The registry
All jurisdictions
Every entry covers the same ground: cookie consent, DPO thresholds, breach deadlines, fines, data subject rights, and the tools that handle them — so you can compare like with like.
European Union (13)
-
Austria
Austria is the home of Max Schrems and noyb — the DSB's Google Analytics ruling triggered the EU-wide transfer crisis. Expect sophisticated, activist-driven complaints here, especially about US tools and consent dark patterns.
Breach: 72 hours · Cookies: opt-in
-
Belgium
Belgium's APD reshaped adtech for the whole EU by ruling the IAB's TCF consent framework unlawful as designed. If your revenue touches programmatic advertising, Belgian decisions define your consent-string obligations.
Breach: 72 hours · Cookies: opt-in
-
Denmark
Denmark routes GDPR fines through criminal courts, so penalties are rarer but investigations are thorough — Datatilsynet banned Google Workspace in Helsingør schools over transfer risks. Documentation quality is the Danish currency of compliance.
Breach: 72 hours · Cookies: opt-in
-
Finland
Finland enforces through a collegial sanctions board and focuses on employee monitoring — its Working Life Privacy Act is the strictest workplace data law in the EU. HR tech and employer tools face Finland-specific rules.
Breach: 72 hours · Cookies: opt-in
-
France
France's CNIL is Europe's most aggressive cookie enforcer, fining Google and Meta hundreds of millions under national ePrivacy rules it can apply directly to foreign companies — no lead-authority shield. Get your banner right first.
Breach: 72 hours · Cookies: opt-in
-
Germany
Germany applies GDPR with stricter national add-ons: a DPO is mandatory from just 20 employees handling personal data, and 17 separate regulators enforce actively. Assume the strictest reading of every rule applies here.
Breach: 72 hours · Cookies: opt-in
-
Ireland
Ireland is lead authority for most US tech giants' EU operations, so DPC decisions (Meta's €1.2B transfer fine) set the rules everyone else follows. If you incorporate your EU entity here, the DPC becomes your one-stop-shop regulator.
Breach: 72 hours · Cookies: opt-in
-
Italy
Italy's Garante is the EU regulator most willing to act fast against technology itself — it temporarily banned ChatGPT in 2023 and fines telemarketing abuses heavily. AI products and outbound sales deserve extra care here.
Breach: 72 hours · Cookies: opt-in
-
Netherlands
The Dutch AP focuses on late breach notifications, unlawful cookie walls, and algorithmic harms — it fined Booking.com for reporting a breach 22 days late. Treat the 72-hour clock as a hard engineering deadline here.
Breach: 72 hours · Cookies: opt-in
-
Poland
Poland's UODO enforces the fundamentals — its landmark Morele.net fine was about weak security and its Fortum decision about unverified processors. Solid technical security and vendor oversight matter more here than paperwork polish.
Breach: 72 hours · Cookies: opt-in
-
Portugal
Portugal's CNPD is small but decisive — it issued one of the first GDPR fines ever (a hospital, in 2018) and suspended a national census over US transfer risks. Access controls and transfer paperwork get you through here.
Breach: 72 hours · Cookies: opt-in
-
Spain
Spain's AEPD issues more GDPR fines than any other EU regulator — mostly small-to-mid penalties against ordinary businesses, not big tech. Spain is where average companies actually get fined, so the basics matter most here.
Breach: 72 hours · Cookies: opt-in
-
Sweden
Sweden's IMY made data subject rights expensive to ignore — it fined Spotify SEK 58M over incomplete access-request responses. Build a real export flow, not a policy paragraph, before scaling in Sweden.
Breach: 72 hours · Cookies: opt-in
United Kingdom (1)
United States (2)
-
California (USA)
California flips the GDPR model: processing is allowed by default and users opt out rather than in — but 'sale/share' is defined so broadly that running ad pixels triggers it. The 'Do Not Sell' link is your first obligation.
Breach: Without unreasonable delay · Cookies: no banner
-
Virginia (USA)
Virginia wrote the template most other US states copied: opt-out rights, opt-in for sensitive data, mandatory data protection assessments, and a 30-day cure period. Comply here and you're close to compliant in a dozen states.
Breach: Without unreasonable delay · Cookies: no banner