Regional privacy notes

GDPR, UK GDPR, and US state laws — a plain-English field guide.

Operational

eventabee’s defaults are set to reasonable, current regulatory practice. This guide exists so you understand why those defaults exist — and what to adjust if your brand’s circumstances differ. This is not legal advice.

European Economic Area (EEA), UK, Switzerland

Mode: opt-in (default).

  • GDPR (EU) and UK GDPR require affirmative consent before any non-essential data processing.
  • Consent must be freely given, specific, informed, and unambiguous.
  • Cookie walls (no access without consent) are generally not permitted.
  • Visitors must be able to withdraw consent as easily as they gave it — eventabee’s “Cookie preferences” link handles this.

California (CCPA / CPRA)

Mode: opt-out (default).

  • Under the CPRA (in effect since Jan 2023), businesses must let California residents opt out of “sale” and “sharing” of personal information. Targeted advertising typically counts as sharing.
  • Global Privacy Control (GPC) signals must be honored — eventabee respects GPC automatically.
  • A “Do Not Sell or Share My Personal Information” link is required; the banner provides this.

Other US states with opt-out laws

As of April 2026, the following states have opt-out consumer privacy laws in effect:

  • California (CPRA)
  • Colorado (CPA)
  • Connecticut (CTDPA)
  • Virginia (VCDPA)
  • Utah (UCPA)
  • Texas (TDPSA)
  • Oregon (OCPA)
  • Montana (MCDPA)
  • Iowa (ICDPA)
  • Indiana (INCDPA)
  • Tennessee (TIPA)
  • Delaware (DPDPA)
  • New Jersey (NJDPA)
  • New Hampshire (NHPA)
  • Kentucky (KCDPA)
  • Minnesota (MCDPA)
  • Maryland (MODPA)
  • Rhode Island (RIDTPA)
  • Nebraska (NDPA)

eventabee applies opt-out mode to all of these by default. Several more states have laws taking effect in 2026–2027; we update the mapping as effective dates arrive.

Rest of world

Mode: implied consent (default).

Many countries have less prescriptive rules, and implied consent (disclosure + the ability to opt out) is accepted. If you serve a specific country with stricter rules (Brazil LGPD, Canada PIPEDA, Singapore PDPA, Japan APPI), we recommend switching that region to opt-out or opt-in.

Data Subject Requests (DSRs)

When a visitor asks for access or deletion of their data:

  • eventabee exposes a per-visitor purge endpoint in the dashboard at Privacy → Purge visitor.
  • You provide the visitor ID or their email (if a customer). The endpoint removes events tied to that identity from the event store and issues erasure requests to destinations that support them (Meta, Google, and others expose erasure APIs).
  • Shopify also has its own GDPR webhooks (customers/data_request, customers/redact, shop/redact). eventabee handles these automatically on your behalf — incoming customers/redact triggers a purge.
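
How a receiver for these Shopify webhooks can authenticate a delivery before acting on it, as an added example (not eventabee's code): Shopify signs each webhook with a base64 HMAC-SHA256 of the raw request body, sent in the `X-Shopify-Hmac-Sha256` header, so a purge should only run after that check passes. The `purge` callback, the function names, and the status codes chosen here are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json

# Shopify's three privacy webhook topics, as named in the list above.
PRIVACY_TOPICS = {"customers/data_request", "customers/redact", "shop/redact"}


def verify_shopify_hmac(raw_body: bytes, header_hmac: str, secret: bytes) -> bool:
    """Check X-Shopify-Hmac-Sha256 == base64(HMAC-SHA256(secret, raw body))."""
    digest = hmac.new(secret, raw_body, hashlib.sha256).digest()
    expected = base64.b64encode(digest)
    # Constant-time comparison on bytes, so malformed header text cannot raise.
    return hmac.compare_digest(expected, header_hmac.encode("utf-8", "replace"))


def handle_privacy_webhook(headers: dict, raw_body: bytes, secret: bytes, purge) -> int:
    """Return an HTTP status. purge(shop_domain, customer) is a hypothetical
    callback, invoked only for an authenticated customers/redact delivery."""
    h = {k.lower(): v for k, v in headers.items()}
    # Verify the signature over the raw bytes before parsing anything.
    if not verify_shopify_hmac(raw_body, h.get("x-shopify-hmac-sha256", ""), secret):
        return 401  # unauthenticated delivery: never purge
    topic = h.get("x-shopify-topic", "")
    if topic not in PRIVACY_TOPICS:
        return 400  # signed, but not a privacy topic this handler serves
    try:
        payload = json.loads(raw_body)
        if topic == "customers/redact":
            purge(payload["shop_domain"], payload["customer"])
    except (ValueError, KeyError, TypeError):
        return 400  # signed but malformed payload
    return 200
```

The signature must be computed over the exact bytes received; re-serializing parsed JSON before verifying will produce a different digest and reject valid deliveries.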
