Skip to content
GDPR by Law

18 jurisdictions · reviewed June 2026 · no legalese

Privacy law changes at every border. Your checklist should too.

GDPR by Law maps what each country actually requires — cookie consent, DPO thresholds, breach deadlines, fines — in language written for people who ship software, not for lawyers.

The registry, side by side

The five facts founders ask about most, across every jurisdiction we track. Click any row for the full entry.

Jurisdiction Cookie consent DPO DPA required Breach deadline Max fine
Australia Opt-out / notice recommended No 30 days to assess; notify ASAP The greater of AUD 50,000,000, 3× the benefit obtained, or 30% of adjusted turnover in the breach period
Austria Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Belgium Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
California (USA) Opt-out / notice not required Yes Without unreasonable delay $2,500 per violation, $7,500 per intentional violation or violation involving minors — per consumer, uncapped in aggregate
Canada Opt-out / notice mandatory Yes As soon as feasible PIPEDA: up to CAD 100,000 per knowing violation of specific provisions. Quebec Law 25: up to CAD 25M or 4% of worldwide turnover
Denmark Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher — imposed via criminal courts
Finland Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher — imposed by a three-member sanctions board
France Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Germany Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Ireland Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Italy Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Netherlands Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Poland Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Portugal Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Spain Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
Sweden Opt-in conditional Yes 72 hours €20,000,000 or 4% of global annual revenue, whichever is higher
United Kingdom Opt-in conditional Yes 72 hours £17,500,000 or 4% of global annual revenue, whichever is higher
Virginia (USA) Opt-out / notice not required Yes Without unreasonable delay $7,500 per violation after an uncured 30-day cure period

Start where you stand

The first four moves that matter, by role. Do these before buying any tool.

Founder

“I run a small online business”

  1. 01 Publish a privacy policy naming what you collect and why
  2. 02 Add a cookie banner with a real reject button for EU/UK traffic
  3. 03 Sign DPAs with your hosting, analytics, and email vendors
  4. 04 Write a one-page breach runbook — the 72-hour clock is real

SaaS builder

“I ship a product with user accounts”

  1. 01 Build data export (JSON/CSV) — it satisfies access and portability at once
  2. 02 Build account deletion that reaches backups and processors
  3. 03 Offer a DPA to your own customers; they will ask within weeks
  4. 04 Map which vendors move data outside the EU and note the transfer basis

Agency

“I build sites and campaigns for clients”

  1. 01 Default every client build to a consent management platform
  2. 02 Block marketing tags until consent — regulators scan for this
  3. 03 Keep a per-client record of processors and consent configurations
  4. 04 Check each client market below: cookie rules differ by country

Guides & case studies

All posts →

Free download

Get the privacy audit checklist

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.