Cookie Law Guide for Businesses: EU, US, and the UK

Covered by Termly

By: Masha Komnenic CIPP/E, CIPM, CIPT, FIP Masha Komnenic CIPP/E, CIPM, CIPT, FIP | Updated on: February 21, 2022

Use Termly For ePrivacy
Cookie-Law-Guide-for-Businesses-EU-US-and-the-UK-01

The ePrivacy Directive, also known as the European Union (EU) cookie law, is a piece of privacy legislation that requires sites to obtain consent from visitors before retrieving or storing their personal information.

Its purpose is to protect privacy rights by giving consumers the right to say “no” if a company wants to collect, store, and use their information.

Read on to learn more cookie law info and how you can ensure proper compliance with cookie requirements. First, we’ll go through the EU cookie law — and who needs to comply with it — then we’ll cover any similar cookie laws in the US and UK.

Table of Contents
  1. What Is the EU Cookie Law?
  2. How to Comply With the Cookie Law
  3. Penalties for Noncompliance With Cookie Law
  4. Is There a Cookie Law in the US?
  5. Is There a UK Cookie Law?
  6. Cookie Law FAQs
  7. Summary

The European cookie law or EU cookie law is a nickname for the EU’s ePrivacy Directive: a piece of legislation that requires websites to get consent from users before storing, using, or retrieving their personal information.

The ePrivacy Directive was the first law that required sites to obtain prior consent from EU-based users before activating trackers and cookies to process their data. Together with the General Data Protection Regulation (GDPR), the ePrivacy Directive makes up one of the strictest privacy regimes in the world.

What Are the Requirements of the EU Cookie Law?

The EU cookie law requires you to:

  • Refrain from placing trackers and cookies on users’ browsers until they’ve given their consent for you to do so
  • Ask users for consent to all trackers and cookies on your site
  • Give users detailed information about all trackers and cookies on your site
  • Give users the ability to withdraw or opt out of consent as easily as they can opt in

The cookie law only requires you to do this for non-essential cookies like advertising cookies and social media cookies. You don’t need to follow these rules for essential cookies, which are the types of website cookies that are either:

  • Necessary to provide an online service, such as your website or service on your website
  • Used solely to facilitate or carry out the transmission of communications over a network

You should also keep in mind that the cookie law isn’t just for cookies. Despite its nickname, the ePrivacy Directive is meant to apply to every type of technology that you can use to store and process user information. That’s why it doesn’t name any technology explicitly — it wants to encompass all of these technologies, including technologies that haven’t been created yet.

It’s only referred to as the EU cookie law because cookies are currently the most common technology for storing user information on personal devices.

Who Needs to Comply With the Cookie Law?

The EU cookie law applies to every website with visitors from the EU, regardless of where your business is located. This means that you must comply with the EU cookie law if:

  • Your website uses cookies
  • You process and store the data of EU citizens

Furthermore, to cover your bases, you should also follow the EU cookie rules even if you don’t have any EU visitors since you may receive traffic from the EU in the future.

There are three ways you can comply with the EU cookie law:

Use a Managed Solution

This is the easiest method because there are many tools and applications that you can use to comply with the EU cookie law automatically.

For example, our Cookie Consent Manager will help you:

  • Ensure that users only have cookies on their browsers that they consented to
  • Detect, categorize, and block scripts from running based on users’ unique cookie settings
  • Create a cookie policy tailored to your business
  • Collect user consent through fully customized cookie banners in the language depending on each users’ location

Besides helping you comply with the EU cookie law, our tool can also help you comply with other data privacy laws such as the GDPR and the CCPA.

Manual Option

If you don’t want to use a managed solution, you can choose to perform all of the above functions of our cookie manager manually. However, this route is a much more time-consuming method, and you should only try it if you are well versed in data privacy laws and have the technical capabilities. You can use our website cookie scanner to at least lighten some of your burden.

Don’t Use Cookies at All

Finally, you can choose not to use cookies at all. However, if your site uses more than just static HTML, it can be challenging to not use cookies. You may have to sacrifice certain functions such as comments or embedded videos.

