New data protection regulations and privacy frameworks are emerging all over the world.
Many countries have now established rules and guidelines for cookies and consent, and for how to manage the personal information most cookies collect on your website.
To help you navigate this new landscape, we have collected practical information about national and international privacy laws and cookie guidelines, and about how your business can comply with them.
Find further information on country-specific rules and guidelines in the sections below.
Many of the cookies and tracking technologies that websites use today collect their visitors’ personal information, which is then processed by third parties for marketing purposes.
This is typically IP addresses, geolocation data and other online identifiers that can track user behavior across the web.
When using cookies that collect personal information, you must obtain valid consent from your users before the cookies are set. This applies even when the cookies are set through your website by third parties such as Google, Facebook or Amazon.
Read more in this in-depth article on how you – as a business – collect valid consent for using cookies.
The ePrivacy Directive (Privacy and Electronic Communications Directive 2002/58/EC) is a European Union directive from 2002. Its goal is to standardize the rules for data protection and privacy in electronic communications across the European Union (EU).
This directive is largely the reason we see an increasing number of cookie banners on the internet today.
Unlike the GDPR, the directive is not directly binding law in itself; it instructs the member states to pass their own national laws on the topic. Many EU countries have done just that, which is why national guidelines on cookies exist.
Ratified in 2002 and revised in 2009, the ePrivacy Directive will eventually be replaced by the ePrivacy Regulation.
The ePrivacy Regulation (Regulation on Privacy and Electronic Communications) is to replace the ePrivacy Directive, better known as the European cookie law.
The purpose of the regulation is to standardize electronic privacy law in Europe so that the same rules apply in all European member states.
The goal is to expand online consumer privacy to better reflect the world we live in. Its predecessor, the ePrivacy Directive, was enacted in 2002, at a time when tracking and the commercial use of personal data were still in their infancy.
The ePrivacy Regulation will apply to all communication service providers and businesses that collect, store and process European citizens’ data, whether on websites or in apps, using cookies or any other tracking technology (e.g., fingerprinting, beacons, pixels).
The California Consumer Privacy Act (CCPA) is a data privacy law meant to enhance privacy rights and consumer protection for residents of California, United States.
In effect since January 1st, 2020, the CCPA regulates how businesses may collect, share, and process the personal information (PI) of California residents.
For businesses, the CCPA means respecting the consumer privacy rights described in the law. Businesses must evaluate their data collection and use (processing) and make the arrangements necessary to meet the CCPA’s strict demands.
The link enables visitors to opt out of advertising and data collection by cookies through your website.
Failure to comply with the CCPA may result in penalties of up to $7500 for each violation, and $750 for each affected user in civil damages.
Discover if your business is impacted by the CCPA and how you can become CCPA compliant.
The California Privacy Rights Act (CPRA) makes several additions to the California Consumer Privacy Act (CCPA).
The CPRA takes effect on January 1, 2023, but is in force from July 1, 2022. However, businesses must already comply one year before that (from January 1, 2022). The CPRA expands on the CCPA by increasing consumer rights and strengthening privacy protection for consumers and employees.
Furthermore, the CPRA establishes an enforcement agency to protect California consumers more effectively. The CPRA requires businesses in California, and businesses collecting and processing personal data from California residents, to fully understand what data they process and for what purpose.
The General Data Protection Law (Lei Geral de Proteção de Dados Pessoais or LGPD) is a Brazilian data privacy law which came into effect on August 15, 2020.
The LGPD brings clarity to Brazil’s legal framework, as it unites over 40 different statutes governing the use of personal data.
Inspired by the European General Data Protection Regulation (GDPR), the LGPD establishes rules on how businesses and organizations are allowed to collect, handle, store and share the personal data of citizens of Brazil.
Like the GDPR, the LGPD requires website owners to collect valid consent to cookies if those cookies collect visitors’ personal information such as IP address, geolocation, user ID or cookie ID.
Read more in this in-depth article on how you – as a business – collect valid consent for using cookies in Brazil.
The Thailand Personal Data Protection Act (PDPA) was published in the Royal Thai Government Gazette on May 27, 2019, and is the first law governing data protection in Thailand.
The main purpose of the Thai PDPA is to regulate the processing of personal data for commercial uses, thereby protecting Thai citizens from the unlawful collection and use of their personal data.
The PDPA applies to any business or organization located in Thailand and to any company doing business in Thailand.
The Cabinet of Thailand has postponed the enforcement of the PDPA to May 31, 2022, because of the effects of Covid-19.
Read more in this in-depth article on how you – as a business – collect valid consent for using cookies.
POPIA is South Africa’s Protection of Personal Information Act. POPIA defines personal information broadly in order to secure the privacy rights of the South African population, and the law is modeled after the European General Data Protection Regulation (GDPR).
POPIA applies to any organization or business that wishes to process the personal information of South African citizens, regardless of whether the business is located inside or outside of South Africa.
POPIA defines consent as: “any voluntary, specific and informed expression of will in terms of which permission is given for the processing of personal information”.
Collecting valid consent can be done using a cookie consent pop-up that informs visitors about your website’s cookies and collects and stores all users’ consents.
POPIA came into effect on July 1st, 2020, and enforcement began on July 1st, 2021. Non-compliance with POPIA can lead to fines of up to 10 million ZAR (€500,000).
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada’s privacy law for collecting, using, and processing personal information when carrying out commercial activities.
That means that if you have a website and use services that set cookies through your site (e.g., Google Analytics, Facebook, YouTube, or any other third-party provider), you must collect valid consent for cookies before any cookies are stored on your visitor’s computer or phone.
