Jurisdictions

Every visitor's region is detected at page load via Geo-IP. SmartConsent then selects the strictest regulation that applies and renders a banner that satisfies it. When multiple regulations apply (e.g. a UK visitor covered by UK GDPR + PECR), strictest-wins resolves the conflict.

• Applies to: All UK visitors. UK GDPR sits alongside PECR, which covers cookie-specific rules.
• Consent model: Opt-in. Consent must be given before non-essential cookies are set.
• Button equality: Accept and Reject must be equally prominent (ICO guidance).
• Expiry: SmartConsent applies a 13-month re-prompt by default, in line with ICO best-practice guidance.
• Enforcement: Information Commissioner's Office (ICO). Fines up to £17.5M or 4% of global turnover (whichever is higher).
• Record of consent: Required. Use webhookUrl to persist signed records.

• Applies to: All 27 EU member states plus Norway, Iceland, and Liechtenstein (EEA). Switzerland's FADP operates on similar principles and is handled by the same profile.
• Consent model: Opt-in. No pre-ticked boxes. No implied consent.
• Button equality: Accept and Reject must be equally prominent (CNIL + EDPB guidance).
• Expiry: Consent expires after 12 months. SmartConsent re-prompts automatically.
• Enforcement: National DPAs (CNIL in France, BfDI in Germany, DPC in Ireland, etc.). Fines up to €20M or 4% of global turnover.
• Record of consent: Required (GDPR Article 7). Use webhookUrl to persist signed records.

• Applies to: All personal data processing in India, effective 2025.
• Consent model: Opt-in. Explicit, informed, specific consent required.
• Notice: Banner must link to a privacy notice in the visitor's chosen language.
• Children: Tracking of under-18s is prohibited without verifiable parental consent.
• Enforcement: Data Protection Board of India. Fines up to ₹250 crore per contravention.

• Applies to: Brazilian residents.
• Consent model: Opt-in. One of several legal bases — SmartConsent defaults to consent for analytics/marketing.
• Granularity: Visitor must be able to consent to specific purposes independently.
• Enforcement: Autoridade Nacional de Proteção de Dados (ANPD). Fines up to 2% of Brazilian revenue, capped at R$50M per infraction.

• Applies to: All processing of personal information in South Africa.
• Consent model: Opt-in, with narrow legitimate-interest carve-outs.
• Notice: Purpose must be specific, explicit, and legitimate.
• Enforcement: Information Regulator. Fines up to R10M per contravention, plus criminal liability for operators.

• Applies to: PIPEDA covers federally regulated businesses across Canada. Quebec's Law 25 applies in addition to any organisation processing Quebec residents' data.
• Consent model: PIPEDA — opt-out for most cookies, opt-in for sensitive data. Law 25 (Quebec) — opt-in across the board, closer to GDPR.
• Enforcement: Office of the Privacy Commissioner (federal). Commission d'accès à l'information (Quebec).
• Fines: Law 25 imposes penalties up to C$25M or 4% of global turnover, whichever is higher.

• Applies to: Organisations processing personal data of individuals in Singapore.
• Consent model: Opt-in. Consent must be informed and freely given.
• Do Not Call register: Marketing cookies interact with Singapore's DNC regime — SmartConsent honours user signals automatically.
• Enforcement: Personal Data Protection Commission (PDPC). Fines up to S$1,000,000 per breach, or 10% of annual turnover for organisations above S$10M revenue.

• Applies to: Processing of personal data of individuals in Thailand.
• Consent model: Opt-in. GDPR-style — clear, separate, withdrawable at any time.
• Notice: Banner must disclose purposes, data controller identity, and retention period.
• Enforcement: Personal Data Protection Committee (PDPC). Administrative fines up to ฿5,000,000 plus potential criminal liability.

• Applies to: California residents. Threshold-based — see CPPA guidance for applicability to your business.
• Consent model: Opt-out. Cookies may be set by default, but visitors must be able to opt out easily.
• Sale & Share: 'Do Not Sell or Share My Personal Information' link required.
• GPC: navigator.globalPrivacyControl is honoured as a valid opt-out signal.
• Enforcement: California Privacy Protection Agency (CPPA) + Attorney General. Fines up to $7,500 per intentional violation, $2,500 per unintentional.

Beyond California, 19+ US states have passed or enacted comprehensive privacy laws since 2020. SmartConsent detects the visitor's state from Geo-IP and applies the correct profile. All honour opt-out signals including the Global Privacy Control (GPC) header.

• VCDPA — Virginia. Opt-out. GPC honoured.
• CPA — Colorado. Opt-out. GPC honoured.
• CTDPA — Connecticut. Opt-out. GPC honoured.
• UCPA — Utah. Opt-out. Narrower scope than its peers.
• TDPSA — Texas (effective 2024). Opt-out. GPC honoured.
• OCPA — Oregon (effective 2024). Opt-out. GPC honoured.
• DPDPA — Delaware (effective 2025). Opt-out. Sensitive-data opt-in.
• MCDPA — Montana (effective 2024). Opt-out. GPC honoured.

• Applies to: Visitors whose jurisdiction cannot be determined, or who sit outside every covered regulation.
• Consent model: Opt-in. SmartConsent defaults to GDPR-equivalent behaviour — the strictest common denominator.
• Rationale: Failing safe. If Geo-IP misdetects a visitor's country, defaulting to opt-in keeps you compliant in every jurisdiction we cover.