Outbound scope

EU company, global users: what else can apply?

Incorporation in the EU does not end the analysis. Other countries can attach rules when you target their users, collect local data, sell into their market, use local infrastructure, or enter regulated sectors.

Baseline first

An EU-established company still starts with EU obligations. This page is the second layer for countries outside Europe, not a replacement for EU compliance.

Review EU scope first

Market entry

Users, customers, ads, app stores, marketplaces, and local sales can create local regulatory scope.

Data location

Personal data, sensitive data, children's data, and cross-border transfers are the fastest global triggers.

Sector overlay

Health, finance, children, AI, connected products, and critical services add rules on top of general privacy law.

Country and region trigger map

Filter by product risk, then scan the local trigger, first authority, and how often this appears for EU SaaS teams.

North America

2 markets

United States

Outbound market

EU SaaS: Often
Official guidance

Trigger

US users, customers, patients, children, financial customers, consumer data, or state privacy thresholds.

Watch first

FTC privacy/security enforcement, COPPA, GLBA Safeguards, HIPAA where healthcare data is involved, CCPA/CPRA and other state privacy laws.

FTC business guidance

Canada

Outbound market

EU SaaS: Often
Official guidance

Trigger

Commercial activity involving Canadian individuals, electronic marketing, or Canadian customer data.

Watch first

PIPEDA, provincial privacy laws where applicable, and CASL for commercial electronic messages and installation of computer programs.

OPC PIPEDA hub

UK / Commonwealth

3 markets

United Kingdom

Outbound market

EU SaaS: Common
Official guidance

Trigger

UK users, UK monitoring/targeting, UK cookies, online services, or consumer connected products sold into the UK.

Watch first

UK GDPR, Data Protection Act, PECR cookies/marketing, Online Safety Act duties, and UK PSTI connected-product security.

ICO UK GDPR guidance

Australia

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Carrying on business in Australia, Australian customers, Australian personal information, or covered consumer/data products.

Watch first

Privacy Act and Australian Privacy Principles, notifiable data breaches, direct marketing, and sector-specific consumer data rules.

OAIC Privacy Act

New Zealand

Outbound market

EU SaaS: Sometimes
Official guidance

Trigger

New Zealand users, personal information held by agencies, overseas disclosure, or local customer/support operations.

Watch first

Privacy Act 2020 information privacy principles, access/correction rights, overseas disclosure, privacy breach notification, and sector codes.

NZ Privacy Act

Latin America

2 markets

Brazil

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Processing personal data in Brazil, offering goods or services to people in Brazil, or processing data collected in Brazil.

Watch first

LGPD controller/processor duties, legal basis, data subject rights, international transfer rules, security incidents, and ANPD guidance.

ANPD official site

Mexico

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Collecting Mexican personal data, contracting with Mexican customers, running local campaigns, or transferring personal data involving Mexico.

Watch first

LFPDPPP privacy notices, ARCO rights, consent, sensitive data, processor terms, and transfer rules.

INAI Mexico

APAC

5 markets

India

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Digital personal data connected to individuals in India or offering goods/services to data principals in India.

Watch first

Digital Personal Data Protection Act implementation, consent/notice, data fiduciary duties, children, breach notices, and transfer rules.

MeitY data protection framework

Singapore

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Collecting, using, or disclosing personal data in Singapore, sending marketing, or running regional customer operations.

Watch first

PDPA consent, notification, purpose limitation, protection, retention, transfer limitation, breach notification, and DNC rules.

PDPC PDPA legislation

Japan

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Handling personal information of people in Japan, operating Japanese services, or transferring personal data across borders.

Watch first

APPI personal information handling duties, data subject rights, security controls, third-party transfers, and cross-border transfer notices.

PPC Japan legal resources

China

Outbound market

EU SaaS: Sector-specific
Official legal text

Trigger

Providing products or services to individuals in China, analyzing behavior of individuals in China, or handling important data.

Watch first

PIPL personal information rules, cross-border transfer mechanisms, consent, localization/security assessment questions, and cybersecurity rules.

NPC PIPL text

South Korea

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Handling personal information in Korean services, targeting people in Korea, or using Korean vendors and processors.

Watch first

PIPA consent/notice, pseudonymized information, breach reporting, cross-border transfer requirements, AI privacy guidance, and PIPC decisions.

PIPC Korea

Africa

1 market

South Africa

Outbound market

EU SaaS: Sometimes
Official authority

Trigger

Processing personal information in South Africa, targeting South African customers, direct marketing, or using local operators.

Watch first

POPIA lawful processing conditions, information officer duties, direct marketing rules, security safeguards, and data-subject rights.

Information Regulator POPIA

Sector overlays

Health products

A wellness app can become healthcare compliance work when it touches providers, insurers, patients, regulated health records, or medical-device claims.

HIPAA, FDA, UK MHRA, EU MDR, local health privacy rules.

Financial products

Payments, lending, investment, insurance, crypto, customer-information systems, and bank vendor work can trigger financial-sector security and conduct rules.

GLBA Safeguards, SEC/FINRA, FCA, DORA customer flow-downs, MAS, ASIC.

Children and teens

Child-directed products, age-aware design, education tools, and teen social features often trigger stricter consent, profiling, advertising, and safety duties.

COPPA, UK Children's Code, state age-appropriate design laws, platform safety rules.

AI and automated decisions

The EU AI Act is only one layer. Non-EU AI rules can attach through consumer protection, privacy, employment, credit, health, safety, and sector regulators.

FTC AI enforcement, US state AI rules, Canada AIDA watch, China algorithm rules.

Connected products

Hardware, firmware, mobile companion apps, update channels, and cloud features can trigger product security and product-liability rules outside the EU.

UK PSTI, US IoT security procurement rules, Australia cyber guidance, Japan product safety.

This page is an orientation map, not legal advice. A real launch review should check local thresholds, sector classification, processor/controller roles, consumer terms, tax/permanent-establishment questions, sanctions/export controls, and app-store or marketplace rules.