Cookies are tiny files that websites store on visitors’ computers. These files can serve many purposes, such as keeping users logged into a website and tracking their behavior across the internet.
Although internet cookies are usually harmless, they can also allow websites to invade their visitors’ privacy. Understandably, many governments worldwide have released new laws to regulate the use of cookies online.
For example, the European Union and the state of California have both instituted rules that require websites to clearly explain how they use cookies and give users the ability to opt out. If your organization has a website, you’re probably required to comply with these laws.
In this guide, you’ll learn what cookie compliance is, the laws that require it, the consequences for noncompliance, and techniques and tools for keeping your website completely cookie compliant.
What Is Cookie Compliance?
Cookie compliance is the process of making sure you use cookies only in ways permitted by the ePrivacy Directive (EU Cookie Law), EU General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and any other applicable privacy law.
To be cookie compliant, you need to carefully monitor how your website uses cookies and clearly inform visitors about the cookies the site intends to use.
The regulations mentioned above offer general best practices explaining how to use cookies in a privacy-compliant way. However, you have some leeway within those laws to decide how you’ll keep your website in compliance — and that’s where things can become complicated.
Which Laws Require Cookie Compliance?
The major laws and regulations that require cookie compliance are the GDPR, ePrivacy Directive, and the CCPA. However, their requirements aren’t identical, and you may need to adjust your cookie practices in order to comply with them. Below, you’ll learn what each regulation demands and what you need to do about it.
GDPR and ePrivacy Directive
The General Data Protection Regulation (GDPR) is the most comprehensive data protection legislation that any governing body has passed to this point. However, it only mentions cookies directly once, in Recital 30.
The ePrivacy Directive (EPD) was amended in 2009 and since then has become known as the “cookie law.”
The most notable effect of the cookie law was the proliferation of cookie consent popups. In addition, it supplements (and in some cases, overrides) the GDPR, addressing essential characteristics of the confidentiality of electronic communications and the broad tracking of internet users.
In combination, the GDPR and the ePrivacy Directive cover more than just cookies. However, to the average internet user, the most obvious impact of the regulations is how they affect companies that use cookies.
First, they split cookies into several categories:
- Strictly necessary cookies, or those that keep the user logged into the site or maintain the user’s shopping cart contents
- Preference or functional cookies, such as those that track preferred languages over different browsing sessions
- Statistics cookies that track how visitors use a website to improve its performance
- Marketing cookies that allow advertisers to display targeted ads
Beyond that, the regulations require websites to:
- Use nothing but strictly necessary cookies until the site acquires specific user consent to do otherwise
- Clearly explain the purpose and use of each cookie before the user can consent
- Maintain accurate records about user cookie consent
- Permit access to content regardless of cookie consent
- Provide easy cookie consent withdrawal to all users
Failing to accomplish any of these tasks means you’re failing to comply with the EU laws, whether or not you’re actually an EU-based organization.
The GDPR and ePrivacy Directive apply to businesses inside and outside the EU, UK, Norway, Island, Lichtenstein, and Switzerland. According to Article 3 of the GDPR: the GDPR applies to all businesses in the EU that process personal data.
It also applies to companies outside the EU that either:
- Offer goods or services of any kind to people in the EU
- Monitor the behavior of anyone in the EU
If you meet any of those criteria, you need to follow all the strict guidelines for EU cookie compliance or face penalties.
CCPA
The California Consumer Privacy Act went into effect in 2020, and it was significantly expanded by the California Privacy Rights Act in 2021.
Like the GDPR, these acts cover more than just cookies. However, they include significant provisions that regulate how businesses can use cookies to track California residents.
The CCPA’s requirements are relatively similar to those of the GDPR — websites must:
- Provide detailed information about what and why cookies are used and what is done with cookie data
- Make it easy for users to opt-out of cookies
- Provide an easy way for users who are minors to withdraw their consent for specific cookies
There’s one additional requirement that deviates from the GDPR:
Websites must offer a clear “Do Not Sell My Personal Information” and “Do Not Share My Personal Information” button to allow the user to prevent the sale or sharing of their personal data.
As a result, the site must create a way to track which users have opted out of data sales and data sharing.
Finally, under the CCPA, sites need to offer users an equally convenient way to withdraw their consent should they change their minds.
This means implementing an additional opt-out service that can be easily found, often by placing a link at the bottom of the page. It should allow users to opt out from the selling — or sharing — of their data through cookies by opting out of specific cookie categories, e.g., advertising cookies or analytics cookies, so they are not set on user’s devices.
As with the GDPR, the CCPA, as written, applies to all companies that target residents of the state and fulfill certain thresholds. Therefore, even if your company is not located within California, it may need to be CCPA compliant if they have any traffic from the state.
Types of Cookie Compliance
If you need to be cookie compliant, there are three methods to choose from. These cookie compliance solutions are suited to different use cases depending on the cookies involved.
Opt-out Compliance
With opt-out compliance, you inform users that you’ll be using cookies and present them with the option to learn more about the process. If they choose to learn more, they can select the cookies they want to keep and opt out of the rest.
