Cookie Consent Laws by Country: Complete Guide (2026)

Cookie consent law follows three models worldwide: the EU's opt-in standard under the ePrivacy Directive, the US opt-out approach built on state privacy statutes, and a notice-only model used in countries such as Australia. Applying EU-standard opt-in consent to all visitors satisfies the requirements of virtually every other jurisdiction.

Cookie consent requirements differ across virtually every major jurisdiction. A website accessible worldwide faces a patchwork of laws ranging from the EU's strict opt-in regime to countries with no cookie-specific rules at all. Enforcement actions and fines have reached hundreds of millions of euros in the EU alone, and the regulatory landscape shifted significantly in 2024-2026 with a wave of new laws and enforcement decisions.

This guide surveys cookie consent rules across more than 30 countries and regions, with particular focus on what changed in 2024-2026 and what to expect next.

Quick Answer: How Cookie Consent Varies by Country

Cookie consent law does not work the same way everywhere. Three distinct models exist:

Opt-in model: Cookies cannot be placed until the user actively agrees. The EU, UK, South Korea, and a growing number of countries in Asia and Africa use this approach.

Opt-out model: Cookies are permitted by default; users must take action to stop them. This is the dominant US state-law model, where the focus is on honoring opt-out signals like the Global Privacy Control rather than requiring upfront consent.

Notice-only model: Organizations must inform users that cookies are used (typically in a privacy policy), but no consent banner is required. Australia has operated under this model, though recent reforms tighten the rules.

The practical implication for global websites: applying EU-standard opt-in consent to all visitors is the safest single policy. Any site that meets the EU's requirements will satisfy virtually every other jurisdiction's rules.

Why Cookie Consent Varies by Country

The variation reflects fundamentally different legal traditions and policy priorities. The EU treats privacy as a fundamental right and has historically regulated technology proactively. The United States has historically favored a sectoral and market-based approach, relying on state legislatures and the FTC rather than a comprehensive federal data protection law. Developing economies have often adopted modern data protection frameworks modeled on the EU (or in some cases the APEC Privacy Framework) but with different enforcement capacity and timelines.

The technology also matters. Cookie consent rules generally trace their origins to the EU's ePrivacy Directive, which was a response to specific concerns about tracking in the early 2000s. Countries that adopted data protection frameworks later, such as Brazil, India, and Thailand, typically address cookies through broader personal data processing rules rather than cookie-specific legislation.

The EU/EEA: The Global Standard-Setter

The EU's cookie framework rests on two instruments: the ePrivacy Directive (Directive 2002/58/EC as amended by 2009/136/EC) and the GDPR (Regulation 2016/679). Together they create the world's most demanding cookie consent regime.

How the EU Framework Works

Article 5(3) of the ePrivacy Directive requires prior, informed consent before any non-essential cookie is placed on a user's device. The GDPR's consent standard requires that consent be freely given, specific, informed, and demonstrated through an unambiguous affirmative action.

Pre-ticked checkboxes are illegal following the CJEU's Planet49 ruling (Case C-673/17). Scrolling or continued browsing does not constitute consent. Rejection must be as easy as acceptance, a principle that led to major fines.

Strictly necessary cookies are exempt from consent. These include cookies essential for the service the user explicitly requested, such as session cookies for a shopping cart or security tokens.

The ePrivacy Regulation: Withdrawn February 2025

For years, the EU had been trying to replace the ePrivacy Directive with a new Regulation. The proposed ePrivacy Regulation, introduced in 2017, promised to harmonize rules across member states and address gaps in the Directive.

In February 2025, the European Commission's 2025 Work Programme formally withdrew the proposal. The Commission stated that "no agreement is expected from the co-legislators" and that the proposal was "outdated in view of some recent legislation in both the technological and the legislative landscape." The current ePrivacy Directive and its national implementations remain the applicable law.

The Digital Omnibus Proposal: New Cookie Rules on the Horizon

On November 19, 2025, the European Commission proposed the Digital Omnibus package, a broad legislative initiative that would fundamentally reshape how cookie rules work in the EU.

