What laws require websites to have a cookie consent banner?

Donata Stroink-Skillrud

Co-founder and President of Termageddon

You see it on almost every website – the cookie consent banner that asks you to agree to cookies being placed on your device. Some websites give you an actual choice to agree or deny, others ask you to just agree, and others just say that cookies are being placed without you having the ability to disagree. Either way, there is no doubt that the cookie consent banner is everywhere, in every form imaginable. This feature helps websites obtain consent for the placement of cookies on a user’s device. So, whether you call it a cookie consent banner, a cookie consent tool, or a cookie management platform, you may be wondering if your website needs to have one as well. In this article, we will help you understand which privacy laws require websites to have a cookie consent banner and determine whether your website needs one too.

What are cookies?

While we all normally think of cookies as a delicious treat, when it comes to websites, cookies (also called tracking technologies) are small pieces of code that are put on a user’s device or browser and that track them as they use that website (to determine what pages they clicked on, for example) or as they go from your website to different websites (to show Facebook advertisements, for example). Usually, cookies are put on a user’s device automatically.

Why are website cookies regulated?

While certain cookies are used for purposes that a website visitor would expect, such as protecting the website from hacking, displaying images, or displaying the website in general, other cookies can be more intrusive by tracking website visitors to show them advertisements or to send them marketing messages. Many consumers are not aware of the fact that advertising cookies can track the products that they viewed online and then use that data to show them Facebook advertisements for those same products. Regulators have passed multiple privacy laws that require certain websites to obtain the consent of the user for placing cookies on their device that are not strictly required for the proper operation of the website. A website cookie consent banner does just that – it helps websites obtain the consent of the website user to the collection of certain types of cookies.

The first step to determine whether your website needs a cookie consent banner is to determine whether your website has cookies (or other tracking technologies that act as cookies). You can use this complimentary cookie scanner from Usercentrics to determine if your website collects cookies. If your website does not have cookies, then you do not need to have a cookie consent banner as there is nothing that the users of your website have to consent to. If your website does collect cookies, then you should consider adding a cookie consent banner to your website to gather the consent of your website’s users as you may be required to provide one by law.

The main reason websites have a cookie consent banner is that they are required by law to have one. The following privacy laws require websites to obtain consent to the use of cookies and tracking technologies that are not strictly necessary to the operation of the website:

  • ePrivacy Directive 2002/58/EC (also called the “Cookie Law”): this Directive requires European Union countries to create laws that state that websites need to provide information about cookies and tracking technologies and obtain the consent of users before putting such cookies or technologies on their devices. The laws passed by EU countries under this Directive protect the privacy of residents of the European Union so they can apply to websites of businesses outside of the EU. The ePrivacy Directive will soon be replaced by the ePrivacy Regulation 2021, which, when finalized, will update these rules. 
  • General Data Protection Regulation (GDPR): requires the consent of website users for the collection of personal data, which includes the data collected by certain types of cookies. GDPR applies to you if you:
    • Have an establishment in the European Union; 
    • Offer goods or services to European Union residents, regardless of your location; 
    • Monitor the behavior of European Union residents, regardless of your location. 
  • United Kingdom’s Data Protection Act 2018 (UK DPA): requires the consent of website users for the collection of personal data, which includes the data collected by certain types of cookies. UK DPA applies to you if you:
    • Have an establishment in the United Kingdom; 
    • Offer goods or services to United Kingdom residents, regardless of your location; 
    • Monitor the behavior of United Kingdom residents, regardless of your location. 
  • California Privacy Rights Act (CPRA): requires websites that sell personal information to provide users with a means to opt out of such sales. This is usually done through the cookie consent banner that asks users whether they would like to opt out of sales of their personal information. CPRA applies to for-profit entities that collect and process the personal information of California consumers, that do business in California and that meet one of the following thresholds:
    • Has annual gross revenues in excess of $25,000,000; 
    • Annually buys, receives, sells or shares the personal information of 50,000 or more California consumers, households or devices; 
    • Derives 50% or more of its annual revenue from selling the personal information of California consumers. 
  • Personal Information Protection and Electronic Documents Act (PIPEDA): this Canadian privacy law requires website users to consent prior to the collection of personal data, which can be the data that is collected through cookies and other tracking technologies (e.g. IP addresses). PIPEDA applies to private companies across Canada that collect, use or disclose personal information in the course of a commercial activity. In addition, PIPEDA can also apply to businesses outside of Canada if they collect the personal information of Canadians in the course of a commercial activity.
  • Quebec Law 25 (previously Quebec Bill 64): Quebec’s Law 25 applies to persons who collect, hold, use or share personal information in the course of carrying on an enterprise within the meaning of Article 1525 of the Civil Code. Article 1525 of the Civil Code defines “enterprise” as “the carrying on by one or more persons of an organized economic activity, whether or not it is commercial in nature, consisting of producing, administering or alienating property, or providing a service.” This new law will apply to anyone participating in an economic activity, even if that activity is not commercial, meaning that nonprofit organizations will need to comply with this law, as well as for-profit organizations.
  • California Invasion of Privacy Act (CIPA): if your business uses tracking technologies, you may be required to comply with CIPA. CIPA was originally created to prevent recording phone calls of California residents without consent, but has lately been interpreted to apply to tracking cookies as well. Numerous lawsuits have recently been filed regarding this.

If any of the above privacy laws apply to you, then you need to obtain consent for the use of cookies on your website through a cookie consent banner.

Now that you know what laws require websites to have a cookie consent banner, you are probably wondering where you can get one for your website. The Termageddon/Usercentrics integration means that all Termageddon accounts include a cookie consent banner that you can enable right from your license.

About the Author
Donata Stroink-Skillrud

Donata is the Co-founder and President of Termageddon and a licensed attorney and Certified Information Privacy Professional. She serves as the Vice-Chair of the American Bar Association's ePrivacy Committee and the Chair of the Chicago Chapter of the International Association of Privacy Professionals.
