
A guide to global cookie laws and how to comply

If your company operates globally and processes personal data, you need to be aware of global cookie laws and how they impact your data collection process. Here’s what you need to know about cookie laws around the world.

Updated June 11, 2024.

Cookies are an easily forgotten but critical consideration when talking about online privacy. These small text files are saved on users’ devices to enable different features and functions to work correctly. They also collect data to provide organizations with insights into a person’s demographics, interests, and online activity.

Generally, cookies are innocuous and often necessary for a website’s core functions, though there are several kinds of cookies serving various purposes. They can also store substantial amounts of data that may be used to identify users without their consent and to target people with advertisements.

Because cookies can collect personal information, companies must be aware of data privacy laws relevant to them (i.e. in effect where their customers or users reside), and ensure their compliance with legal and regulatory standards regarding their use. So here’s what you need to know about major cookie consent laws around the world.

The EU cookie law is the commonly used term to refer to the ePrivacy Directive (ePD). It originated in 2009 and requires European member states to incorporate its guidelines into their national laws. Together with the General Data Protection Regulation (GDPR), the ePrivacy Directive has some of the strictest data privacy requirements and sets of users’ rights in the world.

If companies are using consent as their legal basis for data processing, the EU cookie law requires websites to obtain consent from visitors before storing or retrieving any information on their devices. Such storage and retrieval typically happens through tracking cookies or similar tracking technologies. The law aims to protect online privacy by making consumers aware of how their information is collected and used online, and giving them a choice to allow it or not.

The law mandates that websites must inform visitors about the cookies they use and obtain explicit consent before setting and storing any non-essential cookies. This can be done via a cookie banner and detailed cookie policy, which highlights the purpose of each cookie and data use, and enables visitors to easily change or withdraw their consent at any point.

To achieve GDPR and ePD cookie compliance, websites commonly use a consent management platform (CMP). The best CMPs can scan for all cookies and trackers in use on a website, block them until consent is given, present the required information and consent options to users, automatically keep the consent banner, cookie notice, and privacy policy up to date, and securely store consent records.


The Digital Markets Act (DMA)

The Digital Markets Act, or DMA, was introduced by the European Commission, and enforcement began on March 6, 2024. The DMA law is meant to protect the data privacy of users online and help ensure fair competition with dominant platforms in digital markets among companies doing business in the EU.

The DMA imposes strict new requirements on major tech platforms designated as “gatekeepers” regarding processing of personal data, including use of cookies and requirements for user consent for online tracking and targeted advertising in the EU.

In essence, the DMA requires major tech platforms like Google and Meta to get users’ explicit and valid consent before combining their personal data across different services and websites to track them for targeted advertising purposes. Importantly, for these companies to comply, their millions of customers and partners must also comply. So Google, for example, has already handed down new requirements for obtaining and signaling valid consent to Google services to retain access to them and maintain online revenue. 

This puts much more control in the hands of users over how their data is accessed and combined for ad targeting by the biggest “gatekeeper” platforms operating in the EU.

There is no comprehensive federal cookie law in the United States, but a number of states have enacted their own privacy laws that regulate the use of cookies and online tracking technologies. Here’s an overview of the relevant state cookie laws.

To date, these are the state-level data privacy laws in effect in the US, or that were passed prior to 2024 and that will come into effect by 2026:

Some of the laws, like those in Florida, Texas, or Nevada, are not considered comprehensive like the other states’ laws, as they have a narrower scope or specific provisions, or target specific groups, like very large tech companies. Kentucky, Maryland, Minnesota, and Nebraska also passed laws in early 2024 that have been signed by their governors.

In the US, all current data privacy laws use an opt-out model for consent. Companies do not have to obtain prior user consent to use cookies on their websites to collect personal data, for example. Users do, however, have the right to opt out of data processing for specific purposes, e.g. sharing, sale, targeted advertising, or profiling.

Each state sets its own compliance thresholds, based on the number of residents whose data is processed annually, company revenue, percentage of company revenue derived from the sale of data, and other factors.


Because it is no longer part of the EU and thus not covered by European cookie laws, the UK implemented its own regulations that include cookie rules, known as the Privacy and Electronic Communications Regulations (PECR). It’s the UK version of the ePrivacy Directive, but is in effect as a regulation, not just a directive, unlike the ePD.

Similar to the ePD, the PECR regulates consent requirements for setting cookies and follows the same guidelines as set out in the GDPR. Websites must inform users about cookie use and obtain their consent before setting any non-essential cookies. Consent must be freely given, specific, informed, and unambiguous, typically via an opt-in cookie banner. Only cookies strictly necessary for core site functionality are exempt from consent requirements.

The PECR also requires explicit user consent for electronic marketing like emails and texts.

Short for Lei Geral de Proteção de Dados Pessoais, the LGPD has been referred to as the Brazilian GDPR.

The LGPD is very similar to the EU’s GDPR in many regards, as it was heavily inspired by the GDPR’s core principles and requirements. However, there are some key nuances and differences between the two laws.

