we source, classify, and review every page on this site

SetupAnalytics is a free, ad-free public utility for analytics and privacy compliance reference. This page documents every editorial choice the site makes — what we source, how we classify, when we re-review, what we earn, what we don't, and where editorial reading stops and qualified counsel begins.

Editorial research — not legal advice

1 · What this site is — and what it isn't

SetupAnalytics is an editorial atlas: a structured summary of public regulator guidance, statutory text, court rulings, and Google's published technical specifications, organised so that an analytics engineer, SEO operator, or privacy lead can navigate from question to answer without wading through marketing material.

It is not a substitute for legal advice. Reading, copying, citing, or adapting any page on this site does not create or imply a lawyer-client relationship with the editor or any reviewer. SetupAnalytics expressly disclaims any warranty of accuracy, completeness, currency, fitness for a particular purpose, or non-infringement, to the maximum extent permitted by applicable law. Editorial reading is provided "as is". For any specific deployment, contract, transfer, breach, regulator interaction, or contemplated reliance on a regulator's published position, consult qualified counsel admitted in the relevant jurisdiction.

It is not a compliance product. We don't sell SaaS, sell certifications, run a vendor marketplace, or take affiliate revenue. The site exists because the editor needed a reference that didn't exist; publishing it free is cheaper than maintaining a private one.

2 · Sourcing standards

Verdicts come from primary sources. In order of precedence:

  1. Statutory text. The act itself — GDPR, CCPA, LGPD, etc. — read from official publishers (eur-lex.europa.eu, leginfo.legislature.ca.gov, planalto.gov.br, etc.).
  2. Regulator decisions. Published DPA rulings (CNIL, Garante, AEPD, ICO, DPC, etc.) and court judgments (CJEU, national supreme courts, US state courts).
  3. Regulator guidance. Official guidance pages, opinions, and consultation documents from the regulator's own portal.
  4. Company technical specifications. For Google Consent Mode v2, IAB TCF, and similar policy-protocol artefacts: the vendor's own published specification.

What we don't cite as primary source: vendor blogs, compliance-SaaS marketing pages, secondary aggregators, or LLM summaries. If a site only cites those, the verdict is editorial inference and we flag it as such.

3 · Review cadence + tier classification

Every page carries a Last reviewed date. Atlas archives surface a derived Updated date that is the most recent review across the corpus. The cadences below are the editorial target, not yet an observed history: the published corpus is the first complete review pass (2026-05-04 onward). Cadence becomes verifiable as the corpus ages — until then the Last reviewed date on each page is the operative ground truth.

| Tier | What's in it | Target cadence |
|---|---|---|
| Tier 1 | Germany, France, Italy, Ireland, Spain, UK, California; GDPR, UK GDPR, CCPA/CPRA, LGPD | Monthly |
| Tier 2 | Other EEA states, Switzerland, Brazil, Japan, Korea, Singapore, India, Australia, Canada, Quebec; ePrivacy, PECR, PIPEDA, Swiss FADP, APPI, PIPA, PDPA SG, DPDPA, AU Privacy Act, Quebec Law 25 | Quarterly |
| Tier 3 | US state laws (VCDPA, TDPSA, plus emerging states); other Tier C jurisdictions on roadmap | Semi-annually, plus on material change |
| Out-of-cycle | Any jurisdiction where a material decision lands (regulator fine, court ruling, statute amendment) | Within 14 days of publication |

4 · How the four atlases relate to each other

The site has a deliberate split. Each atlas answers a different question:

  • /laws/ — what does the statute say? Scope, penalty cap, primary regulator, topic coverage. Statutory text is the ground truth.
  • /countries/ — what do regulators actually do? Enforcement posture, recent decisions, GA4 status, vendor restrictions per market.
  • /topics/ — what does the operational work look like? Cookie banner rollout, DSAR triage, transfer review — task-shaped.
  • /templates/ — what concrete artefacts do you start from? Drop-in banner copy, privacy policies, DSR replies, Consent Mode snippets, DPIA scaffolds.

Cross-links between atlases are bidirectional. Every law on /laws/ links to the countries that have enforced it. Every country on /countries/ links to the laws applicable there. Every topic on /topics/ links to applicable laws and most-affected jurisdictions. Every template on /templates/ is scoped to a primary law and an optional jurisdiction.

5 · Topic-coverage taxonomy (Yes / Conditional / No)

The "Where it bites" mini-matrix on /laws/ and the topic chips on each law page classify topic coverage as one of three values:

| Mark | What it means |
|---|---|
| Yes | The topic is squarely in the statutory text with a recognised mechanism. A counsel reading the act would identify a clear provision governing the topic. |
| Conditional / weaker | Coverage exists but is narrow, sectoral, threshold-gated, or interpreted via general principles rather than dedicated provisions. The topic is regulated, but the legal scaffolding is thinner than the gold standard. |
| Not addressed by this statute | The statute is silent on this topic. General data-protection principles may still apply via the broader regime; the specific topic is not separately codified. |

Worked example: PIPEDA carries Conditional for DPO. Schedule 1, Principle 4.1 requires that an organization designate an individual or individuals accountable for compliance, with sub-clause 4.1.1 confirming that accountability rests with the designated individual(s) even when day-to-day processing is delegated. GDPR Articles 37–39 spell out the same role but with statutory designation triggers, defined tasks, independence guarantees, and a prohibition on dismissal or penalisation for performing the role (Art 38(3)). Both regimes recognise an accountable privacy lead; GDPR's version is the same function on heavier statutory scaffolding.

6 · Enforcement posture (per jurisdiction)

| Posture | Threshold |
|---|---|
| Active | At least one regulator decision or court ruling specifically tied to analytics, cookies, or CMP issues in the last 24 months, with sectoral sweeps or six-figure fines. |
| Moderate | Clear regulator guidance and warning letters but no recent decisions of public note in the analytics/cookie space. |
| No public record | The regulator is active and funded; no enforcement publicly tied to analytics, cookies, or CMP issues in the last 24 months. Not "doesn't enforce" — the public record on these specific topics is silent. |
| Not classified | Insufficient primary-source evidence to confidently place the jurisdiction in one of the above brackets. |

"No public record" is deliberately not "Quiet". The earlier label invited the misreading "this DPA never enforces"; the current label says only what the public record contains.

7 · GA4 status (per jurisdiction)

  • Lawful — the regulator has not issued guidance restricting GA4; default lawful basis under the regime applies.
  • Lawful with consent — GA4 is lawful when prior, granular, opt-in consent fires before tags load; the regulator's published guidance treats consent as the operative gate.
  • Litigated / restricted — at least one DPA decision has restricted, fined, or otherwise narrowed GA4 deployment in this jurisdiction within the last 24 months.
  • Not classified — insufficient primary-source evidence to place the jurisdiction in one of the above brackets.

The post-DPF (2023-07-10) practical posture relaxed in many jurisdictions; entries reflect each DPA's most recent published position, not the 2022 transfer-mechanism wave.

8 · Vendor status overrides (per jurisdiction × vendor)

  • Grey — no specific regulator action against this vendor in this jurisdiction; default lawful basis applies.
  • Green — the regulator has published a position treating this vendor as compliant under documented conditions (e.g., AP Netherlands' exempted-tools list).
  • Amber — vendor is permissible under documented conditions (typically: explicit consent, configuration constraints, hosting requirements, sub-processor disclosure).
  • Red — vendor has been the subject of a published regulator decision restricting, fining, or prohibiting deployment in this jurisdiction within the last 24 months.

Vendor names appearing on this site (Plausible, Fathom, Pirsch, Umami, GoatCounter, Matomo, Meta Pixel, TikTok Pixel, FullStory, MS Clarity, and others) are included as editorial citations to regulator-published guidance, decisions, or public commentary. Their inclusion is reference, not endorsement, and does not represent SetupAnalytics's position on the vendor's overall compliance posture, product quality, or business practices. Eligibility under any classification depends on the specific deployment, hosting topology, configuration, and consent posture — not on the brand itself. Where a classification reflects a published regulator decision, the entry on the relevant /countries/ or /laws/ page links to the primary source.

9 · Penalty interpretation

The Max penalty cell on /laws/ uses one of five formats:

| Format | Example | Meaning |
|---|---|---|
| Absolute € cap | €20M / 4% turnover | The higher of an absolute Euro cap or a percentage of global annual turnover (GDPR / UK GDPR pattern). |
| % of turnover | 2% turnover | Revenue-only cap, no absolute floor (LGPD; PDPA Singapore at 10% turnover follows the same shape). |
| Per-violation flat | $2.5K–$7.5K / violation | Per-incident statutory amount (US state laws). |
| Criminal (individual) | CHF 250K (individual) | Criminal fine against a natural person, not the company (Swiss FADP). |
| Statute silent | | The act itself does not set a penalty; sanctions follow general administrative or sectoral law. |

These are headline maxima, not expected outcomes. Actual fine amounts depend on regulator practice, mitigating factors, sectoral context, and procedural posture. Cross-reference /countries/ for the enforcement posture.

10 · Cookie opt-in classification

The "Cookie opt-in" topic dot on /laws/ "Where it bites" answers a narrow question: does the statute (or a closely-coupled statute) require opt-in consent before non-essential cookies fire?

  • Yes — six regimes in the atlas: GDPR, UK GDPR, ePrivacy Directive (via Member-State implementation), PECR, Quebec Law 25, PIPA Korea.
  • Conditional — sectoral or telecoms-statute coverage rather than a dedicated cookie opt-in clause (e.g., Switzerland's revFADP itself does not mandate cookie opt-in; FMG Article 45c covers telecoms with a transparency model).
  • No — the statute does not require opt-in. CCPA/CPRA's model is opt-out for sale/share; APPI and most APAC regimes likewise.

11 · Conflict-of-interest policy

SetupAnalytics earns nothing from any tool, vendor, regulator, or law firm listed on the site. Specifically:

  • No affiliate links. No referral codes. No paid placements.
  • No sponsored posts. No sponsored newsletter. No sponsored anything.
  • No SaaS subscription, no Pro tier, no email-gated downloads on substantive pages. The only optional subscription surface is a changelog notification list; an email address provided for that purpose is used solely to deliver changelog updates and is not shared with third parties, sold, or used for behavioural profiling.
  • No advertising. No retargeting. No third-party analytics. No third-party fonts loaded from third-party domains. No third-party social-share widgets.
  • No editorial commissioning, drafting, or veto by law firms, compliance vendors, or counsel: the editor performs structured editorial review on high-risk content (see Section 13 for what kind of review is performed and what kind has not been performed). Reviewers, where credited, do not commission, draft, or veto editorial choices, and receive no payment from vendors or law firms in connection with the review.

12 · Dogfooding — verifiable

The site that recommends compliant analytics uses compliant analytics. You can verify this in your browser right now:

  1. Open this page in DevTools → Network → filter by Domain.
  2. You should see only setupanalytics.com requests.
  3. No GA, no GTM, no Facebook Pixel, no LinkedIn, no third-party fonts, no third-party social-share scripts, no chat widgets, no analytics SDKs.

The site is fronted by Cloudflare for availability, caching, and bot protection. Cloudflare may set short-lived security cookies that are strictly necessary for service delivery (for example, to mitigate denial-of-service or to operate Cloudflare's bot-management layer); these are essential and fall outside ePrivacy / CCPA opt-in requirements. Anonymous, aggregated request counts derived from server-side logs are used for availability and capacity planning only; they are not used for behavioural profiling, cross-site tracking, or advertising. The site does not set non-essential cookies, and no consent banner is required for the topics it actually deploys; users in jurisdictions with stricter local rules should evaluate their own posture.
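The DevTools check above can be repeated on a saved Network export (a HAR file) instead of by eye. The following is an added example, not code from this site: it counts requests to any host outside the first-party domain and lists every cookie set in a response, so essential first-party cookies can be told apart from third-party ones. The sample HAR, its hostnames other than setupanalytics.com, and the cookie names are constructed for illustration.

```javascript
// Added example: audit a DevTools HAR export for third-party traffic.
// FIRST_PARTY matches the page; SAMPLE_HAR is constructed for illustration.
const FIRST_PARTY = "setupanalytics.com";

// True only for the first-party domain itself or a real subdomain of it.
function isFirstParty(host, firstParty) {
  const h = host.toLowerCase().replace(/\.$/, "");
  return h === firstParty || h.endsWith("." + firstParty);
}

// Returns request counts per third-party host and every cookie set in a response.
function auditHar(har, firstParty = FIRST_PARTY) {
  const thirdPartyHosts = {};
  const cookies = [];
  for (const entry of har.log.entries) {
    let host = "";
    try {
      host = new URL(entry.request.url).hostname;
    } catch {
      continue; // malformed URL in the export
    }
    if (!host) continue; // data: and blob: URLs never touch the network
    const own = isFirstParty(host, firstParty);
    if (!own) thirdPartyHosts[host] = (thirdPartyHosts[host] || 0) + 1;
    for (const c of (entry.response && entry.response.cookies) || []) {
      cookies.push({ host, name: c.name, firstParty: own });
    }
  }
  return { thirdPartyHosts, cookies };
}

// Constructed sample in HAR 1.2 shape (only the fields the audit reads).
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://setupanalytics.com/" },
    response: { cookies: [{ name: "example_security_cookie" }] } },
  { request: { url: "https://setupanalytics.com/assets/site.css" }, response: { cookies: [] } },
  { request: { url: "data:image/png;base64,AAAA" }, response: { cookies: [] } },
  { request: { url: "https://fonts.example.net/inter.woff2" }, response: { cookies: [] } },
  { request: { url: "https://setupanalytics.com.tracker.example/p.js" },
    response: { cookies: [{ name: "example_tracking_id" }] } },
] } };

const report = auditHar(SAMPLE_HAR);
console.log("third-party hosts:", report.thirdPartyHosts);
console.log("cookies set:", report.cookies);
```

The suffix match requires a leading dot, so a lookalike host such as setupanalytics.com.tracker.example is reported as third-party rather than mistaken for a subdomain.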

13 · Editorial review process

Page-level review credits appear in the reviewer field on each compliance entity. Reviews fall into two layers, and the site distinguishes them honestly:

  • M.K. — editor and primary reviewer. CIPP/E, CIPP/C, CIPP/A. Drafts, sources, and maintains all compliance pages, and signs off every published edit. Editorial accountability rests with the editor.
  • Machine-assisted legal-framing pass — high-risk content (country atlas, law atlas, vendor rationales, statutory penalty entries) is run through a structured machine-assisted review designed to surface legal-framing risk: defamation-adjacent vendor claims, unsupported absolute statements, missing primary-source citations, jurisdictional overreach, or warranty-creep wording. These passes are AI-assisted (LLM-based agents operating under editor-defined prompts) and are not a substitute for counsel admitted in any jurisdiction. They flag candidate issues; the editor decides what changes are made. Recent passes: /countries/ atlas (2026-05-06), /laws/ atlas (2026-05-07), vendor rationales (2026-05-06), 16-law data corpus (2026-05-06).
  • Independent counsel review — where engaged, qualified counsel admitted in the relevant jurisdiction provides written review of specific high-risk content. No content on this site has been the subject of independent counsel review at the time of writing. Where this changes, reviewer initials and the bar admission jurisdiction will be added to the relevant page's credit line, and this section will be updated accordingly.

Where a page lists a credit such as "M.K., CIPP/E + machine-assisted pass", the second token refers to the AI-assisted editorial review described above, not to attorney review. We are deliberate about this distinction because misrepresenting machine-assisted editorial review as attorney review would itself be a legal-framing error, and the site exists in part to discourage that pattern across the analytics-compliance space.

14 · Licence, corrections, and changelog

Licence

All editorial content (text, classifications, datasets, JSON archives) is published under the SetupAnalytics editorial-reference licence: free to copy, adapt, and deploy, on an "as is" basis. The licence carries no warranty of accuracy, completeness, currency, fitness for a particular purpose, or non-infringement; no representation as to the legal effect of any classification or sample; and no establishment of a lawyer-client relationship between the reader and the editor or any reviewer. Reliance on the content is at the reader's own risk. Attribution is welcomed but not required.

Reporting an inaccuracy

Every page has a "Report an inaccuracy" link in the colophon that pre-fills the contact form with the page slug. We aim to acknowledge submissions within 5 business days; complex corrections may take longer where primary-source verification is required. Material corrections are logged and reflected in the next review date.

Changelog

The /changelog/ page tracks material editorial changes — new laws added to the atlas, jurisdiction additions, classification flips, methodology updates. The Last reviewed date on each page reflects the most recent material edit.

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. Pages on this site do not establish a lawyer-client relationship and are not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment, transfer, contract, breach, or regulator interaction.