Cookies Law: What Website Owners Must Know in 2026
Learn what the cookies law requires for your website. Covers EU ePrivacy, GDPR, and global cookie law rules with compliance steps and penalties.
The cookies law governs how websites collect, store, and use data through cookies and similar tracking technologies. If your website sets any cookies beyond those strictly necessary for basic functionality, you are almost certainly subject to cookie law requirements in at least one jurisdiction.
This guide explains what the cookies law requires, which laws apply depending on your audience, how to achieve compliance, and what happens when you get it wrong. This content is educational and does not constitute legal advice. Consult a qualified attorney for guidance specific to your business.
What Is the Cookies Law?
The cookies law is not a single statute. It is a collection of regulations across multiple jurisdictions that control how websites use cookies and comparable tracking technologies such as pixels, local storage, and device fingerprinting.
The term most commonly refers to the EU's ePrivacy Directive (Directive 2002/58/EC), specifically Article 5(3), which states that storing or accessing information on a user's device requires prior informed consent unless the cookie is strictly necessary to provide a service the user requested. The GDPR (Regulation 2016/679) reinforces this by requiring a lawful basis for processing personal data that cookies collect.
In practical terms, the cookies law requires three things from website operators:
- Transparency: Tell visitors what cookies your site uses, what data they collect, and why
- Consent: Obtain freely given, specific, informed, and unambiguous consent before placing non-essential cookies
- Control: Give visitors the ability to accept, reject, and withdraw consent at any time
A website that drops analytics or advertising cookies before a visitor has actively consented violates the cookies law, regardless of whether a consent banner is displayed.
Key Cookie Law Regulations by Region
Multiple laws create cookie compliance obligations depending on where your visitors are located. Understanding which laws apply to your site is the first step toward compliance.
EU ePrivacy Directive
Article 5(3) of the ePrivacy Directive is the original cookie law. It requires clear and comprehensive information about cookie usage and prior consent before non-essential cookies are set. Each EU member state has transposed this directive into national law, which means enforcement varies. France's CNIL, Ireland's DPC, and Italy's Garante have been among the most active enforcers.
The proposed ePrivacy Regulation, intended to replace the directive, has been under negotiation since 2017 and remains unfinished as of 2026. The directive still applies.
GDPR (EU and EEA)
The GDPR does not specifically mention cookies, but it governs the personal data that cookies collect. Under Articles 6 and 7, consent must be freely given, specific, informed, and unambiguous. Article 7(3) requires that withdrawing consent be as easy as giving it. The European Data Protection Board (EDPB) has issued guidelines confirming that cookie walls, which block access unless all cookies are accepted, generally do not produce valid consent.
Penalties under the GDPR for cookie-related violations can reach up to 20 million EUR or 4% of global annual turnover, whichever is higher.
UK PECR and UK GDPR
After Brexit, the UK retained equivalent rules through the Privacy and Electronic Communications Regulations (PECR) and the UK GDPR. The requirements mirror the EU framework: informed consent before non-essential cookies, a clear opt-out mechanism, and transparent cookie information. The ICO enforces these rules and can issue fines up to 17.5 million GBP.
California (CCPA/CPRA)
California's cookie law takes a different approach. The CCPA and its amendment, the CPRA, do not require opt-in consent for cookies. Instead, they give consumers the right to opt out of the sale or sharing of personal information, which includes data collected through advertising cookies and tracking pixels. Websites must provide a "Do Not Sell or Share My Personal Information" link if they use cookies that qualify as selling or sharing data.
Violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation under CCPA enforcement.
Brazil (LGPD)
Brazil's Lei Geral de Protecao de Dados requires a legal basis for processing personal data, including data collected through cookies. Consent is one of several valid bases. The ANPD (Brazilian data protection authority) has published guidance confirming that cookie banners and policies are expected for websites targeting Brazilian users.
Other Jurisdictions
South Africa's POPIA, Canada's PIPEDA, Japan's APPI, and South Korea's PIPA all include provisions that affect cookie usage. The trend globally is toward requiring consent or at minimum transparency for non-essential cookies.
What Cookies Require Consent
Not every cookie on your site requires consent. The ePrivacy Directive creates a narrow exemption for cookies that are strictly necessary to deliver a service the visitor explicitly requested.
Cookies exempt from consent
- Session cookies that maintain a logged-in state
- Shopping cart cookies in e-commerce stores
- Load balancer cookies that distribute server traffic
- CSRF tokens that protect form submissions
- Cookies that store the visitor's own consent preferences
Cookies that require consent
- Analytics cookies: Google Analytics, Matomo, Hotjar, and similar tools that track visitor behavior
- Advertising cookies: Google Ads, Meta Pixel, LinkedIn Insight, and retargeting platforms
- Social media cookies: Share buttons, embedded content, and social login widgets
- Functional cookies: Language preferences, theme settings, and region selectors (these are debated, but the safer approach is to require consent)
If you are unsure whether a specific cookie requires consent, the safe default is to treat it as requiring consent. Regulators have consistently interpreted the "strictly necessary" exemption narrowly.
