Cookie Consent Laws by Country: Complete Guide (2026)

Cookie consent requirements differ across virtually every major jurisdiction. A website accessible worldwide faces a patchwork of laws ranging from the EU's strict opt-in regime to countries with no cookie-specific regulations at all. For website operators, understanding which rules apply where is not optional: enforcement actions and fines have reached hundreds of millions of euros in the EU alone.
This guide surveys cookie consent laws across more than 30 countries and regions, organized by strictness of requirements. It covers the legal basis in each jurisdiction, what consent looks like in practice, enforcement trends, and how the rules interact with broader data privacy frameworks.
European Union: The Global Standard-Setter
The EU's cookie consent framework rests on two pillars: the ePrivacy Directive (Directive 2002/58/EC, amended by 2009/136/EC) and the GDPR (Regulation 2016/679). Together, they create the strictest cookie consent regime in the world.
How It Works
The ePrivacy Directive's Article 5(3) requires prior, informed consent before placing any non-essential cookie on a user's device. The GDPR defines what "consent" means: it must be freely given, specific, informed, and unambiguous, demonstrated through a clear affirmative action.
Pre-ticked checkboxes are illegal under the CJEU's Planet49 ruling (Case C-673/17). Scrolling or continuing to browse does not constitute consent. Users must be able to reject cookies as easily as they accept them.
Enforcement Highlights
The EU's 27 member states each enforce cookie rules through their national data protection authorities. Enforcement intensity varies, but several countries stand out.
France (CNIL): Fined Google 150 million euros and Facebook 60 million euros in December 2021 for making cookie rejection difficult. The CNIL requires a first-layer reject button and allows limited exemptions for privacy-preserving first-party analytics.
Italy (Garante): Updated its cookie guidelines in 2021 to require a visible reject button on the initial banner. Italy mandates a separate cookie policy distinct from the general privacy policy.
Germany (BfDI and state authorities): The Bundesgerichtshof adopted the Planet49 standard in October 2020. Germany's federal structure means 16 state-level data protection authorities plus the federal BfDI all enforce cookie rules.
Spain (AEPD): Enforces cookie compliance under Ley 34/2002 (LSSI), with fines up to 300,000 euros under the LSSI or GDPR-level fines when personal data is involved.
Belgium (APD): Issued a landmark 2022 decision against IAB Europe's Transparency and Consent Framework, finding the TCF itself violated the GDPR.
United Kingdom: Post-Brexit EU Alignment
The UK's cookie rules come from the Privacy and Electronic Communications Regulations 2003 (PECR), as amended. PECR mirrors the EU's ePrivacy Directive and continues to require opt-in consent for non-essential cookies after Brexit.
Key Requirements
Regulation 6 of PECR requires prior consent before placing cookies or similar technologies on a user's device. The consent standard aligns with the UK GDPR: it must be informed, specific, and involve a clear affirmative action. Strictly necessary cookies are exempt.
The Information Commissioner's Office (ICO) enforces PECR. The ICO has taken a guidance-first approach, issuing detailed technical guidance rather than immediately pursuing large fines. Maximum penalties under PECR are 500,000 pounds, though the ICO can also use GDPR enforcement powers (up to 17.5 million pounds or 4% of global turnover) when cookie violations involve personal data.
In November 2023, the ICO issued enforcement notices to several major websites following a cookie banner sweep, signaling a shift toward more active enforcement.

United States: No Federal Cookie Law
The United States has no federal law specifically governing cookies or requiring cookie consent banners. Instead, cookie-related obligations arise from a growing patchwork of state privacy laws that regulate the broader categories of online tracking, personal data sales, and targeted advertising.
State-Level Landscape
California (CCPA/CPRA): Does not require opt-in consent for cookies but mandates a "Do Not Sell or Share My Personal Information" link. Businesses that use advertising cookies to share data with third parties must honor opt-out requests, including the Global Privacy Control (GPC) signal.
Colorado, Connecticut, Virginia, and other states: Comprehensive privacy laws in these states require opt-out mechanisms for targeted advertising and data sales but do not mandate EU-style cookie consent banners.
No U.S. state currently requires affirmative opt-in consent for cookies in the way the EU does. The American approach is opt-out rather than opt-in. See our detailed state-by-state guide for specifics on each state's requirements.

Canada: PIPEDA and CASL
Canada regulates cookies primarily through the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL). The Office of the Privacy Commissioner (OPC) provides guidance on cookie consent.
Under PIPEDA, organizations must obtain meaningful consent for collecting, using, or disclosing personal information. The OPC interprets this to include cookies that collect personal information. For analytics and advertising cookies that track identifiable behavior, organizations should obtain express consent. For cookies that collect non-identifiable information, implied consent may suffice.
Canada is considering a new privacy framework (Bill C-27, the Digital Charter Implementation Act) that would replace PIPEDA and could strengthen cookie consent requirements. As of March 2026, this legislation remains in parliamentary review.
Brazil: LGPD
Brazil's Lei Geral de Proteção de Dados (LGPD) does not contain a specific cookie provision. However, the LGPD's requirements for a legal basis for processing personal data apply to cookies that collect personal information.
The Autoridade Nacional de Proteção de Dados (ANPD) has stated that consent is the most appropriate legal basis for advertising and analytics cookies. For strictly necessary cookies, the legal basis of "legitimate interest" or "regular exercise of rights" may apply.
Brazilian websites have widely adopted EU-style cookie banners in practice, partly because many Brazilian companies also serve European users and partly because the ANPD's enforcement posture favors consent for tracking technologies.
China: PIPL
China's Personal Information Protection Law (PIPL), effective since November 1, 2021, regulates cookies as part of its broader personal information protection framework. The Cyberspace Administration of China (CAC) oversees enforcement.
Under the PIPL, processing personal information requires either consent or another legal basis specified in Articles 13-14. For cookies that collect personal information, organizations must provide clear notification of their purposes and obtain the individual's consent before processing.
China's approach is notable for requiring separate consent for transferring personal information to third parties and for cross-border data transfers. Advertising cookies that share data with overseas ad networks face particularly strict requirements, including data transfer impact assessments.
Japan: APPI
Japan's Act on the Protection of Personal Information (APPI), as significantly amended in April 2022, regulates cookies through its concept of "personally referable information." The Personal Information Protection Commission (PPC) enforces the APPI.
The 2022 amendments introduced new rules for "individual-related information," which includes cookie identifiers. When a business provides cookie data to a third party that can combine it with other data to identify individuals, the providing business must confirm that the third party has obtained the individual's consent.
Japan does not require EU-style cookie consent banners for first-party cookies. However, sharing cookie data with third parties for advertising purposes triggers the consent confirmation requirement.
South Korea: PIPA
South Korea's Personal Information Protection Act (PIPA) is one of Asia's strictest data protection laws. The Personal Information Protection Commission (PIPC) enforces it.
PIPA requires consent for collecting personal information, which includes cookies that track identifiable users. South Korea also enforces the Act on Promotion of Information and Communications Network Utilization and Information Protection (Network Act), which specifically addresses online tracking.
Korean websites commonly display cookie consent notices. The PIPC has been active in enforcement, with fines reaching billions of Korean won for violations involving personal data collection through tracking technologies.
India: DPDPA
India's Digital Personal Data Protection Act 2023 (DPDPA) was enacted in August 2023. The law regulates personal data processing and applies to cookies that collect personal data. Full implementation rules are still being finalized as of March 2026.
The DPDPA requires consent as the primary legal basis for processing personal data, with some exceptions for "legitimate uses." Cookie consent will likely be required for analytics and advertising cookies once the implementation rules and the Data Protection Board of India become fully operational.
Australia: Privacy Act
Australia regulates cookies through the Privacy Act 1988 and the Australian Privacy Principles (APPs). The Office of the Australian Information Commissioner (OAIC) provides guidance on cookies.
Australia does not require cookie consent banners. The Privacy Act requires organizations to notify individuals about the collection of personal information and its purposes, but this notification can be provided through a privacy policy rather than a pop-up banner. First-party analytics and functional cookies generally do not require explicit consent.
The Australian government has been reviewing the Privacy Act since 2020, with proposed amendments that could introduce stronger consent requirements for online tracking. As of March 2026, the reforms have not yet been enacted.
Global Comparison Table
| Country/Region | Consent Model | Cookie-Specific Law | Enforcement Authority | Max Penalty |
|---|---|---|---|---|
| EU (27 states) | Opt-in | ePrivacy Directive + GDPR | National DPAs | 20M euros / 4% turnover |
| UK | Opt-in | PECR + UK GDPR | ICO | 17.5M GBP / 4% turnover |
| USA | Opt-out (state level) | None federal; state laws | State AGs, FTC | Varies by state |
| Canada | Meaningful consent | PIPEDA, CASL | OPC | 100K CAD (PIPEDA) |
| Brazil | Consent preferred | LGPD (general) | ANPD | 2% revenue, 50M BRL cap |
| China | Consent | PIPL (general) | CAC | 50M CNY / 5% revenue |
| Japan | Third-party consent | APPI (general) | PPC | 100M JPY |
| South Korea | Opt-in | PIPA + Network Act | PIPC | 3% revenue |
| India | Consent (pending rules) | DPDPA (general) | DPBI | 250 crore INR |
| Australia | Notice-based | Privacy Act (general) | OAIC | 50M AUD |
| Singapore | Consent | PDPA | PDPC | 1M SGD / 10% turnover |
| Thailand | Consent | PDPA | PDPC | 5M THB |
| South Africa | Consent | POPIA | Information Regulator | 10M ZAR |
| Nigeria | Consent | NDPR | NITDA | 2% turnover |
| Argentina | Consent | PDPL (Law 25,326) | AAIP | 100K ARS |
| Israel | Notice-based | Privacy Protection Law | PPA | Administrative fines |
| UAE | Consent | Federal Decree-Law 45/2021 | UAE Data Office | 1M AED |
| Turkey | Consent | KVKK | KVKK Board | 1.95M TRY |
| Switzerland | Implied (changing) | revDSG (2023) | FDPIC | 250K CHF (individuals) |
| New Zealand | Notice-based | Privacy Act 2020 | OPC | Modest fines |
Regional Trends
Asia-Pacific: Rapid Regulatory Growth
The Asia-Pacific region is experiencing the fastest growth in data protection legislation. Thailand's PDPA (fully effective June 2022), Vietnam's Personal Data Protection Decree (2023), and Indonesia's Personal Data Protection Law (2022) all contain provisions affecting cookies. Most Asian countries are moving toward a consent-based model for online tracking, influenced by the EU's approach but typically with lighter enforcement.
Africa and Middle East: Emerging Frameworks
Several African countries have adopted data protection laws in recent years. Nigeria's NDPR, South Africa's POPIA, Kenya's Data Protection Act, and Egypt's Data Protection Law all address the collection of personal data online. Cookie-specific requirements are generally less developed, but the trend is toward requiring consent for tracking technologies.
The UAE's Federal Decree-Law No. 45 of 2021 on personal data protection applies to cookies that process personal data and requires data subject consent. Saudi Arabia's Personal Data Protection Law (PDPL), effective September 2023, similarly requires consent for personal data processing.
Latin America: Following Brazil's Lead
Beyond Brazil, several Latin American countries have modernized their data protection frameworks. Chile reformed its data protection law in 2024, Argentina is updating Law 25,326, and Colombia's Habeas Data Law applies to online data collection. The trend across the region is toward stronger consent requirements for tracking technologies.
Practical Guidance for Global Websites
Organizations operating websites accessible in multiple jurisdictions face practical challenges in complying with this patchwork of laws.
Geolocation-Based Consent
Most compliance platforms use IP geolocation to determine which consent rules apply to each visitor. An EU visitor sees a full opt-in cookie banner. A US visitor may see a simpler notice with opt-out options. An Australian visitor may see only a link to the cookie policy.
Minimum Viable Compliance
For organizations that cannot implement jurisdiction-specific consent flows, applying the EU standard globally is the safest approach. If your website complies with the EU's opt-in consent model, it will meet or exceed the requirements of virtually every other jurisdiction.
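The geolocation-based flow and the EU-standard fallback described above can be combined in one server-side decision function. This is an added example, not code from any CMP named on this page; the function names, cookie categories, country sets and sample cookies are assumptions, and `Sec-GPC: 1` is the request header that carries the Global Privacy Control signal.

```javascript
// Added example (not from the original page); names and categories are assumptions.
const OPT_OUT = new Set(["US"]);             // opt-out model (state level)
const NOTICE = new Set(["AU", "NZ", "IL"]);  // "Notice-based" rows of the table
const NON_ESSENTIAL = ["analytics", "advertising"];

// country: ISO 3166-1 alpha-2 code from an IP geolocation lookup, or null.
// Anything that is not positively identified as opt-out or notice-based
// (unknown codes and failed lookups included) falls back to opt-in, which is
// the "apply the EU standard globally" default.
function consentModel(country) {
  const cc = typeof country === "string" ? country.toUpperCase() : "";
  if (OPT_OUT.has(cc)) return "opt-out";
  if (NOTICE.has(cc)) return "notice";
  return "opt-in";
}

// headers: lower-cased request headers. stored: the visitor's saved choices,
// e.g. { analytics: true, advertising: false }, or null if none exist yet.
function decide(country, headers = {}, stored = null) {
  const model = consentModel(country);
  const gpc = headers["sec-gpc"] === "1";
  const allowed = ["essential"];             // strictly necessary: always set
  for (const cat of NON_ESSENTIAL) {
    const choice = stored ? stored[cat] : undefined;
    // Opt-in: only an explicit "yes" counts. Otherwise: allowed until refused.
    let ok = model === "opt-in" ? choice === true : choice !== false;
    // Under the opt-out model, GPC is an opt-out request for ad sharing.
    if (model === "opt-out" && cat === "advertising" && gpc) ok = false;
    if (ok) allowed.push(cat);
  }
  const ui = model === "opt-in" ? (stored ? "none" : "banner")
    : model === "opt-out" ? "opt-out-link" : "policy-link";
  return { model, allowed, ui };
}

// Keep only cookies whose category is allowed. A cookie with no category tag
// is dropped, so an unclassified tracker cannot slip through.
function filterCookies(cookies, decision) {
  return cookies.filter((c) => decision.allowed.includes(c.category));
}

// Constructed sample cookies for illustration.
const SAMPLE_COOKIES = [
  { name: "session", category: "essential" },
  { name: "_stats", category: "analytics" },
  { name: "_ads", category: "advertising" },
  { name: "legacy" },
];
```

Geolocation lookups fail or are masked by VPNs often enough that the default branch matters more than the lists: a visitor who cannot be placed gets the opt-in banner and only essential cookies.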
Consent Management Platforms
Dedicated consent management platforms (CMPs) automate cookie scanning, banner display, consent collection, and cookie blocking. Popular options include OneTrust, Cookiebot (Usercentrics), and open-source alternatives like Tarteaucitron. When selecting a CMP, verify that it supports the specific jurisdictions your website serves.
This is general legal information, not legal advice. Cookie law compliance depends on the specific jurisdictions your website targets, the types of cookies used, and your organization's data processing activities. Consult a qualified attorney in each relevant jurisdiction for advice specific to your situation.