You may have noticed an increasing number of "cookie banners" over the past few years. These are those dialogue boxes that display on a website, asking if you give your consent for cookies to be placed on your device.
Most websites that have adopted a cookie consent solution like a cookie banner have done so in order to comply with European Union (EU) law. The EU places strict requirements on businesses who collect personal information about internet users within its borders.
But what about countries outside of the EU? Almost every country has privacy laws of some kind. Let's take a look at the rules on cookie consent in some major markets around the world.
- 1. Cookies Under EU Law
- 2. Why Cookie Consent Matters
- 2.1. Technically Necessary Cookies
- 2.2. Cookies and Children
- 2.3. Legal Uncertainty
- 3. North America
- 3.1. United States (Federal Laws)
- 3.1.1. California
- 3.2. Canada
- 4. South and Central America
- 4.1. Argentina
- 4.2. Brazil
- 4.3. Mexico
- 5. Africa
- 5.1. Nigeria
- 5.2. South Africa
- 6. Asia
- 6.1. China
- 6.2. Hong Kong
- 6.3. India
- 6.4. Japan
- 7. Australasia
- 7.1. Australia
- 7.2. New Zealand
- 8. Summary Chart
Cookies Under EU Law
The EU's requirement for cookie consent comes from two important laws:
- The ePrivacy Directive, which requires consent for cookies and other things that collect personal information or track users' behavior.
- The General Data Protection Regulation (GDPR), which sets strict rules on how businesses request and obtain consent. "Implied" consent and "opt-out" models of consent are not allowed. Consent must be earned via a user's specific, clear, affirmative action.
The combination of these two laws has led to many websites implementing cookie banners so that they could continue legally engaging in practices like personalized advertising, retargeting and analytics.
Here's an example of a standard cookie banner that allows users to give or decline to give consent for cookies:
If you use advertising cookies, and you offer goods and services in the EU, you'll need a cookie consent solution, too.
Why Cookie Consent Matters
The EU is way ahead of any other jurisdiction in the world when it comes to data protection. Gradually, however, other places are starting to introduce privacy laws inspired by EU law.
On the face of it, cookie banners may seem like an unnecessary annoyance. But there is a reason that governments are becoming more concerned about regulating online business activity.
Businesses are increasingly driven by an imperative to collect personal information. This can help drive sales by personalizing marketing, predicting people's behavior, and influencing their choices. Cookies are a way to help achieve all of these things.
Before we look at the treatment of cookies around the world, there are a few things to keep in mind.
Technically Necessary Cookies
There is an important distinction between different types of cookies. Some are necessary for the functioning of a website, and some are desirable from a user's perspective.
Generally, when we refer to "cookies" in this article, we're referring to cookies that are used for ad personalization and tracking. These are the sorts of cookies that collect personal information and can have privacy implications.
You should also assume that other devices that serve similar functions, such as web beacons and pixel tags, are included in this definition.
Cookies and Children
Very often, separate laws apply to tracking the online behavior of children.
We're only going to look at one such law, the Children's Online Privacy Protection Act (COPPA) in the United States. This will give you an idea of how such regulation works.
There may be similar laws in other countries we look at, too. If your business intends to market to children, you should think very carefully about whether using advertising cookies is appropriate at all.
Legal Uncertainty
Cookies are not mentioned explicitly in many laws. Even the mammoth GDPR only mentions the word "cookie" once.
Some jurisdictions define "personal information" in a broad way that implies that cookies should be included. Others define "personal information" more narrowly.
When asking whether a particular country requires cookie consent, it's not always easy to answer simply yes or no. It may be that the issue of cookies simply hasn't been considered by the country's lawmakers or courts yet. We can't be certain about how they will treat the issue once they do.
North America
United States (Federal Laws)
Privacy law in the United States (US) is very weak compared to many other major economies. Essentially, the US does not require consent for cookies.
But there is a federal law that places strict restrictions on the use of cookies - the Children's Online Privacy Protection Act (COPPA). This law regulates the activity of websites and online services aimed at children under 13 years old.
If you've determined that COPPA applies to you, you'll need to be very careful about using cookies at all, particularly tracking cookies. Numerous investigations have been launched into the use of tracking cookies, for example on websites operated by Hasbro, Mattel and Fisher-Price.
If you wish to use cookies or other devices that qualify as "persistent identifiers" on a website, app or other online service covered by COPPA, you'll need to earn verifiable parental consent. It is unlikely that this will be feasible, and so you may wish to consider other marketing methods.
