What This Template Is For
Every market has its own regulatory requirements. Privacy laws, data residency rules, tax obligations, accessibility standards, and industry regulations vary by country and sometimes by state or province. Missing a requirement does not just mean a poor user experience. It can mean fines, forced market exit, or legal liability.
This template helps product managers track compliance requirements across all the regions where their product operates. It covers data privacy, data residency, tax and billing, accessibility, consumer protection, content regulation, and industry-specific rules. It is not a legal document. It is a tracking tool that ensures no requirement falls through the cracks between product, engineering, legal, and finance teams.
Use this alongside the localization strategy template when planning market entry. For privacy-specific requirements in the EU, the GDPR compliance template goes deeper on that regulation. For country-specific launch planning, see the country launch template.
How to Use This Template
- Copy the template and add a row for each region where your product is available or planned.
- Work with your legal team to fill in the regulatory requirements per region.
- Assign an owner for each compliance area (privacy, tax, accessibility, etc.).
- Track implementation status and review quarterly.
- Update whenever a new regulation takes effect or an existing one changes.
- Use this as a checklist before launching in a new market.
The Template
Compliance Overview Dashboard
| Region | Privacy | Data Residency | Tax/Billing | Accessibility | Consumer Protection | Industry-Specific | Overall Status |
|---|---|---|---|---|---|---|---|
| EU (GDPR) | |||||||
| United States | |||||||
| United Kingdom | |||||||
| Brazil | |||||||
| Japan | |||||||
| Canada | |||||||
| Australia | |||||||
| India | |||||||
| [Add region] | | | | | | | |
Status key: Not applicable / Not started / In progress / Compliant / Needs review
Data Privacy Regulations
| Region | Regulation | Key Requirements | Consent Model | DPA Required | Breach Notification | Status | Owner |
|---|---|---|---|---|---|---|---|
| EU | GDPR | Lawful basis, data minimization, right to erasure, DPO | Opt-in | Yes | 72 hours | ||
| US (California) | CCPA/CPRA | Right to know, right to delete, opt-out of sale | Opt-out | No | "Without unreasonable delay" | ||
| US (other states) | Various | Virginia VCDPA, Colorado CPA, Connecticut CTDPA | Varies | Varies | Varies | ||
| Brazil | LGPD | Consent or legitimate interest, data subject rights | Opt-in | Yes | "Reasonable time" | ||
| Japan | APPI | Consent for transfer, notification of purpose | Opt-in | No | Promptly | ||
| Canada | PIPEDA | Meaningful consent, reasonable purpose | Opt-in | No | "As soon as feasible" | ||
| UK | UK GDPR | Similar to EU GDPR post-Brexit | Opt-in | Yes | 72 hours | ||
| India | DPDPA | Consent, purpose limitation, data fiduciary | Opt-in | No | "Without delay" | | |
- ☐ Privacy policy updated for each applicable regulation
- ☐ Cookie consent mechanism configured per region
- ☐ Data subject request process implemented (access, deletion, portability)
- ☐ Data processing agreements signed with all processors
- ☐ Data Protection Officer appointed (if required)
- ☐ Privacy impact assessment completed for high-risk processing
Data Residency Requirements
| Region | Residency Required? | Data Types Affected | Hosting Location | Status |
|---|---|---|---|---|
| EU | Soft (transfer mechanisms) | Personal data | ||
| Russia | Hard (must store locally) | Personal data of Russian citizens | ||
| China | Hard (must store locally) | Personal data, "important data" | ||
| India | Soft (mirror copy) | Sensitive personal data | ||
| Australia | No (but transfer rules) | Health data has restrictions | ||
| Brazil | No (but transfer rules) | Personal data via LGPD | | |
- ☐ Data flow mapping completed (where data originates, where it is processed, where it is stored)
- ☐ Transfer mechanisms in place for cross-border data flows (SCCs, BCRs, adequacy decisions)
- ☐ Infrastructure configured to keep data in required regions
- ☐ Subprocessor list maintained and updated
Tax and Billing Compliance
| Region | Tax Type | Rate(s) | Collection Required? | Invoice Requirements | Registration Status |
|---|---|---|---|---|---|
| EU | VAT | 17-27% (varies by country) | Yes (if over threshold or using OSS) | VAT number, country-specific format | |
| US | Sales tax | 0-10% (varies by state) | Yes (if nexus established) | State-specific rules | |
| UK | VAT | 20% | Yes (if >GBP 85K revenue) | VAT number, GBP amounts | |
| Canada | GST/HST | 5-15% (varies by province) | Yes | GST/HST number | |
| Australia | GST | 10% | Yes (if >AUD 75K) | ABN, tax invoice format | |
| Japan | Consumption tax | 10% | Yes | Invoice system (2023+) | |
| Brazil | ISS/ICMS/PIS/COFINS | Complex | Yes | NF-e (electronic invoice) | |
| India | GST | 18% (digital services) | Yes | GSTIN, e-invoicing | |
