You may have noticed an increasing number of “cookie banners” over the past few years. These are those dialogue boxes that display on a website, asking if you give your consent for cookies to be placed on your device.
Most websites that have adopted a cookie consent solution like a cookie banner have done so to comply with European Union (EU) law. The EU places strict requirements on businesses that collect personal information about internet users within its borders.
But what about countries outside of the EU? Almost every country has privacy laws of some kind. Let’s take a look at the rules on cookie consent in some major markets around the world.
Cookie Consent for Email Marketing Under UK and EU Law
The EU’s requirement for cookie consent comes from two important laws:
- The ePrivacy Directive requires consent for cookies and other things that collect personal information or track users’ behaviour.
- The General Data Protection Regulation (GDPR) sets strict rules on how businesses request and obtain consent. “Implied” consent and “opt-out” models of consent are not allowed. Consent must be earned via a user’s specific, clear, affirmative action.
The combination of these two laws has led to many websites implementing cookie banners so that they could continue legally engaging in practices like hyper-personalised marketing, retargeting and analytics.
Here’s an example of a standard cookie banner that allows users to give or decline to give consent for cookies:
If you use advertising cookies, and you offer goods and services in the UK and EU, you’ll need a cookie consent solution, too.
Why Cookie Consent Matters
The EU is way ahead of any other jurisdiction in the world when it comes to data protection. Gradually, however, other places are starting to introduce privacy laws inspired by EU law.
On the face of it, cookie banners may seem like an unnecessary annoyance. However, there is a reason that governments are becoming more concerned about regulating online business activity.
Businesses are increasingly driven by an imperative to collect personal information. This can help drive sales by personalizing marketing, predicting people’s behaviour, and influencing their choices. Cookies are a way to help achieve all of these things.
Before we look at some treatment of cookies around the world, there are a few things to keep in mind.
Technically Necessary Cookies
There is an important distinction between different types of cookies. Some are necessary for the functioning of a website, and some are desirable from a user’s perspective.
Generally, when we refer to “cookies” in this article, we’re referring to cookies that are used for ad personalisation and tracking. These are the sorts of cookies that collect personal information and can have privacy implications.
You should also assume that other devices that serve similar functions, such as web beacons and pixel tags, are included in this definition.
Cookies and Children
Very often, separate laws apply to tracking the online behaviour of children.
We’re only going to look at one such law, the Children’s Online Privacy Protection Act (COPPA) in the United States. This will give you an idea of how such regulation works.
There may be similar laws in other countries we look at, too. If your business intends to market to children, you should think very carefully about whether using advertising cookies is appropriate at all.
Legal Uncertainty
Cookies are not mentioned explicitly in many laws. Even the mammoth GDPR only mentions the word “cookie” once.
Some jurisdictions define “personal information” in such a broad way that cookies should be included. Others define “personal information” more narrowly.
When asking whether a particular country requires cookie consent, it’s not always easy to answer simply yes or no. It may be that the issue of cookies simply hasn’t been considered by the country’s lawmakers or courts yet. We can’t be certain about how they will treat the issue once they do.
North America
Cookie Consent in the United States (Federal Laws)
Privacy law in the United States is very weak compared to many other major economies. Essentially, the U.S. does not require consent for cookies.
But there is a federal law that places strict restrictions on the use of cookies – the Children’s Online Privacy Protection Act (COPPA). This law regulates the activity of websites and online services aimed at children under 13 years old.
If you’ve determined that COPPA applies to you, you’ll need to be very careful about using cookies at all, particularly tracking cookies. Numerous investigations have been launched into the use of tracking cookies, for example on websites operated by Hasbro, Mattel and Fisher-Price.
If you wish to use cookies or other devices that qualify as “persistent identifiers” on a website, app or other online service covered by COPPA, you’ll need to earn verifiable parental consent. It is unlikely that this will be feasible, and so you may wish to consider other marketing methods.
Cookie Consent in California
The strongest privacy laws in the U.S. can be found in California. And because they apply to any business operating in California, they effectively apply to any business operating in the United States.
The California Consumer Privacy Act (CCPA) and its amendments, known as the California Privacy Rights Act (CPRA), both have requirements when it comes to cookies.
The California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites and online services to create a Privacy Policy that discloses how they collect personal information. The California Attorney General states a CalOPPA-compliant Privacy Policy should include a reference to the collection of personal information via cookies.
CalOPPA also requires that your Privacy Policy let users know how your website treats browser “Do Not Track” (DNT) requests. However, you aren’t obliged to obey such requests.