What is the EU cookie law?
The EU cookie law is the commonly used term to refer to the ePrivacy Directive (ePD). It originated in 2009 and requires European member states to incorporate its guidelines into their national laws. Together with the General Data Protection Regulation (GDPR), the ePrivacy Directive has some of the strictest data privacy requirements and sets of users’ rights in the world.
If companies are using consent as their legal basis for data processing, the EU cookie law requires websites to obtain consent from visitors before storing or retrieving any information on their devices. Such storage and retrieval is typically done through tracking cookies or similar tracking technologies. The law aims to protect online privacy by making consumers aware of how their information is collected and used online, and giving them a choice to allow it or not.
The law mandates that websites must inform visitors about the cookies they use and obtain explicit consent before setting and storing any non-essential cookies. This can be done via a cookie banner and detailed cookie policy, which highlights the purpose of each cookie and data use, and enables visitors to easily change or withdraw their consent at any point.
To achieve GDPR and ePD cookie compliance, websites commonly use a consent management platform (CMP). The best CMPs can scan for all cookies and trackers in use on a website, block them until consent is given, provide the required information and consent options to users, automatically update the consent banner’s and cookie notice or privacy policy’s information, and securely store consent records.
The Digital Markets Act (DMA)
The Digital Markets Act, or DMA, was introduced by the European Commission, and enforcement began on March 6, 2024. The DMA law is meant to protect the data privacy of users online and help ensure fair competition with dominant platforms in digital markets among companies doing business in the EU.
The DMA imposes strict new requirements on major tech platforms designated as “gatekeepers” regarding processing of personal data, including use of cookies and requirements for user consent for online tracking and targeted advertising in the EU.
In essence, the DMA requires major tech platforms like Google and Meta to get users’ explicit and valid consent before combining their personal data across different services and websites to track them for targeted advertising purposes. Importantly, for these companies to comply, their millions of customers and partners must also comply. So Google, for example, has already handed down new requirements for obtaining and signaling valid consent to Google services to retain access to them and maintain online revenue.
This puts much more control in the hands of users over how their data is accessed and combined for ad targeting by the biggest “gatekeeper” platforms operating in the EU.
US cookie laws
There is no comprehensive federal cookie law in the United States, but a number of states have enacted their own privacy laws that regulate the use of cookies and online tracking technologies. Here’s an overview of the relevant state cookie laws.
To date, these are the state-level data privacy laws in effect in the US, or that were passed prior to 2024 and that will come into effect by 2026:
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA) (amends and expands the CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Florida Digital Bill of Rights (FDBR)
- Indiana Consumer Data Protection Act (Indiana CDPA)
- Iowa Consumer Data Protection Act (ICDPA)
- Montana Consumer Data Privacy Act (MTCDPA)
- Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA)
- New Hampshire Privacy Act (NHPA)
- New Jersey Data Privacy Act (NJDPA)
- Oregon Consumer Privacy Act (OCPA)
- Tennessee Information Privacy Act (TIPA)
- Texas Data Privacy and Security Act (TDPSA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
Some of the laws, like those in Florida, Texas, or Nevada, are not considered comprehensive like the other states’ laws, as they have a narrower scope or specific provisions, or target specific groups, like very large tech companies. Kentucky, Maryland, Minnesota, and Nebraska also passed laws in early 2024 that have been signed by their governors.
In the US, all current data privacy laws use an opt-out model for consent. Companies do not have to obtain prior user consent to use cookies on their websites to collect personal data, for example. Users do, however, have the right to opt out of data processing for specific purposes, e.g. sharing, sale, targeted advertising, or profiling.
Each state sets its own compliance thresholds, based on the number of residents whose data is processed annually, company revenue, percentage of company revenue derived from the sale of data, and other factors.
UK cookie law
Because it is no longer part of the EU and thus not covered by European cookie laws, the UK implemented its own regulations that include cookie rules, known as the Privacy and Electronic Communications Regulations (PECR). It is the UK counterpart of the ePrivacy Directive, but unlike the ePD it is in effect as a regulation, not just a directive.
Similar to the ePD, the PECR regulates consent requirements for setting cookies and follows the same guidelines as outlined in the GDPR. Websites must inform users about cookie use and obtain their consent before setting any non-essential cookies. Consent must be freely given, specific, informed, and unambiguous, typically via an opt-in cookie banner. Only cookies strictly necessary for core site functionality are exempt from consent requirements.
The PECR also requires explicit user consent for electronic marketing like emails and texts.
Brazil’s cookie law
Short for Lei Geral de Proteção de Dados Pessoais, the LGPD has been referred to as the Brazilian GDPR.
The LGPD is very similar to the EU’s GDPR in many regards, as it was heavily inspired by the GDPR’s core principles and requirements. However, there are some key nuances and differences between the two laws.
For example, their definitions of personal data differ. The LGPD’s version is a lot broader. In addition, the LGPD recognizes ten legal bases for processing data compared to the six of the GDPR. The LGPD is also less detailed in its requirements around data protection impact assessments.
China’s cookie law
The Personal Information Protection Law (PIPL) went into effect in China in November 2021. The law provides guidelines on the lawful processing of personal information, including through the use of cookies.
The PIPL defines personal information as any information related to identified or identifiable individuals, except for anonymized data, which is a fairly standard definition. Data collected using cookies is considered personal information. This means companies must get explicit consent from users before using cookies to collect their personal data. Companies have to clearly explain to users what data is being collected, for what purpose, and how long it will be kept.
Additionally, there are very specific conditions under which you are allowed to move personal data outside the country’s borders.
The PIPL also requires companies to implement appropriate security measures to protect personal data collected through cookies based on how sensitive the information is. It has even stricter rules for protecting very sensitive data like biometrics, financial information, and data about minors under 14 years old.
South Africa’s cookie law
South Africa’s cookie law falls under the Protection of Personal Information Act (POPIA), which predates the GDPR.
Cookies are considered personal information under POPIA since they can be used to identify individuals online. As such, websites operating in South Africa or handling personal data of South African individuals must comply with POPIA’s requirements when using cookies.
This means that consent is required before using most cookies, as they are considered personal information under POPIA. Websites must obtain explicit, informed consent from users through a cookie consent notice or banner. The consent notice should clearly explain what data is collected by the cookies and for what purposes. It must give users a choice to accept or reject non-essential cookies. In addition, websites need a comprehensive cookie policy linked from the consent notice, detailing the types of cookies used and their purposes.
Cross-border transfers of personal data, including from cookie use, are restricted unless certain conditions like user consent or approved transfer mechanisms are met.
Who needs to comply with these cookie laws?
Organizations with websites or mobile apps that collect personal data using cookies or similar technologies must follow the relevant cookie laws. Many privacy regulations are extraterritorial, meant to protect the privacy of residents of the region where the law was passed.
Even if your organization isn’t physically located in a region, it must comply with that region’s cookie laws if it collects personal data from users who reside there. These rules tend to apply across industries and company sizes if personal data is being processed. It’s important to consult with qualified legal counsel to familiarize yourself with the requirements for your company regarding cookie use, consent, and more.
Although specific compliance requirements vary depending on certain factors, best practices remain the same: companies must obtain and securely store valid user consent to use cookies to process personal data.
How to comply with cookie laws?
No matter the location of your company, there are certain steps you can take to become cookie-compliant.
- Conduct a cookie audit: Identify all cookies and trackers in use on your website to know what cookies are set on users’ devices. Categorize cookies as essential (strictly necessary) or non-essential, as well as their purposes, e.g. marketing or analytics. Determine which cookies collect personal data, who the providers are, what the data is used for, and who will have access to it.
- Develop clear policies:
  - Cookie policy: Create an accessible cookie policy that details the cookies used, their purposes, and their lifespan. Link this policy to your cookie banner.
  - Privacy policy: Maintain a privacy policy explaining how users’ personal data collected via cookies is processed, their data rights, and other requirements, and link to it where consent is requested or at points of data collection.
- Implement a cookie banner: Use a cookie banner with clear cookie text to inform users about the cookies, their purposes, legal basis for processing where relevant, expiration periods, and third-party providers. Provide clear options for users to accept or reject each type of cookie, and avoid using cookie walls that block access until consent is given.
- Document and store consent records: Keep records of users’ cookie consent choices to demonstrate compliance, including both accepted and rejected cookies.
- Conduct regular audits: Perform periodic audits to identify any new cookies added to your site and update your policies and consent processes accordingly.
- Consider using Google’s Consent Mode: This can help you retain some analytics data even when cookies are rejected.
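The steps above, in code: an added example (not Cookiebot’s code) of a small consent-gating layer that starts with every non-essential category switched off, turns each banner choice into a timestamped record tied to a policy version, only runs a tracker’s loader once its category is consented, derives the banner text from the audit so the notice cannot drift from what is actually set, and on withdrawal lists which cookies must be deleted. The cookie names, providers, lifespans and policy version are constructed; actually setting or deleting browser cookies and rendering the banner are left to the loader callback and the caller.

```javascript
// Added example of consent gating for the steps above; not Cookiebot code.
// Categories follow the page's grouping: necessary, preferences, statistics, marketing.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed output of a cookie audit: what each cookie is, who sets it, and for how long.
const COOKIE_AUDIT = [
  { name: "session_id", category: "necessary",   provider: "example.com (first party)",       maxAgeDays: 0 },
  { name: "ui_lang",    category: "preferences", provider: "example.com (first party)",       maxAgeDays: 365 },
  { name: "_ana_id",    category: "statistics",  provider: "analytics.example (third party)", maxAgeDays: 730 },
  { name: "_ads_uid",   category: "marketing",   provider: "ads.example (third party)",       maxAgeDays: 390 },
];

// Constructed version tag so each record shows which policy text the user saw.
const POLICY_VERSION = "cookie-policy-v1-example";

// Opt-in default: only strictly necessary cookies may be set before the user chooses.
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false, marketing: false };
}

// Turn a banner choice into a consent record. Unknown categories are an error rather
// than silently ignored, "necessary" cannot be switched off, and anything not
// explicitly true is treated as rejected.
function recordConsent(choice, now = new Date()) {
  const state = defaultConsent();
  for (const [cat, value] of Object.entries(choice)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown cookie category: ${cat}`);
    if (cat !== "necessary") state[cat] = value === true;
  }
  return { state, timestamp: now.toISOString(), policyVersion: POLICY_VERSION };
}

// Cookies from the audit that may be set under this record.
function allowedCookies(record) {
  return COOKIE_AUDIT.filter((c) => record.state[c.category] === true).map((c) => c.name);
}

// Cookies that must be deleted because their category is not (or no longer) consented.
function cookiesToClear(record) {
  return COOKIE_AUDIT.filter((c) => record.state[c.category] !== true).map((c) => c.name);
}

// Run a tracker's loader only if its category is consented; returns whether it ran.
function loadIfConsented(record, category, loader) {
  if (record.state[category] !== true) return false;
  loader();
  return true;
}

// The consent log is append-only; the latest record is the effective one, and the
// history (accepted and rejected choices alike) is what demonstrates compliance.
function currentConsent(log) {
  if (log.length > 0) return log[log.length - 1];
  return { state: defaultConsent(), timestamp: null, policyVersion: POLICY_VERSION };
}

// Withdrawal is a new record with every non-essential category off, not an edit of an old one.
function withdrawConsent(log, now = new Date()) {
  const record = recordConsent({}, now);
  log.push(record);
  return record;
}

// Banner text generated from the audit: one line per category with name, provider and lifespan.
function bannerSummary() {
  return CATEGORIES.map((cat) => {
    const entries = COOKIE_AUDIT.filter((c) => c.category === cat);
    const described = entries.map(
      (c) => `${c.name} (${c.provider}, ${c.maxAgeDays ? c.maxAgeDays + " days" : "session"})`
    );
    return `${cat}: ${described.join(", ")}`;
  });
}

// Walk-through with a constructed user who accepts statistics only, then withdraws.
const consentLog = [];
consentLog.push(recordConsent({ statistics: true, marketing: false }, new Date("2024-06-01T10:00:00Z")));
const analyticsRan = loadIfConsented(currentConsent(consentLog), "statistics", () => {
  // In a browser this is where the analytics script would be injected.
});
console.log("analytics loaded:", analyticsRan, "allowed:", allowedCookies(currentConsent(consentLog)));
withdrawConsent(consentLog, new Date("2024-06-02T09:00:00Z"));
console.log("after withdrawal, clear:", cookiesToClear(currentConsent(consentLog)), "records:", consentLog.length);
```

The design choice worth noting is that the banner text and the gating decision both read from the same audit table, so a cookie added to the site without an audit entry has no category and is therefore never allowed; that is the failure mode the regular audits in the list above are meant to catch.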
Penalties for noncompliance with cookie laws
The consequences of noncompliance with cookie consent laws like the GDPR, CPRA, and other data privacy regulations can be severe and often include hefty fines.
- Under the EU’s GDPR, fines can reach up to EUR 20 million or 4 percent of a company’s global annual revenue from the preceding year, whichever is higher.
- The Netherlands allows fines up to EUR 900,000 or 1 to 10 percent of annual turnover.
- The UK is considering increasing its maximum cookie violation penalties to match GDPR levels of 4 percent of global turnover, or GBP 17.5 million.
- Brazil’s LGPD permits fines of up to 2 percent of a company’s in-country revenue from the prior fiscal year, capped at around BRL 50 million.
Lastly, reputational damage is another consequence. News of fines and legal actions can severely damage a company’s reputation and consumer trust. Consumers are increasingly aware of privacy issues and may avoid businesses that they don’t trust with their data or privacy rights.
How Cookiebot™ can help
The first step to becoming cookie-compliant is to conduct a comprehensive website cookie audit. This involves identifying, categorizing, and documenting all cookies and tracking technologies used on your website.
Cookiebot CMP automates this process. It frequently scans your website to detect all cookies and trackers being used, automatically categorizes them based on purpose (e.g., necessary, preferences, statistics, marketing), and generates a cookie declaration report you can use to stay updated.
Experience this for yourself, try Cookiebot™ for 14 days free of charge!
Frequently Asked Questions
Cookie laws are regulations that govern the use of cookies and similar tracking technologies on websites and apps. They generally require websites to provide clear notice about the use of cookies and usually require obtaining user consent before setting certain types of cookies, especially those used for tracking and targeted advertising purposes.
The EU cookie regulation, officially called the ePrivacy Directive, while not yet a strict regulation, requires websites to obtain consent from visitors before placing cookies or other tracking technologies on their devices to collect personal data. It mandates that websites provide clear information about the use of cookies and offer an easy way for users to refuse or withdraw consent for non-essential cookies.
The UK cookie law is the Data Protection Act 2018, which is the UK’s implementation of the EU’s GDPR and ePrivacy Directive. It requires websites to obtain informed consent from users before setting non-essential cookies, such as those used for analytics or marketing purposes.
Yes, the EU’s GDPR and ePrivacy Directive (the “cookie law”) require websites to have a cookie policy that informs users about all the different types and categories of cookies in use on the site, including their purpose, provider, duration, and other technical details.
To comply with cookie laws, websites must provide clear and comprehensive information about the types of cookies used and obtain explicit consent from users before setting non-essential cookies, such as those used for analytics or marketing purposes. Additionally, websites should offer users an easy way to manage their cookie preferences, including the ability to opt out or withdraw consent for specific cookie categories.
The penalties for non-compliance with cookie laws can be severe, including hefty fines imposed by data protection authorities. For example, under the EU’s GDPR, companies can face fines of up to EUR 20 million or 4 percent of their global annual turnover for violations related to cookie consent requirements.