
Cookie Law: A Complete Guide to Global Regulations and Compliance Requirements

Read time: 13 mins
Published: Jun 17, 2026
  • "Cookie law" refers to data privacy regulations that govern how websites collect, store, and disclose information on visitors' devices, including the EU's ePrivacy Directive, the GDPR, the UK's PECR, and U.S. state laws such as the CCPA.
  • The EU and UK operate on an opt-in model: prior consent is required before non-essential cookies are set. Most U.S. state laws use an opt-out model: data can be collected, but visitors must be able to opt out.
  • Cookie laws are largely extraterritorial, so where your visitors are located matters more than where your business is registered.
  • The proposed ePrivacy Regulation, long anticipated as the EU cookie law's successor, was formally withdrawn in 2025 and will not come into force.
  • Penalties for noncompliance can be substantial: EU GDPR fines reach up to EUR 20 million or 4 percent of global annual turnover, and regulators have shown a clear willingness to enforce.
  • A consent management platform (CMP) can help website owners manage cookie consent obligations across multiple jurisdictions from a single workflow.

Cookie law is a collective term for data protection regulations that require websites to obtain user consent before placing cookies on visitors' devices. The most significant examples are the EU's ePrivacy Directive (often called the EU Cookie Law), the GDPR, and U.S. state laws like the CCPA.

While the phrase originated in the EU, similar obligations have since emerged at the state level in the U.S., meaning the question of what constitutes cookie law, and who it applies to, increasingly depends on where your visitors are located.

The EU cookie law refers primarily to the ePrivacy Directive (ePD), which originated in 2009 and requires European Member States to incorporate its provisions into their national legislation. Read alongside the General Data Protection Regulation (GDPR), the ePD represents one of the world's most stringent frameworks for online privacy, establishing firm requirements around consent, transparency, and individual rights.

Where websites rely on consent as their legal basis for data processing, the ePD requires that visitors actively agree before any information is stored on or retrieved from their devices. This applies to tracking cookies and comparable technologies. The overarching aim is to make visitors aware of how their data is collected and used, and to give them a meaningful choice about whether to allow it.

In practice, this means websites must inform visitors about the cookies in use and obtain their consent before setting any non-essential cookies. This is typically delivered through a consent banner and a detailed cookie policy, both of which should clearly explain the purpose of each cookie, how data is used, and how visitors can withdraw or modify their consent at any time.

What Is the ePrivacy Regulation and When Will It Come Into Force?

For several years, the ePrivacy Regulation was widely anticipated as the successor to the ePrivacy Directive. It represented a purpose-built EU regulation that would have replaced the existing patchwork of national implementations with a single, directly applicable set of rules governing cookies, electronic communications, and online tracking across all Member States.

First proposed by the European Commission in 2017, the draft regulation went through years of negotiation without reaching agreement. The Commission formally approved the withdrawal on July 16, 2025, having signalled its intention to do so in the February 2025 Work Programme.

The ePrivacy Directive therefore remains the applicable EU framework for cookie consent, operating alongside the GDPR as it has since 2018. Websites with EU visitors should disregard any references to the ePrivacy Regulation in older guidance. It is no longer a pending development to prepare for.

The United States does not have a single federal equivalent to the EU cookie law. Instead, cookie and tracking-related obligations arise from a growing body of state-level privacy regulations, including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), and comprehensive privacy laws now enacted in more than 20 states.

Unlike the EU's consent-first model, most U.S. privacy laws operate on an opt-out and notice basis: websites are generally permitted to collect and use personal data, but must inform visitors of that practice and provide clear mechanisms to opt out of activities such as the sale or sharing of personal data, targeted advertising, and profiling. Prior consent is required under many U.S. laws for sensitive data categories and for data belonging to minors.

For websites operating across both jurisdictions, this creates a layered compliance picture. A consent management platform (CMP) can help manage these obligations in a single workflow by scanning for cookies and trackers, presenting the appropriate consent or opt-out experience based on visitor location, maintaining an auditable record of consent, and keeping notice content updated as laws evolve.

The Digital Markets Act (DMA)

The Digital Markets Act, or DMA, was introduced by the European Commission, and enforcement began on March 6, 2024. The DMA is meant to protect the data privacy of users online and to ensure fair competition in digital markets between dominant platforms and the other companies doing business in the EU.

The DMA imposes strict new requirements on major tech platforms designated as "gatekeepers" regarding processing of personal data, including use of cookies and requirements for user consent for online tracking and targeted advertising in the EU.

In essence, the DMA requires major tech platforms like Google and Meta to get users' explicit and valid consent before combining their personal data across different services and websites to track them for targeted advertising purposes. Importantly, for these companies to comply, their millions of customers and partners must also comply. Google, for example, has already handed down requirements that its partners obtain valid consent and signal it to Google services in order to retain access to those services and the online revenue that depends on them.

This puts much more control in the hands of users over how their data is accessed and combined for ad targeting by the biggest "gatekeeper" platforms operating in the EU.

Comparison table (by country / region):

European Union
  Applicable law(s): GDPR and ePrivacy Directive
  Consent model: Opt-in (prior consent required for non-essential cookies)
  Key requirements:
    - Prior consent before non-essential cookies are set
    - Consent must be freely given, specific, informed, and unambiguous
    - Withdrawal must be as easy as giving consent
  Maximum penalty: EUR 20 million or 4% of global annual turnover, whichever is higher

United Kingdom
  Applicable law(s): UK GDPR and PECR
  Consent model: Opt-in (prior consent required for non-essential cookies)
  Key requirements:
    - Prior consent before non-essential cookies are set
    - Consent standard mirrors UK GDPR
    - Strictly necessary cookies exempt
    - Clear and accessible opt-out
  Maximum penalty: GBP 17.5 million or 4% of global annual turnover, whichever is higher

United States
  Applicable law(s): 20+ state-level laws, including CCPA/CPRA
  Consent model: Opt-out (notice + right to opt out; prior consent required for sensitive data and minors' data)
  Key requirements:
    - Notice of data collection and use
    - Opt-out mechanism for sale, sharing, targeted advertising, and profiling
    - Prior consent required for sensitive data and minors
  Maximum penalty: Varies by state; USD 7,500 per intentional violation under CCPA/CPRA (adjusted periodically for Consumer Price Index)

Canada
  Applicable law(s): Québec Law 25 and PIPEDA
  Consent model: Opt-in for Québec (consent required before collection); opt-out under PIPEDA
  Key requirements:
    - Québec: consent required before collection; privacy policy must be publicly accessible; data minimization required
    - PIPEDA: meaningful consent; purpose must be identified at or before collection
  Maximum penalty: CAD 25 million or 4% of global turnover under Québec Law 25; up to CAD 100,000 under PIPEDA

Brazil
  Applicable law(s): LGPD
  Consent model: Opt-in (consent is one of ten legal bases; required where relied upon)
  Key requirements:
    - Consent must be free, informed, and unambiguous
    - Cookie policy must state purpose and duration
    - Data subject rights must be honoured, including withdrawal
  Maximum penalty: Up to 2% of Brazil revenue in the prior fiscal year, capped at BRL 50 million

China
  Applicable law(s): PIPL
  Consent model: Opt-in (consent required before collecting personal data via cookies)
  Key requirements:
    - Consent required before collecting personal data via cookies
    - Purpose, method, and retention period must be disclosed
    - Separate consent required for sensitive data and cross-border transfers
  Maximum penalty: Up to CNY 50 million or 5% of prior year's annual turnover

India
  Applicable law(s): DPDP Act
  Consent model: Opt-in (consent required before processing personal data)
  Key requirements:
    - Consent must be free, specific, informed, and unambiguous
    - Notice must clearly describe data being collected and purpose
    - Consent managers must be registered
  Maximum penalty: Up to INR 250 crore (approx. USD 30 million)

Japan
  Applicable law(s): APPI
  Consent model: Opt-in (consent required for third-party data sharing; notice required for collection)
  Key requirements:
    - Third-party provision of personal data via cookies requires consent
    - Purpose of use must be notified or publicly announced at or before collection
  Maximum penalty: Up to JPY 100 million for corporations

South Korea
  Applicable law(s): PIPA
  Consent model: Opt-in (consent required before collecting and using personal information)
  Key requirements:
    - Consent required before collecting personal information
    - Purpose, items collected, retention period, and right to refuse must all be disclosed
    - Separate consent for sensitive information
  Maximum penalty: Up to KRW 300 million or 3% of relevant revenue

Australia
  Applicable law(s): Privacy Act
  Consent model: Opt-out (notice required; consent required for sensitive information)
  Key requirements:
    - Privacy policy must disclose cookie and tracking practices
    - Consent required for sensitive information
    - Individuals must be able to access and correct their data
  Maximum penalty: Up to AUD 50 million or 30% of adjusted turnover during breach period, whichever is higher

Singapore
  Applicable law(s): PDPA
  Consent model: Opt-in (consent required before collection, use, or disclosure)
  Key requirements:
    - Consent required before collection, use, or disclosure
    - Purpose must be notified before or at time of collection
    - Deemed consent permitted in limited circumstances
  Maximum penalty: Up to SGD 1 million

South Africa
  Applicable law(s): POPIA
  Consent model: Opt-in (consent required for most cookie use)
  Key requirements:
    - Consent required for most cookie use
    - Cookie notice must explain data collected and purposes
    - Comprehensive cookie policy required
    - Cross-border transfers restricted
  Maximum penalty: Up to ZAR 10 million or up to 10 years imprisonment

For websites using Google services, including Google Analytics 4, Google Ads, and Google Tag Manager, cookie law compliance has a practical dimension beyond the legal. Consent signals must be communicated to Google's systems in a format they can act on. This is where Google Consent Mode becomes relevant.

Google Consent Mode is a framework that allows websites to adjust how Google tags behave based on a visitor's consent choices. When a visitor declines analytics or advertising cookies, Consent Mode signals that decision to Google's tags rather than blocking them entirely. Google can then use anonymized, cookieless modelling to preserve some measurement capability while respecting the visitor's choice.

Since March 2024, Google has required websites covered by its EU User Consent Policy, which applies to the EU, the UK, and the European Economic Area, to implement Google Consent Mode v2 in order to use Google Ads personalization features and maintain access to Google's advertising tools.

This requirement is tied to the DMA, under which Google, as a designated gatekeeper, must obtain valid consent before combining personal data across services for ad targeting purposes.

Consent Mode operates in two modes. Basic mode withholds all Google tags until consent is given; advanced mode fires tags immediately but in a consent-signalling state, using modelled data where consent is declined. Both require a certified consent management platform (CMP) to pass the correct consent signals.
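The default-deny, update and basic-versus-advanced behaviour described above, as an added example that is not Google's, Cookiebot's or Usercentrics' code. It is modelled on Google's public gtag snippet and runs in Node by keeping dataLayer as a plain array; the CMP is assumed to hand applyConsentChoice() an {analytics, marketing} decision, and the tag-to-signal map is a simplification.

```javascript
// Added example (not Google's, Cookiebot's or Usercentrics' code): a Consent Mode v2 gate
// modelled on Google's gtag snippet, runnable in Node by keeping dataLayer as a plain array.
// Assumption: the CMP hands applyConsentChoice() an {analytics, marketing} decision.
const dataLayer = [];                           // browser: window.dataLayer = window.dataLayer || []
function gtag() { dataLayer.push(arguments); }  // Google's snippet queues commands until gtag.js runs

// Consent Mode v2 adds ad_user_data and ad_personalization to the original two signals.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Step 1: queue the default before any Google tag loads. Everything is denied for every
// visitor (the cautious "treat all visitors as protected" approach); wait_for_update gives
// the CMP 500 ms to deliver a stored choice before tags act on the default.
function setDefaultConsent() {
  const denied = Object.fromEntries(SIGNALS.map(s => [s, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
}

// Step 2: map the banner's category choice onto the four signals. Granting and withdrawing
// use the same call with different values, so withdrawal is as easy as giving consent.
function applyConsentChoice({ analytics = false, marketing = false } = {}) {
  const ads = marketing ? 'granted' : 'denied';
  gtag('consent', 'update', {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: ads, ad_user_data: ads, ad_personalization: ads,
  });
}

// Replay the queued consent commands the way a tag reads them: the default, then each update.
function effectiveConsent() {
  const state = {};
  for (const cmd of dataLayer) {
    if (cmd[0] !== 'consent') continue;
    for (const s of SIGNALS) if (cmd[2][s] !== undefined) state[s] = cmd[2][s];
  }
  return state;
}

// Step 3: what a given tag does under basic vs. advanced mode. With its storage signal granted
// it runs normally; otherwise basic mode withholds it entirely, while advanced mode lets it fire
// in the consent-signalling state (cookieless pings that Google feeds into modelling).
// TAG_SIGNAL is a simplification: real tags consult more than one signal.
const TAG_SIGNAL = { 'Google Analytics 4': 'analytics_storage', 'Google Ads': 'ad_storage' };
function tagBehaviour(tag, mode) {
  if (effectiveConsent()[TAG_SIGNAL[tag]] === 'granted') return 'full';
  return mode === 'advanced' ? 'cookieless' : 'withheld';
}

// On a real page: setDefaultConsent() goes in <head> before gtag.js, and applyConsentChoice()
// runs from the CMP's consent callback and again whenever the visitor changes their choice.
```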

For website owners in the EU, UK, or EEA, implementing Google Consent Mode v2 via a Google-certified CMP, such as Cookiebot CMP, is a practical step toward meeting both cookie law requirements and Google's own platform obligations in a single workflow.

Organizations with websites or mobile apps that collect personal data using cookies or similar technologies must follow the relevant cookie laws. Many privacy regulations are extraterritorial: they protect the residents of the region where the law was passed, wherever the organization processing their data is located.

Even if your organization isn't physically located in a region, it must comply with that region's cookie laws if it collects personal data from users who reside there. These rules tend to apply across industries and company sizes if personal data is being processed. It’s important to consult with qualified legal counsel to familiarize yourself with the requirements for your company regarding cookie use, consent, and more.

Although specific compliance requirements vary depending on certain factors, best practices remain the same: companies must obtain and securely store valid user consent to use cookies to process personal data.

Cookie Laws Compliance

For most websites, the short answer is yes, and the determining factor is not where your business is registered, but where your visitors come from and what your website does with their data.

Cookie laws generally apply whenever a website collects personal data from visitors using cookies or similar tracking technologies. Because so many regulations are extraterritorial in scope, a business based in the U.S. may have obligations under EU law if it receives visitors from Europe, and vice versa. The relevant question is not "where am I?" but "whose data am I collecting, and under which laws are those people protected?"

The Role of Cookies and Tracking Technologies

If your website sets any cookies beyond those strictly necessary for the site to function, such as analytics cookies, advertising pixels, or social media trackers, you are likely subject to cookie law requirements in at least one jurisdiction.

Strictly necessary cookies, such as those that maintain a shopping basket or a login session, are generally exempt from consent requirements. Everything else typically requires either prior consent (under EU and UK law) or clear notice and an opt-out mechanism (under most U.S. state laws).

Even a simple website using a standard analytics tool like Google Analytics is setting non-essential cookies and collecting personal data. That is sufficient to bring it within scope of regulations like the ePD and GDPR for EU visitors, or the Privacy and Electronic Communications Regulations (PECR) for UK visitors.

Size, Revenue, and Other Thresholds

Under EU and UK law, there are no minimum size or revenue thresholds. Cookie consent obligations apply regardless of how large or small your organization is. If you have a website that receives visitors from the EU or UK and uses non-essential cookies, the rules apply.

U.S. state laws take a different approach. Most include exemptions based on the volume of personal data processed annually, total company revenue, or the percentage of revenue derived from selling personal data. However, these thresholds vary by state and can be relatively easy to exceed.

A small business that serves customers across multiple states, for example, may fall within scope of several laws simultaneously. It is worth reviewing the specific thresholds for each state where you have a meaningful number of visitors.

If you are uncertain whether your website falls within scope of a particular law, the cautious — and increasingly common — approach is to treat all visitors as protected and implement consent or opt-out mechanisms accordingly. Consulting qualified legal counsel is advisable for any specific compliance questions.

No matter where your company is located, there are certain steps you can take to become cookie-compliant:

  1. Conduct a cookie audit: Identify all cookies and trackers in use on your website to know what cookies are set on users' devices. Categorize cookies as essential (strictly necessary) or non-essential, as well as their purposes, e.g. marketing or analytics. Determine which cookies collect personal data, who the providers are, what the data is used for, and who will have access to it.
  2. Develop clear policies:
    1. Cookie policy: Create an accessible cookie policy that details the cookies used, their purposes, and their lifespan. Link this policy to your cookie banner.
    2. Privacy policy: Maintain a privacy policy explaining how users' personal data collected via cookies is processed, their data rights, and other requirements, and link to it where consent is requested or at points of data collection.
    3. Implement a cookie banner: Use a cookie banner with clear cookie text to inform users about the cookies, their purposes, legal basis for processing where relevant, expiration periods, and third-party providers. Provide clear options for users to accept or reject each type of cookie, and avoid using cookie walls that block access until consent is given.
  3. Document and store consent records: Keep records of users' cookie consent choices to demonstrate compliance, including both accepted and rejected cookies.
  4. Conduct regular audits: Perform periodic audits to identify any new cookies added to your site and update your policies and consent processes accordingly.
  5. Consider using Google's Consent Mode: This can help you retain some analytics data even when cookies are rejected.
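The cookie audit in step 1 can be partly automated. The following is an added example, not Cookiebot's or Usercentrics' code: it takes the Set-Cookie headers observed on a first page load, before the banner is answered, classifies each cookie against a hypothetical audit inventory, records its lifespan and provider, and flags everything that is not strictly necessary as a pre-consent violation under the opt-in model. The site host, inventory and sample headers are constructed for illustration.

```javascript
// Added example, not Cookiebot's or Usercentrics' code: a pre-consent cookie audit check.
// Input is the list of Set-Cookie headers observed on a first page load, before the banner is
// answered. The site host, inventory and headers below are constructed for illustration.
const SITE_HOST = 'shop.example';

// Hypothetical audit inventory: which cookies are strictly necessary and why. Anything not
// listed is reported as unclassified, so a reviewer has to categorize it instead of it
// silently passing the check.
const INVENTORY = {
  session_id: { category: 'strictly necessary', purpose: 'login session' },
  cart:       { category: 'strictly necessary', purpose: 'shopping basket' },
  _ga:        { category: 'analytics',          purpose: 'Google Analytics 4 visitor id' },
  _fbp:       { category: 'marketing',          purpose: 'Meta Pixel browser id' },
};

// Parse one Set-Cookie header. Lifespan is in days: Max-Age wins over Expires, and a cookie
// with neither is a session cookie (0). `now` is passed in so results are reproducible.
function parseSetCookie(header, now) {
  const [nameValue, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: nameValue.slice(0, nameValue.indexOf('=')), lifespanDays: 0, secure: false };
  let expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq < 0 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq < 0 ? '' : attr.slice(eq + 1);
    if (key === 'max-age') cookie.lifespanDays = Number(val) / 86400;
    else if (key === 'expires') expires = new Date(val);
    else if (key === 'secure') cookie.secure = true;
  }
  if (cookie.lifespanDays === 0 && expires) cookie.lifespanDays = Math.round((expires - now) / 86400000);
  return cookie;
}

// Classify every observed cookie and flag the ones the opt-in model does not allow yet.
function auditBeforeConsent(observed, now) {
  return observed.map(({ host, header }) => {
    const c = parseSetCookie(header, now);
    const known = INVENTORY[c.name];
    const category = known ? known.category : 'unclassified';
    return {
      ...c, host, category,
      purpose: known ? known.purpose : 'unknown: needs review',
      thirdParty: host !== SITE_HOST && !host.endsWith('.' + SITE_HOST),
      // Under EU/UK rules only strictly necessary cookies may be set before consent.
      violation: category !== 'strictly necessary',
    };
  });
}

// Human-readable list of cookies that must be gated behind consent before go-live.
function blockedBeforeConsent(results) {
  return results.filter(r => r.violation).map(r => `${r.name} (${r.category}, ${r.lifespanDays}d, ${r.host})`);
}

// Constructed sample: what a crawler saw on the first response, before any consent choice.
const SAMPLE_NOW = new Date('2026-06-17T00:00:00Z');
const SAMPLE_OBSERVED = [
  { host: 'shop.example',        header: 'session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { host: 'shop.example',        header: '_ga=GA1.1.1234.5678; Max-Age=63072000; Path=/; SameSite=Lax' },
  { host: 'shop.example',        header: '_fbp=fb.1.1750118400000.1; Expires=Tue, 15 Sep 2026 00:00:00 GMT; Path=/' },
  { host: 'ads.tracker.example', header: 'uid=xyz789; Max-Age=2592000; Path=/; Secure; SameSite=None' },
];
```

Running auditBeforeConsent(SAMPLE_OBSERVED, SAMPLE_NOW) reports the session cookie as allowed and the other three as pre-consent violations, one of them third-party and unclassified.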

Cookiebot CMP, part of Usercentrics, integrates with the IAB Europe's Transparency and Consent Framework (TCF v2.3), the industry standard for consent signalling across EU advertising.

The consequences of noncompliance with cookie consent laws can be significant, and regulators across the EU have demonstrated a clear willingness to pursue enforcement action, from household-name technology companies down to individual retailers. Fines are the most visible consequence, but regulators can also issue orders to cease processing, compel changes to cookie banners, and impose daily penalties for continued noncompliance.

The maximum penalties for each jurisdiction are set out in the comparison table above. In practice, the fines actually imposed vary considerably depending on the scale of the violation, the number of individuals affected, and whether the organisation took steps to remediate. The examples below illustrate the range.

France (CNIL) Regulatory Action

The French data protection authority has been the most active EU regulator on cookie enforcement. In September 2025, the CNIL fined Google EUR 325 million for setting cookies on new Gmail accounts without valid consent and displaying advertising in users' inboxes without prior consent — violations affecting more than 74 million accounts.

The same enforcement sweep resulted in a EUR 150 million fine against SHEIN for similar cookie consent failures. Google has faced repeated CNIL action on cookies: earlier fines were issued in 2020 (EUR 100 million) and 2021 (EUR 150 million) for making it harder to refuse cookies than to accept them.

The Netherlands (AP) Regulatory Action

In July 2024, the Dutch Data Protection Authority fined AS Watson — the parent company of pharmacy chain Kruidvat — EUR 600,000 for setting tracking cookies on visitors to health-related pages of Kruidvat.nl without consent, enabling the construction of detailed personal profiles. The authority noted the particular sensitivity of the data involved.

A separate fine of EUR 40,000 was issued against retailer Coolblue for assuming consent by default and using pre-checked boxes, the first cookie case the AP carried through its full administrative process.

Reputational damage is a further consequence that does not appear in any penalty notice. News of regulatory action can erode consumer trust in ways that are considerably harder to quantify than a fine, and considerably harder to recover from.

How Cookiebot™ Can Help

The first step to becoming cookie-compliant is to conduct a comprehensive website cookie audit. This involves identifying, categorizing, and documenting all cookies and tracking technologies used on your website.

Cookiebot CMP by Usercentrics is the global leader in consent management with over 2.4 million websites. It automates cookie scanning, consent collection, and compliance documentation to meet the requirements of the EU cookie law, the GDPR, CCPA, and other global cookie regulations.

Frequently asked questions