This method must be used carefully, as it is compliant with the CCPA but not necessarily with the GDPR since it places cookies on the user’s device without their prior consent.
Opt-in Compliance
Opt-in cookie compliance is slightly different.
An opt-in notice will offer users two buttons: one that accepts all cookies and one that denies them. The users must actively check a box to confirm that they accept the cookies.
Furthermore, opt-in cookie compliance doesn’t allow websites to drop cookies or gather data on users before they explicitly consent to do so.
This method is compliant with the GDPR and CCPA (when a website collects data from minors).
Cookie Notice Without Opt-in or Opt-out Options
With this method, you provide a clear explanation of the cookies your site uses and inform the visitor that — by using the site — they accept those cookies.
The user doesn’t have the ability to opt out of those cookies. As a result, this method is not compliant with the GDPR or the CCPA.
What Are the Consequences of Noncompliance?
Noncompliance with the above privacy laws has different consequences depending on where you live. For example, if you’re not in the EU or California, you’re not directly under the jurisdiction of those laws.
Failing to comply with the CCPA and GDPR only affects you if you target customers in those areas or meet certain threshold requirements.
Here are two examples to better paint the picture:
Suppose you operate a restaurant in Idaho. Your website targets locals to encourage them to place an order or make a reservation. In that case, you probably don’t need to comply with either the CCPA or the GDPR because you’re not targeting users in the EU or California or tracking their information.
In contrast, imagine you run a news site based in New York and run any articles that could target traffic from the EU or California.
In that case, you have two options:
You can either block traffic from those locations to make sure you’re not accidentally processing their information or comply with the relevant laws.
GDPR Consequences
If these regulations apply to you, the consequences for noncompliance can be steep. The GDPR carries significant fines, so depending on the type of violation, you could face:
- Fines of up to 20 million euros
- Fines equaling up to 2% to 4% of your company’s worldwide annual revenue from the preceding financial year
The regulation states that you will be fined whichever amount is higher, with more severe allegations resulting in greater fines.
Even minor violations can lead to fines of thousands of euros and reputational risks.
CCPA Consequences
The CCPA also imposes dramatic fines.
Instances of noncompliance can lead to fines of $2,500 per violation for unintentional violations.
Intentional violations can lead to fines of $7,500 per incident. That means that each customer whose information is processed or stored in violation of the CCPA adds at least $2,500 to the fine total.
In addition, if you’re in violation of the CCPA and expose your visitors to a data breach, each affected individual has grounds to sue your organization for up to $750 or their actual damages, whichever is higher.
If you’re in any doubt about becoming cookie compliant, it’s safer to take steps to follow the laws than to risk it.
How To Achieve Cookie Compliance
Once you’ve determined the type of cookie compliance that fits your needs, you can take steps to implement it. The basic process is similar for all three varieties.
To be cookie compliant, you need to make sure you’re receiving consent before using cookies (GDPR), or you need to implement an easy opt-out mechanism (CCPA).
The GDPR opt-in consent must be:
- Acquired before the use of anything but essential cookies
- Freely given by the visitor, without being required before they are granted access to services or content
- Clearly documented and stored for the future reference
- Renewed to ensure that the visitor continues to consent to cookies
This means you need to collect consent through a clearly written cookie banner before you save a single nonessential cookie on a visitor’s computer.
Furthermore, to be completely GDPR compliant regarding cookies, you’re required to meet three criteria:
- You display a cookie consent banner with simple language on your website.
- You store all cookie consent information in a secure database.
- You make it easy for visitors to withdraw that consent.
Audit Your Website
If you’re not sure whether you’re cookie compliant, you need to audit your website.
- First, scan your site to find every cookie it attempts to save to a computer. You can read our guide on performing cookie audits to learn more about this.
- Once you’ve identified all the cookies your site uses, you need to set up a cookie consent banner and cookie blocker. You can program your own banner or work with a banner tool that will collect consent on your behalf.
- Finally, you’ll need to write and post your cookie policy and update it regularly.
Automated Cookie Compliance Tools
You don’t have to manage your cookie compliance alone. You can use cookie compliance tools to streamline the process and monitor your cookies with less of a hassle. A great cookie compliance solution will help you:
- Create a cookie policy
- Display a personalized cookie banner that matches your site’s design
- Adjust both the policy and the banner to be displayed in visitors’ preferred languages
- Record and save user preferences for the future
- Automatically categorize the cookies your site offers into GDPR types
- Block cookies from your site depending on your users’ preferences
With all of these features in place, you don’t have to think about your cookies at all. Instead, you can trust your cookie manager to handle it all for you.
Our cookie consent manager lets you track all of your cookies in one place and keep your cookie notice up to date at all times.
Ensure Cookie Compliance Using Termly
Step 1: Enter your website URL into the scanner below
Step 2: We’ll scan your site and categorize the majority of your cookies
Step 3: We’ll generate your cookie policy & customizable cookie banner
Cookie Compliance Infographic
Summary
Cookie compliance is vital if you have any potential California or EU customers. Maintaining compliance with laws like the GDPR and CCPA protects your users from data breaches and privacy invasions and helps you avoid fines for noncompliance.
More about the author
Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author
