The Ultimate Guide to Understanding Cookie Laws

As ubiquitous as so-called “cookies” are in the operation of the internet, their use and the rules that govern their use are generally poorly understood. What even *is* a cookie? What are they used for? Can you really get in trouble with legal authorities for using them on your website? What’s allowed and what’s not? 
 
If you’re in marketing or sales, you might get some of the downstream data created by the use of cookies and think that it’s pretty valuable! The use of some cookies make it possible to see what other sites people visit in addition to yours, to see what actions they take after they leave your site, and to see how loyal they are to your brand. 
 
But no one wants to break the law and incur costly penalties that could both lead to fines and the loss of reputation in the marketplace. 
 
This guide will help you understand how cookies are used, which cookie laws are important to follow, and how organizations like yours are managing cookie compliance. 

What Are Cookies, Anyway? 

Essentially, cookies are small data files that websites place into the memories of devices that access the site. During the time the device is on the site (and often up until the next time that device accesses the site), the site remembers the device and gathers information about what the device is doing or did in the meantime. In simpler terms, cookies let websites track user behavior when they interact with the website, and sometimes when they interact with other websites. 
 
There are many different ways of categorizing cookies, but there are three primary distinctions that matter the most when it comes to cookie laws: 

• Session vs. Persistent: Does the cookie automatically delete when the device stops accessing the website or does it stick around until the next visit and beyond? 
• Necessary vs. Elective: Does the site need the cookie in order to operate correctly (such as allowing you to put items in an online shopping cart to save for later) or is the cookie performing some other tasks, like allowing users to shape their experience or marketers to track their activity? 
• First-party vs. Third-party: Is your organization dropping the cookie or is the cookie being dropped on behalf of a marketing partner or other outside organization? FYI: You are the “first party,” the user of your site is the “second party,” and any other organization is the “third party” — in case you wondered how that term worked. 

As we discuss how to legally deploy cookies, you’ll find these distinctions come up over and over again. Whether a cookie is a first-party, necessary, session cookie or a third-party, elective, persistent cookie makes a big difference! 

Learn how to stay compliant with our Cookie Consent FAQ guide - Download here. 

What Is the EU Cookie Law (ePrivacy Directive)? 

In 2011, the EU passed the ePrivacy Directive—often called the EU Cookie Law—which regulated the placement of digital files on digital devices. While it wasn’t the first data protection law in the world (that’d be Germany’s 1970 Data Protection Act), it was the first to address the data privacy implications of cookies. 
 
Most recently, in 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect, establishing core principles to govern the collection of personal information along with strict penalties for violations of those principles. In combination with the EU Cookie Law, the GDPR classifies any data created by an identifiable person as personal data and requires consent before collection of that data, along with granting people a number of rights (known as data subject rights) to access, delete, correct, and object to the collection of their personal data.

This ushered in a wave of privacy legislation around the globe. Other countries wanted to continue doing business with the European Union and needed to meet its data privacy standards to do so. Furthermore, with the rise of fully digital lives where personal data is extremely valuable and can be extremely sensitive, digital privacy has come further to the front of mainstream conversations. 

Other important laws that affect cookie use include: 

U.S. Cookie Laws 

As of this writing, there is no federal U.S. cookie law (although there has been some progress in advancing the ADPPA, or American Data Privacy Protection Act). However, many states have enacted their own regional U.S. cookie laws. The following are some examples of important U.S. cookie laws. 

The California Privacy Rights Act (CPRA) 

An update to the California Consumer Privacy Act (CCPA) that came into effect on January 1, 2023, the CPRA classifies online activity data as personal data and tightly regulates its use, allowing California residents to opt-out of collection, sale, and sharing and to request access to their personal data, among other rights. If you use cookies to track activity, they are covered under CPRA. 

The Virginia Consumer Data Protection Act (VCDPA) 

The VCDPA, which also came into effect on January 1, 2023, allows consumers to opt out of targeted advertising, profiling, and the sale of personal data. If you use cookies to collect information that allows ads to be targeted, to build a profile of a customer, or to enable the sale of their data down the road, they are covered by the VCDPA. 

The Connecticut Data Privacy Act (CTDPA) 

On July 1, 2023, the CTDPA came into effect. It similarly allows consumers to opt out of targeted advertising, the sale of personal data, and profiling that leads to “significant effects,” such as a different price on a product or different services being offered. 

