Updated: December 11, 2023
Published: July 6, 2022
As ubiquitous as so-called “cookies” are in the operation of the internet, their use and the rules that govern their use are generally poorly understood. What even *is* a cookie? What are they used for? Can you really get in trouble with legal authorities for using them on your website? What’s allowed and what’s not?
If you’re in marketing or sales, you might get some of the downstream data created by the use of cookies and think that it’s pretty valuable! The use of some cookies makes it possible to see what other sites people visit in addition to yours, to see what actions they take after they leave your site, and to see how loyal they are to your brand.
But no one wants to break the law and incur penalties that lead both to fines and to the loss of reputation in the marketplace.
This guide will help you understand how cookies are used, which cookie laws are important to follow, and how organizations like yours are managing cookie compliance.
Essentially, cookies are small data files that a website stores on the device that accesses it. While the device is on the site (and often until the next time that device returns to the site), the site recognizes the device and gathers information about what it is doing, or what it did in the meantime. In simpler terms, cookies let websites track user behavior when users interact with the website, and sometimes when they interact with other websites.
There are many different ways of categorizing cookies, but three primary distinctions matter the most when it comes to cookie laws: whether a cookie is first-party or third-party (set by the site you are visiting or by another domain), whether it is necessary or elective (required for the site to function or placed for some other purpose), and whether it is a session or a persistent cookie (discarded when the browser closes or retained until an expiry date).
As we discuss how to legally deploy cookies, you’ll find these distinctions come up over and over again. Whether a cookie is a first-party, necessary, session cookie or a third-party, elective, persistent cookie makes a big difference!
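The three distinctions above are mechanical properties of a cookie, so they can be checked automatically from the Set-Cookie header a response carries. The following is an added example, not code from the original article or from Osano: it parses a Set-Cookie header and classifies the cookie as first-party or third-party (by comparing the cookie’s domain scope with the visited host), session or persistent (by the presence of a future Max-Age or Expires), and necessary or elective (by looking the name up in a constructed inventory, NECESSARY_NAMES, which stands in for a site’s own cookie audit). The sample headers and hostnames are constructed. Without a public-suffix list the party check is deliberately conservative: a cookie scoped to a sibling subdomain is reported as third-party rather than guessed at.

```javascript
// Added example (not the article's or Osano's code): classify a Set-Cookie
// header along the three axes the article names. NECESSARY_NAMES is a
// constructed stand-in for a site's own inventory of strictly necessary cookies.
const NECESSARY_NAMES = new Set(['sessionid', 'csrftoken']);

// Parse one Set-Cookie header value into { name, value, attributes }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) become true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 1) throw new Error('cookie-pair must be name=value');
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    attributes: {},
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attributes[key] = i < 0 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// RFC 6265 domain matching: the host equals the domain or ends with "." + domain.
function domainMatches(host, domain) {
  const d = domain.replace(/^\./, '').toLowerCase();
  const h = host.toLowerCase();
  return h === d || h.endsWith('.' + d);
}

// Classify a parsed cookie relative to the site the visitor is on (siteHost)
// and the host whose response set it (settingHost).
function classifyCookie(cookie, siteHost, settingHost) {
  const a = cookie.attributes;

  // Party: first-party only if the cookie's scope covers the visited host.
  const scope = a.domain ? String(a.domain) : settingHost;
  const party = domainMatches(siteHost, scope) ? 'first-party' : 'third-party';

  // Lifetime: no Max-Age/Expires means a session cookie; a Max-Age <= 0 or a
  // past Expires is a deletion instruction, not a persistent cookie.
  let lifetime = 'session';
  if ('max-age' in a) {
    lifetime = Number(a['max-age']) > 0 ? 'persistent' : 'expired';
  } else if ('expires' in a) {
    lifetime = Date.parse(a.expires) > Date.now() ? 'persistent' : 'expired';
  }

  // Purpose: strictly necessary cookies come from the inventory; all others
  // are elective and, under the ePrivacy rules the article describes, need consent.
  const purpose = NECESSARY_NAMES.has(cookie.name) ? 'necessary' : 'elective';

  return { name: cookie.name, party, lifetime, purpose, consentRequired: purpose !== 'necessary' };
}

// Constructed sample: three headers as they might be observed on a visit to
// www.example.com (hypothetical hosts and cookie values).
function demo() {
  const site = 'www.example.com';
  const observed = [
    { header: 'sessionid=abc123; Path=/; HttpOnly; Secure', from: 'www.example.com' },
    { header: '_ga=GA1.2.1; Domain=.example.com; Max-Age=63072000; Path=/', from: 'www.example.com' },
    { header: 'uid=xyz; Domain=tracker.net; Expires=Fri, 31 Dec 2099 23:59:59 GMT; Path=/', from: 'ads.tracker.net' },
  ];
  return observed.map((o) => classifyCookie(parseSetCookie(o.header), site, o.from));
}
```

Running demo() yields one first-party necessary session cookie (no consent needed), one first-party elective persistent cookie and one third-party elective persistent cookie (both flagged consentRequired), which is exactly the inventory a consent banner needs before it can gate anything.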
In 2011, the EU passed the ePrivacy Directive—often called the EU Cookie Law—which regulated the placement of digital files on digital devices. While it wasn’t the first data protection law in the world (that’d be Germany’s 1970 Data Protection Act), it was the first to address the data privacy implications of cookies.
Most recently, in 2018, the European Union’s General Data Protection Regulation (GDPR) went into effect, establishing core principles to govern the collection of personal information along with strict penalties for violations of those principles. In combination with the EU Cookie Law, the GDPR classifies any data created by an identifiable person as personal data and requires consent before collection of that data, along with granting people a number of rights (known as data subject rights) to access, delete, correct, and object to the collection of their personal data.
This ushered in a wave of privacy legislation around the globe. Other countries wanted to continue doing business with the European Union and needed to meet its data privacy standards to do so. Furthermore, with the rise of fully digital lives where personal data is extremely valuable and can be extremely sensitive, digital privacy has come further to the front of mainstream conversations.
Other important laws that affect cookie use include:
As of this writing, there is no federal U.S. cookie law (although there has been some progress in advancing the ADPPA, or American Data Privacy Protection Act). However, many states have enacted their own regional U.S. cookie laws. The following are some examples of important U.S. cookie laws.
An update to the California Consumer Privacy Act (CCPA) that came into effect on January 1, 2023, the CPRA classifies online activity data as personal data and tightly regulates its use, allowing California residents to opt out of collection, sale, and sharing and to request access to their personal data, among other rights. If you use cookies to track activity, they are covered under the CPRA.
The VCDPA, which also came into effect on January 1, 2023, allows consumers to opt out of targeted advertising, profiling, and the sale of personal data. If you use cookies to collect information that allows ads to be targeted, to build a profile of a customer, or to enable the sale of their data down the road, they are covered by the VCDPA.
On July 1, 2023, the CTDPA came into effect. It similarly allows consumers to opt out of targeted advertising, the sale of personal data, and profiling that leads to “significant effects,” such as a different price on a product or different services being offered.
Once the United Kingdom left the European Union, it needed a law to mimic the GDPR in order to continue sharing data with the EU. The UKDPA, enforced by the UK’s Information Commissioner’s Office, is virtually the same as the GDPR.
Short for Lei Geral de Proteção de Dados Pessoais, the LGPD is often referred to as the Brazilian GDPR and conveys largely the same rights regarding personal data. Additionally, it similarly penalizes organizations that don’t allow people to exercise those rights. For all intents and purposes, the EU’s cookie rules are the same as Brazil’s cookie rules.
One of the world’s oldest and strictest privacy laws, South Korea’s Personal Information Protection Act (PIPA) was enacted in 2011. It imposes significant penalties for the mishandling of personal data. While cookies aren’t expressly mentioned in the act, it is similar to the GDPR in that cookies that collect personal information require consent.
The Personal Information Protection Law (PIPL) passed by China in 2020 is among the most stringent privacy laws in the world. In particular, it requires consent for the collection of personal data, and there are very specific conditions under which you are allowed to move personal data outside of the country’s borders. If your cookies collect personal data and transmit it back to a server in another country, that could be a considerable problem under PIPL.
Major violations of the law can mean a fine of up to 5% of your annual revenue, or roughly $7.5 million, whichever is higher. There can also be fines for individual members of your executive team or employee base of up to about $150k. You may even have to directly compensate affected parties.
While Japan doesn’t address cookies specifically and while the Act on the Protection of Personal Information (APPI) is rarely enforced against non-Japanese organizations, it’s generally believed that data collected by cookies would fall under the APPI’s definition of personally referable information. As a result, you also need consent to transfer that data out of the country.
If you market to the European Union and the broader European Economic Area, the GDPR applies. Similarly, if you market to Brazilians or South Koreans, the LGPD and PIPA apply. If you handle the data of Chinese citizens, the PIPL applies; if you process the data of any individuals living in Japan, the APPI applies.
The U.S. state laws generally only apply to for-profit businesses and have thresholds for the number of residents from whom you collect the information, the amount of revenue you collect annually, or other benchmarks that make them apply. If you are unsure if these laws apply to you or will apply to you, you should consult a data privacy-focused lawyer.
Further, everyone who pays attention to privacy laws generally agrees: We will have more states and countries with cookie laws in the future and they will mostly be in agreement with each other.
As the United Nations notes, there are currently 137 countries with at least some data privacy legislation on the books. Not all of them regulate privacy in the same way or regulate cookies in the same way, but most are coming around to the basic idea that you should ask for consent before collecting data about someone and that you should get some kind of consent (even if it’s opt-out) before you place persistent cookies on a device.
Most organizations try to create a cookie compliance program that assumes every privacy law of any jurisdiction in which they do business applies to them, because it can be very difficult to know exactly where customers are located when they engage with your website.
With the proliferation of data privacy laws across countries and states, it’s no longer really possible to avoid the need for compliance—that is, unless your digital channel isn’t all that important to your business. If you’ve got a website that you rely on for customers, then the odds are good that you need to comply with one law or another.
It has become best practice, then, for companies to implement cookie management and consent management systems as part of their internal cookie policy so that visitors to their website can customize the cookies that are placed on their devices and manage the experience that they have on company websites.
These systems are largely operated via so-called “cookie banners” or “cookie notices,” which alert visitors to the fact that cookies will be placed as soon as they land on the site. These also allow visitors to either agree to those cookies (by clicking a button to make the banner go away) or to customize their experience by clicking through to a dashboard and selecting the types of cookies (if any) they are comfortable with.
Some organizations may choose to develop this cookie management system on their own, especially if they are a tech-focused company that has coding and IT skills in-house. However, crafting a cookie notice that complies with not only the GDPR and LGPD and other international laws but also respects user privacy choices in the United States is not only a difficult task, but also presents a moving target. Data privacy regulation and best practices are constantly evolving, meaning compliance is more of a process than a one-off activity.
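A consent management system of the kind described above has one core job: no elective cookie reaches the device until the visitor’s banner choice allows it, and cookies already placed are removed when a category is refused. The following is an added example, not code from the original article or from Osano’s Consent Manager. It models that gate with an in-memory jar standing in for document.cookie so it runs under Node, a constructed cookie inventory (COOKIE_CATEGORIES) mapping each cookie name to a consent category, and two regimes the article contrasts: an opt-in mode where optional categories start refused (the GDPR posture) and an opt-out mode where they start allowed until the visitor objects (the posture of the U.S. state laws discussed). Cookie names, values and categories are all constructed.

```javascript
// Added example (not the article's or Osano's code): a minimal consent-gated
// cookie layer of the kind a cookie banner drives. The jar is an in-memory
// Map standing in for document.cookie; the inventory is constructed.
const COOKIE_CATEGORIES = {
  sessionid: 'necessary',
  csrftoken: 'necessary',
  _ga: 'analytics',
  _fbp: 'marketing',
};

// Categories a visitor may accept or refuse; 'necessary' is never optional.
const OPTIONAL_CATEGORIES = ['analytics', 'marketing'];

function createJar() {
  return new Map(); // name -> value; a browser build would wrap document.cookie
}

// 'opt-in' starts with every optional category refused (consent before placement);
// 'opt-out' starts with them allowed until the visitor objects. Nothing else is pre-ticked.
function createConsent(mode) {
  if (mode !== 'opt-in' && mode !== 'opt-out') throw new Error('unknown consent mode: ' + mode);
  const choices = {};
  for (const c of OPTIONAL_CATEGORIES) choices[c] = mode === 'opt-out';
  return { mode, choices, decided: false };
}

function isAllowed(consent, category) {
  if (category === 'necessary') return true;
  if (!(category in consent.choices)) throw new Error('unknown category: ' + category);
  return consent.choices[category];
}

// Attempt to place a cookie. Cookies outside the inventory never ship (an
// unclassified cookie is the usual way a banner silently becomes non-compliant);
// refused cookies are recorded in the audit trail so the gate's behaviour can be reviewed.
function setCookie(jar, consent, name, value, audit) {
  const category = COOKIE_CATEGORIES[name];
  if (!category) throw new Error('cookie not in inventory: ' + name);
  if (!isAllowed(consent, category)) {
    audit.push({ name, category, action: 'blocked' });
    return false;
  }
  jar.set(name, value);
  audit.push({ name, category, action: 'set' });
  return true;
}

// Apply the visitor's banner choices, then purge any cookie already on the
// device whose category is now refused: withdrawing consent must take effect.
function applyChoices(jar, consent, choices, audit) {
  for (const c of OPTIONAL_CATEGORIES) {
    if (c in choices) consent.choices[c] = Boolean(choices[c]);
  }
  consent.decided = true;
  for (const [name] of jar) {
    const category = COOKIE_CATEGORIES[name];
    if (!isAllowed(consent, category)) {
      jar.delete(name);
      audit.push({ name, category, action: 'purged' });
    }
  }
  return consent;
}

// Run the same script of cookie writes under one regime: page load writes three
// cookies, the visitor then accepts analytics but refuses marketing, and the
// page tries the two optional cookies again.
function simulate(mode) {
  const jar = createJar();
  const consent = createConsent(mode);
  const audit = [];
  setCookie(jar, consent, 'sessionid', 'abc', audit);
  setCookie(jar, consent, '_ga', 'GA1.2.1', audit);
  setCookie(jar, consent, '_fbp', 'fb.1', audit);
  applyChoices(jar, consent, { analytics: true, marketing: false }, audit);
  setCookie(jar, consent, '_ga', 'GA1.2.1', audit);
  setCookie(jar, consent, '_fbp', 'fb.1', audit);
  return { cookies: [...jar.keys()].sort(), audit };
}
```

Both regimes end with the same cookies on the device (sessionid and _ga), but the audit trails differ: in opt-in mode the two optional cookies are blocked on page load and only _ga is set after the choice, whereas in opt-out mode all three are set on load and _fbp has to be purged once the visitor refuses marketing. That difference is the whole reason a banner must know which law’s posture it is implementing.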
Fortunately, ready-made cookie disclosures and management systems are available. Osano Consent Manager, for example, is designed to comply with the GDPR, LGPD, and aspects of current U.S. state laws, updated as new privacy laws are passed and come into force.
With the Cookie Consent solution, website operators can choose from several cookie notification options, including:
Each organization can customize the user experience based on their own cookie policy, which will be based on where they do business, the types of cookies they use, and how personal data plays a role in their business plan.
You see so many cookie banners on different websites because not only do data privacy and protection laws like the GDPR and CPRA regulate the use of cookies, they also carry hefty fines and other penalties for not complying with them.
The GDPR authorizes supervisory authorities to impose various penalties, including:
The CPRA creates a new privacy enforcement agency (known as the California Privacy Protection Agency, or CPPA) as well as empowering the attorney general’s office and municipal attorneys to:
Each instance of improperly processed personal data counts as an infraction, making it quite easy for businesses to incur fines in the millions or tens of millions. The first enforcement action of the CCPA, for example, was against makeup retailer Sephora for $1.2 million.
Other international and state laws impose similarly large fines and penalties.
With the implementation of cookie policies now a relatively straightforward task and the consequences for non-compliance so large, most organizations are rightly making the decision to implement cookie banners and notices that allow them to comply with a broad set of privacy laws.
Given the global nature of business today, the internet is available to just about everyone across the world, and you never know where your next customer will come from. It’s best to make them feel comfortable that you care about their privacy and are doing your best to make sure they have an experience that is legal and trustworthy.
Over 130 of the world’s 197 countries have some sort of data privacy legislation, and many of those laws regulate the use of cookies. Notably, the EU cookie law and U.S. state data privacy laws regulate cookies, as do the laws of China, Canada, Japan, and many other countries.
Specific requirements differ from law to law, but generally, if your cookies collect users’ personal information (and most do) and those users are protected by a data privacy law, you will have to comply. Some regulations, such as the CPRA, kick in only after you meet certain thresholds, while others, like the GDPR, apply no matter how many protected individuals you collect data from.
Generally, cookie laws require you to provide notice about data collection, minimize data collection to only what is necessary to achieve a stated purpose, delete or anonymize personal data once that purpose has been achieved, and give consumers the ability to opt into or out of data collection. Some laws specifically regulate targeted advertising, and some require you to provide consumers with granular control over the types of cookies they agree to. Data privacy laws generally also require you to acknowledge certain rights, known as data subject rights—a consumer might exercise their right to request you summarize the data you have collected from them, for example.
Every law is different in one way or another, however; you will want to review the specific guidance surrounding the specific laws that apply to your organization.
Generally, government authorities have the power to levy fines against noncompliant organizations based on the number of infractions they incur. Each law has different penalties. Since every instance of inappropriately processed data counts as an infraction, penalties can become expensive, fast.
Authorities may also order your organization to take certain actions, such as operational changes to avoid future noncompliance or payment to repair consumer damages. Some laws, such as the CPRA, provide a private right of action—meaning individual citizens can sue noncompliant organizations. However, individuals can only sue noncompliant organizations under highly specific circumstances, and such suits are uncommon.
As more and more privacy laws are enacted, it's becoming increasingly difficult to stay compliant while still using cookies to collect data. That's why we've created this FAQ guide: to help you keep your cookie usage legal while still getting the information you need to run your business effectively. Download the guide to answer all your cookie questions.
Sam is a journalist and head of West Gray Creative, a content services firm based in Maine. In a former life, he was director of content at the IAPP and has run publications in the security, workboat, and 3D reality capture spaces. Currently, he serves as the chair of his local school board, fronts the World Famous Grassholes, and would like to be a professional baseball player when he grows up.