18 jurisdictions · reviewed June 2026 · no legalese
Privacy law changes at every border. Your checklist should too.
GDPR by Law maps what each country actually requires — cookie consent, DPO thresholds, breach deadlines, fines — in language written for people who ship software, not for lawyers.
The registry, side by side
The five facts founders ask about most, across every jurisdiction we track. Click any row for the full entry.
| Jurisdiction | Cookie consent | DPO | DPA required | Breach deadline | Max fine |
|---|---|---|---|---|---|
| Australia | Opt-out / notice | recommended | No | 30 days to assess; notify ASAP | The greater of AUD 50,000,000, 3× the benefit obtained, or 30% of adjusted turnover in the breach period |
| Austria | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Belgium | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| California (USA) | Opt-out / notice | not required | Yes | Without unreasonable delay | $2,500 per violation, $7,500 per intentional violation or violation involving minors — per consumer, uncapped in aggregate |
| Canada | Opt-out / notice | mandatory | Yes | As soon as feasible | PIPEDA: up to CAD 100,000 per knowing violation of specific provisions. Quebec Law 25: up to CAD 25M or 4% of worldwide turnover |
| Denmark | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher — imposed via criminal courts |
| Finland | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher — imposed by a three-member sanctions board |
| France | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Germany | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Ireland | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Italy | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Netherlands | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Poland | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Portugal | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Spain | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| Sweden | Opt-in | conditional | Yes | 72 hours | €20,000,000 or 4% of global annual revenue, whichever is higher |
| United Kingdom | Opt-in | conditional | Yes | 72 hours | £17,500,000 or 4% of global annual revenue, whichever is higher |
| Virginia (USA) | Opt-out / notice | not required | Yes | Without unreasonable delay | $7,500 per violation after an uncured 30-day cure period |
Start where you stand
The first four moves that matter, by role. Do these before buying any tool.
Founder
“I run a small online business”
- 01 Publish a privacy policy naming what you collect and why
- 02 Add a cookie banner with a real reject button for EU/UK traffic
- 03 Sign DPAs with your hosting, analytics, and email vendors
- 04 Write a one-page breach runbook — the 72-hour clock is real
SaaS builder
“I ship a product with user accounts”
- 01 Build data export (JSON/CSV) — it satisfies access and portability at once
- 02 Build account deletion that reaches backups and processors
- 03 Offer a DPA to your own customers; they will ask within weeks
- 04 Map which vendors move data outside the EU and note the transfer basis
Agency
“I build sites and campaigns for clients”
- 01 Default every client build to a consent management platform
- 02 Block marketing tags until consent — regulators scan for this
- 03 Keep a per-client record of processors and consent configurations
- 04 Check each client market below: cookie rules differ by country
Guides & case studies
All posts →-
16 June 2026
The GDPR Compliance Checklist for SaaS Founders (Build Order Included)
Fourteen tasks, ordered by risk-per-hour: what to build first, what to document, and what can wait until you have customers asking. Written for founders doing compliance without a lawyer.
-
9 June 2026
Meta Was Fined €1.2 Billion for Data Transfers. Here Is What It Means for Your US Vendors
The largest GDPR fine in history was not about a breach or dark patterns — it was about where data physically flows. A case study in transfer compliance for teams using US SaaS tools.
-
2 June 2026
Why Your Shopify Store Needs a DPA (and Where to Get One in 10 Minutes)
Every app in your Shopify stack processes customer data on your behalf — which makes you legally responsible for it. Here is what a Data Processing Agreement covers and how to close the gap fast.
Free download
Get the privacy audit checklist
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.