Reference

Operational topics — what the work actually looks like

Compliance tasks framed the way an analytics engineer or privacy lead actually meets them — banner rollout, DSAR triage, transfer review, cookieless migration. Each card cross-links to the relevant statutes (/laws/) and enforcement posture by jurisdiction (/countries/).

Editorial research — not legal advice

Topic dossiers

Each card cross-links to the relevant laws, the most-affected jurisdictions, required artefacts, and the most recent material change.

Documents

Privacy policy requirements

The near-universal artefact: every privacy regime tracked in this atlas calls for some form of disclosure to data subjects about who you are, what you collect, why, with whom you share, how long you keep it, and the rights available. Specific contents and form vary by statute.

Applies under: GDPR, UK GDPR, LGPD, CCPA/CPRA, +10
Recent change · DPDPA India draft rules published — privacy-notice obligations and consent-architecture standards (consultation through 2025-02-18)

Rights

Data Subject Access Requests (DSAR)

Data subjects request a copy of their personal data and exercise other statutory rights. Most regimes set a defined response window; identity verification, exemptions and fee rules vary.

Applies under: GDPR, UK GDPR, CCPA/CPRA, VCDPA, +10
Related: Privacy policy
Recent change · DPDPA India draft rules published — codifies access / correction / erasure rights with prescribed procedures (consultation through 2025-02-18)

Transfers · Sep 2025

International data transfers

Most regimes permit moving personal data outside their territorial scope only through a recognised transfer mechanism — typically an adequacy decision, contractual safeguards (SCCs / equivalents), binding corporate rules, or a narrow set of derogations. Specific mechanisms and conditions vary by statute.

Applies under: GDPR, UK GDPR, Swiss FADP, LGPD, +7
Related: Privacy policy
Recent change · EU General Court upholds EU-US Data Privacy Framework in T-553/23 (Latombe v Commission) — adequacy stands; CJEU appeal C-703/25 P pending

Tools

Google certified CMP requirement

Google's contractual requirement that publishers and advertisers using Google ad products in EEA / UK / Switzerland deploy a CMP from Google's certified list — separate from any statutory consent obligation.

Most-affected: Germany, France, Italy, Ireland, UK, +1
Recent change · Google's Certified-CMP requirement begins for publishers/advertisers in EEA and UK using AdSense / Ad Manager / AdMob (Switzerland-phase added 2024-07-31)

Tracking · Sep 2025

Analytics without cookies

Cookieless / first-party-only analytics that some regulators have, in published guidance, treated as falling outside the cookie-banner trigger in narrow circumstances. Whether a given deployment qualifies depends on tool, hosting, configuration, and the specific DPA's stance — not a blanket rule.

Applies under: ePrivacy, GDPR, UK GDPR
Recent change · EU General Court upheld the EU-US DPF in T-553/23 (Latombe v Commission) — in our editorial reading, this does not by itself resolve the US-hosted cookieless-analytics question; per-DPA exempted-tool guidance continues to drive the practical analysis

Week of Jun 19, 2026

Notes from the desk

Editorial reading as of 2026-05-07 — not legal advice. Two of the topics on this page are not statutory in origin. Google Consent Mode v2 and the Certified-CMP requirement operate as Google contractual policy obligations layered on top of GDPR / ePrivacy consent — the underlying consent regime is statutory, but the Google signal protocol and CMP-certification step are not themselves written into the law. They do not replace statutory consent, and dropping the Google ad stack does not make a statutory opt-in obligation go away. We surface them as topics because they regularly come up in compliance reviews.

Editorial reading as of 2026-05-06 — not legal advice. The cookieless-analytics exception is narrower than vendor marketing tends to suggest. Public guidance from the DSK (Germany) and AP (Netherlands) has discussed specific configurations — typically first-party-hosted with IP truncation — as falling outside the consent trigger; the CNIL (France) maintains a published list of measurement tools it has discussed as exempt under conditions; the Garante (Italy) has historically taken a more cautious posture. Stances evolve — verify each DPA's current published position before relying on it. Hosting jurisdiction can matter as much as the tool itself, particularly after the 2023 DPF and the 2024–25 Schrems-style scrutiny. Don't project one DPA's stance onto another.

Editorial reading as of 2026-05-05 — not legal advice. DSAR response windows look uniform until you read the fine print: under the GDPR the clock typically starts from receipt and runs one calendar month, with a defined extension; the CCPA generally references a 45-day clock with an extension on notice; the LGPD references 15 days from receipt; PIPA Korea references 10 days; APPI uses 'without undue delay'. We generally see compliance teams calibrate their DSAR procedure to the strictest applicable clock for the jurisdictions they cover, rather than to a weighted average — but the right answer for any specific deployment is a question for qualified counsel.

How we organise this · Methodology

Topics, not statutes. Editorial reading as of 2026-05-04; not legal advice. This page maps day-to-day compliance tasks (banner rollout, DSAR triage, transfer review) to the regimes that govern them — but the statutory ground truth lives on /laws/. For enforcement posture, see /countries/.

"Applies under" pills. Each card lists laws that, in our editorial reading, materially touch the topic. A tinted (yellow) pill flags partial / conditional scope — the relevant statute may engage the topic indirectly, only in certain configurations, or via a sectoral overlay. Click through for the scope discussion on the law's page; ground truth lives in the statute itself.

"Most-affected" jurisdictions. The 3–6 markets where, in our editorial reading of publicly available materials, regulators have published guidance, opened investigations, or issued decisions touching this topic. Not a comprehensive enforcement tracker; not exhaustive. Your specific facts may engage other DPAs.

"Recent change" badge. One editorially-selected material change in the last 12 months. Signed M.K. — not a legal-update feed; not a comprehensive log.

Two topics that are not statutory in origin. Google Consent Mode v2 and the Certified-CMP requirement appear here because they regularly surface in compliance reviews alongside statutory consent. They operate as Google contractual policy obligations layered on top of GDPR / ePrivacy consent — the underlying consent regime is statutory; the Google signal protocol and CMP-certification step are not themselves written into the statutes.

Editorial research, not legal advice. SetupAnalytics is a free, ad-free public utility maintained by independent editors. These pages do not establish a lawyer-client relationship and are not warranted for accuracy or currency. Consult qualified counsel admitted in the relevant jurisdiction for any specific deployment, transfer, or contract.