California
The strongest privacy laws in the US can be found in California. And because they apply to any business operating in California, they effectively apply to any business operating in the US.
The California Online Privacy Protection Act (CalOPPA) requires operators of commercial websites and online services to create a Privacy Policy that discloses how they collect personal information. The California Attorney General states a CalOPPA-compliant Privacy Policy should include reference to the collection of personal information via cookies.
CalOPPA also requires that your Privacy Policy state how your website treats browser "Do Not Track" (DNT) requests. However, you aren't actually obliged to obey such requests.
Although disclosure in a Privacy Policy is advised (and potentially required), California does not require consent for cookies.
Canada
The privacy regime in Canada is much stricter than in the US. But it's still not as strict as in the EU.
There is some confusion about the cookie situation in Canada. Let's examine how cookies are treated under Canadian law.
Canada has two main privacy laws:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada's Anti-Spam Legislation (CASL)
The combination of these two laws gives some sort of requirement for cookie consent, but not necessarily cookie banners.
PIPEDA mentions two types of consent:
- Express consent. This type of consent is given explicitly, through a specific action. For example, clicking the "I agree" option on a cookie banner.
- Implied consent. This type of consent can be inferred through a person's actions or inaction. For example, where a user has been given the option to opt out but has not done so.
CASL requires that website and app operators get "express consent" for the installation of certain "computer programs." CASL deems that cookies are a type of computer program.
However, you can assume that you have a person's express consent for cookies if "the person's conduct is such that it is reasonable to believe that they consent to the program's installation."
How might a person's conduct indicate that they consent to cookies? Here's some guidance from the Canadian Radio-television and Communications Commission:
So, as long as you respect people's opt-out choices and browser settings, you can assume that you have their express consent to set cookies under Canadian law.
It may have occurred to you that this sounds more like "implied consent" than "express consent." In any case, the upshot is that Canada does not require (express) consent for cookies, as long as proper information and an opt-out process are provided.
South and Central America
Argentina
Argentina's Personal Data Protection Act (English version) requires personal information to only be collected with express consent, given in writing or "other similar means."
There are a few exceptions to this consent requirement, such as where the personal information forms part of a list limited to:
- Name
- National identity number
- Tax or social security identification
- Occupation
- Date of birth
- Address
- Phone number
The question, then, turns to whether cookies are considered personal information. This is not clear from the law.
Applying the principle that cookies are increasingly considered personal information, you should proceed with caution - Argentina may require consent for cookies.
Brazil
There are two key pieces of privacy legislation in Brazil:
- The Civil Rights Framework for the Internet (known as the "Marco Civil") (English version)
- The Brazilian General Data Protection Law (LGPD) (English version), which comes into force in 2020
These laws don't make specific reference to cookies. But in a similar way to other Latin American laws, they do suggest that cookies containing personal information require express consent.
Therefore, proceed with caution - Brazil may require consent for cookies.
Mexico
There are several important privacy laws in Mexico, including:
- The Federal Law on the Protection of Personal Data held by Private Parties (English version)
- The Privacy Notice Guidelines (Spanish version)
Under these laws, Mexico does require consent for cookies, except where cookies are required for technical purposes. Full notice of how cookies and other devices collect personal information is also a legal requirement.
Africa
Nigeria
Nigeria's main privacy laws are:
- The National Information Technology Development Agency Act 2007 (English version)
- The Nigerian Data Protection Regulation 2019 (English version)
The 2007 Act does not refer to cookies. At the time of writing, the 2019 Regulation is very new. Little appears to have been written about its requirements or interpretation.
The Regulation does require that the use of "technical methods used to collect and store personal information," such as cookies, is disclosed in a Privacy Policy. It follows that Nigerian law considers that cookies can constitute personal information.
The language around consent in the Regulation is very similar to that of the EU's GDPR. Consent is defined as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by a clear affirmative action"
This would suggest a strong "opt-in" or "express" model of consent.
Consent is one of six legal reasons for processing personal information. The others, which include fulfillment of a "legal obligation" or performance of a contract, are unlikely to apply when using cookies.
Therefore, it would appear that, as of January 2019, Nigeria does require consent for cookies.
South Africa
There are two main privacy laws in South Africa:
- The Electronic Communications and Transactions Act 2002 (English version)
- The Protection of Personal Information Act (POPIA) (English version)
The POPIA bears some similarities to EU data protection law. Although it passed in 2013, the Act has yet to fully come into force.
