Do I need a Cookie Policy on my Website?

Many regions around the world require a cookie policy as part of their data protection laws – for example, the California Consumer Privacy Act (CCPA) in the US or the EU’s General Data Protection Regulation (GDPR). These laws make a cookie policy a legal requirement, and failure to comply may result in fines and penalties.

Other geographic areas are preparing their own data protection laws, meaning cookie policies are likely to become mandatory there soon, too.

Even where a region has no legal requirement to provide a cookie policy, it is arguably best practice to provide one. You will be showing your site’s users the courtesy of being transparent about how you collect their data and for what purposes. You will also be a step ahead in preparing for any future data protection laws that country introduces.

Do I need cookie consent on my website?

It’s important to be clear about the difference between a privacy policy and a cookies policy. A privacy policy will tell your users how your website gathers data, and how that data is shared and stored.

A privacy policy usually sets out the type of personal information that is collected and why, along with details of how users can access, amend, control or delete their data. All data protection laws require something of this kind.

A cookies policy is a more specific document that lists which cookies are used on your site, describes what they do, and details the types of cookies set by you and by third parties. It should explain how cookies are used, how site users can opt out, and the routes for contacting your organization about the cookies.

Which countries require me to have a cookies policy?

USA

There is no single federal data protection law in the USA, although some states have individual laws. The most far-reaching of these is the CCPA, which applies to California consumers. The CCPA gives individuals the right to know what information is being collected about them, how it is used and whether it is sold on. They also have the right to opt out of their data being sold, and to access and delete their personal information.

The CCPA requires explicit notification of consumers where data is sold or shared with third parties, including giving consumers the right to opt out of non-essential cookies. This information should all be contained in a cookies policy.

In addition to California, Colorado, Connecticut, Utah and Virginia have introduced data privacy laws. Many other US states are in the process of introducing their own legislation, so it’s vital to be on top of cookies requirements in the regions where you operate.

Canada

The Personal Information Protection and Electronic Documents Act (PIPEDA) covers rules on data consent in Canada for private sector organizations. The law requires businesses to seek consent for the collection, disclosure and use of personal information, and to make reasonable efforts to inform individuals of the purposes for which information is collected.

A separate law, the Canada Anti-Spam Law (CASL), allows organizations to infer consent for cookies in some situations.

UK

As a member of the EU, the UK introduced GDPR in 2018. When the UK left the EU, the rules set out in GDPR were kept in place, and these are expected to be retained until at least 2025. However, new legislation (the Data Protection and Digital Information (No 2) Bill) is being prepared that would see the UK begin to diverge from EU rules.

One of the proposals would introduce a list of categories of data that could be collected using cookies without express consent being required, for example where data is used solely to improve website performance.

India

There is no Indian legislation that explicitly covers cookies, but the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI) state that sensitive personal data should be subject to higher compliance, including written consent for data collection. Where cookies are used to collect this data, consent must be sought before their use.

Sensitive personal data includes information such as passwords, financial information, data about physical or mental health conditions, biometric information and sexual orientation.

What happens if you don't have a cookie banner?

You need to be sure that you are complying with the law in the regions where you operate. In some cases, the law might not require that you have a cookie banner, provided that you give the information required in a suitably clear format and obtain the appropriate level of consent. A cookie banner tends to be the best format to achieve this.

Do I need a cookie consent if I don't use cookies?

Even if you don’t use cookies yourself, as a website owner it’s still a good idea to have a cookie consent policy.

Services and plugins from third parties on your website may set cookies of their own (e.g. Google Analytics or Google AdSense), so requesting consent and setting this out in a cookies policy is a smart idea. A consent management platform can give you clarity and control over which third-party cookies are set and when.

If you need help managing your cookie policy and consents, CookieHub can help. Our cookie checker tool scans your site and gives a clear picture of what cookies are in use. Get in touch now to discuss your requirements.
