You may have noticed an increasing number of "cookie banners" over the past few years. These are those dialogue boxes that display on a website, asking if you give your consent for cookies to be placed on your device.
Most websites that have adopted a cookie consent solution like a cookie banner have done so in order to comply with European Union (EU) law. The EU places strict requirements on businesses that collect personal information about internet users within its borders.
But what about countries outside of the EU? Almost every country has privacy laws of some kind. Let's take a look at the rules on cookie consent in some major markets around the world.
Cookies Under EU Law
The EU's requirement for cookie consent comes from two important laws:
- The ePrivacy Directive, which requires consent for cookies and other things that collect personal information or track users' behavior.
- The General Data Protection Regulation (GDPR), which sets strict rules on how businesses request and obtain consent. "Implied" consent and "opt-out" models of consent are not allowed. Consent must be earned via a user's specific, clear, affirmative action.
The combination of these two laws has led to many websites implementing cookie banners so that they could continue legally engaging in practices like personalized advertising, retargeting and analytics.
Here's an example of a standard cookie banner that allows users to give or decline to give consent for cookies:
If you use advertising cookies, and you offer goods and services in the EU, you'll need a cookie consent solution, too.
Why Cookie Consent Matters
The EU is way ahead of any other jurisdiction in the world when it comes to data protection. Gradually, however, other places are starting to introduce privacy laws inspired by EU law.
On the face of it, cookie banners may seem like an unnecessary annoyance. But there is a reason that governments are becoming more concerned about regulating online business activity.
Businesses are increasingly driven by an imperative to collect personal information. This can help drive sales by personalizing marketing, predicting people's behavior, and influencing their choices. Cookies are a way to help achieve all of these things.
Before we look at the treatment of cookies around the world, there are a few things to keep in mind.
Technically Necessary Cookies
There is an important distinction between different types of cookies. Some are necessary for the functioning of a website, and some are desirable from a user's perspective.
Generally, when we refer to "cookies" in this article, we're referring to cookies that are used for ad personalization and tracking. These are the sorts of cookies that collect personal information and can have privacy implications.
You should also assume that other devices that serve similar functions, such as web beacons and pixel tags, are included in this definition.
Cookies and Children
Very often, separate laws apply to tracking the online behavior of children.
We're only going to look at one such law, the Children's Online Privacy Protection Act (COPPA) in the United States. This will give you an idea of how such regulation works.
There may be similar laws in other countries we look at, too. If your business intends to market to children, you should think very carefully about whether using advertising cookies is appropriate at all.
Cookies are not mentioned explicitly in many laws. Even the mammoth GDPR only mentions the word "cookie" once.
Some jurisdictions define "personal information" in a broad way that implies that cookies should be included. Others define "personal information" more narrowly.
When asking whether a particular country requires cookie consent, it's not always easy to answer simply yes or no. It may be that the issue of cookies simply hasn't been considered by the country's lawmakers or courts yet. We can't be certain about how they will treat the issue once they do.
United States (Federal Laws)
Privacy law in the United States (US) is very weak compared to many other major economies. Essentially, the US does not require consent for cookies.
If you've determined that COPPA applies to you, you'll need to be very careful about using cookies at all, particularly tracking cookies. Numerous investigations have been launched into the use of tracking cookies, for example on websites operated by Hasbro, Mattel and Fisher-Price.
The strongest privacy laws in the US can be found in California. And because they apply to any business operating in California, they effectively apply to any business operating in the US.
The privacy regime in Canada is much stricter than in the US. But it's still not as strict as in the EU.
There is some confusion about the cookie situation in Canada. Let's examine how cookies are treated under Canadian law.
Canada has two main privacy laws:
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Canada's Anti-Spam Legislation (CASL)
The combination of these two laws creates a form of consent requirement for cookies, but not necessarily a requirement for cookie banners.
PIPEDA mentions two types of consent:
- Express consent. This type of consent is given explicitly, through a specific action. For example, clicking the "I agree" option on a cookie banner.
- Implied consent. This type of consent can be inferred through a person's actions or inaction. For example, where a user has been given the option to opt out but has not done so.
CASL requires that website and app operators get "express consent" for the installation of certain "computer programs." CASL deems that cookies are a type of computer program.
However, you can assume that you have a person's express consent for cookies if "the person's conduct is such that it is reasonable to believe that they consent to the program's installation."
How might a person's conduct indicate that they consent to cookies? Here's some guidance from the Canadian Radio-television and Communications Commission:
So, as long as you respect people's opt-out choices and browser settings, you can assume that you have their express consent to set cookies under Canadian law.
