Cookie consent rules vary dramatically around the world. The EU requires opt-in consent before any non-essential cookies. The US generally uses opt-out. Many countries have no specific cookie legislation at all. This guide maps the requirements for 30+ countries so you know exactly what to implement.
Global Cookie Consent Models
There are three main approaches to cookie regulation worldwide:
- Opt-in (prior consent): No non-essential cookies until the user explicitly agrees. Used in the EU/EEA.
- Opt-out (notice + choice): Cookies can load by default, but users must be able to opt out. Used in most US states.
- No specific legislation: General data protection laws may apply, but no cookie-specific rules exist.
European Union / EEA — Opt-In Required
The ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) requires prior consent for storing or accessing information on a user's device — except for "strictly necessary" cookies. Combined with GDPR, this creates the strictest cookie regime in the world.
| Country | Model | Regulator | Key Requirement |
|---|---|---|---|
| France | Opt-in | CNIL | Reject button same level as Accept; guidelines updated 2024 |
| Germany | Opt-in | State DPAs | TTDSG requires consent; Planet49 ruling sets precedent |
| Italy | Opt-in | Garante | Cookie wall ban; scroll does not equal consent |
| Spain | Opt-in | AEPD | Cookie guide updated 2024; fines up to €20M |
| Netherlands | Opt-in | AP | Strict enforcement; cookie wall ban |
| Belgium | Opt-in | APD | IAB TCF ruling — consent framework found non-compliant |
| Austria | Opt-in | DSB | TKG 2021; Google Analytics rulings 2021-2022 |
| Ireland | Opt-in | DPC | Hosts many Big Tech HQs; high-profile enforcement |
| Poland | Opt-in | UODO | Telecom law + GDPR; moderate enforcement |
| Sweden | Opt-in | IMY | Active enforcement; Google Analytics rulings |
All 27 EU member states + EEA (Norway, Iceland, Liechtenstein) require opt-in consent. Variations exist in enforcement intensity and specific guidance, but the core requirement is the same.
United Kingdom — Opt-In (With Potential Relaxation)
The UK currently follows the EU approach under PECR (Privacy and Electronic Communications Regulations). The DPDI Act may relax consent requirements for analytics cookies, but as of 2026, the ICO still expects prior consent for non-essential cookies.
- Model: Opt-in (PECR Regulation 6)
- Regulator: ICO
- Key point: The ICO has been lenient on enforcement but is expected to increase activity in 2026
United States — Mostly Opt-Out
The US has no federal cookie law. Requirements come from state privacy laws and the FTC Act:
| State | Law | Cookie Requirement | GPC Required? |
|---|---|---|---|
| California | CCPA/CPRA | Opt-out of sale/sharing; "Do Not Sell" link | Yes |
| Colorado | CPA | Opt-out of targeted advertising | Yes |
| Connecticut | CTDPA | Opt-out of targeted advertising | Yes |
| Virginia | VCDPA | Opt-out of targeted advertising | No |
| Texas | TDPSA | Opt-out of sale and profiling | Yes |
| Oregon | OCPA | Opt-out of targeted advertising | Yes |
| Montana | MCDPA | Opt-out of targeted advertising | Yes |
For US compliance, you typically need a "Do Not Sell/Share My Information" link and must honor theGlobal Privacy Control signal.
Canada — Implied Consent Model
- Law: PIPEDA + CASL (anti-spam law)
- Model: Implied consent for non-essential cookies (with notification); express consent for marketing
- Quebec: Quebec Law 25 (2023) requires express consent, closer to EU model
Brazil — General Consent Model
- Law: LGPD
- Model: Consent is one of 10 legal bases; legitimate interest can be used for analytics
- Practice: Cookie banners are common but enforcement is still maturing
Asia-Pacific
| Country | Law | Cookie Model | Notes |
|---|---|---|---|
| Japan | APPI | Opt-out (with 2022 amendments) | Cookie data = personal info when combinable |
| South Korea | PIPA + IT Network Act | Opt-in for marketing | Strict; similar to EU approach |
| China | PIPL | Consent for non-essential | Broad scope; separate consent for sensitive data |
| Australia | Privacy Act 1988 | No specific cookie law | Proposed reforms may change this |
| India | DPDPA 2023 | Consent-based | Still implementing; rules pending |
| Singapore | PDPA | Notification + opt-out | No specific cookie provisions |
| Thailand | PDPA | Consent for non-essential | Similar to GDPR approach |
Other Regions
| Country | Cookie Model | Notes |
|---|---|---|
| Switzerland | Opt-in trending | nDSG + FDPIC guidance; move towards EU alignment |
| Turkey | Consent-based | KVKK 2024 amendments; explicit consent for cookies |
| South Africa | Consent for processing | POPIA; cookies processing personal info need consent |
| Israel | No specific law | General privacy law applies; minimal enforcement |
| UAE | No specific law | DIFC/ADGM have GDPR-like rules for free zones |
| Nigeria | Consent-based | NDPR requires consent for data processing |
Practical Recommendations
- Global audience: Default to EU opt-in model (strictest) to ensure compliance everywhere
- US-only: Implement opt-out with "Do Not Sell" link + GPC support
- EU + US: Use geo-targeted banners — opt-in for EU visitors, opt-out for US visitors
- Use a CMP: A consent management platform handles geo-targeting automatically
- Document your approach: Record why you chose your consent model for each jurisdiction
Next Steps
Check if your current cookie banner meets the requirements for your audience's countries.PrivacyChecker scans your cookie consent banner for compliance issues, detects all cookies on your site, and verifies that non-essential cookies don't load before consent.