Cookie Consent Outside of the EU

Written by John Lister (FreePrivacyPolicy Legal writer) and last updated on 29 March 2023.


Cookie consent requirements are certainly most prominent in the European Union. However, many non-EU countries have rules that could apply to your business.

In some cases, these may not be explicitly titled as "cookie rules" but could still cover cookies.

Here's what you need to know about rules that require or address cookie consent outside of the EU.

Getting consent to issue cookies can fall under two different types of law.

The first is laws that specifically address cookies, and the second is more general data privacy rules. These often cover personal data and define this as data relating to an identifiable individual.

The data you gather through cookies may appear to be anonymous but could identify an individual when combined with other cookies or data.

For example, you may collect three types of data:

  • Cookie data showing a user's interests or browsing activity
  • Cookie data showing a user's login details so they don't have to log in on future visits
  • Customer account data showing the user's name and address

If the customer account and login details are linked, and the two cookies are placed on the same computer, it becomes possible to connect the interests and browsing activity to the identifiable customer. This means both cookies would fall under the scope of privacy rules.

Many data privacy rules only let you process personal data in specific circumstances, which commonly include having user consent. Issuing and using cookies inherently involves collecting and using data. This means that many privacy laws have the indirect effect that you'll need user consent to issue a cookie.

How explicit this consent must be, and whether you can treat the user as consenting unless they specifically opt out, will depend on the relevant law.

European Union Rules Overview


Before we explore cookie consent outside of the European Union, let's quickly recap the EU rules. This is important as you may still be affected even if your business is based outside of the EU. Two sets of rules cover cookies in the EU.

General Data Protection Regulation (GDPR)

The GDPR applies if you are established in an EU country. It also applies if you are established outside the EU but offer goods or services to people in the EU, or monitor their behavior (for example by tracking them with cookies).

Broadly, the GDPR says processing personal data is only lawful in specific circumstances. One of these is that you have user consent.

Another lawful reason for processing is "legitimate interests." This applies if the processing is necessary for a genuine interest of your business (or of a third party) and that interest is not overridden by the person's rights and freedoms.

Some cookies may fall into this category, for example those which are necessary for core site functions such as a virtual shopping cart or making sure people only vote once in an online poll.

The ePrivacy Directive

The second set of rules covering cookies in the EU is the 2002 Privacy and Electronic Communications Directive, commonly known as the ePrivacy Directive. This sets out specific rules on certain aspects of online activity. It only applies where the user is in an EU country.

Most notably, the only cookies you can issue without consent are those classed as "strictly necessary." For any other cookies you need consent, which must be based on "clear and comprehensive information."

Because these rules are in the form of a directive, each country had to build them into its own national laws. This means the precise details have evolved and been clarified over time by regulator and court decisions. Some key decisions regarding consent include the following:

  • Consent must be active and you cannot rely on opt-outs
  • You cannot use a "cookie wall" where you block access to the site unless the user consents to cookies, other than strictly necessary ones
  • Simply scrolling down a page or browsing a site cannot be treated as a sign of consent
  • You cannot use pre-ticked checkboxes or toggles set to "consent" by default

At the time of writing, the European Union is considering a new regulation to replace the ePrivacy Directive, known as the ePrivacy Regulation. Because the new rules would be a regulation (rather than directive), they would take immediate legal effect once passed. Individual countries wouldn't have to pass new laws.

It's still possible the new regulation will not be passed by the EU, or that its measures change. However, the key proposed changes agreed so far include:

  • Sites could offer users a choice between paying to access part or all of a site, or getting free access in return for consenting to non-essential cookies. This wouldn't be allowed in most public authority/public service sites.
  • You can take indications of consent from browser settings, for example if a user has given blanket consent through a "whitelist" of sites.

Cookie Consent Rules in Other Countries

Although the United Kingdom has left the European Union, the terms of its departure mean many rules apply in the country until (and unless) it actively changes its national laws. This means that:

  • The rules of the ePrivacy Directive still apply. They are implemented in the UK's "Privacy and Electronic Communications Regulations" (PECR).
  • The rules of the GDPR still apply. They are formally known as the "UK General Data Protection Regulation" (UK GDPR).
  • The proposed ePrivacy Regulation would not take effect in the UK.

Cookie Consent Rules in the United States

Federal Laws

The U.S. does not have any federal laws covering cookies relating to adults. However, cookies do fall under the scope of the Children's Online Privacy Protection Act (COPPA). It applies if your website is aimed at people aged under 13. It also applies if you know that people aged under 13 use your site.

If COPPA applies you must:

  • Give parents direct notice of what personal information you collect from children and how you use it
  • Get verifiable parental consent before collecting personal information from a child, which means verifying that the person giving consent really is the parent or guardian

The definition of personal information includes "persistent identifiers," meaning cookies. The only exception is if the cookie itself doesn't contain any other personal information and you use it only for "support for the internal operations" of your website.

These points combine to mean that if COPPA applies to your website, there's no practical way to lawfully use most cookies, including tracking cookies.

Here's how Paramount uses its Privacy Policy to explain when it does and does not use cookies on sites aimed at children:

Paramount Privacy Policy: The purpose for which we use cookies clause

State Laws

Five states have notable data privacy laws either in effect or taking effect by the end of 2023. They mainly apply to businesses that process personal data about a lot of people in a state or make most of their revenue from data sales. In some cases, they also apply to businesses with very high revenues.

None of the laws require opt-in consent simply to set cookies. Most require you to offer an opt-out from selling personal data or using it for targeted advertising or profiling, and Colorado, Connecticut and Virginia require opt-in consent before you process sensitive data. All of the laws say you must inform users about personal data processing, including through cookies, though this can be through a Privacy Policy.

Here are some specific points from the individual laws:

California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA)

Under the CCPA/CPRA, you must let users opt out of you selling or sharing personal data (including that collected through cookies), and let them tell you to limit your use of sensitive personal data. You must have a clear link on your home page (such as "Do Not Sell or Share My Personal Information") to the page where users exercise these rights.

Colorado Privacy Act

You must let users opt out of you selling personal data or using it for targeted advertising or profiling. You must get opt-in consent before processing sensitive data.

Connecticut Data Privacy Act

You must list the purpose or purposes for which you process data. This could be in your Privacy Policy.

You must let users opt out of you selling personal data (including that collected through cookies) or using it for targeted advertising or profiling. You must get opt-in consent before processing sensitive data. You must have a dedicated page for exercising these rights and link to it from your home page.

Utah Consumer Privacy Act (UCPA)

Under the UCPA:

  • You must list the purpose or purposes for which you process data. This could be in your Privacy Policy.
  • You must specifically tell users if you sell their personal data or use it for targeted advertising, and let them opt out.
  • You must specifically tell users before collecting sensitive personal data and give them an opportunity to opt out of processing.

Virginia's Consumer Data Protection Act (CDPA)

Under the CDPA, you must give a purpose for collecting data and only use it for this purpose. This could mean detailing the different types of cookies that you use.

You must let users opt out of you selling personal data or using it for targeted advertising or profiling. You must get opt-in consent before processing sensitive data.

Cookie Consent Rules in Canada

Most businesses in Canada are covered by the Personal Information Protection and Electronic Documents Act (PIPEDA) unless they are already covered by a local or industry-specific law with similar effects. Among the key measures of PIPEDA are that processing personal data usually requires the knowledge and consent of the data subject.

The Office of the Privacy Commissioner of Canada has issued guidance on how PIPEDA applies with cookies relating to online behavioral advertising:

  • Cookies can count as personal information when they can be connected with other data to identify an individual. Tracking cookies will usually meet this threshold.
  • Opt-out consent could be valid for these cookies as long as you make users aware of them, ideally before you collect any information. You should use a clear message such as a banner rather than simply detail the cookies in a Privacy Policy. You cannot use opt-out consent for tracking cookies if exercising the opt-out makes a service unusable.
  • Opt-in consent is required for sensitive personal information. This means you must get consent before issuing any cookie that collects such information.
  • You shouldn't use tracking cookies on sites aimed at children as it's difficult to be sure you have meaningful consent.

CBC uses a banner that explains it uses cookies and links to further details, but does not request consent:

CBC cookie consent notice

This is valid as it does not use sensitive personal information.

Cookie Consent Rules in Australia

Australia's Privacy Act applies to most government agencies, organizations with an annual turnover of more than $3 million AUD, and organizations in certain categories such as health services and credit reporting. It doesn't usually apply to organizations with no link to Australia.

Broadly the law says you only require consent to collect personal information classed as sensitive. This covers characteristics such as racial origin, health, political or religious views and sexual orientation among others.

However, you must inform users about all data collection, even when you don't require their consent. This can be in a Privacy Policy rather than a banner.

In other words:

  • If a cookie collects sensitive personal information, you'll need a cookie banner or similar measure to get consent.
  • If a cookie only collects ordinary personal information, a cookie banner is not legally required, though could still be useful as information.

Direct Marketing

You must have explicit consent to use sensitive personal information (including that gathered through cookies) for direct marketing.

You can use ordinary personal information (including that gathered through cookies) for direct marketing as long as you collected the data from the individual, you provide a simple opt-out mechanism and the individual has not used it.

Cookie Consent Rules in Brazil

Most use of personal data in Brazil falls under the scope of the Lei Geral de Proteção de Dados Pessoais (LGPD). This applies when the data subject, the data collection or the data processing is in Brazil, or if the data processing relates to offering goods or services in Brazil. This means the LGPD can apply to businesses outside the country.

The LGPD's main principles and measures are very similar to those of Europe's GDPR, most notably that processing is only lawful in specific circumstances, including that you have consent or the processing is necessary for legitimate interests.

In practice, you can only use cookies without prior consent when those cookies are "strictly necessary," for example to make the site functional.

For any other cookies, you'll need informed consent. This will normally involve a cookie banner that details what the cookies do and lets the user clearly indicate their choice to give or decline consent.

CAIXA uses a cookie banner and consent menu. It is set to only have consent for "required" cookies by default:

CAIXA cookie consent notice

This means the user must actively give consent before it issues other cookies, such as those used for tracking.
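The opt-in default that CAIXA's banner shows, and the opt-out model that some of the non-EU laws described above permit for ordinary personal data, can both be expressed as a small server-side consent gate. The following is an added example written for this page; it is not CAIXA's code or any vendor's consent tool. The cookie categories, the regime and action names, and the sample cookies are all hypothetical, constructed for the demonstration. The gate defaults non-essential cookies to denied under an opt-in regime and to allowed under an opt-out regime, refuses to treat scrolling or an already-set control as consent, and always requires an explicit grant before a cookie carrying sensitive data is issued.

```javascript
// Added example for this page (not CAIXA's or any vendor's code). Category names,
// regime names, action names and the sample cookies below are hypothetical.

const NON_ESSENTIAL = ["functional", "analytics", "advertising"];

// Consent state before the user has made any choice.
//   "opt-in":  only strictly necessary cookies until the user actively agrees
//              (the ePrivacy / LGPD model).
//   "opt-out": non-essential cookies allowed until the user objects (the model some
//              non-EU laws permit for ordinary personal data).
// Each choice records whether it came from an explicit user act, because cookies
// carrying sensitive data need opt-in consent even under an opt-out regime.
function defaultConsent(regime) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error("unknown consent regime: " + regime);
  }
  const choices = {};
  for (const category of NON_ESSENTIAL) {
    choices[category] = { granted: regime === "opt-out", explicit: false };
  }
  return { regime, choices };
}

// Only an explicit act by the user counts as granting consent. Scrolling, continuing
// to browse, or a control that was already ticked are rejected rather than silently
// recorded. Withdrawing consent needs no such check.
const CONSENT_ACTIONS = new Set(["click", "toggle", "submit"]);

function recordChoice(state, category, granted, action) {
  if (!NON_ESSENTIAL.includes(category)) {
    throw new Error("unknown cookie category: " + category);
  }
  if (granted && !CONSENT_ACTIONS.has(action)) {
    throw new Error("consent must come from an explicit user action, got: " + action);
  }
  // Return a new state; the previous one is left untouched.
  return {
    regime: state.regime,
    choices: { ...state.choices, [category]: { granted, explicit: true } },
  };
}

// Decide whether one cookie may be issued under the current state.
// Strictly necessary cookies never need consent; anything else needs a granted
// choice, and a cookie marked sensitive needs a choice the user made explicitly.
function mayIssue(state, cookie) {
  if (cookie.category === "necessary") return true;
  const choice = state.choices[cookie.category];
  if (!choice || !choice.granted) return false; // unknown category fails closed
  if (cookie.sensitive && !choice.explicit) return false;
  return true;
}

// Build Set-Cookie header values for the cookies that pass the gate.
function setCookieHeaders(state, cookies) {
  return cookies.filter((c) => mayIssue(state, c)).map((c) => {
    const attrs = [`${c.name}=${encodeURIComponent(c.value)}`, "Path=/", "Secure", "SameSite=Lax"];
    if (c.httpOnly) attrs.push("HttpOnly");
    if (c.maxAge) attrs.push(`Max-Age=${c.maxAge}`);
    return attrs.join("; ");
  });
}

// Constructed sample cookies: a session cookie and a cart cookie (strictly necessary),
// an analytics cookie, an advertising cookie, and an advertising cookie that would
// carry sensitive data (a health-related audience segment).
const SAMPLE_COOKIES = [
  { name: "sid", value: "a1b2c3", category: "necessary", httpOnly: true },
  { name: "cart", value: "3 items", category: "necessary" },
  { name: "_an", value: "v1.1234", category: "analytics", maxAge: 63072000 },
  { name: "ad_id", value: "x9", category: "advertising", maxAge: 31536000 },
  { name: "health_seg", value: "h7", category: "advertising", sensitive: true },
];

// Names of the cookies that would actually be issued, for inspecting the effect.
function issuedNames(state, cookies = SAMPLE_COOKIES) {
  return setCookieHeaders(state, cookies).map((h) => h.split("=")[0]);
}

// Opt-in site, first visit: only "sid" and "cart".
console.log(issuedNames(defaultConsent("opt-in")));
// Opt-out site, first visit: "sid", "cart", "_an", "ad_id"; "health_seg" is held back.
console.log(issuedNames(defaultConsent("opt-out")));
```

The state is immutable so a consent record can be stored and replayed per request; in a real deployment it would be persisted in its own strictly necessary cookie and the regime chosen per jurisdiction, both of which are outside what this example shows.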

Cookie Consent Rules in South Africa

Privacy in South Africa is covered by the Protection of Personal Information (POPI) Act. It generally applies to the processing of personal information about somebody in South Africa (regardless of the processor's location) and to processing by an organization based in South Africa (regardless of the data subject's location).

Some of the key principles of the POPI Act are:

  • You must get prior consent to process personal data
  • You must give a specific purpose for processing the data
  • You must only collect the minimum amount of data to serve this purpose
  • You cannot process the data for another purpose without fresh consent

The enforcement of the POPI Act began many years after the law was passed and some interpretations of the law are still developing. The way it practically applies to cookies has yet to be tested by rulings or challenged in court.

At the moment the safest interpretation is:

  • Any cookies other than strictly necessary/functional ones require consent
  • You must give a clear explanation of what data you'll collect and how you'll use it
  • The safest way to comply with this is a clear cookie banner that lets users easily give or refuse consent for different types of cookie

Summary

Let's recap what you need to know about cookie consent outside the EU.

Cookie consent can be covered by laws that specifically mention cookies and by some more general data privacy laws. That's because data gathered through cookies can be combined with other information to identify an individual.

Cookie consent laws usually don't cover "strictly necessary" cookies that are required for the site to work properly and provide core functions.

The most prominent cookie consent laws are in the European Union, notably the GDPR and the ePrivacy Directive. These can both affect businesses in other countries. The GDPR and ePrivacy Directive are both mirrored in national laws in the United Kingdom.

The U.S. federal COPPA law means you must have parental consent for cookies if your site is aimed at under 13s or you know under 13s use it. Because you must verify the parent or guardian's identity, it's usually impractical to use non-essential cookies on such sites.

  • Five states (California, Colorado, Connecticut, Utah and Virginia) have data privacy laws. The precise details vary, but you usually need to inform users about your cookies. Depending on the state, you must have consent to sell data collected through cookies or use it for targeted advertising or profiling. However, this consent can work on an opt-out basis, meaning you can assume consent until the user tells you otherwise. Colorado, Connecticut and Virginia additionally require opt-in consent before you process sensitive data.
  • Canada's PIPEDA means you can use opt-out consent for most cookies but should tell users before you issue the cookie. You must use opt-in consent for sensitive personal data so must not issue cookies that collect such data until you have the user's consent.
  • Australia's federal Privacy Act requires opt-in consent (for example, through a cookie banner) to collect sensitive data, plus specific consent to use this sensitive data for marketing. For non-sensitive personal data you don't need consent but must tell the user. This can be through a Privacy Policy.
  • Brazil's LGPD effectively requires informed consent to collect personal data, including through cookies. This means a cookie banner or similar measure. The legitimate interests justification, which doesn't require consent, will normally only cover "strictly necessary" cookies.
  • South Africa's POPI Act requires consent and a specific purpose to collect personal data. Enforcement and interpretations of the law are still evolving. For now the safest reading of the law is that you need a cookie banner or similar measure, breaking down by specific types of cookie.