Key proposed changes relevant to cookies:

• The ePrivacy Directive would no longer govern personal data processing. The GDPR alone would apply to cookies that collect personal data, unifying the legal framework.
• New exemptions would be created for security cookies, first-party analytics cookies, and cookies necessary to deliver a user-requested service. These would not require a consent banner.
• Repeated consent requests for the same purpose would be prohibited within a six-month window.
• Businesses would be required to respect machine-readable consent signals (such as browser-level preferences).

These changes would address a long-standing complaint about cookie banner fatigue. However, the Digital Omnibus is still in legislative review. Optimistic timelines put adoption at end-2026, with entry into force no earlier than 2027.

EU Enforcement Highlights

Each of the EU's 27 member states enforces cookie rules through its national data protection authority (DPA). Several stand out for enforcement intensity.

France (CNIL): Fined Google 150 million euros and Facebook 60 million euros in December 2021 for making cookie rejection too difficult. The CNIL requires a visible reject button on the first-layer banner and allows limited first-party analytics exemptions.

Italy (Garante): Issued updated cookie guidelines in 2021 requiring a visible reject button on the initial banner and a separate cookie policy distinct from the general privacy notice.

Germany (BfDI and state DPAs): Adopted the Planet49 standard via the Federal Court of Justice in October 2020. Germany's 16 state-level DPAs plus the federal BfDI all enforce cookie rules, creating a layered enforcement landscape.

Spain (AEPD): Enforces cookie compliance under the LSSI (Ley 34/2002) alongside GDPR, with fines reaching 300,000 euros under LSSI or GDPR-level fines when personal data is involved.

Belgium (APD): Issued a landmark 2022 decision against IAB Europe's Transparency and Consent Framework, finding the TCF itself violated the GDPR.

EDPB Cookie Banner Taskforce

The European Data Protection Board (EDPB) established a Cookie Banner Taskforce in 2021 to coordinate enforcement across DPAs. Its January 2023 report set minimum requirements: a reject button must be as prominent as the accept button; dark patterns (confusing colors, misleading wording, pre-selected acceptance) violate the GDPR; and users must be able to withdraw consent as easily as they gave it. DPAs across the EU have since issued enforcement notices and fines, including a 15,000 euro fine against an e-commerce operator in 2024 for a non-compliant banner.

The UK: PECR and the DUAA 2025 Changes

The UK's cookie rules derive from the Privacy and Electronic Communications Regulations 2003 (PECR), which mirror the EU's ePrivacy framework. Post-Brexit, PECR operates independently alongside UK GDPR, enforced by the Information Commissioner's Office (ICO).

What PECR Requires

Regulation 6 of PECR requires prior consent before placing cookies or similar technologies. Consent must be informed, specific, and involve a clear affirmative action. Strictly necessary cookies are exempt. The consent standard aligns with UK GDPR.

Data (Use and Access) Act 2025: A Significant Shift

The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on June 19, 2025. Key PECR-related provisions came into force on February 5, 2026. The DUAA made two material changes to cookie rules:

New cookie exemptions: Three categories now fall outside PECR's consent requirement: (1) analytics cookies whose sole purpose is collecting aggregate statistics to improve a website or service; (2) preference cookies that adapt how a site looks or behaves (such as language or theme); and (3) strictly necessary cookies as before. Advertising cookies, targeting, frequency capping, and ad measurement still require consent.

Significantly higher fines: The maximum PECR penalty rose to UK GDPR levels: up to £17.5 million or 4% of global annual turnover, whichever is higher. Previously the PECR maximum was £500,000. This aligns PECR enforcement power with UK GDPR and signals that ICO enforcement is likely to intensify.

The United States: State-Law Patchwork

The United States has no federal law requiring cookie consent banners. Cookie-related obligations arise from a growing set of state privacy statutes focused on opt-out rights, online tracking, and targeted advertising. See our detailed state-by-state US guide for specifics.

