Failure to comply with the different cookie consent laws around the world can lead to costly fines and penalties. According to the United Nations Conference on Trade and Development,137 out of 194 countries have enacted legislation to protect data and privacy.
Cookies are just the most common technique currently used to store user information on personal devices.
Understanding the Different Types of Cookies
Cookies are small data files that are stored in a device’s memory to gather information about the device user’s activity when the user accesses the site. When used to collect personal information, like in ad personalization and tracking, cookies have privacy implications.
A basic understanding of the different types of cookies is necessary to better understand the laws that regulate their use and to ensure compliance with the cookie consent laws of various countries around the world.
- Session vs. persistent cookies: Session cookies are automatically deleted when the device stops accessing the website, whereas persistent cookies remain for subsequent visits by the device user.
- Necessary vs. elective cookies: Necessary cookies are required for the site to operate correctly. A prime example is cookies that allow users to put items in an online shopping cart and save them for later. Elective cookies, on the other hand, perform another task, like allowing users to customize their experience or allowing marketers to track user activity.
- First-party vs. third-party cookies: Whether the cookie is being employed by your organization or on behalf of a marketing partner or some outside organization.
See also: FAQ for Privacy Consent Management
EU Cookie Consent Laws
The sudden increase in the use of “cookie banners,” notices that are displayed on websites and apps requesting user consent to visit the site, is largely due to the strict requirements the European Union (EU) places on businesses that collect personal information of internet users in EU countries.
The EU has become the world leader when it comes to data protection and online privacy legislation.
In 2002, the EU passed the ePrivacy Directive (amended in 2008 and came into effect in 2011), which requires websites to obtain user consent before they can store, use or retrieve users’ personal information.
In 2018, the EU passed the General Data Protection Regulation (GDPR), governing the collection of personal information and imposing strict penalties for law violations. Taken together, the ePrivacy Directive and the GDPR characterize personal data as any data created by an identifiable person, and they require user consent to collect that data.
The GDPR cookie consent laws also grant users the right to access, delete, correct, and object to the collection of their personal data.
The EU cookie laws apply to every website that has visitors from within the EU, regardless of where the business is physically located. The EU cookie laws require businesses to:
- Obtain consent from users before placing any trackers or cookies on users’ browsers;
- Give detailed information about all trackers and cookies used on their sites;
- Provide users the ability to easily withdraw or opt out of consent.
Not all cookies require consent, though. The EU recognizes that some cookies are essential for a website to function properly. Therefore, they make an exception for cookies that are “strictly necessary” to perform the services requested by visitors to the site.
The best example of necessary cookie use is online retailers that allow users to save items in an online shopping cart. While the scope of what is “strictly necessary” is not clearly defined, users of shopping sites expect the shopping cart feature to function, making those cookies necessary.
On the other hand, cookies that provide users with a customized experience or tailored advertising are not necessary for the proper functioning of a website, including online stores. Such cookies do not fall under the exception, and consent is required before using them.
Other cookies that are deemed strictly necessary include those that provide security features for websites where users expect high levels of security, including online banking sites. Any cookie that is not considered strictly necessary requires consent before it can be stored on a user’s device.
Cookie Consent Laws in the United States
While several U.S. states have passed or are considering passing privacy legislation, federal privacy laws in the United States are generally weak in comparison to other major countries. Basically, the U.S. does not require consent for cookies, with the exception of the Children’s Online Privacy Protection Act (COPPA), which regulates the activity of websites and online services aimed at children under 13 years old.
COPPA exclusively applies to the collection of personal information from kids under the age of 13. You must become compliant with COPPA if any of the following apply:
- The content of your website or app is aimed at children under 13 and you collect their personal information;
- The content of your website or app is aimed at children under 13 and you allow third parties to collect their personal information;
- Your website or app is aimed at a general audience, but you have knowledge that children under 13 use your site and you collect personal information from them.
The Federal Trade Commission (FTC) defines “website or online service” in its Children's Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, and it includes all of the following:
- Mobile apps that send or receive information online
- Internet-enabled gaming platforms
- Advertising networks
- Internet-enabled location-based services
- Voice over Internet Protocol services
According to the FTC, COPPA does not apply to schools because it does not apply to information collected by nonprofits that serve educational purposes or to information collected by state governments.
COPPA does apply, however, to third-party commercial entities that provide websites and apps to schools and students. In such cases, the third party can obtain consent directly from the school rather than from the parent.
Cookie Consent Laws in Canada
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada’s Anti-Spam Legislation (CASL)
PIPEDA recognizes “express” and “implied” consent. Express consent or “opt-in” consent is given explicitly through a specific action. Implied consent or “opt-out” consent can be inferred through a person’s inaction.
CASL requires that website and app operators obtain express consent before installing certain computer programs, including cookies. Under CASL, website operators can assume that a user has given express consent for cookies if “the person’s conduct is such that it is reasonable to believe that they consent to the program's installation.”
This may sound more like implied consent than express consent. Regardless, Canadian law does not require express visitor consent for cookies as long as websites and apps provide the proper information and an opt-out for users.
CASL is similar to the California Online Privacy Protection Act (CalOPPA) because both laws essentially apply to anyone and everyone. With the global nature of the internet, a business is likely to reach a resident of California or Canada and, therefore, must comply with the requirements of CalOPPA and CASL.
Cookie Consent in the United Kingdom
In the United Kingdom, the Data Protection Act of 2018 governs data privacy and consent. The Data Protection Act requires you to obtain express consent from users before collecting their personal data. The Act is the UK's implementation of a directive from GDPR to all member nations.
Notably, however, the British government has recently proposed a departure from the EU’s data protection laws. In an effort to reduce the barrage of cookie consent banners, the U.K. is considering changing to an opt-out rather than an opt-in framework.
Cookie Consent Laws in Australia and New Zealand
Neither Australia nor New Zealand requires consent for cookies. Both countries have enacted privacy laws, but those laws do not specifically reference cookies or imply that the data collected by cookies should be treated as personal information.
Cookie Consent Laws in China
China passed the Personal Information Protection Law (PIPL) in 2021, and it imposes some of the most strict requirements for the collection of personal data. Under the PIPL, very specific conditions are required in order to remove personal data from within the borders of China.
Violations of the law can result in major fines for both your business and individual employees.
Learn How Admiral Can Help You Manage Privacy Consent
Admiral’s Privacy Consent Management Platform is designed to comply with the cookie consent GDPR and current U.S. state laws, and it is simple to install and easy to use. Admiral is a Google-approved CMP provider for GDPR compliance purposes.
Admiral offers a Consent Management Platform (CMP) that works for GDPR and the IAB TCF framework.
Schedule time to discuss your compliance options today.