Collect valid consent using a cookie consent pop-up that informs users about your website’s cookies and collects and stores their valid consents.
Personal information can only be used for the purposes for which it was collected. If an organization is going to use it for another purpose, it must obtain consent again.
PIPEDA applies to any business or organization within Canadian territory, but also to anyone outside Canada doing business with Canadian citizens.
The Interactive Advertising Bureau (IAB) launched their updated version of the Transparency and Consent Framework (TCF 2.0) on August 15, 2020.
The purpose of the TCF 2.0 is to standardize the processes for obtaining consent from website visitors for the collection and processing of their personal data.
The TCF 2.0 aims to increase transparency about how users’ data is being processed and by whom, so that businesses, publishers and AdTech vendors can continue to run programmatic advertising in compliance with the General Data Protection Regulation (GDPR).
In July 2020, the European Court of Justice ruled in the Schrems II case, immediately invalidating the EU-US Privacy Shield agreement, on which many companies relied to transfer personal data between the two territories.
The Privacy Shield was invalidated because of European concerns that EU citizens’ data could be subject to surveillance by the US state and its intelligence agencies.
The ruling is colloquially known as Schrems II after the Austrian lawyer and activist Max Schrems, who filed legal complaints against Facebook over its methods of transferring personal data.
On June 4, 2021, the European Commission replaced the old Privacy Shield with Standard Contractual Clauses (SCCs) for the transfer of personal data between the EU and insecure third countries (including the US).
Start by getting an overview of what data your organization transfers out of the EU/EEA.
Next, examine the legal basis for the transfer, which in this case could be the Standard Contractual Clauses.
If SCCs are not possible, the following approaches are available:
The Personal Information Protection Law of the People’s Republic of China (PIPL) is the first national data privacy law passed in China.
The PIPL took effect on November 1, 2021, and will dramatically change how businesses and organizations collect, manage and process Chinese citizens’ personal data.
The PIPL is modeled after Europe’s General Data Protection Regulation (GDPR) and imposes strict restrictions on data collection, processing, and transfer. The law focuses mainly on websites’ and apps’ use of personal data to target users for marketing purposes, and on inhibiting the transfer of personal information to insecure countries.
The goal of the PIPL is to protect the rights and interests of the Chinese people and to regulate personal information processing activities.
Consent under the PIPL is defined much like the strict consent requirements in the GDPR. Consent must be informed, freely given, specific and unambiguous.
Google Consent Mode is an API by Google announced in September 2020 as a way for Google to maintain its robust digital-ad business while attending to the growing need for consumer privacy.
The API allows websites to obtain data for their Google services like Google Analytics and Google Ads while maintaining GDPR compliance.
The rules for how to collect valid consent to cookies and other tracking technologies are becoming ever more aligned across the world.
More and more countries are updating or implementing data protection laws to provide businesses with clear guidelines for how to collect and use people’s personal data.
The rules for collecting valid consent and other aspects of data protection law can be complex, and there are many different interpretations of how to stay compliant.
This section will help you understand the rules that apply to collecting consent for cookies, website analytics and other tracking technologies in your specific country.
In Denmark, the rules on cookies are declared in the Danish cookie law (“Cookiebekendtgørelsen”) administered by the Danish Business Authority (“Erhvervsstyrelsen”).
However, the processing of the personal data that most cookies and tracking technologies collect is administered by the Danish Data Protection Authority (“Datatilsynet”), and the rules are aligned with the rules for data processing in the General Data Protection Regulation (GDPR).
In Norway, the rules on cookies can be found in the Norwegian Law on Electronic Communication (Lov om Elektronisk Kommunikasjon – EKOM).
In 2013, a new provision on the use of information stored in cookies was added to the EKOM law, the so-called “cookie paragraph” §2-7b.
In November 2019, the Norwegian National Communication Authority (Nasjonale Kommunikasjonsmyndighet – NKOM), which administers the law, explicitly stated that consent is needed before any cookies can be set on a website.
If cookies collect and process personal data, the rules for consent are those set forth by the General Data Protection Regulation (GDPR), the Norwegian Data Protection Authority (“Datatilsynet”) adds.
Here we go in-depth with the guidelines for collecting valid consent to cookies in Norway.
In addition, the website is required to obtain the visitor’s consent for placing the cookies.
In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Sweden.
The long-awaited update brings an end to the Finnish cookie saga as the guidelines now align with rules for consent declared by the General Data Protection Regulation (GDPR).
Consent to cookies can no longer be given via browser settings but must meet the requirements in the GDPR.
Consent to cookies must be freely given, specific, informed, and unambiguous. The new decision is expected to impact thousands of business websites and change practices for how cookie consent is obtained.
In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Finland.
The French guidelines for cookies are administered by the Commission Nationale de l’Informatique et des Libertés (CNIL) and they are highly aligned with rules for consent in the General Data Protection Regulation (GDPR).
With the newest French cookie guidelines, the CNIL has determined that websites are not allowed to place cookies to track visitors before the visitor has given their explicit consent.
The CNIL revised its cookie guidelines on October 1, 2020, and set the rules for consent in stone. Four quick takeaways from the CNIL guidelines are:
The Italian cookie guidelines are administered by the Italian Data Protection Authority “Il Garante”. On July 10th, 2021, Il Garante released a new set of guidelines for using cookies on websites.
The Italian Data Protection Authority highlights a number of requirements for collecting valid consent to cookies, which are aligned with the recently published guidelines from France’s CNIL, Spain’s AEPD and Denmark’s Datatilsynet.
In this post, we go in-depth with the guidelines for collecting valid consent to cookies in Italy.