The Core Model: Opt-Out, Not Opt-In

No US state requires EU-style affirmative opt-in consent for cookies. The American model is opt-out: cookies are permitted unless a user signals otherwise. The primary mechanisms are:

"Do Not Sell or Share" links: California's CCPA/CPRA requires a link allowing consumers to opt out of the sale or sharing of personal information, including advertising cookies.

Global Privacy Control (GPC): A browser-level signal that communicates opt-out preferences. Businesses subject to California's CCPA/CPRA must honor GPC as a valid opt-out request.

States Requiring GPC Compliance (as of May 2026)

The list of states mandating that businesses honor the GPC signal has expanded significantly:

• California: Requires honoring GPC under CCPA/CPRA; the California Privacy Protection Agency launched coordinated enforcement sweeps targeting GPC non-compliance in September 2025 alongside the AGs of Colorado and Connecticut.
• Colorado: The Colorado AG has designated GPC as an acceptable universal opt-out mechanism.
• Connecticut: As of January 1, 2025, businesses must honor universal opt-out signals under the Connecticut Data Privacy Act.
• Montana, Texas: Also require honoring universal opt-out mechanisms.
• Maryland: The Maryland Online Data Privacy Act (MODPA), effective October 1, 2025, requires honoring opt-out signals.
• New Jersey: Under the New Jersey Data Privacy Law, effective July 15, 2025, businesses must respect GPC.
• Oregon: Under the Oregon Consumer Privacy Act, effective January 1, 2026, businesses must honor qualifying opt-out signals.

By July 2026, at least 12 states will mandate recognition of universal opt-out mechanisms like GPC.

Federal Picture

Congress has repeatedly introduced comprehensive federal privacy bills but none have passed. The FTC exercises limited authority over deceptive cookie practices under Section 5 of the FTC Act.

Canada: PIPEDA and Stalled Reform

Canada regulates cookies through the Personal Information Protection and Electronic Documents Act (PIPEDA) and Canada's Anti-Spam Legislation (CASL). The Office of the Privacy Commissioner (OPC) provides enforcement and guidance.

Under PIPEDA, organizations must obtain meaningful consent for collecting or using personal information. The OPC interprets analytics and advertising cookies that track identifiable behavior as requiring express consent. Cookies collecting non-identifiable information may rely on implied consent.

Bill C-27 (the Digital Charter Implementation Act 2022), which would have replaced PIPEDA with stricter rules, died on the Order Paper when Parliament was prorogued on January 6, 2025. As of May 2026, it has not been reintroduced. PIPEDA remains the governing law.

Brazil: LGPD

Brazil's Lei Geral de Protecao de Dados (LGPD) does not contain a specific cookie provision, but its requirements for a legal basis for processing personal data apply to cookies that collect personal information. The Autoridade Nacional de Protecao de Dados (ANPD) treats consent as the appropriate basis for advertising and analytics cookies. Brazilian websites have widely adopted EU-style cookie banners in practice, partly because many also serve European users and partly because the ANPD's posture favors consent for tracking technologies.

China: PIPL

China's Personal Information Protection Law (PIPL), effective November 2021, regulates cookies as part of its broader personal information framework. The Cyberspace Administration of China (CAC) oversees enforcement.

The PIPL requires consent or another specified legal basis before processing personal information. Advertising cookies that share data with third parties or involve cross-border transfers face additional requirements, including data transfer impact assessments. China's approach is notably strict on third-party data sharing: each overseas transfer of personal information requires a separate legal basis and, in many cases, a security assessment filed with the CAC.

Japan: APPI

Japan's Act on the Protection of Personal Information (APPI), significantly amended in April 2022, addresses cookies through the concept of "individually-referable information." The Personal Information Protection Commission (PPC) enforces the APPI.

When a business provides cookie identifiers to a third party that can combine them with other data to identify individuals, the providing business must confirm that the third party has obtained the individual's consent. Japan does not require EU-style consent banners for first-party cookies. The focus is on third-party data sharing for advertising rather than initial cookie placement.

