Skip to content

Where do Consent laws apply?

Countries or regions which have data privacy laws continue to grow every year, however, as of last writing, processing of personal data requires consent in the following countries and regions:

  • EEA (European Economic Area): includes European Union countries, as well as Iceland, Liechtenstein and Norway.
  • United Kingdom
  • United States of America (USA): California, Colorado, Connecticut, Utah and Virginia
  • Canada and Quebec
  • South Africa
  • Brazil
  • India
  • China

In short, for most organizations doing business on the internet, it is likely that you operate in at least one location where consent must be collected and managed on behalf of visitors and customers. What is meant by lawful basis for processing? In the world of data privacy compliance, an organization must have a reason, or lawful grounds for processing personal data.

The reasons, or grounds for which you can process personal data vary for laws around the world, however, common bases for processing data include:

  • Consent: the individual has given clear consent for processing their personal data
  • Contract: the processing of data is necessary for a contract you have with the individual
  • Legal obligation: the processing of data is necessary for you to comply with the law
  • Vital interest: the processing of data is necessary to protect someone’s life
  • Public task : the processing of data is necessary for you to complete a function in the public interest
  • Legitimate interest: the processing of data is necessary and expected in the provision of your service; meaning something an individual would reasonably expect your product or service to perform and necessary to provide your service

For the purpose of this guide, we’ll only delve further into consent and legitimate interest.