It may have occurred to you that this sounds more like "implied consent" than "express consent." In any case, the upshot is that Canada does not require (express) consent for cookies, as long as proper information and an opt-out process are provided.
South and Central America
Argentina's Personal Data Protection Act (English version) requires personal information to only be collected with express consent, given in writing or "other similar means."
There are a few exceptions to this consent requirement, such as where the personal information forms part of a list limited to:
- National identity number
- Tax or social security identification
- Date of birth
- Phone number
The question, then, turns to whether cookies are considered personal information. This is not clear from the law.
Applying the principle that cookies are increasingly considered personal information, you should proceed with caution - Argentina may require consent for cookies.
There are two key pieces of privacy legislation in Brazil:
- The Civil Rights Framework for the Internet (known as the "Marco Civil") (English version)
- The Brazilian General Data Protection Law (LGPD) (English version), which comes into force in 2020
These laws don't make specific reference to cookies. But in a similar way to other Latin American laws, they do suggest that cookies containing personal information require express consent.
Therefore, proceed with caution - Brazil may require consent for cookies.
There are several important privacy laws in Mexico, including
Under these laws, Mexico does require consent for cookies, except where cookies are required for technical purposes. Full notice of how cookies and other devices collect personal information is also a legal requirement.
Nigeria's main privacy laws are:
The 2007 Act does not refer to cookies. At the time of writing, the 2019 Regulation is very new. Little appears to have been written about its requirements or interpretation.
The language around consent in the Regulation is very similar to that of the EU's GDPR. Consent is defined as:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by a clear affirmative action"
This would suggest a strong "opt-in" or "express" model of consent.
Consent is one of six legal reasons for processing personal information. The others, which include fulfillment of a "legal obligation" or performance of a contract, are unlikely to apply when using cookies.
Therefore, it would appear that, as of January 2019, Nigeria does require consent for cookies.
There are two main privacy laws in South Africa:
The POPIA bears some similarities to EU data protection law. Although it passed in 2013, the Act has yet to fully come into force.
Until POPIA comes fully into force and the South African Information Regulator provides further guidance on its interpretation, it's reasonable to state that South Africa does not require consent for cookies.
Privacy law in China is covered by myriad regulations, statutes and court opinions. Internet censorship, cybersecurity laws and the "Great Firewall of China" present additional challenges to entering this online marketplace.
Examples of laws governing online marketing include:
However, no Chinese law appears to make reference to cookies.
An interesting civil lawsuit was brought against Chinese search engine Baidu in 2015. The claimant alleged that she had been psychologically harmed by Baidu's use of retargeting cookies.
Although this decision is not binding on other courts, it can be taken as partial confirmation that China does not require consent for cookies.
The main privacy laws in Hong Kong are:
These laws don't specifically require consent for cookies.
The Hong Kong Privacy Commissioner provides some helpful guidance on applying the Ordinances in the context of online behavioral advertising.
However, Hong Kong does not require consent for cookies.
The IT Act prohibits the introduction of a "computer virus" into a computer. "Computer virus" is defined quite broadly. Here's part of the definition:
"any computer instruction, data or programme that [...] attaches itself to another computer resource and operates when a programme, data or instruction is executed or some other event takes place in that computer resource."
Two of Japan's main privacy laws are:
- The Act on the Protection of Personal Information (APPI) (English version)
- The Act on Regulation of the Transmission of Specified Electronic Mail (English version)
Neither law makes any reference to cookies. However, the definition of "personal information" in the APPI is very broad.
Therefore, proceed with caution - Japan might require consent for certain third-party cookies.
Australia's main privacy laws are:
Neither law makes any reference to cookies.
The Office of the Australian Information Commissioner provides some guidance on applying the "Australian Privacy Principles" that derive from Australian law. This does suggest that information collected by cookies might constitute personal information if a person could be "reasonably identified" from it.
New Zealand's main privacy laws are:
- The Privacy Act 1993, a data protection law
- The Unsolicited Electronic Messages Act 2007, an anti-spam law
Neither of these laws makes reference to cookies or implies that they should be treated as personal information.
New Zealand does not require consent for cookies.
Here's what we've learned about cookie consent around the world.
Remember the caveats we considered at the top of the article about children, technically necessary cookies and legal uncertainty. And be aware that certain laws require disclosure even if they don't require express consent.
||Consent not required
||Proceed with caution
||✔ (consent can be assumed under certain conditions)
||✔ (for first-party cookies)
||✔ (for third-party cookies)
|United States (California)