Cookie Consent Outside of the EU
If you sell goods or services to EU residents, and you want to use non-essential cookies to collect their personal data, then you need their consent before using such cookies. The EU has some of the strictest cookie laws in the world, but even if EU laws don't apply, you might still need consent before using non-essential cookies.
This article will explore what cookie consent requirements look like outside of the EU.
- 1. What are Cookies?
- 2. What is Cookie Consent?
- 3. Why Does Consent Matter?
- 4. EU Cookie Consent
- 4.1. Cookie Consent Notice
- 4.2. Strictly Necessary Cookies
- 4.3. EEA Countries
- 4.4. Consent and Third Countries
- 4.5. Cookie Consent and Minors
- 5. Australia Cookie Consent
- 6. Brazil Cookie Consent
- 7. Canada Cookie Consent
- 8. China Cookie Consent
- 9. Egypt Cookie Consent
- 10. India Cookie Consent
- 11. New Zealand Cookie Consent
- 12. South Africa Cookie Consent
- 13. U.S. Cookie Consent
- 13.1. California Consumer Privacy Act (CPRA)
- 13.2. Virginia Consumer Data Protection Act (CDPA)
- 13.3. Children's Online Privacy Protection Act (COPPA)
- 14. Summary
What are Cookies?
Cookies are files which are stored on a user's device when they visit a website. The cookies contain small text codes which can be used to, for example, collect personal data and monitor someone's behavior.
Irrespective of the applicable laws, it's good practice to define cookies and how you use them in your Privacy Policy and/or Cookies Policy.
Here's how Starbucks defines cookies in its Privacy Notice:
Your description should be clear and easy enough for the average user to understand.
What is Cookie Consent?
Cookie consent is when you explicitly ask for consent from users before you place cookies on their devices. This is usually in the form of a pop-up or banner requesting consent upon first visiting a website.
Here's a classic example:
For more information, check out our feature articles:
Why Does Consent Matter?
Consent matters because it gives individuals more control over their personal data and how it's processed around the internet. It empowers people to make informed choices regarding how much information they share, and who they share it with.
Consent enables companies to gather data to personalize marketing campaigns, target the right demographics, and grow their business without compromising an individual's right to privacy online.
EU Cookie Consent
EU cookie consent rules come from two laws: the General Data Protection Regulation (GDPR) and the ePrivacy Directive (the "Cookie Law").
- Under the ePrivacy Directive, you can't use non-essential cookies to collect personal data, or to track a user's behavior, without clear and express consent from the user first.
- The GDPR requires clear, informed, unambiguous, and easily revocable consent if you're relying on consent as your lawful basis for data processing.
The easiest way to comply with these requirements is to use a Cookie Consent Notice or pop-up consent mechanism.
Cookie Consent Notice
A Cookie Consent Notice should explain what cookies are, how they work, and how people can accept or reject cookies. It should require users to expressly and affirmatively consent to non-essential cookies and give them a clear option to refuse such cookies.
Here's an example of one that explains how cookies are used for advertising purposes, and allows individuals to accept or reject all cookies, or customize which cookies they accept:
Strictly Necessary Cookies
You don't need consent to cookies in the EU if the cookies are strictly necessary. Necessary cookies are defined in the ePrivacy Directive, Article 5(3), as "to provide an information society service explicitly requested by the subscriber or user."
Examples of necessary cookies include those which allow a web page to load up or a shopping cart to function.
EEA Countries
The GDPR and ePrivacy Directive also apply to countries in the European Economic Area (EEA), so EU cookie rules apply to Norway, Iceland, and Liechtenstein.
Consent and Third Countries
Countries beyond the EU should comply with the GDPR if they're selling goods or services to EU residents, or monitoring EU residents' behavior. And the UK, although no longer an EU Member State, incorporated the GDPR into British domestic law and so GDPR consent rules still apply.
Cookie Consent and Minors
The consent rules we're discussing apply to data belonging to adults, not minors. If you're processing personal data belonging to minors, or using marketing cookies targeted at children, consider seeking legal advice before doing so to ensure you comply with the relevant laws.
Now, let's consider how cookie consent rules vary around the world.
Australia Cookie Consent
There are no Australian laws specifically covering cookie consent. However, here's what we can take from the Privacy Act Principles set out in the Australian Privacy Act 1988:
- Every business should take reasonable steps to inform people if they are collecting personal data, and what type of data they are collecting (Principle 5).
- A business needs consent to use or share the information for another purpose not already disclosed (Principle 6).
- You can use data for direct marketing if the user would reasonably expect you to use data for this purpose or they consented to you using their data for unexpected marketing purposes (Principle 7).
So, you don't typically need consent to use cookies but you may need consent if you're using personal data for new or unexpected purposes. You can obtain consent through a Cookie Consent Notice.
Brazil Cookie Consent
Brazil's General Data Protection Law (LGPD) came into force in 2021. Under Article 7, personal data should only be processed in certain circumstances, including if a person consents to personal data handling:
Consent, to be valid, must be clear and specific, and it should be easily revocable at any time. These conditions are set out in Article 8:
"By other means" can be taken to include an obvious notice or pop-up banner, like a Cookie Consent Notice.
Although Brazilian privacy laws don't expressly govern cookies, they are very clear on how businesses should obtain consent from data subjects. If you're using marketing cookies capable of processing personal data, then you should use a Cookie Notice to get express consent.
Canada Cookie Consent
Cookies are regulated in Canada by a combination of two laws: Canada's Anti-Spam Law (CASL) and the Personal Information Protection and Electronic Documents Act (PIPEDA). In summary, here's what we know.
According to CASL requirements and prohibitions in Section 8, you can't install a "computer program" without express consent. "Programs" explicitly include cookies:
What's interesting is the standard for express consent. If someone behaves in a way that it's reasonable to assume they've consented, then this is deemed to be express consent.
