Privacy Laws: European Union (EU)

General Data Protection Regulation

GDPR

The EU's comprehensive data protection regulation (Regulation (EU) 2016/679) and the model for many later privacy laws. Applies to organisations established in the EU, and to any organisation outside the EU that offers goods or services to people in the EU or monitors their behaviour there, regardless of where the organisation is located (Article 3). Requires a lawful basis for every processing activity (consent is one of six such bases, not a universal requirement), imposes accountability obligations on controllers and processors, and grants extensive rights to data subjects.

Effective Date
2018-05-25
Enforcement
National Data Protection Authorities (DPAs), coordinated by the European Data Protection Board (EDPB)
Consumer Threshold
No threshold
Revenue Threshold
No threshold

Key Requirements

Lawful basis for each processing activity: consent, contract, legal obligation, vital interests, public task, or legitimate interests (Article 6)
Where consent is the basis, it must be freely given, specific, informed and unambiguous, given by a clear affirmative act (Article 4(11), Article 7); explicit consent is required for special-category data (Article 9)
Right of access to personal data (Subject Access Request, Article 15)
Right to rectification of inaccurate data (Article 16)
Right to erasure ('right to be forgotten', Article 17)
Right to data portability (Article 20)
Right to restrict processing (Article 18)
Right to object to processing, including an absolute right to object to direct marketing (Article 21)
Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 35)
Data Protection Officer (DPO) appointment when required (Article 37)
Breach notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach (Article 33); notification to affected individuals when the breach is likely to result in a high risk to them (Article 34)
Data protection by design and by default (Article 25)
Records of processing activities (Article 30)
Cross-border data transfer safeguards: adequacy decisions, Standard Contractual Clauses (SCCs), Binding Corporate Rules (Chapter V)
Clear cookie consent: opt-in, no pre-checked boxes. The requirement to obtain consent before storing or reading non-essential cookies comes from the ePrivacy Directive (2002/58/EC, Article 5(3)); GDPR supplies the standard that consent must meet

Penalties

Up to 4% of annual global turnover or €20 million, whichever is greater, for the most serious violations (e.g. breaches of the processing principles, data subject rights, or transfer rules). Up to 2% or €10 million, whichever is greater, for lesser violations such as breaches of controller and processor obligations (Article 83).

Cure Period

None. DPAs have a range of corrective powers short of fines, including warnings, reprimands and orders to bring processing into compliance (Article 58), and may use these before or instead of a fine.

E-commerce Relevance

Applies if you sell to people in the EU or monitor their behaviour (for example, analytics or advertising tracking of EU visitors), regardless of where your business is located. Cookie consent must be opt-in: no pre-checked boxes, and non-essential cookies and tags must not be set or fire until consent is given. Consent must be as easy to withdraw as to give (Article 7(3)), so a persistent "manage cookies" control is expected, not only a one-time banner. Separately from the regulation itself, Google's EU user consent policy requires sites to pass consent signals (Google Consent Mode v2) to use Google Ads measurement and personalisation features for users in the European Economic Area; that is a Google policy requirement layered on top of the legal one.