Other geographic areas are preparing their own data protection laws, meaning cookie policies are likely to become mandatory there soon, too.
Do I need a cookie consent on my website?
A cookies policy is a more specific document that lists which cookies are used on your site, whether by you or by third parties, describes what each of them does, and sets out the types of cookies in use. It should explain how cookies are used, how site users can opt out, and how they can contact your organization about the cookies.
Which countries require me to have a cookies policy?
There is no single federal data protection law for the USA, although some states have individual laws. The most far-reaching of these is CCPA, which applies to California consumers. CCPA gives individuals the right to know what information is being collected about them, how it is used and whether it is sold on. They also have the right to opt out of their data being sold, and to access and delete their personal information.
CCPA requires explicit notification of consumers where data is sold or shared with third parties, including giving consumers the right to opt out from non-essential cookies. This information should all be contained in a cookies policy.
In addition to California, Colorado, Connecticut, Utah and Virginia have introduced data privacy laws. Many other US states are in the process of introducing their own legislation, so it’s vital to stay on top of cookie requirements in the regions where you operate.
The Personal Information Protection and Electronic Documents Act (PIPEDA) covers rules on data consent in Canada for private sector organizations. The law requires businesses to seek consent for the collection, disclosure and use of personal information, and make reasonable efforts to inform individuals of the purposes for collecting information.
A separate law, the Canada Anti-Spam Law (CASL), allows organizations to infer consent for cookies in some situations.
As a member of the EU, the UK introduced GDPR in 2018. When the UK left the EU, the rules set out in GDPR were kept in place and these are expected to be retained until at least 2025. However, new legislation (Data Protection and Digital Information (No 2) Bill) is being prepared that would see the UK begin to diverge from EU rules.
One of the proposals includes introducing a list of categories of data that could be collected using cookies without express consent being required, for example where data is used solely to improve website performance.
There is no Indian legislation that explicitly covers cookies, but the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (SPDI) state that sensitive personal data should be subject to higher compliance, including written consent for data collection. Where cookies are used to collect this data, consent must be sought before their use.
Sensitive personal data includes information such as passwords, financial information, data about physical or mental health conditions, biometric information, and sexual orientation.
What happens if you don't have a cookie banner?
You need to be sure that you are complying with the law in the regions where you operate. In some cases, the law might not require that you have a cookie banner, provided that you give the information required in a suitably clear format and obtain the appropriate level of consent. A cookie banner tends to be the best format to achieve this.