South Korea: PIPA

South Korea's Personal Information Protection Act (PIPA) is one of Asia's strictest frameworks. The Personal Information Protection Commission (PIPC) enforces it alongside the Network Act, which addresses online tracking specifically.

PIPA requires consent for collecting personal information, which covers cookies that track identifiable users. Korean websites commonly display cookie consent notices. The PIPC has been active in enforcement, with fines reaching billions of Korean won for violations involving personal data collection through tracking technologies.

India: DPDPA and the 2025 Rules

India's Digital Personal Data Protection Act 2023 (DPDPA) was enacted in August 2023. The Ministry of Electronics and Information Technology published the DPDP Rules 2025 on November 13, 2025, activating the framework.

The DPDPA requires consent that is specific, unambiguous, and involves a clear affirmative action, language that closely mirrors the GDPR. Cookies that collect personal data require consent. A new "Consent Manager" framework allows intermediaries registered with the Data Protection Board of India to handle consent on behalf of data principals.

Implementation follows a phased timeline: the Data Protection Board was established in November 2025; Consent Manager registration opens November 2026; all other provisions including consent and security requirements take effect May 13, 2027.

Australia: Privacy Act Amended

Australia regulates online data collection through the Privacy Act 1988 and the Australian Privacy Principles, enforced by the Office of the Australian Information Commissioner (OAIC).

The Privacy and Other Legislation Amendment Act 2024, signed into law in December 2024, is the most significant reform in years. Key changes affecting cookies:

• Consent must be voluntary, informed, current, specific, and unambiguous. Pre-ticked boxes and dark patterns are restricted.
• Further amendments are planned for 2026 that would expand the definition of personal information to explicitly include technical identifiers such as IP addresses, device IDs, and cookie identifiers.

Australia still does not require a pop-up cookie consent banner; notice through a privacy policy generally satisfies the current requirement. But the trajectory is toward stronger cookie-specific obligations.

Region-by-Region Roundup

Latin America

Beyond Brazil, several Latin American countries have strengthened their data protection frameworks. Chile reformed its data protection law in 2024. Colombia applies its Habeas Data Law (Law 1581/2012) to online data collection. Argentina operates under Personal Data Protection Law 25,326 and is developing updated rules. The regional trend is toward stronger consent requirements for tracking, with Brazil's ANPD serving as the regional enforcement reference point.

Asia-Pacific

Singapore: The Personal Data Protection Act (PDPA) requires consent for collecting personal data, which covers cookies that identify individuals. The PDPC has been active in enforcement with fines up to SGD 1 million, increasing to 10% of local turnover for egregious breaches.

Thailand: The Personal Data Protection Act (PDPA), fully effective June 2022, requires consent for collecting personal data through cookies. Consent must be freely given, specific, and informed.

Vietnam: The Personal Data Protection Decree (2023) introduces consent requirements for processing personal data, including cookie-based tracking.

Indonesia: The Personal Data Protection Law (2022) requires lawful basis for processing, with consent as the primary basis for tracking technologies.

New Zealand: The Privacy Act 2020 requires notification about data collection but does not mandate a cookie consent banner. The Office of the Privacy Commissioner provides guidance on cookie best practices.

Middle East and Africa

United Arab Emirates: Federal Decree-Law No. 45 of 2021 on personal data protection requires data subject consent for processing personal data, including cookies.

Saudi Arabia: The Personal Data Protection Law (PDPL), effective September 2023, requires consent for personal data processing that is not otherwise authorized by law.

South Africa: POPIA (Protection of Personal Information Act) requires consent for processing personal information, which the Information Regulator has interpreted to include behavioral tracking cookies.

Nigeria: The Nigeria Data Protection Regulation (NDPR) and the Nigeria Data Protection Act 2023 require consent for personal data collection.

