Compliance
How ConsentStack handles GDPR, 18 US state laws, and privacy regulations across 65+ jurisdictions automatically.
ConsentStack comes with 32 privacy regulations built in, covering 68 jurisdictions worldwide — from GDPR across all 32 covered European countries (EU/EEA, the UK and Switzerland) to 18 US state privacy laws, plus Brazil, Canada, Japan, India, Singapore, Australia, and federal regulations like HIPAA and COPPA. It detects where your visitors are and automatically applies the correct consent rules for their location.
GDPR (European Union, EEA, UK & Switzerland)
The General Data Protection Regulation is the world's most well-known privacy law, and one of the strictest. It requires websites to obtain prior opt-in consent before running any non-essential tracking — meaning scripts like analytics and marketing pixels stay blocked until a visitor actively says yes.
GDPR also requires granular, per-category consent (visitors must be able to accept analytics but reject marketing, for example), a clearly visible reject button, the right to withdraw consent at any time, and documented proof that consent was collected.
ConsentStack satisfies all of this automatically. Visitors in GDPR regions see an opt-in banner with per-category toggles, a prominent "Reject All" button, and a re-entry button so they can change their mind later. Every consent decision is logged with a timestamp for your audit trail.
This applies to visitors from all 32 covered countries: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland, and the United Kingdom.
US State Privacy Laws
The US doesn't have a single federal privacy law. Instead, 18 states have enacted their own. Each has slightly different thresholds and requirements.
The key difference from GDPR: most US state laws use an opt-out model rather than opt-in. Visitors can use your site normally, but must have a clear way to opt out of data sales, targeted advertising, and profiling. California is the notable exception — CPRA requires opt-in consent for certain data types, making it the strictest US state law.
ConsentStack covers all 18 states:
| State | Law | Consent Model | Effective Date |
|---|---|---|---|
| California | CPRA | Opt-in | Jan 2023 |
| Virginia | VCDPA | Opt-out | Jan 2023 |
| Connecticut | CTDPA | Opt-out | Jul 2023 |
| Colorado | CPA | Opt-out | Jul 2023 |
| Utah | UCPA | Opt-out | Dec 2023 |
| Texas | TDPSA | Opt-out | Jul 2024 |
| Oregon | OCPA | Opt-out | Jul 2024 |
| Montana | MCDPA | Opt-out | Oct 2024 |
| Nebraska | NDPA | Opt-out | Jan 2025 |
| Iowa | ICDPA | Opt-out | Jan 2025 |
| New Jersey | NJDPA | Opt-out | Jan 2025 |
| Tennessee | TIPA | Opt-out | Jul 2025 |
| Minnesota | MNCDPA | Opt-out | Jul 2025 |
| Maryland | MODPA | Opt-out | Oct 2025 |
| Rhode Island | RIDTPPA | Opt-out | Jan 2026 |
| Kentucky | KCDPA | Opt-out | Jan 2026 |
| Indiana | INCDPA | Opt-out | — |
| New Hampshire | NHPA | Opt-out | — |
When a visitor arrives from a covered US state, the banner automatically adapts to the correct consent model. You don't need to track which states have passed laws or what each one requires — ConsentStack stays current and applies the right rules.
Other Major Regulations
Beyond GDPR and US state laws, ConsentStack includes regulations from around the world:
| Regulation | Jurisdiction | Consent Model |
|---|---|---|
| LGPD | Brazil | Opt-in |
| PIPEDA | Canada (excl. Quebec) | Opt-out |
| Law 25 | Quebec, Canada | Opt-in |
| APPI | Japan | Opt-out |
| DPDPA | India | Opt-in |
| PDPA | Singapore | Opt-out |
| APP | Australia | Opt-out |
| UK DPA | United Kingdom | Opt-in |
PIPEDA covers 12 Canadian provinces and territories, while Quebec's Law 25 applies separately with stricter opt-in requirements aligned with GDPR.
US Federal Regulations
ConsentStack also includes four US federal regulations that apply based on industry rather than geography:
| Regulation | Sector | Consent Model |
|---|---|---|
| HIPAA | Healthcare | Opt-in |
| COPPA | Children's privacy (under 13) | Opt-in |
| GLBA | Financial services | Opt-out |
| FISMA | Federal agencies | Opt-in |
These are available in the regulation library for organizations in regulated industries that need to layer sector-specific requirements on top of geographic consent rules.
Default Region
Not every country has a specific privacy law. For visitors from countries without one, ConsentStack shows a notice-only banner. This informs visitors about your use of cookies and tracking without requiring them to take action. It's a respectful, transparent approach that keeps your site compliant by default.
Geo-Detection
ConsentStack detects visitor location at the network edge using IP-based geolocation. No GPS, no third-party tracking services — just fast, private location detection that happens before the page loads.
If you prefer to show the same experience to all visitors regardless of location, you can disable geo-detection in your config. When disabled, every visitor sees your default region's consent model.
Proof of Consent
Privacy regulations don't just require you to collect consent — they require you to prove you collected it. If a regulator or auditor asks, you need records showing what each visitor consented to, when, and what version of your consent configuration was active at the time.
ConsentStack logs every consent decision automatically. Each log entry includes the visitor's anonymized ID (cryptographically hashed — no personal data stored), their consent choices per category, the timestamp, and the config version.
You can review consent activity in the Activity & Insights section of your dashboard. Data retention varies by plan — check your plan details for specifics.
What's Next
- Getting started — add ConsentStack to your site in under five minutes
- Banner & Preferences — customize what visitors see
- Dashboard overview — manage sites, review logs, and configure consent