Cookie consent laws in the EU, US, and UK
Posted: April 21, 2022
Compliance with data privacy regulations has put cookie consent at the center of governance policies for organizations involved in targeting, marketing, or analytics. But why the attention on cookies? Because a cookie is a small piece of data that a website stores on a user's computer or mobile device and that the site (or a third party it embeds) can read back on later visits. That makes cookies a convenient way to collect data about users' online activities, such as browsing history, IP address, search queries, and preferences.
While such practices improve user experience and personalize content, they raise privacy concerns when used to process user data or track users across multiple websites or services without obtaining their prior consent. That’s where the need for enacting stronger privacy laws around cookies becomes paramount.
At their heart, cookie laws balance the needs of businesses with the rights and interests of users. They require businesses to obtain user consent before storing or reading non-essential cookies and before processing the personal data collected through them. By recognizing and respecting the importance of user privacy, data-driven businesses can meet their regulatory obligations and avoid losses from legal action, reputational damage, and financial penalties.
In this article, we’ll shed light on cookie laws and their key provisions in major economies.
Consent and preference management laws in the EU
The EU leads the world in giving individuals control over their personal data. The ePrivacy Directive and the GDPR are the two EU laws that govern cookie-related consent and preference management. They apply across member states to every organization that handles the personal data of individuals in the EU, regardless of where the organization is located. With different scopes and requirements, the two laws together form a comprehensive data protection framework that aims to protect the privacy and personal data of individuals in the EU.
ePrivacy Directive
The ePrivacy Directive (ePD) requires organizations to be transparent about how they use data. It puts users in control of their data and helps them make informed decisions about the use of cookies. The directive was adopted in 2002 and amended in 2009 (Directive 2009/136/EC, often called the "cookie law"); member states had until May 2011 to transpose the amended rules into national law. It supplements the earlier Data Protection Directive (95/46/EC) to address privacy in electronic communications, covering cookies and similar tracking technologies as well as email, SMS, and instant messaging.
It sets out the following key principles for consent:
- Obtaining prior consent from users before storing information on, or reading information from, their device (for example, through cookies), unless doing so is strictly necessary to provide a service the user has explicitly requested;
- Providing users with clear and comprehensive information in relation to the use of cookies in a transparent and concise manner;
- Enabling users to accept or refuse non-essential cookies through a banner or pop-up, including the ability to withdraw their consent at any time;
- Including a link to the website's privacy policy in the banner, so users know what data is collected, how and why it is used, stored, and shared, the legal basis for processing, and the rights they can exercise;
- Ensuring adequate security measures are in place to safeguard the confidentiality and integrity of cookies against unauthorized access or misuse.
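As an added example (not code from the original post), the following JavaScript shows one way to implement the opt-in, withdrawal, and cookie-hardening points listed above in a browser: non-essential cookies are refused until the matching category has consent, the consent record itself is stored as a strictly necessary first-party cookie, withdrawal purges the cookies that earlier consent allowed, and every cookie is written with `Secure` and `SameSite` set. The cookie name `cookie_consent`, the categories `analytics` and `marketing`, and the in-memory `MemoryCookieJar` stand-in for `document.cookie` are assumptions made for this illustration; in a real page you would pass `document` as the store.

```javascript
// Added example, not from the original post: a minimal consent-gated cookie helper.
// The consent cookie name, the category list and MemoryCookieJar are assumptions.

const CONSENT_COOKIE = "cookie_consent";           // assumed name of the consent record
const NON_ESSENTIAL = ["analytics", "marketing"];  // assumed non-essential categories

// Parse "a=1; b=2" (the document.cookie read format) into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    const name = part.slice(0, idx).trim();
    if (name) out[name] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Build a Set-Cookie style string with hardened defaults (Secure, SameSite=Lax).
// HttpOnly only makes sense on a server-emitted Set-Cookie header; a cookie written
// from script cannot carry it, so it is off unless the caller asks for it.
function buildSetCookie(name, value, opts = {}) {
  const { maxAge, path = "/", secure = true, sameSite = "Lax", httpOnly = false } = opts;
  let s = `${name}=${encodeURIComponent(value)}; Path=${path}`;
  if (maxAge !== undefined) s += `; Max-Age=${maxAge}`;
  if (sameSite) s += `; SameSite=${sameSite}`;
  if (secure) s += "; Secure";
  if (httpOnly) s += "; HttpOnly";
  return s;
}

// In-memory stand-in for document.cookie so the example runs under Node.
// Assigning "name=; Max-Age=0" removes the cookie, as a browser would.
class MemoryCookieJar {
  constructor() { this.jar = new Map(); }
  get cookie() {
    return [...this.jar].map(([k, v]) => `${k}=${v}`).join("; ");
  }
  set cookie(setCookieString) {
    const [pair, ...attrs] = setCookieString.split(";").map((s) => s.trim());
    const idx = pair.indexOf("=");
    const name = pair.slice(0, idx);
    const expired = attrs.some((a) => /^max-age=(0|-\d+)$/i.test(a));
    if (expired) this.jar.delete(name); else this.jar.set(name, pair.slice(idx + 1));
  }
}

class ConsentManager {
  constructor(store) {
    this.store = store;          // anything exposing a document.cookie-like `cookie` property
    this.registry = new Map();   // cookie name -> category, consulted on withdrawal
  }
  // Default is "no consent" for every non-essential category (opt-in, never opt-out).
  getConsent() {
    const raw = parseCookies(this.store.cookie)[CONSENT_COOKIE];
    const base = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
    if (!raw) return base;
    try { return { ...base, ...JSON.parse(raw) }; } catch { return base; }
  }
  // The consent record is strictly necessary, so it may be written without prior consent.
  // Any category that is (now) refused has its previously allowed cookies expired.
  saveConsent(choices) {
    const consent = { ...this.getConsent(), ...choices, ts: Date.now() };
    this.store.cookie = buildSetCookie(CONSENT_COOKIE, JSON.stringify(consent), { maxAge: 180 * 24 * 3600 });
    for (const [name, category] of this.registry) {
      if (consent[category] !== true) this.expire(name);
    }
    return consent;
  }
  canSet(category) {
    return category === "essential" || this.getConsent()[category] === true;
  }
  // Returns false, and writes nothing, when the category lacks consent.
  setCookie(name, value, category, opts) {
    if (!this.canSet(category)) return false;
    this.store.cookie = buildSetCookie(name, value, opts);
    if (category !== "essential") this.registry.set(name, category);
    return true;
  }
  expire(name) {
    this.store.cookie = buildSetCookie(name, "", { maxAge: 0 });
    this.registry.delete(name);
  }
  // Withdrawal at will: refuse every non-essential category and purge its cookies.
  withdraw() {
    return this.saveConsent(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])));
  }
}
```

In a page, `new ConsentManager(document)` works unchanged, because the class only reads and assigns the `cookie` property. Note that the registry lives in memory, so a production banner would also need to record which cookies each category set (or clear by known name on load) to honor withdrawals across page loads.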
In 2017, the EU proposed the ePrivacy Regulation (ePR) to replace the ePrivacy Directive. Still under negotiation at the time of writing, the ePR would introduce new rules on user consent, online tracking, and cookies. Notably, the draft does not offer "legitimate interest" (a lawful basis available under the GDPR) as a basis for storing or reading cookies. It also contains provisions on communications metadata, such as the timing, duration, and location of electronic communications.
GDPR
The GDPR (General Data Protection Regulation) came into effect in May 2018. Compared with the ePD, it has broader applicability: it applies to any organization that processes the personal data of individuals in the EU, regardless of industry, sector, or location. Because consent under the GDPR must be freely given, websites generally cannot make access conditional on the user accepting non-essential cookies (a so-called cookie wall). The GDPR also imposes penalties for non-compliance of up to €20 million or 4% of annual global turnover, whichever is higher. With a few exceptions, both laws contain similar cookie-related clauses and place equal emphasis on transparency and accountability, requiring websites to give users detailed information about their data processing activities.
Cookie laws in the United States
Although the US lacks a comprehensive federal privacy law regulating the use of cookies, several states have passed their own privacy laws with provisions that cover cookies. For minors, the federal Children's Online Privacy Protection Act (COPPA) sets rules for handling the personal information of children under the age of 13.
State-level laws
- California has the strongest US privacy laws: the California Consumer Privacy Act (CCPA), which came into effect in January 2020, and the California Privacy Rights Act (CPRA), which amends it and takes effect in January 2023. Personal information under the CCPA includes digital identifiers such as cookies. The law does not require opt-in consent for cookies by default; instead it gives consumers the right to opt out of the sale (and, under the CPRA, the sharing for cross-context behavioral advertising) of their personal information, with opt-in consent required only for consumers under 16. It requires websites to inform users about the types of cookies set by the site, the purposes for which they are used, the categories of personal information collected through cookies, and with whom that information is shared.
- The California Online Privacy Protection Act (CalOPPA) also applies to information collected through cookies. It requires operators of commercial websites and services to post a privacy policy on the website, indicating information on what types of data are collected, how they are used, and with whom they are shared. This law does not specifically ask for opt-in or opt-out consent for cookies but requires websites to be transparent about their use of cookies.
- In Nevada, the Privacy of Information Collected on the Internet from Consumers Act (NPICICA) requires website operators to disclose the types of data they collect and with whom they share it. Businesses that sell personal data must give users an easily accessible mechanism to opt out of the sale of their data.
- In Maine, the Act to Protect the Privacy of Online Customer Information (APPOCI) covers data that may be collected through cookies, such as IP address and browsing history, but it applies only to internet service providers. It requires ISPs to obtain express opt-in consent before using, disclosing, or selling customer data, and to give customers clear and conspicuous notice of their collection and sharing practices. It also prohibits ISPs from refusing service, charging a different price, or providing a different quality of service to customers who refuse consent.
- A growing number of states are enacting their own data privacy laws with opt-out rights similar to California's. In 2021, Virginia became the second state to enact a comprehensive privacy law, the Consumer Data Protection Act (CDPA). It requires businesses to disclose their data collection practices, honor opt-outs of targeted advertising and the sale of personal data, and obtain consent before processing sensitive data. Privacy laws in Virginia, Colorado, Utah, and Connecticut are scheduled to take effect during 2023.
Laws for children (COPPA)
The Children's Online Privacy Protection Act (COPPA), enacted in 1998, is a federal law that protects children's online privacy. It restricts the use of cookies and other persistent identifiers by websites and online services directed at children under 13. Operators covered by COPPA must obtain verifiable parental consent before collecting children's personal information through cookies or other tracking technologies, and must post a privacy policy describing what data is collected, how it is used, and how it is shared. The Federal Trade Commission (FTC), which enforces COPPA, can impose civil penalties of up to $43,280 per violation (a figure adjusted annually for inflation).
Cookie laws in the United Kingdom
After Brexit, the Data Protection Act, together with UK GDPR and Privacy and Electronic Communications Regulations (PECR), governs the data protection landscape of the UK.
Because the UK GDPR mirrors the EU GDPR almost word for word (the main differences concern national security and intelligence), the cookie-related requirements for businesses handling the personal data of UK individuals are the same as under the EU GDPR.
Provisions about cookies under the Data Protection Act are the same as those under the UK GDPR and the EU cookie laws.
PECR mirrors its EU counterpart, the ePrivacy Directive. It requires websites to give users clear and concise information about the cookies they use and their purposes, and to obtain prior consent before placing non-essential cookies on users' devices. Consent must be freely given, specific, informed, and unambiguous, and users must be able to withdraw it. For failing to comply with PECR, the Information Commissioner's Office (ICO) can impose a fine of up to £500,000.
Respecting individuals' privacy rights is critical, and regulators treat cookie misuse seriously; the penalties above are a reminder to follow the rules. This list is not exhaustive, and the data protection landscape keeps changing. Organizations should stay up to date on the cookie laws in the territories where they operate, follow best practices for building customer trust, and operate with integrity and respect. That is how they can help create a safer and more secure online world for everyone.
Identify and understand your visitors with Cassie’s cookie solution
If you have multiple websites and digital platforms, then Cassie is the cookie management system for you.
Cassie specializes in cross-domain and cross-device consent, so you can collect visitors’ consent across multiple subdomains.
Choose Cassie for the most flexible cookie solution on the market and get a deeper insight into your visitors.
Flexible for global operations
Cassie’s multi-lingual and jurisdictional cookie module will ensure you always align with the various regulations.
Why clients choose Cassie for their compliance needs
We are experts at helping global businesses achieve compliance whilst building long-term customer relationships.
We stay current with every legislative change. Our knowledge of global legislation lets us anticipate whether and how new legislation will affect you.
Cassie makes sure that when you are compliant, you stay compliant.
Want to learn more about cookie compliance?
If you’d like to learn about the difference between cookie compliance for desktop and mobile read our cookie compliance for mobile guide.