The U.K. Data Protection Act 

Once the United Kingdom left the European Union, it needed a law to mimic the GDPR in order to continue sharing data with the EU. The UKDPA, enforced by the UK’s Information Commissioner’s Office, is virtually the same as the GDPR. 

Brazil’s LGPD 

Short for Lei Geral de Proteção de Dados Pessoais, LGPD is often referred to as the Brazilian GDPR and conveys largely the same rights regarding personal data. Additionally, it similarly penalizes organizations who don’t allow people to access those rights. For all intents and purposes, the EU’s cookie rules are the same as Brazil’s cookie rules. 

South Korea’s PIPA 

One of the world’s older and strictest privacy laws, South Korea’s Personal Information Protection Act (PIPA) was enacted in 2011. It imposes significant penalties for the mishandling of personal data. While cookies aren’t expressly mentioned in the act, it is similar to the GDPR in that cookies that collect personal information require consent. 

China’s PIPL 

The Personal Information Protection Law (PIPL) passed by China in 2020 is among the most stringent privacy laws in the world. In particular, it requires consent for the collection of personal data, and there are very specific conditions under which you are allowed to move personal data outside of the country’s borders. If your cookies collect personal data and transmit it back to a server in another country, that could be a considerable problem under PIPL. 

Major violations of the law can mean a fine of up to 5% of your annual revenue, or roughly $7.5 million, whichever is higher. There can also be fines for individual members of your executive team or employee base of up to about $150k. You may even have to directly compensate affected parties. 

Japan’s APPI 

While Japan doesn’t address cookies specifically and while the Act on the Protection of Personal Information (APPI) is rarely enforced against non-Japanese organizations, it’s generally believed that data collected by cookies would fall under the APPI’s definition of personally referable information. As a result, you also need consent to transfer that data out of the country. 

When Do I Need to Comply With These Cookie Laws? 

If you market to the European Union and the broader European Economic Area, the GDPR applies. Similarly, if you market to Brazilians or South Koreans, the LGPD and PIPA apply. If you handle the data of Chinese citizens, the PIPL applies; if you process the data of any individuals living in Japan, the APPI applies. 
 
The U.S. state laws generally only apply to for-profit businesses and have thresholds for the number of residents from whom you collect the information, the amount of revenue you collect annually, or other benchmarks that make them apply. If you are unsure if these laws apply to you or will apply to you, you should consult a data privacy-focused lawyer. 

Further, everyone who pays attention to privacy laws generally agrees: We will have more states and countries with cookie laws in the future and they will mostly be in agreement with each other. 
 
As the United Nations notes, there are currently 137 countries with at least some data privacy legislation on the books. Not all of them regulate privacy in the same way or regulate cookies in the same way, but most are coming around to the basic idea that you should ask for consent before collecting data about someone and that you should get some kind of consent (even if it’s opt-out) before you place persistent cookies on a device. 
 
Most organizations try to create a cookie compliance program that assumes all of the privacy laws apply to them if they do business in that jurisdiction at all, as it can be very difficult to know exactly where customers are located when they engage with your website. 

How Do I Comply With Cookie Laws? 

With the proliferation of data privacy laws across countries and states, it’s no longer really possible to avoid the need for compliance—that is, unless your digital channel isn’t all that important to your business. If you’ve got a website that you rely on for customers, then the odds are good that you need to comply with one law or another. 
 
It has become best practice, then, for companies to implement cookie management and consent management systems as part of their internal cookie policy so that visitors to their website can customize the cookies that are placed on their devices and manage the experience that they have on company websites. 
 
These systems are largely operated via so-called “cookie banners” or “cookie notices,” which alert visitors to the fact that cookies will be placed as soon as they land on the site. These also allow visitors to either agree to those cookies (by clicking a button to make the banner go away) or to customize their experience by clicking through to a dashboard and selecting the types of cookies (if any) they are comfortable with. 
 
Some organizations may choose to develop this cookie management system on their own, especially if they are a tech-focused company that has coding and IT skills in-house. However, crafting a cookie notice that complies with not only the GDPR and LGPD and other international laws but also respects user privacy choices in the United States is not only a difficult task, but also presents a moving target. Data privacy regulation and best practices are constantly evolving, meaning compliance is more of a process than a one-off activity. 

