INTERNATIONAL PRIVACY LAWS

Regulations & Frameworks

Discover the data privacy rules that apply to your business and how they may affect your operations in other countries. Here’s a walkthrough of the most important international data privacy laws.

List of privacy laws

Why privacy matters to cookies

New data protection regulations and privacy frameworks are emerging all over the world. Many countries have now established rules and guidelines for cookies and consent, and how you are to manage the personal information most cookies collect on your website.

To help you navigate this new landscape, we have collected practical information about national and international privacy laws and cookie guidelines, and how your business can comply with them.

Find further information on country specific rules and guidelines in the sections below.

GDPR – General Data Protection Regulation

The General Data Protection Regulation (GDPR) is a law on data protection and privacy in the European Union. It came into force on May 25, 2018, in all European member states and is designed to harmonize data privacy laws across Europe. The GDPR aims to protect EU citizens’ data privacy and to reshape organizations’ approach to the collection of personal data.

The GDPR specifically works to ensure that personal data is collected and processed under a lawful basis. This includes the use of cookies and other tracking technologies.

Collecting and processing EU citizens’ personal information requires you to collect valid consent.

Many of the cookies and tracking technologies that websites use today collect their visitors’ personal information, which is then processed by third parties for marketing purposes.
This is typically IP addresses, geo-location and other online identifiers that can track user behavior across the web.
When using cookies that collect personal information, you must obtain valid consent from your users in order to use those cookies. This applies even though the cookies are set by third parties like Google, Facebook, Amazon etc. through your website.
Read more in this in-depth article on how you – as a business – collect valid consent for using cookies.

ePrivacy Directive (European cookie law)

The ePrivacy Directive (Privacy and Electronic Communications Directive 2002/58/EC) is a European decree from 2002. The goal of the ePrivacy Directive is to standardize rules for data protection and privacy in electronic communications in the European Union (EU).
The ePrivacy Directive regulates the use of cookies, email marketing permissions and other areas of data privacy concerning EU citizens.

Also called the European ‘cookie law’, the ePrivacy Directive states that all websites must inform users about cookies and ask for consent to use them.

This is largely why we see an increasing number of cookie banners on the internet today.
The directive is not a binding law in itself, unlike the GDPR, but an instruction to the member states to enact their own national law on the topic. Many EU countries have done just that, which is why national guidelines on cookies exist.
Ratified in 2002 and revised in 2009, the ePrivacy Directive will eventually be replaced by the ePrivacy Regulation.

ePrivacy Regulation (the upcoming European law on cookies)

The ePrivacy Regulation (Regulation on Privacy and Electronic Communications) is to replace the ePrivacy Directive, better known as the European cookie law.
The purpose of the regulation is to standardize electronic privacy laws in Europe so that they apply uniformly to all European member states.
The goal is to expand online consumer privacy to better reflect the world we live in. Its predecessor, the ePrivacy Directive, was enacted in 2002, at a time when tracking and the use of personal data were in their infancy.
The ePrivacy Regulation will apply to all communication service providers and businesses that collect, store and process European citizens’ data, whether on websites or in apps, using cookies or any other tracking technology (e.g., fingerprinting, beacons, pixels).

The ePrivacy Regulation was supposed to come into effect together with the GDPR in 2018 but has been delayed multiple times in the European Parliament.

CCPA - California Consumer Privacy Act

The California Consumer Privacy Act (CCPA) is a data privacy law meant to enhance privacy rights and consumer protection for residents of California, United States.
Taking effect from January 1st, 2020, the CCPA regulates how businesses may collect, share, and process personal information (PI) of Californian residents.
For businesses, the CCPA means respecting consumer privacy rights as described in the law. Businesses must evaluate data collection and use (processing) and make necessary arrangements to meet the strict demands in the CCPA.

When you use cookies on your website that collect (and subsequently process) the personal information of Californian residents, you must use a customized cookie consent pop-up which includes a “do not sell” link.

The link enables visitors to opt out of advertising and of data collection by cookies through your website.
Failure to comply with the CCPA may result in penalties of up to $7,500 for each violation and $750 in civil damages for each affected user.
Discover if your business is impacted by the CCPA and how you can become CCPA compliant.

CPRA - California Privacy Rights Act

The California Privacy Rights Act (CPRA) introduces several additions to the California Consumer Privacy Act (CCPA).
The CPRA takes effect on January 1, 2023, but is in force from July 1, 2022; however, businesses must already comply one year before that (from January 1, 2022). The CPRA expands on the CCPA by increasing consumer rights and strengthening privacy protection for consumers and employees.
Furthermore, the CPRA establishes an enforcement agency to protect Californian consumers more effectively. The CPRA requires businesses in California, and businesses collecting and processing personal data from Californian citizens, to understand fully what data they process and for what purpose.

LGPD – Brazil’s data protection law

The General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) is a Brazilian data privacy law which came into effect on August 15, 2020.
The LGPD brings clarity to Brazil’s legal framework, as it tries to unite over 40 different statutes governing the use of personal data.
Inspired by the European General Data Protection Regulation (GDPR), the LGPD establishes rules on how businesses and organizations are allowed to collect, handle, store and share personal data of citizens of Brazil.

If you are a Brazilian business – or a business beyond Brazil’s borders operating on the Brazilian market – and you use cookies on your website, the LGPD applies to you.

Like the GDPR, the LGPD requires website owners to collect valid consent to cookies if these cookies collect visitors’ personal information such as IP address, geo-location, user ID, cookie ID, etc.
Read more in this in-depth article on how you – as a business – collect valid consent for using cookies in Brazil.

PDPA – Thailand Personal Data Protection Act

The Thailand Personal Data Protection Act (PDPA) was published in the Royal Thai Government Gazette on May 27, 2019, and is the first law governing data protection in Thailand.
The main purpose of the Thai PDPA is to regulate the processing of personal data for commercial uses thereby protecting Thai citizens from unlawful collection and use of their personal data.
The PDPA applies to any business or organization located in Thailand and for any company doing business in Thailand.

If your website uses cookies, the PDPA requires you to obtain consent before collecting or processing any personal data obtained with cookies or any other tracking technology.

The Cabinet of Thailand has postponed the enforcement of the PDPA to May 31, 2022, because of the effects of Covid-19.
Read more in this in-depth article on how you – as a business – collect valid consent for using cookies.

POPIA - South Africa’s Protection of Personal Information Act

POPIA is South Africa’s Protection of Personal Information Act. POPIA defines personal information broadly in order to secure the South African population’s privacy rights, and the law is modeled after the European General Data Protection Regulation (GDPR).
POPIA applies to any organization or business that wishes to process the personal information of South African citizens, regardless of whether the business is located inside or outside of South Africa.

If you use cookies on your website that collect and process the visitors’ personal information (e.g., using Google Analytics, Facebook, Instagram), you must collect valid consent.

POPIA defines consent as: “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
Valid consent can be collected using a cookie consent pop-up that informs users about your website’s cookies and collects and stores all users’ consents.
POPIA came into effect on July 1st, 2020, and enforcement began on July 1st, 2021. Non-compliance with POPIA can lead to fines of up to 10 million ZAR (€500,000).

PIPEDA - Canada’s Personal Information Protection and Electronic Documents Act

The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s privacy law for collecting, using, and processing personal information when carrying out commercial activities.

The most important aspect of PIPEDA is to obtain consent for collecting and processing personal data.

That means, if you have a website and you use services that set cookies through your site (e.g., Google Analytics, Facebook, YouTube, or any other third-party provider), you must collect valid consent for cookies before any cookies are stored on your visitor’s computer/phone.
Collect valid consent using a cookie consent pop-up that informs users about your website’s cookies and collects and stores their valid consents.
Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain consent again.
PIPEDA applies to any business or organization within Canadian territory, but also to anyone outside Canada doing business with Canadian citizens.

IAB Transparency & Consent Framework TCF 2.0

The Interactive Advertising Bureau (IAB) launched their updated version of the Transparency and Consent Framework (TCF 2.0) on August 15, 2020.
The purpose of the TCF 2.0 is to standardize the processes for obtaining consent from website visitors for the collection and processing of their personal data.
The TCF 2.0 aims to increase transparency about how users’ data is being processed and by whom, so that businesses, publishers and AdTech vendors can continue to run programmatic advertising in compliance with the General Data Protection Regulation (GDPR).

If your website uses cookies and you follow IAB standards, there are specific requirements you need to implement in your cookie consent pop-up for it to comply.

Schrems II – data transfers to insecure third countries

In July 2020, the European Court of Justice ruled in the Schrems II case, immediately invalidating the EU-US Privacy Shield agreement which many companies relied on to transfer personal data between the two territories.
The Privacy Shield was invalidated because of European concerns that EU citizens’ data could be subject to surveillance by the US state and intelligence agencies.
The ruling is colloquially known as Schrems II after the Austrian lawyer and activist Max Schrems, who filed legal complaints against Facebook over its methods of transferring personal data.

The Schrems II verdict now requires European businesses to conduct individual assessments of data transfers to countries not considered secure.

On June 4, 2021, the European Commission replaced the old Privacy Shield with Standard Contractual Clauses (SCCs) for the transfer of personal data between the EU and insecure third countries (including the US).

The Schrems II judgement is relevant to you as a data controller if you transfer personal data out of the EU/EEA to countries that the European Commission has not declared ‘secure third countries’.

Start by getting an overview of what data your organization transfers out of the EU/EEA.
Next, examine the basis of the transfer, which in this case could be the Standard Contractual Clauses.
If you have a website that uses cookies which are set by services based in the US, or that share data with US companies, you should:
  • Find out which cookies share data outside of the EU/EEA.
  • Once you have found them, contact the cookie vendors and ask them to switch to using SCCs.
If SCCs are not possible, there are the following approaches:
  • The data processor stops the data transfer and lets the data stay within the EU/EEA.
  • The data controller collects consent from the end user to transfer the data to the US.
  • The data controller stops the data transfer by switching to another vendor.

PIPL – Personal Information Protection Law of the People’s Republic of China

The Personal Information Protection Law of the People’s Republic of China (PIPL) is the first national data privacy law passed in China.
The PIPL took effect on November 1, 2021, and will dramatically impact how businesses and organizations collect, manage and process Chinese citizens’ personal data.
The PIPL is modeled after Europe’s General Data Protection Regulation (GDPR) and imposes strict restrictions on data collection, processing, and transfer. The law focuses mainly on websites and apps’ use of personal data to target users for marketing purposes, and to inhibit the transfer of personal information to unsecure countries.
The goal of the PIPL is to protect the rights and interests of the Chinese people and to regulate personal information processing activities.

To collect and process personal information in China or when targeting Chinese customers, you need to collect valid consent.

This means that if you use cookies on your website, you must collect valid consent.

Visitors must be informed of the cookies you use, and consent to your use of cookies even though the cookies are set by third-party providers like Taobao, Tmall or any other service within or outside Chinese territory.

Consent under the PIPL is defined much like the strict consent requirements in the GDPR. Consent must be informed, freely given, specific and unambiguous.

Google Consent Mode

Google Consent Mode is an API by Google announced in September 2020 as a way for Google to maintain its robust digital-ad business while attending to the growing need for consumer privacy.
The API allows websites to obtain data for their Google services like Google Analytics and Google Ads while maintaining GDPR compliance.

Google Consent Mode is integrated with a website’s Consent Management Platform to deliver data based on the consent choice of website visitors.

This allows you to measure website traffic and conversions more effectively while respecting your visitors’ consent choices for analytics and ads cookies.

Here’s how to get Google Consent Mode for your business website.
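The integration described above, as an added example that is not code from the original page or from Google: the CMP's accept/reject choice is translated into Consent Mode signals and pushed through the gtag consent commands. The `gtag()` shim, the `'consent'`/`'default'`/`'update'` commands and the `ad_storage`, `analytics_storage` and `wait_for_update` parameters are Google's real API; the CMP category names (`statistics`, `marketing`) and the helper names are assumptions.

```javascript
// Constructed stand-in for window.dataLayer; gtag() is defined exactly as in
// Google's tag snippet (it pushes its arguments onto the data layer).
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

let defaultsSet = false;

// Must run before any Google tag loads. Until the visitor chooses, every
// storage signal is 'denied', so the tags send no consent-dependent cookies;
// wait_for_update tells them how long (ms) to wait for the CMP's decision.
function setConsentDefaults() {
  gtag('consent', 'default', {
    analytics_storage: 'denied',
    ad_storage: 'denied',
    wait_for_update: 500,
  });
  defaultsSet = true;
  return true;
}

// Map the CMP's categories (assumed names) to Consent Mode signals.
// Only a category the visitor explicitly opted into becomes 'granted';
// anything missing or false stays 'denied'.
function toConsentSignals(categories) {
  const signal = (key) => (categories[key] === true ? 'granted' : 'denied');
  return {
    analytics_storage: signal('statistics'),
    ad_storage: signal('marketing'),
  };
}

// Called by the CMP once the visitor clicks accept or reject in the pop-up.
// Scrolling or dismissing the banner is not a choice, so the CMP only calls
// this with an explicit categories object. Refusing to update before the
// defaults exist catches the common mistake of loading tags first.
function applyConsentChoice(categories) {
  if (!defaultsSet) {
    throw new Error('consent defaults must be set before any update');
  }
  const signals = toConsentSignals(categories);
  gtag('consent', 'update', signals);
  return signals;
}

// Inspect the most recent consent command on the data layer.
function lastConsentCommand() {
  const args = dataLayer[dataLayer.length - 1];
  return args ? Array.from(args) : null;
}
```

In a real page the default call belongs in the `<head>` above the Google tag, and the CMP calls `applyConsentChoice` on every new or changed consent.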

The rules for how to collect valid consent to cookies and other tracking technologies are becoming ever more aligned across the world.
More and more countries are updating or implementing data protection laws to provide businesses with clear guidelines for how to collect and use people’s personal data.
Rules for collecting valid consent and other aspects of data protection laws can be complex and there are a lot of different interpretations on how to stay compliant.
This section will help you understand the rules that apply to collecting consent for cookies, website analytics and other tracking technologies in your specific country.

Rules on cookies and consent in Denmark – a quick guide

In Denmark, the rules on cookies are declared in the Danish cookie law (“Cookiebekendtgørelsen”), administered by the Danish Business Authority (“Erhvervsstyrelsen”).
However, the processing of the personal data that most cookies and tracking technologies collect is administered by the Danish Data Protection Authority (“Datatilsynet”), and the rules are aligned with the rules for data processing in the General Data Protection Regulation (GDPR).

If you use cookies or other technologies to collect and process your website visitors’ personal data, you have to obtain valid consent before you place any cookies on your visitor’s computer.

The guidelines for obtaining valid consent in Denmark are quite strict and have recently been updated by the Danish Data Protection Authority.

In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Denmark.

Rules on cookies and consent in Norway – a quick guide

In Norway, the rules on cookies can be found in the Norwegian Law on Electronic Communication (Lov om Elektronisk Kommunikasjon – EKOM).
In 2013, a new provision regarding the use of information stored in cookies was added to the EKOM law: the so-called “cookie paragraph”, §2-7b.

It states that you need to inform users about cookies and obtain consent for using cookies.

In November 2019, the Norwegian National Communication Authority (Nasjonale Kommunikasjonsmyndighet – NKOM), which administers the law, explicitly stated that consent is needed before any cookies can be set on a website.
If cookies collect and process personal data, the rules for consent should follow the definition set forth by the General Data Protection Regulation (GDPR), the Norwegian Data Protection Authority (“Datatilsynet”) adds.
Here we go in-depth with the guidelines for collecting valid consent to cookies in Norway.

Rules on cookies and consent in Sweden – a quick guide

According to the Swedish law on Electronic Communication 2003:389 (Lag om Elektronisk Kommunikation – LEK), all websites that use cookies must give visitors full access to information about the cookies used, who owns them and what data they collect.
In addition, the website is required to obtain the visitor’s consent before placing the cookies.

If your website uses cookies that collect personal data such as IP addresses, device ID, geo-location or other information that can be used directly or indirectly to identify the user, you must obtain consent in accordance with the rules in the GDPR.

In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Sweden.

Rules on cookies and consent in Finland – a quick guide

On May 4th, 2021, the Finnish Transport and Communications Agency Traficom released changes to the Finnish cookie guidelines.
The long-awaited update brings an end to the Finnish cookie saga as the guidelines now align with rules for consent declared by the General Data Protection Regulation (GDPR).

If your website uses cookies, you must collect valid consent according to the updated Finnish cookie guidelines. Consent must be given through a cookie consent pop-up and comply with the rules for consent in the GDPR.

Consent to cookies can no longer be given via browser settings but must meet the requirements in the GDPR.
Consent to cookies must be freely given, specific, informed, and unambiguous. The new decision is expected to impact thousands of business websites and change practices for how cookie consent is obtained.
In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Finland.

Rules on cookies and consent in France – a quick guide

The French guidelines for cookies are administered by the Commission Nationale de l’Informatique et des Libertés (CNIL), and they are highly aligned with the rules for consent in the General Data Protection Regulation (GDPR).
With the newest French cookie guidelines, the CNIL determines that websites are not allowed to place cookies to track visitors before the visitor has given their explicit consent.

Using cookies on a website requires the website to inform users of the cookies and obtain their consent for using them.

The CNIL revised their cookie guidelines on October 1, 2020, and carved the rules for consent in stone. Four quick takeaways from the CNIL guidelines are:
  • Scrolling or swiping is no longer considered consent.
  • Users must actively give consent by clicking “I accept”.
  • Users must be able to refuse cookies (click ‘No’).
  • All user consents must be stored for documentation.

The CNIL has given some of the biggest GDPR fines to big-tech companies for unlawful use of cookies and processing of website visitors’ personal data.
In this post, we go in-depth with the guidelines for collecting valid consent to cookies in France.

Rules on cookies and consent in Italy – a quick guide

The Italian cookie guidelines are administered by the Italian Data Protection Authority “Il Garante”. On July 10th, 2021, Il Garante released a new set of guidelines for using cookies on websites.
The focal change introduced by Il Garante is the need to obtain explicit consent from website visitors to use cookies that collect and process personal data, i.e., tracking cookies.

In particular, websites must obtain the user’s consent before setting any cookies (except technically necessary cookies).

The Italian Data Protection Authority highlights a number of requirements for collecting valid consent to cookies, which are aligned with recently published guidelines from France’s CNIL, Spain’s AEPD and Denmark’s Datatilsynet.

The purpose of the revised guidelines is to ensure that Italian website owners and businesses are given clear information on how to comply with the GDPR and the ePrivacy Directive (the “European cookie law”) when using cookies and other tracking technologies.

In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Italy.
Here is everything you need to know about national guidelines, international data protection regulations and privacy frameworks.