The EU cookie law leaves penalties to be decided by local governments. As such, penalties for not complying with the cookie law will vary depending on your location.

Generally, most local regulators take the following actions if you fail to comply with the cookie law:

Request for information

Your local regulator will ask you to provide additional information, including:

  • Links to your cookie information section in your Terms and Conditions and cookie policy
  • Types of cookies that your site uses
  • Anything else that can help them determine whether you’re in compliance

Request for changes

If your regulator determines that your website isn’t compliant, they will probably ask you to make it compliant. Use one of the methods covered above to do this.

Enforcement

If you fail to comply with the EU cookie law after the request for changes, your local regulator will list out specific actions that you need to complete within a certain timeframe. If you don’t comply, you could potentially face criminal charges and fines.

Fines vary depending on your jurisdiction and the severity of your violations, but they can go up to hundreds of millions. For example, France recently fined Google a whopping $169 million and Facebook $67 million for requiring too many clicks for users to opt out of cookies.

No, there is not a cookie law in the US. However, some states have laws that regulate cookie usage as it relates to their residents, like the California Consumer Privacy Act (CCPA).

Comply With the US Cookie Regulations For Free Using Termly

Step 1: Enter your website URL into the scanner below

Step 2: We’ll scan your site and categorize the majority of your cookies

Step 3: We’ll generate your cookie policy & customizable cookie banner

The CCPA or “California Cookie Law”

The California Consumer Privacy Act (CCPA) is one of the strictest laws that govern website cookies in the US. Like the EU cookie law, it regulates how you use cookies to access and gather consumers’ personal information.

The goal of the CCPA is to give Californian consumers the following rights:

  1. To know what information companies are collecting about them
  2. To know if companies are selling or disclosing their information and to whom
  3. To opt out or say “no” to the sale of their personal information (or opt in if between 13 and 16 years old)
  4. To equal price and service, even if they decide to exercise their privacy rights
  5. To delete and access personal information

As such, you need to use and regulate cookies in a certain way to comply with the CCPA.

Specifically, the CCPA explicitly requires you to acknowledge:

  • If the data you get from cookies is sold or shared with third parties
  • That consumers have the right to opt out from non-essential cookies

You must also create an easy-to-read cookie policy that users can use whenever they opt in or opt out of cookies.

Additionally, you need to respond to customer requests about the following within 45 days upon “verifiable request”:

  • What information you collect through cookies and trackers
  • Which parts of your site use cookies
  • Whether you sell the information collected through cookies and for what purpose
  • Whether there are any third-party recipients of the information you’ve collected

Similar to the EU cookie law, the CCPA applies to all cookies except essential cookies.

Who does the CCPA apply to?

According to section 9 of the CCPA, every “business” that collects Californian consumers’ data is subject to CCPA compliance. The CCPA defines “business” as any for-profit entity that collects Californian consumers’ data and meets at least one of the following:

  • It makes 50% or more of its annual revenue from selling Californian consumers’ personal information.
  • It makes over $25 million in annual gross revenue.
  • It annually buys, sells, receives, or shares the personal information of 50,000 or more Californian consumers, devices, or households for commercial purposes.

Preparing for the California Privacy Rights Act (CPRA)

The CCPA will be replaced by the California Privacy Rights Act (CPRA) on January 1, 2023. This new law expands the types of data protected and gives new rights to consumers, including:

  • The right to rectification, allowing consumers to correct inaccurate information companies have collected from them.
  • Consumers will also have the right to restriction, which gives consumers the ability to limit the use and disclosure of sensitive personal information.

Since it’s stricter than the CCPA and will be coming into effect quite soon, you need to start preparing for CPRA compliance.

For example, you should start changing “selling information” to “sharing and selling information” in your cookie notifications since the CPRA covers sharing and selling information.

Possible Wisconsin Cookie Law

Wisconsin currently doesn’t have a cookie law or cookie consent law, but it may soon.

On February 10, 2020, Wisconsin introduced a trio of privacy laws modeled after the GDPR. These new bills — Assembly Bills (AB) 870, 871, and 872 — will constitute the Wisconsin Data Privacy Act.