Kenya: The Data Protection Act 2019 requires consent for processing personal data, including cookie-based tracking.

Israel: The Privacy Protection Law requires notice about data collection. Israel operates closer to the notice model but is modernizing its framework.

Turkey: The KVKK (Law No. 6698) requires explicit consent for processing sensitive data and informed consent for general personal data, including cookies.

Switzerland: The revised Federal Act on Data Protection (revDSG), effective September 2023, aligns Switzerland's framework with GDPR-equivalent standards, requiring consent for cookies that collect personal data.

Global Comparison Table

Cookie Banner Enforcement and "Consent or Pay"

EDPB Cookie Banner Taskforce

The EDPB's Cookie Banner Taskforce coordinates enforcement across DPAs. Its 2023 report set binding minimum standards: the reject option must be as easy to reach as the accept option; interface designs must not use colors, sizing, or wording to steer users toward acceptance; and consent must be granular by purpose, not bundled. DPAs have issued enforcement notices based on these standards, and fines for deceptive cookie banners continue to be issued across member states.

"Consent or Pay" Models

A "consent or pay" model presents users with a binary choice: consent to behavioral advertising or pay a subscription fee to access the service. Meta introduced such a model for Facebook and Instagram in the EU in 2023.

In April 2024, the EDPB's Opinion 08/2024 concluded that consent or pay models generally do not result in valid, freely given consent for large online platforms. The EDPB found that presenting users with no genuine alternative to consenting fails the "freely given" standard. The EDPB recommended that large platforms offer an equivalent alternative without behavioral advertising and without a paywall. Meta's legal challenge to this opinion was dismissed by the EU General Court in 2025.

For smaller websites, the picture is less settled. Most EU DPAs take a restrictive view of cookie walls. The safest approach for EU-facing websites is to allow access regardless of cookie choices.

Browser-Level Consent Signals: Global Privacy Control

The Global Privacy Control (GPC) is a browser or browser-extension signal that communicates a user's opt-out preference to every website they visit. It is supported natively in Firefox and Brave, and via extensions for Chrome and Safari.

In the US, compliance with GPC is now legally required in an expanding list of states. The California CPPA launched coordinated enforcement sweeps targeting GPC non-compliance in September 2025 alongside the AGs of Colorado and Connecticut. By July 2026, at least 12 states will mandate recognition of GPC or equivalent universal opt-out mechanisms.

In the EU, the Digital Omnibus proposal would require data controllers to respect machine-readable consent signals, which would give GPC-like signals legal weight for the first time in European law.

The practical implication: websites that do not yet listen for the GPC signal are falling behind the legal curve in the US and may need to comply with signal-based consent in the EU by 2027.

Practical Multi-Country Compliance Guidance

Geolocation-Based Consent

Most compliance platforms use IP geolocation to determine which consent rules apply to each visitor. An EU visitor sees a full opt-in banner. A US visitor from a GPC-mandatory state sees opt-out options and GPC honored. An Australian visitor sees a privacy policy notice. Geolocation-based routing is the standard approach for large multi-national publishers.

The Global Floor Strategy

For organizations that cannot implement jurisdiction-specific flows, applying EU-standard opt-in consent to all visitors is the safest and simplest approach. Meeting the EU's requirements satisfies or exceeds the requirements of virtually every other jurisdiction. The tradeoff is that consent rates for non-essential cookies are often significantly lower when opt-in is required, which affects advertising revenue and analytics coverage.

Consent Management Platforms

Dedicated consent management platforms (CMPs) automate cookie scanning, banner display, consent recording, and cookie blocking based on consent status. When choosing a CMP for multi-country compliance, verify support for the specific jurisdictions your site serves, that it can honor the GPC signal, and that consent records are stored in a format that satisfies GDPR audit requirements (Article 7(1)).

This is general legal information, not legal advice. Cookie compliance depends on the specific jurisdictions your website targets, the types of cookies used, and your organization's activities. Consult a qualified attorney in each relevant jurisdiction for advice specific to your situation.