- ☐ Tax engine or service provider selected (Stripe Tax, TaxJar, Avalara)
- ☐ Tax rates configured and updated per jurisdiction
- ☐ Invoice generation meets format requirements for each market
- ☐ Tax-inclusive vs. tax-exclusive display rules implemented per region
- ☐ Tax ID collection and validation at checkout
- ☐ Tax filing cadence documented per jurisdiction
Accessibility Requirements
| Region | Standard | Legal Basis | Applies To | Deadline | Status |
|---|---|---|---|---|---|
| EU | EN 301 549 / EAA | European Accessibility Act | All digital products | June 2025 | |
| US | WCAG 2.1 AA | ADA, Section 508 | Public-facing products | Ongoing | |
| UK | WCAG 2.1 AA | Equality Act 2010 | All digital services | Ongoing | |
| Canada | WCAG 2.0 AA | ACA, AODA (Ontario) | Federal orgs + Ontario businesses | 2025+ | |
| Japan | JIS X 8341-3 | JIPDEC guidelines | Government, encouraged for private | Ongoing | |
- ☐ Accessibility audit completed against applicable standard
- ☐ Remediation plan for identified issues
- ☐ Accessibility statement published
- ☐ Screen reader testing completed for all supported locales
- ☐ Keyboard navigation verified
- ☐ Color contrast meets WCAG AA minimums
Consumer Protection
| Region | Key Requirements | Status |
|---|---|---|
| EU | 14-day cooling-off period for digital goods, clear pricing, auto-renewal disclosure | |
| US | FTC Act compliance, CAN-SPAM for emails, auto-renewal disclosure (varies by state) | |
| UK | Consumer Rights Act, 14-day cancellation right, clear pricing | |
| Australia | ACL, unfair contract terms, subscription cancellation ease | |
| Brazil | CDC, 7-day return right, Portuguese-language terms required | |
- ☐ Cancellation and refund process compliant per region
- ☐ Auto-renewal terms clearly disclosed before purchase
- ☐ Pricing displayed transparently (no hidden fees)
- ☐ Terms of service and privacy policy accessible in local language where required
Content and Communication Regulations
| Region | Regulation | Scope | Status |
|---|---|---|---|
| EU | ePrivacy / GDPR | Email marketing requires opt-in | |
| US | CAN-SPAM | Commercial email must include opt-out, physical address | |
| Canada | CASL | Express consent required for commercial email | |
| Australia | Spam Act 2003 | Consent required, must include unsubscribe | |
- ☐ Email marketing consent mechanism compliant per region
- ☐ Unsubscribe mechanism functional and processed within required timeframe
- ☐ Marketing emails include required sender identification
- ☐ Push notification opt-in follows platform and regional rules
Industry-Specific Regulations
If your product operates in a regulated industry, document additional requirements.
| Industry | Region | Regulation | Key Requirements | Status |
|---|---|---|---|---|
| Healthcare | US | HIPAA | BAA, encryption, access controls, audit logging | |
| Healthcare | EU | MDR + GDPR | Special category data, explicit consent | |
| Financial | US | SOC 2, PCI DSS | Security controls, payment data protection | |
| Financial | EU | PSD2, DORA | Strong authentication, operational resilience | |
| Education | US | FERPA, COPPA | Parental consent for children, student data protection | |
| [Industry] | [Region] | [Regulation] | [Key Requirements] | |
Compliance Review Schedule
| Compliance Area | Review Frequency | Last Review | Next Review | Owner |
|---|---|---|---|---|
| Privacy | Quarterly | | | Legal |
| Data residency | Semi-annual | | | Infra + Legal |
| Tax | Quarterly | | | Finance |
| Accessibility | Semi-annual | | | Design + Eng |
| Consumer protection | Annual | | | Legal |
| Content regulations | Annual | | | Marketing + Legal |
| Industry-specific | Quarterly | | | Legal + Compliance |
Filled Example: B2B SaaS Operating in US, EU, and UK
Dashboard
| Region | Privacy | Data Residency | Tax | Accessibility | Status |
|---|---|---|---|---|---|
| US | Compliant | N/A | Compliant (38 states) | In progress (WCAG 2.1 AA) | Mostly compliant |
| EU | Compliant | Compliant (EU hosting) | Compliant (OSS registered) | In progress (EAA) | Mostly compliant |
| UK | Compliant | Compliant (UK adequacy) | Compliant (VAT registered) | In progress | Mostly compliant |
Open items: Accessibility remediation (17 issues remaining, target June 2026). California age-appropriate design code assessment pending.
Key Takeaways
- Track compliance requirements per region in a single document. Scattered tracking leads to gaps
- Privacy and tax are the two areas most likely to create legal liability for SaaS products
- Review compliance status quarterly and after any regulatory change announcement
- Start the compliance assessment early in market entry planning. Regulatory blockers have the longest lead times
- This is a tracking tool, not legal advice. Always validate requirements with qualified legal counsel
About This Template
Created by: Tim Adair
Last Updated: 3/5/2026
Version: 1.0.0
License: Free for personal and commercial use