For example, their definitions of personal data differ. The LGPD’s version is a lot broader. In addition, the LGPD recognizes ten legal bases for processing data compared to the six of the GDPR. The LGPD is also less detailed in its requirements around data protection impact assessments.

The Personal Information Protection Law (PIPL) went into effect in China in November 2021. The law provides guidelines on the lawful processing of personal information, including through the use of cookies.

The PIPL defines personal information as any information related to identified or identifiable individuals, except for anonymized data, which is fairly standard. Data collected using cookies is considered personal information. This means companies must get explicit consent from users before using cookies to collect their personal data. Companies have to clearly explain to users what data is being collected, for what purpose, and how long it will be kept.

Additionally, there are very specific conditions under which you are allowed to move personal data outside the country’s borders. 

The PIPL also requires companies to implement appropriate security measures to protect personal data collected through cookies based on how sensitive the information is. It has even stricter rules for protecting very sensitive data like biometrics, financial information, and data about minors under 14 years old.

South Africa’s cookie law falls under the Protection of Personal Information Act (POPIA), which predates the GDPR. 

Cookies are considered personal information under POPIA since they can be used to identify individuals online. As such, websites operating in South Africa or handling personal data of South African individuals must comply with POPIA’s requirements when using cookies.

This means that consent is required before using most cookies. Websites must obtain explicit, informed consent from users through a cookie consent notice or banner. The consent notice should clearly explain what data is collected by the cookies and for what purposes. It must give users a choice to accept or reject non-essential cookies. In addition, websites need a comprehensive cookie policy linked from the consent notice, detailing the types of cookies used and their purposes.

Cross-border transfers of personal data, including from cookie use, are restricted unless certain conditions like user consent or approved transfer mechanisms are met.

Organizations with websites or mobile apps that collect personal data using cookies or similar technologies must follow the relevant cookie laws. Many privacy regulations are extraterritorial, meant to protect the privacy of residents of the region where the law was passed. 

Even if your organization isn’t physically located in a region, it must comply with that region’s cookie laws if it collects personal data from users who reside there. These rules tend to apply across industries and company sizes if personal data is being processed. It’s important to consult with qualified legal counsel to familiarize yourself with the requirements for your company regarding cookie use, consent, and more.

Although specific compliance requirements vary depending on certain factors, best practices remain the same: companies must obtain and securely store valid user consent to use cookies to process personal data.

Cookie Laws Compliance

No matter the location of your company, there are certain steps you can take to become cookie-compliant.

  1. Conduct a cookie audit: Identify all cookies and trackers in use on your website to know what cookies are set on users’ devices. Categorize cookies as essential (strictly necessary) or non-essential, as well as by their purposes, e.g. marketing or analytics. Determine which cookies collect personal data, who the providers are, what the data is used for, and who will have access to it.
  2. Develop clear policies:
    1. Cookie policy: Create an accessible cookie policy that details the cookies used, their purposes, and their lifespan. Link this policy to your cookie banner.
    2. Privacy policy: Maintain a privacy policy explaining how users’ personal data collected via cookies is processed, their data rights, and other requirements, and link to it where consent is requested or at points of data collection.
  3. Implement a cookie banner: Use a cookie banner with clear cookie text to inform users about the cookies, their purposes, legal basis for processing where relevant, expiration periods, and third-party providers. Provide clear options for users to accept or reject each type of cookie, and avoid using cookie walls that block access until consent is given.
  4. Document and store consent records: Keep records of users’ cookie consent choices to demonstrate compliance, including both accepted and rejected cookies.
  5. Conduct regular audits: Perform periodic audits to identify any new cookies added to your site and update your policies and consent processes accordingly.
  6. Consider using Google’s Consent Mode: This can help you retain some analytics data even when cookies are rejected.

The consequences of noncompliance with cookie consent laws like the GDPR, CPRA, and other data privacy regulations can be severe and often include hefty fines.

  • Under the EU’s GDPR, fines can reach up to EUR 20 million or 4 percent of a company’s global annual revenue from the preceding year, whichever is higher. 
  • The Netherlands allows fines up to EUR 900,000 or 1-10% of annual turnover.
  • The UK is considering increasing its maximum cookie violation penalties to match GDPR levels of 4 percent of global turnover, or GBP 17.5 million.
  • Brazil’s LGPD permits fines of up to 2 percent of a company’s in-country revenue from the prior fiscal year, capped at around BRL 50 million.

Lastly, reputational damage is another consequence. News of fines and legal actions can severely damage a company’s reputation and consumer trust. Consumers are increasingly aware of privacy issues and may avoid businesses that they don’t trust with their data or privacy rights.

How Cookiebot™ can help

The first step to becoming cookie-compliant is to conduct a comprehensive website cookie audit. This involves identifying, categorizing, and documenting all cookies and tracking technologies used on your website.

Cookiebot CMP automates this process. It frequently scans your website to detect all cookies and trackers being used, automatically categorizes them based on purpose (e.g., necessary, preferences, statistics, marketing), and generates a cookie declaration report you can use to stay updated.

Experience this for yourself, try Cookiebot™ for 14 days free of charge!


