🍪 Cookie Banner Requirements: GDPR, CCPA, CPRA, UK & More
Businesses rely on cookies to learn about web visitors. Details such as their IP address, device, browser, and demographic profile can all be derived from cookies.
But such data is sensitive, and each country has its own set of cookie banner requirements. These requirements spell out how users can opt out of cookie tracking if they wish, and make it mandatory for businesses to design their cookie banners for accessibility.
In this article, we'll take you through important cookie banner requirements around the world and how you can get set up for compliance.
Key Global Cookie Banner Requirements
The countries and regions that have specific cookie requirements are the European Union, Canada, the UK, and the United States. As a general rule, it’s best to meet the expectations for each requirement regardless of whether your business is physically located in those jurisdictions or not.
As long as your website or mobile app attracts visitors from these countries, it's incumbent on you to adhere to cookie banner requirements. Let's take a closer look at each.
GDPR Cookie Banner Requirements for the EU
Of all the cookie regulations in the world, GDPR is considered one of the most stringent. The formal policy that oversees cookie usage in the EU is the E-Privacy Directive or Cookie Directive.
The Cookie Directive defines what a cookie is, and the GDPR takes it a step further by explicitly stating a business’ obligations for notifying, managing, and providing consumers with access to data collected about them.
Articles 12 through 21 of the GDPR all outline key obligations a business must meet if they collect non-essential data from EU citizens and what notices are required — regardless of whether or not that individual ever becomes a paying customer. Key takeaways from these articles that need to be in your cookie banner include:
- Article 12: Businesses must clearly define what data is being collected, why it’s being collected, and how consumers can contact your business to access, amend, or request that you delete it.
- Article 13: Businesses must explicitly state how data is being collected, who is storing it, what data processing (if any) is occurring, and for how long it will be stored. Note this part also includes transatlantic data sharing and processing which is specific to U.S. businesses and is further outlined in the Trans-Atlantic Data Privacy Framework.
- Articles 15 and 16: These articles reiterate Article 13 but emphasize that your business must provide clear instructions for how a consumer can contact you to view, amend, or request that their data be deleted.
- Article 18: This article notes that consumers have the right to refuse cookies that would track them, or to restrict a data transfer to third parties for further processing. This is a critical point because it is the “opt-out” requirement that is common in cookie policies around the world. Also note that you can’t block a consumer from your website just because they decline your cookie consent request.
The EU expects businesses to make cookie consent a priority and deploy a notification on the first-page visit for a new internet session. Specifically, that banner has to be easily visible across devices.
Many companies have run afoul of the EU’s and other jurisdictions’ cookie laws because the banner was hard to find, and have been fined as a result.
U.S. Cookie Banner Requirements
In the U.S., there's no single federal cookie banner requirement. Instead, each state has its own, which means it's important that you research the requirements for each carefully.
California Consumer Privacy Act (CCPA) Cookie Banner Requirements
The CCPA has specific requirements around how companies must disclose their data processing.
1. Full cookie policy disclosure: Websites must give all visitors a clear understanding of how they gather personal information and what they use it for.
2. Opt-out options: A cookie banner must give visitors the ability to opt out of cookie tracking, including third-party cookies.
3. Cookie consent: Visitors must be able to manage and update their preferences as and when they want.
4. Cookie accountability: The banner must clearly state that the website and webmaster are accountable for all storage and processing of personal information.
California Privacy Rights Act (CPRA) Cookie Banner Requirements
The California Privacy Rights Act or CPRA is the latest iteration for the state’s consumer privacy regulations and was released in 2023 to strengthen regulations outlined in the 2018 California Consumer Privacy Act (CCPA). The CPRA is somewhat similar to GDPR in that your business must allow California residents to opt out of cookies, data sharing, and data sales of their information with third-party entities.
Similar to the GDPR and the Cookie Directive, you need to make contact support clearly visible, and must provide real communication channels that are regularly monitored for consumers to access, amend, or restrict the usage of their information. Note that this data usage also extends to businesses that rely on data collection to deploy retargeting ads, or to build customer profiles. Unlike GDPR, the CPRA doesn’t require consent before using cookies — but you must give California residents the option to change or revoke access if they request it.
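The opt-in versus opt-out distinction above (GDPR and UK: no non-essential cookies until consent; CPRA and VCDPA: allowed by default but revocable) is the core behaviour a consent banner's back-end logic has to get right. The following is an added example, not code from the original article or from Enzuzo: a small consent manager that gates cookie writes by category, holds back cookies until the visitor opts in, and purges cookies from a category the visitor later revokes. The category names, regime labels and the injected cookie "jar" are assumptions so that it runs outside a browser.

```javascript
// Added example, not from the original article: consent gating for cookie categories.
// The cookie "jar" is injected so the logic runs in Node; a browser build would wrap
// document.cookie. Category names and the regime labels are hypothetical.
const CATEGORIES = ["essential", "analytics", "marketing"];
// regime "opt-in":  non-essential cookies blocked until the visitor consents (GDPR/UK)
// regime "opt-out": non-essential cookies allowed until the visitor objects (CPRA/VCDPA)
function createConsentManager(regime, jar) {
  if (regime !== "opt-in" && regime !== "opt-out") throw new Error("unknown regime: " + regime);
  const choices = {}; // category -> boolean, present only once the visitor has chosen
  const pending = []; // cookies held back while their category is not allowed
  const placed = {};  // category -> names actually written, so revocation can purge them
  function allowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (category === "essential") return true;         // strictly necessary, never gated
    if (category in choices) return choices[category]; // an explicit choice always wins
    return regime === "opt-out";                       // otherwise the regime's default
  }
  function write(name, value, category) {
    jar.set(name, value);
    (placed[category] = placed[category] || []).push(name);
  }
  // Use instead of writing document.cookie directly; returns whether the cookie was written.
  function setCookie(name, value, category) {
    if (allowed(category)) { write(name, value, category); return true; }
    pending.push({ name, value, category });
    return false;
  }
  // Record choices from the banner or preference center; purges revoked categories
  // and releases cookies that were held back for newly allowed ones.
  function update(prefs) {
    for (const cat of Object.keys(prefs)) {
      if (cat === "essential") continue;               // cannot be declined
      if (!CATEGORIES.includes(cat)) throw new Error("unknown category: " + cat);
      choices[cat] = Boolean(prefs[cat]);
      if (!choices[cat]) { for (const n of placed[cat] || []) jar.remove(n); placed[cat] = []; }
    }
    for (let i = pending.length - 1; i >= 0; i--) {
      const c = pending[i];
      if (allowed(c.category)) { write(c.name, c.value, c.category); pending.splice(i, 1); }
    }
  }
  const revokeAll = () => update({ analytics: false, marketing: false });
  return { allowed, setCookie, update, revokeAll, pendingCount: () => pending.length };
}
// In-memory jar for demonstration (constructed); a browser build would use document.cookie.
function memoryJar() {
  const store = new Map();
  return { set: (n, v) => store.set(n, v), remove: (n) => store.delete(n), has: (n) => store.has(n) };
}
```

Routing every non-essential cookie write through `setCookie` is what makes the banner's choices enforceable; a banner that only records a preference while scripts still write cookies directly does not meet the opt-in requirement.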
Virginia Consumer Data Protection Act (VCDPA) Cookie Requirements
In 2023, Virginia passed the Virginia Consumer Data Protection Act (VCDPA), which gives Virginians the right to opt out of cookies and to control how any data collected about them is shared. Similar to the CPRA, any commercial activity that relies on consumer data, including retargeting ads, building customer profiles, or simply storing data for third-party sales (like an email list rental), is regulated by the VCDPA.
The Connecticut Data Privacy Act (CTDPA) Cookie Banner Requirements
Finally in the U.S., the Connecticut Data Privacy Act (CTDPA) is another cookie-focused data privacy law that just debuted in July 2023. Simply put, it gives consumers another opt-out from data collection for the purpose of advertising, data collection for future sale, or anything that might significantly affect how your company conducts its business (e.g. adjusting prices based on data gleaned from users).
PIPEDA and Canada's Cookie Banner Requirements
In Canada, data privacy — which includes cookie consent — is regulated by the Personal Information Protection and Electronic Documents Act (PIPEDA). Unlike GDPR/E-Privacy Directive in the EU, or even the few cookie consent regulations in the U.S., Canada’s PIPEDA is not quite as explicit or easy to follow.
Any website that accepts Canadian traffic is bound by PIPEDA as well as other provincial regulations like the British Columbia Personal Information Privacy Act. While PIPEDA doesn’t explicitly state how your cookie consent banner must look, the key takeaway is that you need one that’s easily accessible upon website entry, and must allow Canadian consumers to easily opt out as well as amend or modify any information collected about them.
UK Cookie Banner Requirements
The UK's Information Commissioner's Office says that businesses are allowed to use cookies. However, the cookie banner must obtain consent and provide information about the purpose of data gathering. The best way to do so is via a cookie consent tool; such tools pop up when visitors first land on a website and confirm that users consent to cookies being stored.
Australia Cookie Banner Requirements
Australia’s Privacy Act of 1988 has 13 Australian Privacy Principles (APPs) that explain how commercial entities should handle consumer data, and when notifications, if any, are required.
Within the 13 APPs, APP 5 requires commercial entities to make reasonable efforts to notify consumers when their personal data is being collected. This must be done before or at the time that data collection starts. Within Australian privacy legislation, this particular APP most closely governs cookie consent.
Similar to the other cookie and data consent laws from the countries and jurisdictions listed above, Australia’s APP 5 requires that businesses explicitly outline what information is being collected, why, whether it’s required by law or is part of general (but not legally mandated) business practice, where it’s being shared, and how a consumer can review the privacy policy for more details and contact the business.
Should Your Business Have a Cookie Banner?
We've tried to show you how important cookie banners are to data privacy compliance laws around the world. Failing to have a cookie consent banner that explicitly requires website visitors to provide consent, or gives them the ability to opt out, will expose you to potentially hefty fines if you receive traffic from the EU. Meanwhile, countries like Canada and Australia don’t require consent unless your business is gathering highly sensitive information.
If you would like to see how cookie banners look in the wild, our roundup of the best cookie banners is a good resource to check out.
Building your own legally compliant cookie consent banner is a tough ask, especially one that checks off all the boxes from a compliance standpoint. Enzuzo's battle-tested compliance solutions can help you cross the bridge without spending thousands of dollars in legal and front-end web development fees.
Check out Enzuzo's cookie banner generator for robust privacy compliance wherever you do business.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.