Data privacy laws exist around the world and often directly impact how websites use cookies.
Under laws like the ePrivacy Directive (or EU Cookie Law) in Europe, state-level U.S. privacy laws, and the UK Data Privacy Act of 2018, websites must obtain consent from visitors before placing cookies on their browsers and respect their privacy rights.
In this guide, I explain EU, U.S., and UK cookie laws and provide insights into how to set up proper consent management. You can also align your site with cookie requirements using Termly’s Cookie Consent Manager.
Termly is an easy-to-use solution for global cookie consent management and data privacy compliance.
We know that keeping up with complex data privacy laws can be confusing and time-consuming; that’s why we do the hard work for you!
What Laws Impact Cookies in the EU?
Two laws make up the framework for consumer data privacy protection in Europe, impacting how websites use cookies:
- General Data Protection Regulation (GDPR): Requires websites to meet various requirements to legally collect, process, and use personal data, including data gathered through the deployment and use of internet cookies.
- ePrivacy Directive (EU Cookie Law): Requires websites to get consent from users before storing, using, or retrieving their personal information through internet cookies or any other tracking technology.
The EU Cookie Law was the first law that required sites to obtain prior consent from EU-based users before activating trackers and cookies to process their data. It got its name because it explicitly includes internet cookies within the scope of personal information.
The ePrivacy Directive and the GDPR make up what is known as the strictest privacy framework in the world.
The EU cookie law requires you to:
- Refrain from placing trackers and cookies on users’ browsers until they’ve given their consent for you to do so
- Ask users for consent to all trackers and cookies on your site
- Give users detailed information about all trackers and cookies on your site
The GDPR requires you to:
- Inform users that you want to collect their data
- Obtain explicit consent from users before deploying cookies on browsers
- Give users the ability to withdraw or opt out of consent as easily as they can opt in
Local member state governments determine the penalties for noncompliance under the EU Cookie Law, so fines and punishment may vary depending on your location.
Under the GDPR, fines depend on the severity of the violation, but can range from 2% to 4% of your gross annual income, or up to €10 million ($12 million) to €20 million ($22 million), whichever is higher.
Fortunately, you can use Termly’s Cookie Consent Manager to easily align your website with the GDPR and EU cookie law requirements.
What Laws Impact Cookies in the U.S.?
While there is no federal cookie law in the US, several states now have laws in place impacting how businesses use and deploy internet cookies.
For example, the following states have privacy laws that are currently in effect:
- California Consumer Privacy Act (CCPA)
- Colorado Privacy Act (CPA)
- Connecticut Data Privacy Act (CTDPA)
- Delaware Personal Data Privacy Act (DPDPA)
- Florida Digital Bill of Rights (FDBR)
- Iowa Consumer Data Protection Act (Iowa CDPA)
- Montana Consumer Data Privacy Act (MCDPA)
- Nebraska Data Privacy Act (NDPA)
- New Hampshire Data Privacy Law (NHDPL)
- New Jersey Data Privacy Act (NJDPA)
- Oregon Consumer Privacy Act (OCPA)
- Utah Consumer Privacy Act (UCPA)
- Virginia Consumer Data Protection Act (VCDPA)
Like the EU cookie law, these laws regulate how you use cookies to access and gather consumers’ personal information.
Most of these U.S. state laws grant consumers some or all of the following rights:
- To know what information companies are collecting about them
- To know if companies are selling or disclosing their information and to whom
- To opt out of the sale or sharing of their personal information (or opt in if between 13 and 16 years old)
- To equal price and service, even if they decide to exercise their privacy rights
- To delete and access personal information
To align with these requirements, you need to use and regulate internet cookies in certain ways, for example:
- State if the data you get from cookies is sold or shared with third parties
- Explain that consumers have the right to opt out from non-essential cookies
- Provide consumers with an easy way to follow through on their opt-out rights
You should also link to an easy-to-read cookie policy that users can refer to whenever they opt in or out of cookies.
Additionally, these state laws require you to respond to customer requests about the following within a timely manner:
- What information you collect through cookies and trackers
- Which parts of your site use cookies
- Whether you sell the information collected through cookies and for what purpose
- Whether there are any third-party recipients of the information you’ve collected
What Laws Impact Cookies in the UK?
In the UK, the law that impacts cookies is the Data Protection Act 2018, also referred to as the UK GDPR and ePrivacy Directive.
The UK laws are very similar to their European counterparts but account for the UK’s withdrawal from the EU. They affect how you obtain, store, and use cookies with UK visitors.
The Data Protection Act 2018 has four sections, each of which creates a different data protection regime:
- Part one is based on the GDPR. It tailors the GDPR into domestic UK law.
- Part two extends the GDPR and modifies it to fit into UK law.
- Part three creates a new privacy regime for law enforcement.
- Part four creates a new regime for UK intelligence services.
Most of the Data Protection Act’s provisions about cookies are similar to what we see in the GDPR and the EU cookie law.
As with the GDPR and the EU cookie law, the UK’s Data Protection Act requires you to:
- Obtain consumers’ explicit consent before processing their personal data.
- Give consumers the right to correct inaccurate information about them.
- Allow them to change their minds easily at any time.
It also has similar penalties for noncompliance, with violations leading to fines of up to £17.5 million or 4% of annual global turnover.
Termly’s CMP can also help align your website with the UK Data Protection Act 2018 because it supports regional consent settings.
EU, US, and UK Cookie Laws: FAQs
To wrap up, I’ll briefly answer some frequently asked questions we get about cookie laws.
Does the GDPR or the EU cookie law apply to US websites?
Yes, non-US cookie regulations may also apply to US websites.
For example, the General Data Protection Regulation (GDPR) applies to all businesses that market to EEA consumers. US websites that have non-US visitors may need to evaluate where their users are based to understand which cookie laws they need to follow.
Is there a cookie law in Canada?
No, Canada does not have a specific cookie law. However, it regulates cookie usage through anti-spam and privacy laws such as PIPEDA.