By the Legal Policy Generator team · Published 2026-02-07

Cookie Consent Requirements by Country: A Global Guide

With websites accessible globally, understanding cookie consent requirements in different jurisdictions is essential. A cookie that's perfectly legal in the US might require explicit consent in France. The rules differ on one fundamental point: some countries require you to ask permission before a non-essential cookie is set, while others only require transparency and a way to opt out. Getting that distinction wrong is what turns a routine analytics script into a regulatory problem. Here's a country-by-country breakdown of what the law actually says.

One framing note: modern privacy laws rarely regulate the word "cookie." They regulate storing or accessing information on a user's device and the processing of personal data, regardless of the technology — so pixels, local storage, fingerprinting, and SDKs are usually caught by the same rules. Read "cookies" below as "cookies and equivalent tracking technologies."

European Union (GDPR + ePrivacy Directive)

The EU has the strictest cookie regime in the world, and it rests on two laws working together: the ePrivacy Directive (2002/58/EC, the "Cookie Law") governs storing or accessing information on a device, while the GDPR governs the personal data involved and sets the standard for valid consent.

Article 5(3) of the ePrivacy Directive states that storing information, or gaining access to information already stored, on a user's device is only allowed where the user "is provided with clear and comprehensive information ... and is offered the right to refuse such processing" — subject to a narrow carve-out for storage that is "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user" ([Directive 2002/58/EC, Art. 5(3), EUR-Lex](https://eur-lex.europa.eu/eli/dir/2002/58/oj/oj/eng)). In practice, this means:

  • You must obtain prior, informed consent before placing any non-essential cookie. Consent has to be a clear affirmative act — under the GDPR, "silence, pre-ticked boxes or inactivity should not ... constitute consent" ([GDPR Recital 32, EUR-Lex](https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng)).
  • Implied consent (e.g., "by continuing to browse...") is not valid; the user must take a deliberate action.
  • Users must be able to refuse or withdraw consent, and the GDPR requires that "it shall be as easy to withdraw as to give consent" ([GDPR Art. 7(3), EUR-Lex](https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng)).
  • You must provide a detailed cookie policy listing the cookies in use, their purposes, and their lifespans, so consent is genuinely "informed."
  • Strictly necessary cookies — those required to deliver a service the user explicitly asked for — fall under the Article 5(3) exemption and can be set without consent.

Penalties. Breaching the GDPR's conditions for consent sits in the top fine tier. Under Article 83(5), infringements of the basic principles for processing, including the conditions for consent (Articles 5, 6, 7 and 9), attract administrative fines of up to €20 million, or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher ([GDPR Art. 83(5), EUR-Lex](https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng)). National ePrivacy penalties can apply on top, depending on the member state.

United Kingdom

Despite Brexit, the UK has kept GDPR-equivalent rules through the UK GDPR and the Privacy and Electronic Communications Regulations 2003 (PECR). PECR Regulation 6 is the UK's direct counterpart to ePrivacy Article 5(3): storing or accessing information on a user's device requires clear information and consent, unless an exception applies. The requirements track the EU closely:

  • Prior consent is required for non-essential cookies, and that consent must meet the UK GDPR standard, which defines consent as a "freely given, specific, informed and unambiguous" indication of the person's wishes (UK GDPR Article 4(11)). The ICO applies this standard to PECR in its [guidance on the use of storage and access technologies](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guidance-on-the-use-of-storage-and-access-technologies/).
  • Clear and comprehensive information about the cookies must be provided before consent is sought.
  • The ICO's position is that rejecting cookies should be as straightforward as accepting them, and it has publicly warned operators of high-traffic sites whose banners did not offer an equally easy "reject all" option.

United States

The US has no single federal cookie law. Instead, a growing patchwork of state privacy statutes governs tracking technologies, and the model is generally opt-out rather than the EU's opt-in:

  • California (CCPA, as amended by the CPRA): Not a "cookie law" as such, but it gives consumers the right to know what personal information is collected and the right to "request that businesses stop selling or sharing your personal information" — an opt-out that, for online data, must be honored through a browser-level Global Privacy Control signal ([California Attorney General, CCPA overview](https://oag.ca.gov/privacy/ccpa)). Because many ad and analytics cookies involve "sharing" personal information, this directly affects how those cookies are deployed.
  • Other state laws (Colorado, Connecticut, Virginia, and a growing list): These comprehensive privacy laws likewise require disclosure of tracking and give consumers opt-out rights for targeted advertising, sale, and certain profiling.
  • Practical takeaway: Even without a federal mandate, a clear cookie notice plus a working opt-out is the baseline most US-facing sites adopt.

Canada (PIPEDA)

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to obtain meaningful consent for collecting personal information, including through cookies. The Office of the Privacy Commissioner of Canada (OPC) takes a sensitivity-based approach to what form that consent must take:

  • The form of consent must reflect "the sensitivity of the information and the reasonable expectations of the individual," and "express consent is the most appropriate and respectful form of consent to use in any circumstances; implied consent can be acceptable in strictly defined circumstances" ([OPC, Interpretation Bulletin: Form of Consent](https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_07_consent/)).
  • Express (opt-in) consent is expected for sensitive data; the OPC notes, for example, that it is "inappropriate to rely on implied consent" to use health-related browsing for tailored advertising.
  • Organizations must clearly explain what cookies they use and why, so the consent is meaningful.

Australia

Australia's Privacy Act 1988 does not single out cookies, but it requires organizations to handle personal information transparently. The Australian Privacy Principles (APPs) require:

  • Notice about the collection of personal information, which can include cookie-derived data.
  • A privacy policy describing what information is collected and how it is used.

Australia does not currently mandate a cookie consent banner, but a clear notice and opt-out are widely treated as best practice, and reforms to strengthen the Privacy Act are underway.

Brazil (LGPD)

Brazil's Lei Geral de Proteção de Dados (LGPD) closely mirrors the GDPR. It requires:

  • A valid legal basis for processing personal data, including data collected through cookies.
  • Clear, prominent notice about what data is collected and why.
  • The ability for users to revoke consent at any time, where consent is the legal basis relied on.

Opt-in vs. opt-out: the core distinction

If you remember one thing, make it this. The EU, UK, and Brazil generally follow an opt-in model: non-essential cookies are blocked until the user actively agrees. The US state laws follow an opt-out model: you can set cookies by default but must give users a clear, working way to say no. Canada sits in between, scaling the strictness of consent to how sensitive the data is.

Practical steps for a defensible setup

  • Audit what you actually load. List every cookie, pixel, and third-party script, what it does, and how long it persists. You cannot write an accurate cookie policy without this inventory.
  • Block non-essential cookies until consent (for opt-in regions). Tags should not fire before the user agrees. A banner that "remembers" a choice but loads trackers anyway defeats the purpose.
  • Make reject as easy as accept. Equal prominence, equal number of clicks, no pre-ticked boxes, no dark patterns nudging users toward "accept."
  • Offer granular control and ongoing withdrawal. Let users accept some categories (e.g., analytics) and refuse others (e.g., advertising), and keep a persistent settings link so they can change their mind later.
  • Keep records and honor browser signals. Log what each user consented to and when, and treat Global Privacy Control as a valid opt-out for California consumers.
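The steps above, as an added example that is not part of the original article: a minimal consent gate that keeps non-essential tags from firing until consent is recorded, treats a Global Privacy Control signal as an opt-out of advertising ("sale/sharing") in opt-out regions, and logs each choice with a timestamp. Region codes, category names, and the tag registry are constructed for illustration; the real script-injection step is left to the `loader` callback.

```javascript
// Added example (not the page's or any vendor's code): consent-gated tag loading.
const OPT_IN_REGIONS = new Set(["EU", "UK", "BR"]); // assumed region codes
const NECESSARY = "necessary";                       // Art. 5(3) exempt category

// Constructed tag registry; each tag belongs to exactly one consent category.
const TAG_REGISTRY = [
  { id: "session-cookie", category: NECESSARY },
  { id: "analytics-script", category: "analytics" },
  { id: "ad-pixel", category: "advertising" },
];

// Read the Global Privacy Control signal when a browser exposes it; callers may
// pass it explicitly (e.g. from the Sec-GPC request header on the server side).
function readGpc(override) {
  if (override !== undefined) return override;
  return globalThis.navigator?.globalPrivacyControl === true;
}

// Initial state before the user touches the banner.
// Opt-in regions: only necessary. Opt-out regions: everything allowed by
// default, minus advertising when GPC is on (treated here as a valid opt-out).
function createConsentState(region, gpcOverride) {
  const allowed = new Set([NECESSARY]);
  if (!OPT_IN_REGIONS.has(region)) {
    allowed.add("analytics");
    if (!readGpc(gpcOverride)) allowed.add("advertising");
  }
  return { region, allowed, loaded: new Set(), log: [] };
}

// Record an explicit, granular choice. `choices` maps category -> boolean.
// Necessary cannot be refused; every other change is logged for the record.
function recordChoice(state, choices, now = Date.now()) {
  for (const [category, granted] of Object.entries(choices)) {
    if (category === NECESSARY) continue;
    if (granted) state.allowed.add(category); else state.allowed.delete(category);
    state.log.push({ category, granted, at: now });
  }
  return state;
}

// Fire only tags whose category is currently allowed, and never fire one twice.
// `loader` performs the side effect (e.g. appending a <script> element).
function loadPermittedTags(state, loader) {
  const fired = [];
  for (const tag of TAG_REGISTRY) {
    if (state.allowed.has(tag.category) && !state.loaded.has(tag.id)) {
      loader(tag);
      state.loaded.add(tag.id);
      fired.push(tag.id);
    }
  }
  return fired;
}
```

Withdrawal is handled by calling `recordChoice` with `false` for a category: already-running scripts cannot be unloaded, so the gate's job is to stop future firing and keep the record straight.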

Best Practice: Cover All Bases

If your website has international traffic, the simplest strategy is to implement a GDPR-compliant cookie consent banner for all visitors and layer in the US opt-out and Global Privacy Control handling where applicable. The opt-in approach already satisfies the strictest requirements, so building to that standard protects you across most jurisdictions at once. A single banner that defaults to the strictest behavior is the cleanest way to avoid mismatches.

Get Your Cookie Policy

Creating a compliant cookie policy doesn't have to be complicated. Use our Free Cookie Policy Generator and Cookie Consent Banner Generator to get set up in minutes.

This article is general information about cookie and privacy laws across jurisdictions, not legal advice. Laws change and their application depends on your specific circumstances, the data you collect, and where your users are located. For advice on your situation, consult a qualified privacy lawyer or the relevant regulator.