Cookie and Privacy Regulations: A Global Overview
Cookie compliance is not governed by a single law. It is shaped by a patchwork of national and regional regulations that vary significantly in their scope, requirements, and enforcement. For any website with an international audience — which, on the open internet, is nearly every website — understanding which laws apply and how they differ is essential.
This guide maps the global regulatory landscape for cookies and online tracking, from the EU's consent-first model to the US's notice-and-choice approach and emerging frameworks elsewhere.
The Global Patchwork
There is no single "cookie law." Instead, cookie compliance sits at the intersection of privacy regulations, electronic communications directives, and consumer protection laws. The result is a complex, sometimes contradictory landscape where the same website may be subject to different rules depending on where its visitors are located.
Two broad models have emerged:
- The EU model (consent-first): Non-essential cookies may only be set after the user has given informed, specific, freely given consent. The default is no tracking. The user must opt in.
- The US model (notice-and-choice): Businesses must disclose their data collection practices and give users the ability to opt out of certain uses (particularly the sale or sharing of personal information). The default is tracking, with the user able to opt out.
Most new privacy regulations around the world are converging toward the EU model, though with local variations. Understanding both models — and the specific laws within them — is necessary for any website operating across borders.
The EU Framework: ePrivacy Directive + GDPR
The European Union's approach to cookie regulation is built on two legal instruments that work together:
The ePrivacy Directive (2002/58/EC)
The ePrivacy Directive — often called the "Cookie Directive" — is the primary EU law governing the use of cookies and similar tracking technologies. Its key provision, Article 5(3), states:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.
The only exception is for cookies that are "strictly necessary" for providing a service explicitly requested by the user — for example, session cookies for a shopping cart or login state.
Important: the ePrivacy Directive is a directive, not a regulation. This means each EU member state has transposed it into national law with local variations. The core principle (consent required for non-essential cookies) is consistent, but implementation details differ. For example:
- France (CNIL): Has issued detailed cookie guidelines including a limited exemption for certain audience measurement tools that meet strict conditions (anonymization, no cross-site tracking, limited retention).
- Germany: Implemented through the TTDSG (Telekommunikation-Telemedien-Datenschutz-Gesetz), which took effect in December 2021 and codified the consent requirement explicitly.
- Italy (Garante): Published detailed cookie guidelines in 2021 requiring a reject button on the first layer and prohibiting cookie walls.
- Netherlands (AP): Has taken a somewhat more permissive stance on cookie walls, suggesting they may be acceptable if the user has a genuine alternative way to access the content.
The GDPR (Regulation (EU) 2016/679)
The General Data Protection Regulation does not specifically mention cookies, but it governs the processing of personal data — and cookies frequently involve personal data. The GDPR is relevant to cookie compliance in several ways:
- Consent standard (Article 4(11), Article 7): The GDPR defines what constitutes valid consent: freely given, specific, informed, unambiguous, given by a clear affirmative action. This standard applies to cookie consent obtained under the ePrivacy Directive.
- Transparency (Articles 12-14): When cookies process personal data, the GDPR's transparency requirements apply. This means your cookie policy must provide specific information about the data processing involved.
- Legal basis (Article 6): Processing personal data through cookies requires a legal basis. For non-essential cookies, that basis is consent. Some controllers attempt to rely on legitimate interest (Article 6(1)(f)), but data protection authorities have increasingly rejected legitimate interest as a basis for advertising and analytics tracking.
- Data subject rights (Articles 15-22): Users have rights to access, rectification, erasure, and portability of their data — including data collected through cookies.
- Extra-territorial reach (Article 3): The GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is established. A US company targeting EU customers must comply.
The Upcoming ePrivacy Regulation
The European Commission proposed an ePrivacy Regulation in 2017 to replace the ePrivacy Directive, harmonize rules across member states, and update them for modern technologies. As of early 2026, the regulation has not been finalized. Negotiations have been protracted, with disagreements over legitimate interest exceptions, cookie wall provisions, and browser-level consent mechanisms.
When eventually adopted, the ePrivacy Regulation will directly apply in all member states (unlike the current directive, which requires national transposition). Until then, the existing ePrivacy Directive and its national implementations remain the governing law.
The US Framework: State-Level Privacy Laws
The United States has no federal cookie law and no federal comprehensive privacy law (as of early 2026). Instead, privacy regulation has emerged at the state level, creating a patchwork of requirements.
California: CCPA and CPRA
The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), is the most comprehensive US state privacy law. Key provisions relevant to cookies:
- Right to opt out of sale/sharing. Consumers have the right to opt out of the "sale" or "sharing" of their personal information. Under the CPRA, "sharing" includes sharing data with third parties for cross-context behavioral advertising — which is exactly what most advertising cookies do.
- No prior consent required. Unlike the EU model, the CCPA/CPRA does not require prior consent for cookies. The default is that tracking is permitted, and users must actively opt out.
- "Do Not Sell or Share" link. Businesses must provide a conspicuous "Do Not Sell or Share My Personal Information" link on their website.
- Global Privacy Control (GPC). Businesses must honor the GPC browser signal as a valid opt-out request. If a user's browser sends a GPC signal, the business must treat it as if the user clicked "Do Not Sell or Share."
- Notice at collection. Businesses must disclose, at or before the point of collection, the categories of personal information collected and the purposes for which it will be used.
Other US State Laws
Following California's lead, numerous US states have enacted comprehensive privacy laws. As of early 2026, states with active privacy laws include:
| State | Law | Effective Date | Cookie-Relevant Features |
|---|---|---|---|
| Virginia | VCDPA | January 2023 | Opt-out of targeted advertising, sale of data |
| Colorado | CPA | July 2023 | Opt-out of targeted advertising, sale of data; must honor universal opt-out signals |
| Connecticut | CTDPA | July 2023 | Opt-out of targeted advertising, sale of data; must honor universal opt-out signals |
| Utah | UCPA | December 2023 | Opt-out of targeted advertising, sale of data |
| Texas | TDPSA | July 2024 | Opt-out of targeted advertising, sale of data; must honor universal opt-out signals |
| Oregon | OCPA | July 2024 | Opt-out of targeted advertising, sale of data; must honor universal opt-out signals |
| Montana | MCDPA | October 2024 | Opt-out of targeted advertising, sale of data; must honor universal opt-out signals |
Additional states have enacted laws with effective dates in 2025 and 2026. The trend is clear: state-level privacy regulation is expanding, and most new laws include opt-out rights for targeted advertising that directly affect cookie practices.
Other Notable Regulations
United Kingdom: UK GDPR and PECR
After Brexit, the UK retained the GDPR as the "UK GDPR" and continues to enforce the Privacy and Electronic Communications Regulations (PECR), which implement the ePrivacy Directive. The requirements for cookies are essentially identical to the EU: prior consent is required for non-essential cookies, with a narrow exception for strictly necessary cookies. The Information Commissioner's Office (ICO) enforces these rules and has published detailed cookie guidance.
Brazil: LGPD
Brazil's Lei Geral de Proteção de Dados (LGPD), effective since 2020, is heavily inspired by the GDPR. It requires a legal basis for processing personal data, including data collected through cookies. While the LGPD does not have a direct equivalent of the ePrivacy Directive's cookie-specific provision, consent or legitimate interest must be established for cookie-based data processing. The ANPD (national data protection authority) is gradually issuing guidance on cookies and consent.
Canada: PIPEDA and Bill C-27
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires "meaningful consent" for the collection, use, and disclosure of personal information. For cookies that collect personal information, organizations must obtain consent and provide clear information about their practices. Bill C-27, the proposed Consumer Privacy Protection Act, would modernize Canada's framework with stronger consent requirements, but its passage has been delayed.
Japan: APPI
Japan's Act on the Protection of Personal Information (APPI), amended in 2022, introduced the concept of "personally referable information", which can include cookie identifiers in certain contexts. When cookie data is combined with other information to identify an individual, consent requirements apply.
South Korea: PIPA
South Korea's Personal Information Protection Act (PIPA), amended in 2023, requires consent for the collection and use of personal information, which can include cookie data when it identifies or can identify an individual.
Convergence Trend
Despite the current patchwork, a clear trend is emerging: most new privacy laws follow the EU model of consent-first, user-empowering regulation. Even US state laws, while technically based on opt-out rather than opt-in, are moving toward stricter requirements with universal opt-out signals (GPC), data minimization principles, and expanded definitions of "personal information" that capture cookie identifiers.
For practical purposes, this convergence means that websites implementing EU-level cookie compliance (prior consent, clear accept/reject, granular categories, transparent policies) are well-positioned for compliance with most other jurisdictions. The EU standard is the highest common denominator.
Risk Assessment: Which Laws Apply to Your Website?
The key question for any website operator is: which laws apply to me? The answer depends on two factors:
- Where your organization is established. You are subject to the privacy laws of the jurisdictions where your organization has an establishment (office, subsidiary, branch).
- Where your users are located. Under the GDPR's extra-territorial reach (Article 3(2)), you are subject to EU privacy law if you offer goods or services to individuals in the EU, or if you monitor the behavior of individuals in the EU. Similar extra-territorial provisions exist in the UK GDPR, Brazil's LGPD, and other laws.
In practice, if your website is accessible to users in the EU — and you have any EU traffic, which virtually all websites do — you should comply with the ePrivacy Directive and GDPR. If you have US traffic, you should address CCPA/CPRA (California) and other applicable state laws.
A pragmatic approach:
- Implement EU-standard consent for all EU/EEA/UK visitors (prior opt-in consent for non-essential cookies).
- Implement opt-out mechanisms for US visitors (Do Not Sell/Share link, GPC support).
- Default to the higher standard if geographic detection is impractical. EU-level consent satisfies virtually all jurisdictions.
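The following is an added example, not Passiro's code and not an implementation endorsed by any regulator. It models the pragmatic approach above together with the GPC obligation described under the CCPA/CPRA: visitors from the EU/EEA/UK get the opt-in regime (only strictly necessary cookies until the user affirmatively opts in), US visitors get the opt-out regime with the Global Privacy Control signal treated as a "Do Not Sell or Share" request, and a visitor whose region cannot be determined gets the stricter opt-in regime. The region codes, the category names, the shape of the stored preference object and the choice to honour GPC in both regimes are assumptions made for this example; the request header name `Sec-GPC` and the value `1` come from the GPC specification, and the mapping from IP address or country to a region code is assumed to be done by the caller.

```javascript
// Added example (not Passiro's code): pick the cookie regime for one visitor.
// Assumptions: region codes "EU" | "EEA" | "UK" | "US" | null, the category
// names below, and a stored preference object of the form
// { analytics: true, advertising: false }.

const STRICTLY_NECESSARY = "strictly-necessary"; // exempt under ePrivacy Art. 5(3)
const NON_ESSENTIAL = ["analytics", "advertising"]; // constructed category names
// Categories that amount to "sharing" for cross-context behavioural advertising,
// i.e. what a GPC opt-out switches off (assumption for this example).
const SHARING_CATEGORIES = new Set(["advertising"]);
// Regions where the page's notice-and-choice (opt-out) model applies; every
// other region, including an unknown one, falls back to the opt-in model.
const OPT_OUT_REGIONS = new Set(["US"]);

// Detect the Global Privacy Control signal server-side. The GPC spec defines the
// request header "Sec-GPC: 1"; HTTP header names are case-insensitive, so the
// lookup ignores case.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Decide which cookie categories may be active right now for this visitor.
//   region:       "EU" | "EEA" | "UK" | "US" | null (unknown), supplied by the caller
//   headers:      request headers as a plain object
//   storedChoice: the visitor's recorded banner choice, or null if none yet
// Returns { regime, gpc, allowed } where allowed lists the categories that may run.
function consentRegime(region, headers, storedChoice) {
  const gpc = hasGpcSignal(headers);
  const choice = storedChoice || {};
  const regime = OPT_OUT_REGIONS.has(region) ? "opt-out" : "opt-in";
  const allowed = [STRICTLY_NECESSARY]; // always permitted, no consent needed

  for (const category of NON_ESSENTIAL) {
    let active;
    if (regime === "opt-in") {
      // EU model: nothing non-essential runs until an affirmative opt-in is recorded.
      active = choice[category] === true;
    } else {
      // US model: on by default, off once the visitor has opted out.
      active = choice[category] !== false;
    }
    // GPC is honoured as a "Do Not Sell or Share" request in either regime
    // (assumption: the page only states the CCPA/CPRA obligation).
    if (gpc && SHARING_CATEGORIES.has(category)) {
      active = false;
    }
    if (active) allowed.push(category);
  }
  return { regime, gpc, allowed };
}

// Stand-alone demonstration on constructed inputs.
console.log(JSON.stringify(consentRegime("EU", {}, null)));
console.log(JSON.stringify(consentRegime("US", { "Sec-GPC": "1" }, null)));
console.log(JSON.stringify(consentRegime(null, {}, { analytics: true })));
```

Because the page states that a GPC signal must be treated as if the user had clicked the "Do Not Sell or Share" link, a real deployment should also persist that opt-out in the visitor's recorded choice rather than only evaluating it per request, so that it survives a later request that happens to arrive without the header. The `region == null` path is the "default to the higher standard" rule: when geographic detection fails, the visitor is handled under the opt-in model.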
Extra-Territorial Reach
One of the most significant aspects of modern privacy regulation is its extra-territorial reach. The GDPR (Article 3(2)) applies to organizations outside the EU that:
- Offer goods or services to individuals in the EU (even if free — a website accessible in the EU that targets EU users qualifies), or
- Monitor the behavior of individuals in the EU (analytics and advertising tracking constitute monitoring).
This means a US company running Google Analytics on a website that receives EU traffic is, technically, subject to the GDPR and the ePrivacy Directive's cookie requirements. Enforcement against non-EU organizations has historically been limited but is increasing, particularly for large companies. The practical risk for smaller organizations depends on visibility and complaint volume, but the legal obligation exists regardless of size.
Enforcement Landscape
Cookie compliance enforcement has intensified dramatically since 2020. Key trends:
Who Enforces
In the EU, national data protection authorities (DPAs) enforce both the ePrivacy Directive and the GDPR. Notable active enforcers include the CNIL (France), the Garante (Italy), the Datatilsynet (Denmark and Norway), the BfDI (Germany at the federal level), and the APD (Belgium). The EDPB coordinates cross-border enforcement.
In the US, the California Attorney General and the California Privacy Protection Agency enforce the CCPA/CPRA. State attorneys general enforce other state laws.
How They Enforce
- Complaint-driven investigations. Most enforcement begins with a user complaint to a DPA. The complaint triggers an investigation of the website's cookie practices.
- Sweep investigations. DPAs periodically conduct sector-wide sweeps, scanning hundreds of websites for cookie compliance. The CNIL, the Italian Garante, and the Danish Datatilsynet have all conducted publicized sweeps.
- NGO complaints. Privacy advocacy organizations such as noyb (led by Max Schrems) have filed mass complaints against hundreds of websites, creating significant enforcement volume. Noyb's cookie banner complaints alone have led to dozens of enforcement actions across the EU.
Penalties
GDPR fines for cookie violations can reach up to EUR 20 million or 4% of annual global turnover, whichever is higher. In practice, fines for cookie violations have ranged from warnings (for small organizations with minor violations) to EUR 150 million (Google, CNIL, 2022). The trend is toward higher fines and more frequent enforcement.
Beyond fines, non-compliance carries reputational risk, consumer trust damage, and the operational cost of emergency remediation under a regulatory order.
Passiro helps you navigate this regulatory complexity with automated compliance that adapts to the laws applicable to your visitors. Learn how Passiro simplifies cookie compliance across jurisdictions.