Fortunately, ready-made cookie disclosures and management systems are available. Osano Consent Manager, for example, is designed to comply with the GDPR, LGPD, and aspects of current U.S. state laws, updated as new privacy laws are passed and come into force. 
 
With the Cookie Consent solution, website operators can choose from several cookie notification options, including:  

• An opt-in disclosure, in which the user must specifically agree to the use of cookies. 
• An opt-out disclosure, in which the user is given the option of blocking some or all cookies.  
• An implied consent disclosure, in which the user is informed that their continued use of the website implies consent to the use of cookies. 

Each organization can customize the user experience based on their own cookie policy, which will be based on where they do business, the types of cookies they use, and how personal data plays a role in their business plan. 

What Are the Penalties for Not Complying With Cookie Laws? 

You see so many cookie banners on different websites because not only do data privacy and protection laws like the GDPR and CPRA regulate the use of cookies, they also carry hefty fines and other penalties for not complying with them. 
 
The GDPR authorizes supervisory authorities to impose various penalties, including: 

• Ordering a temporary or permanent ban on collecting data of EU residents. 
• Ordering the processor to erase data processed in violation of the law. 
• Banning the transfer of data to certain countries. 
• Imposing significant fines—as much as 2% or 4% of a company’s annual revenues. 

The CPRA creates a new privacy enforcement agency (known as the California Privacy Protection Agency, or CPPA) as well as empowering the attorney general’s office and municipal attorneys to: 

• Impose fines of up to $2,500 per infraction. 
• Impose fines of up to $7,500 for what are deemed intentional infractions. 

Each instance of improperly processed personal data counts as an infraction, making it quite easy for businesses to incur fines in the millions or tens of millions. The first enforcement action of the CCPA, for example, was against makeup retailer Sephora for $1.2 million. 

Other international and state laws impose similarly large fines and penalties. 
 
With the implementation of cookie policies now a relatively straightforward task and the consequences for non-compliance so large, most organizations are rightly making the decision to implement cookie banners and notices that allow them to comply with a broad set of privacy laws. 
 
Given the global nature of business today, the internet is available to just about everyone across the world, and you never know where your next customer will come from. It’s best to make them feel comfortable that you care about their privacy and are doing your best to make sure they have an experience that is legal and trustworthy. 

Cookie Law FAQs 

Which Regions Have Cookie Laws? 

Over 130 of the world’s 197 countries have some sort of data privacy legislation, and many of those laws regulate the use of cookies. Notably, the EU cookie law and U.S. state data privacy laws regulate cookies, as well as China, Canada, Japan, and many other countries. 

When Do I Need to Comply With Cookie Laws? 

Specific requirements differ from law to law, but generally, if your cookies collect users’ personal information (and most do) and those users are protected by a data privacy law, you will have to comply. Some regulations, such as the CPRA, kick in only after you meet certain thresholds, while others, like the GDPR, apply no matter how many protected individuals you collect data from. 

What Do I Need to Do to Be Compliant With Cookie Laws? 

Generally, cookie laws require you to provide notice about data collection, minimize data collection to only what is necessary to achieve a stated purpose, delete or anonymize personal data once that purpose has been achieved, and give consumers the ability to opt into or out of data collection. Some laws specifically regulate targeted advertising, and some require you to provide consumers with granular control over the types of cookies they agree to. Data privacy laws generally also require you to acknowledge certain rights, known as data subject rights—a consumer might exercise their right to request you summarize the data you have collected from them, for example.  

Every law is different in one way or another, however; you will want to review the specific guidance surrounding the specific laws that apply to your organization. 

What Are the Penalties for Noncompliance With Cookie Laws? 

Generally, government authorities have the power to levy fines against noncompliant organizations based on the number of infractions they incur. Each law has different penalties. Since every instance of inappropriately processed data counts as an infraction, penalties can become expensive, fast.  

Authorities may also order your organization to take certain actions, such as operational changes to avoid future noncompliance or payment to repair consumer damages. Some laws, such as the CPRA, provide a private right of action—meaning individual citizens can sue noncompliant organizations. However, individuals can only sue noncompliant organizations under highly specific circumstances, and such suits are uncommon.