The POPIA does regulate the use of cookies, as they are an "online identifier," and so qualify as personal information covered by consent requirements. However, it's not clear how consent under the POPIA will be interpreted. It may be that "implied" or "opt-out" consent is acceptable for cookies.
Until POPIA comes fully into force and the South African Information Regulator provides further guidance on its interpretation, it's reasonable to state that South Africa does not require consent for cookies.
Asia
China
Privacy law in China is covered by myriad regulations, statutes and court opinions. Internet censorship, cybersecurity laws and the "Great Firewall of China" present additional challenges to entering this online marketplace.
Examples of laws governing online marketing include:
- The Internet Email Services Regulations (information in English)
- The Law on Tortious Liability (English version)
However, no Chinese law appears to make reference to cookies.
An interesting civil lawsuit was brought against Chinese search engine Baidu in 2015. The claimant alleged that she had been psychologically harmed by Baidu's use of retargeting cookies.
The court considered Baidu's opt-out mechanism and Privacy Policy to be adequate and did not find that the claimant's privacy had been violated.
Although this decision is not binding on other courts, it can be taken as partial confirmation that China does not require consent for cookies.
Hong Kong
The main privacy laws in Hong Kong are:
- The Personal Data (Privacy) Ordinance (English/Cantonese version)
- The Unsolicited Electronic Messages Ordinance (English version)
These laws don't specifically require consent for cookies.
The Hong Kong Privacy Commissioner provides some helpful guidance on applying the Ordinances in the context of online behavioral advertising.
It's clear that the Privacy Commissioner considers certain cookies to collect personal information, and thus disclosure of their use in a Privacy Policy would be required under Hong Kong law.
However, Hong Kong does not require consent for cookies.
India
India doesn't have a comprehensive data protection or privacy law. There is no regulation specifically governing the use of cookies, or defining them as personal information.
However, the Information Technology Act 2000 (IT Act) cybersecurity law (English version) could be read as prohibiting the use of cookies without consent.
The IT Act prohibits the introduction of a "computer virus" into a computer. "Computer virus" is defined quite broadly. Here's part of the definition:
"any computer instruction, data or programme that [...] attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource."
It is possible that cookies could be captured within this definition. Therefore, proceed with caution - India may prohibit the use of cookies.
Japan
Two of Japan's main privacy laws are:
- The Act on the Protection of Personal Information (APPI) (English version)
- The Act on Regulation of the Transmission of Specified Electronic Mail (English version)
Neither law makes any reference to cookies. However, the definition of "personal information" in the APPI is very broad.
It is therefore conceivable that, like under EU law, the use of certain cookies could fall under the ambit of the APPI. The APPI requires consent for the transfer of personal data rather than its collection. So, first-party cookies might not require consent but would require disclosure in a Privacy Policy.
Therefore, proceed with caution - Japan might require consent for certain third-party cookies.
Australasia
Australia
Australia's main privacy laws are:
- The Privacy Act 1988
- The Spam Act 2003 marketing law
Neither law makes any reference to cookies.
The Office of the Australian Information Commissioner provides some guidance on applying the "Australian Privacy Principles" that derive from Australian law. This does suggest that information collected by cookies might constitute personal information if a person could be "reasonably identified" from it.
Therefore, it would be necessary to disclose your use of cookies in a Privacy Policy under Australian law. However, Australia does not require consent for cookies.
New Zealand
New Zealand's main privacy laws are:
- The Privacy Act 1993, a data protection law
- The Unsolicited Electronic Messages Act 2007, an anti-spam law
Neither of these laws makes reference to cookies or implies that they should be treated as personal information.
New Zealand does not require consent for cookies.
Summary Chart
Here's what we've learned about cookie consent around the world.
Remember the caveats we considered at the top of the article about children, technically necessary cookies and legal uncertainty. And be aware that certain laws require disclosure even if they don't require express consent.
Country | Consent required | Consent not required | Proceed with caution
Argentina | | | ✔
Australia | | ✔ |
Brazil | | | ✔
Canada | | ✔ (consent can be assumed under certain conditions) |
China | | ✔ |
Hong Kong | | ✔ |
India | | | ✔
Japan | | ✔ (for first-party cookies) | ✔ (for third-party cookies)
Mexico | ✔ | |
New Zealand | | ✔ |
Nigeria | ✔ | |
South Africa | | ✔ |
United States | | ✔ |
United States (California) | | ✔ |