Wisconsin’s data privacy and cookies law will impose significant obligations on businesses. The Wisconsin Attorney General will enforce this new law, and it could result in penalties up to 4% of the offending entity’s total annual revenue or $20,000,000, whichever is greater.

Like the CCPA, this law will apply to any company that deals with the personal information of individuals who live in Wisconsin. However, unlike the CCPA, it applies to a much wider range of individuals and companies.

For example, it applies to all “controllers,” defined as people who determine the means and purposes of processing personal data alone or jointly with others.

This potential Wisconsin cookie law has an expansive definition of “personal data,” which it defines as any information relating to a consumer that allows the consumer to be indirectly or directly identified, including by reference to identifiers such as location, online identifiers, and location data.

This means that cookies and trackers are included under its definition.

It also has strict GDPR-like requirements that no other US cookie law has. For example, according to AB 872, every controller must meet the following criteria before using cookies and trackers to process consumers’ personal data:

  • Conduct the data processing for a purpose that the consumer consents to through explicit affirmative action or a statement
  • Obtain consent that is freely given (i.e., not coerced), unambiguous, and informed
  • Allow the consumer to withdraw their consent as easily as they can give it
  • Distinguish consent for processing personal data from other issues
  • Be able to show that the consumer consented (i.e., through an electronic trail such as clickwrap)
  • Let the consumer use your service without consenting to data processing

Yes, there is a UK cookie law: the Data Protection Act 2018.

It’s the UK’s version of the EU’s GDPR and ePrivacy Directive and affects how you can obtain, store, and use cookie consents from UK and EU visitors.

The Data Protection Act 2018 has four sections, each of which creates a different data protection regime:

  1. Part one is based on the GDPR. It tailors the GDPR into domestic UK law.
  2. Part two extends the GDPR and modifies it to fit into UK law.
  3. Part three creates a new privacy regime for law enforcement.
  4. Part four creates a new regime for UK intelligence services.

Most of the Data Protection Act’s provisions about cookies are similar to what we see in the GDPR and the EU cookie law. As with the GDPR and the EU cookie law, the UK’s Data Protection Act requires you to obtain consumers’ explicit consent before processing their personal data.

Consumers also have the right to correct inaccurate information about them.

Does EU cookie law apply to US websites?

Non-US cookie regulations may also apply to US websites. For example, the General Data Protection Regulation (GDPR) applies to all businesses that market to EEA consumers. US websites who have non-US visitors may need to evaluate where their users are based to understand what cookie laws they need to follow.

Is there a cookie law in Canada?

No, Canada does not have a specific cookie law. However, they regulate cookie usage using anti-spam and privacy laws such as PIPEDA.

Termly_Icon

Try Termly for Free!

Termly is a an easy-to-use solution for cookie consent management and data privacy compliance.

cookie-banner-settings-dashboard-screenshot

We know that keeping up with complex data privacy laws can be confusing and time-consuming; that’s why we do the hard work for you!

Try our cookie consent management solutions and legal policy generators for FREE!

Summary

The EU cookie law, also known as the ePrivacy Directive, is privacy legislation that requires sites to get consent from visitors before placing cookies on their devices.

Along with the GDPR, the EU cookie law places strict requirements on sites that deal with the personal information of EU citizens. Failing to comply with the EU cookie law can lead to fines and criminal charges.

Masha Komnenic CIPP/E, CIPM, CIPT, FIP
More about the author

Written by Masha Komnenic CIPP/E, CIPM, CIPT, FIP

Masha is an Information Security and Data Privacy Specialist and a Certified Data Protection Officer. She has been a Data Protection Officer for the past six years, helping small and medium-sized enterprises achieve legal compliance. She has also been a privacy compliance mentor to many international business accelerators. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD). Masha studied Law at Belgrade University, and she passed the Bar examination in 2016. More about the author

Related Articles

Explore more resources

Enter Your Website URL

In order to help you create a cookie solution that is GDPR and Cookie Law compliant, we must first scan your website for cookies.