PIPEDA gives you the option of using either express (GDPR-style consent) or implied consent. To ensure full compliance, it may be wise to use a Cookie Notice with an "I Consent" type of affirmative action required.
Check out our feature article for more information: GDPR Consent Versus PIPEDA Consent.
China Cookie Consent
China introduced the Personal Information Protection Law (PIPL) in 2021. The law does not specifically address the issue of cookie consent, so it's not entirely clear whether China requires consent for using cookies.
"Personal information" is defined in Article 4 as any information, including data recorded electronically, that can identify someone. Personal information handling includes collection, processing, and storage:
From this, we can assume that personal information collected through cookies is protected by PIPL.
According to Article 13, consent is one of the grounds for processing personal data. Under Articles 14 and 15, if a business wishes to rely on consent as a legitimate basis for processing, then consent must be voluntary, fully informed, explicit, and retractable:
From PIPL, we can assume that you may need someone's express and informed consent through a Cookie Consent Notice to use non-essential cookies. To ensure compliance, use the GDPR standards for affirmative consent.
Egypt Cookie Consent
There's no specific cookie law in Egypt, but the Egypt Law 151/2020 offers some fairly clear guidance.
Article 2 states that personal data cannot be collected without explicit consent unless you're collecting the data for another reason permitted by law:
And "personal data" includes data which can be used to directly or indirectly identify someone:
Since cookies are capable of processing personal data, you should use a Cookie Consent Notice or pop-up notice since the standards are very similar to those imposed by the GDPR.
India Cookie Consent
At present, India does not have a specific law covering cookies. The law does not define cookies as being capable of collecting or processing personal information.
In short then, there is at the time of writing no requirement to get express consent before using cookies if you're targeting Indian residents. You may wish to do so, though, simply to comply with more robust privacy laws like the GDPR.
New Zealand Cookie Consent
New Zealand's main privacy law is the Privacy Act 2020.
Based on the act, there is no need to get express and affirmative consent to non-essential cookies. However, to ensure full compliance with the law, you should still inform people if you plan on using cookies to collect personal data. Here's why:
Personal information is defined in the act at Section 7 as any data which you can use to identify someone. Personal data should be handled in accordance with the Information Privacy Principles set out in Section 22.
According to Principle 3, businesses must take reasonable steps to inform users that:
- They collect personal data
- Why they collect personal data
- Who receives the data
- What happens if the person does not provide the data
It's reasonable to assume you should notify users if cookies on your website are capable of processing personal data. You can use a Cookie Consent Notice to do this.
South Africa Cookie Consent
In South Africa, the major privacy law we're concerned about is the Protection of Personal Information Act (POPI). Although the POPI Act doesn't specifically address cookies, it does address the issue of consent.
Businesses cannot process personal information unless they have the person's consent or meet one of the "conditions for lawful processing" as set out in Chapter 3, Section 11(1):
It's also the company's responsibility to show that individuals have freely consented to sharing their personal data if they choose to rely on this ground for processing. Recordkeeping is, then, essential.
Since cookies can process personal data, if you wish to use cookies which are otherwise nonessential e.g. to allow your site to work properly, you may need consent. Use a clear opt-in, opt-out Cookie Consent Notice on your website, just as you would to comply with the GDPR.
U.S. Cookie Consent
At a federal level, there are no rules regarding cookies. Meaning, there's no general legal requirement to get consent at the U.S. federal level. Some states, however, have their own laws.
California Consumer Privacy Act (CPRA)
Under the California Consumer Privacy Act (CCPA) and its CPRA amendments, you don't need express consent to use cookies. However, you do have a few obligations.
As per Section 1798.100, you must inform individuals if you collect personal data, what categories of personal data you collect.
And as per section Section 1798.120, you must give your consumers the chance to opt out of non-essential cookies.
Put simply, you don't need express consent, but you must disclose if you use cookies and you need to give consumers a clear means to opt out (e.g., by clicking a "Disagree" checkbox or following another procedure).
Virginia Consumer Data Protection Act (CDPA)
Similarly, in Virgina, the CDPA makes it mandatory for businesses to get consent before they use cookies on a person's device for certain functions. Under Section 59.1-577, you need consent before using data for "the purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling..."
So while you don't always need express consent, you will need consent in some circumstances. Users must also be able to opt out whenever they wish.
Children's Online Privacy Protection Act (COPPA)
COPPA makes it challenging to use any cookies on websites aimed at children i.e. those under 13. The only way to use cookies is to get verifiable, express parental consent first.
Summary
Depending on which laws apply, you may need consent to use non-essential cookies in countries outside of the EU.
- Not every country has rules which explicitly deal with cookie consent. In these territories, it's unclear whether you need consent. However, if you're already complying with laws like the GDPR, it's best to use the same type of opt-in Cookie Consent Notice anyway.
- Some countries require disclosure even if they don't need express consent (such as New Zealand). This means you need a Cookie Consent Notice even if it does not have an opt-in or opt-out button to affirmatively give consent.
- In countries such as Canada and Australia, where you may need consent but the rules aren't entirely clear, err on the side of caution. Use a GDPR-compliant Cookie Consent Notice to get consent.
- Some countries like Egypt require you to get explicit consent before using cookies. In such territories, you must use a GDPR-level Cookie Consent Notice or pop-up banner.
The short answer is that, given how fast privacy laws are evolving worldwide, it's wise to get express rather than implied consent to non-essential cookies wherever your business is located. Whatever type of cookies you use, always describe your cookie practices in your Privacy Policy or Cookie Policy, and clearly disclose your use of cookies through a Cookie Consent Notice.
Finally, always make it easy for people to opt out of accepting cookies.