Cookie Consent Requirements by Country: A Global Guide
Because websites are accessible globally, understanding cookie consent requirements in different jurisdictions is essential. A cookie that's perfectly legal in the US might require explicit consent in France. Here's a country-by-country breakdown of what you need to know.
European Union (GDPR + ePrivacy Directive)
The EU has the strictest cookie laws in the world. Under the ePrivacy Directive (often called the "Cookie Law") combined with the GDPR:
- You must obtain explicit, informed consent before placing any non-essential cookies.
- Pre-checked boxes or implied consent (e.g., "by continuing to browse...") are not valid.
- Users must be able to reject all non-essential cookies as easily as they can accept them.
- You must provide a detailed cookie policy listing all cookies, their purposes, and their lifespans.
- Essential cookies (strictly necessary for the site to function) can be placed without consent.
Penalties: Up to €20 million or 4% of global annual turnover under the GDPR.
United Kingdom
Despite Brexit, the UK has maintained GDPR-equivalent rules through the UK GDPR and the Privacy and Electronic Communications Regulations (PECR). The requirements are essentially the same as the EU:
- Prior consent required for non-essential cookies.
- Clear and comprehensive information about cookies must be provided.
- The ICO (Information Commissioner's Office) actively enforces these rules.
United States
The US does not have a federal cookie law. However, several state laws affect how cookies may be used:
- California (CCPA/CPRA): While not specifically a "cookie law," the CCPA requires businesses to disclose data collection practices, including cookies, and provide an opt-out for the sale of personal information.
- Colorado, Connecticut, Virginia: These states have enacted comprehensive privacy laws that include requirements related to tracking technologies.
- Best practice: Even without a federal law, providing a cookie notice and opt-out mechanism is recommended for US-based sites.
Canada (PIPEDA)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) requires organizations to obtain meaningful consent for data collection, including through cookies. The Office of the Privacy Commissioner has stated that:
- Implied consent may be acceptable for less sensitive data (such as analytics cookies).
- Express consent is required for more sensitive data collection.
- Organizations must clearly explain what cookies they use and why.
Australia
Australia's Privacy Act 1988 does not specifically regulate cookies, but it requires organizations to handle personal information transparently. The Australian Privacy Principles (APPs) require:
- Notice about the collection of personal information, which can include cookie data.
- A privacy policy that describes what information is collected and how it's used.
While Australia doesn't require a cookie consent banner, providing one is considered best practice.
Brazil (LGPD)
Brazil's Lei Geral de Proteção de Dados (LGPD) is similar to the GDPR in many respects. It requires:
- A valid legal basis for processing personal data, including data collected through cookies.
- Clear, prominent notice about what data is collected and why.
- The ability for users to revoke consent at any time.
Best Practice: Cover All Bases
If your website has international traffic, the simplest strategy is to implement a GDPR-compliant cookie consent banner for all visitors. This approach satisfies the strictest requirements and protects you globally.
Get Your Cookie Policy
Creating a compliant cookie policy doesn't have to be complicated. Use our Free Cookie Policy Generator and Cookie Consent Banner Generator to get set up in minutes.