How to Comply With the Cookies Law
Compliance with cookie law involves several concrete steps. Cutting corners on any of them creates enforcement risk.
Step 1: Audit your cookies
Before you can disclose your cookies, you need to know what they are. Scan your website to identify every cookie and tracking technology in use, including those set by third-party scripts. Record each cookie's name, domain, purpose, category, and expiration period.
Manual audits are unreliable because third-party scripts frequently update the cookies they set. Automated scanning tools provide a more accurate and current picture. TermsBox's compliance scanner can identify cookies across your site and categorize them automatically.
Step 2: Create a cookie policy
A cookie policy is a standalone document that lists all cookies your site uses, explains their purpose, identifies the third parties involved, and describes how visitors can manage their preferences. It must be linked from your consent banner and accessible from your site footer.
Your cookie policy should include:
- A plain-language definition of cookies
- A table or list of all cookies organized by category
- The name, purpose, provider, and duration of each cookie
- The legal basis for each cookie category (consent or strictly necessary exemption)
- Instructions for managing cookies through your consent tool and browser settings
- Your contact information and last updated date
Step 3: Implement a consent banner
A consent management platform (CMP) or cookie consent banner is the mechanism through which visitors give or withhold consent. Under the cookies law, the banner must meet specific standards:
- Present accept and reject options with equal prominence
- Not use pre-ticked checkboxes or default-on toggles for non-essential cookies
- Not load non-essential cookies before the visitor makes a choice
- Allow granular consent by cookie category (analytics, marketing, functional)
- Record proof of consent for compliance documentation
Banners that use dark patterns, such as making the "accept all" button visually dominant while hiding the reject option, have been specifically targeted by regulators. The CNIL, EDPB, and ICO have all published guidance rejecting manipulative consent interfaces.
Step 4: Block cookies until consent is given
Technical implementation matters as much as the banner design. Your site must not fire non-essential cookies or tracking scripts until the visitor has actively consented. This requires script-level blocking, where analytics and advertising tags only load after consent is recorded for their category.
Cookie Policy Generator
Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.
Generate NowMany consent tools support tag management integration, allowing you to control which scripts fire based on consent status. Without this blocking mechanism, your consent banner is cosmetic and does not satisfy the cookies law.
Step 5: Document and maintain compliance
Keep records of your consent rates, cookie audits, and policy updates. Regulators expect you to demonstrate that your consent mechanism works correctly and that your cookie inventory is current. Automated rescanning on a regular schedule helps ensure your policy does not fall out of date when third-party scripts change.
Common Cookies Law Violations
Enforcement actions and regulatory guidance reveal patterns of non-compliance that website operators should avoid.
Pre-loaded cookies
Setting analytics or advertising cookies before the visitor interacts with the consent banner is the most common violation. The cookie law requires that non-essential cookies are blocked until consent is obtained, not merely until the banner is dismissed.
Cookie walls
Blocking access to website content unless the visitor accepts all cookies generally does not produce valid consent under the GDPR. The EDPB's guidelines state that consent must be freely given, which means the visitor must have a genuine choice. Some regulators allow cookie walls in limited circumstances (paid alternatives), but the safest approach is to avoid them.
Missing reject option
A consent banner that offers only an "accept" button, with no equally accessible option to decline, does not meet the standard for informed consent. The CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 partly because their cookie banners required multiple clicks to reject cookies while offering a single click to accept.
Outdated cookie inventories
Your cookie policy must accurately reflect the cookies currently on your site. If you add a new third-party integration that sets its own cookies, your policy needs to be updated before those cookies go live. Regulators have cited inaccurate cookie policies as evidence of non-compliance.
Ignoring non-EU laws
Websites that focus exclusively on EU cookie law compliance while ignoring CCPA, LGPD, or PECR requirements face risk from multiple directions. A site serving visitors in California must provide a "Do Not Sell or Share" mechanism in addition to a consent banner for EU visitors.
Cookie Law and Your Privacy Policy
Your cookie policy and privacy policy are related but distinct documents. The privacy policy covers all personal data processing across your business. The cookie policy focuses specifically on cookies and tracking technologies.
Under the GDPR, your privacy policy must reference cookies as a data collection method and link to your detailed cookie policy. Under the CCPA, your privacy policy must disclose categories of personal information collected, which includes cookie-collected data, and explain the consumer's right to opt out.
Best practice is to maintain both documents and cross-link them. Your consent banner should link directly to the cookie policy, and your cookie policy should reference your privacy policy for broader data processing details.
Cookies Law Enforcement Trends
Cookie law enforcement has accelerated significantly since 2020. Understanding the direction of enforcement helps prioritize compliance efforts.
European regulators have shifted from warnings to substantial fines. The CNIL's 2022 enforcement actions against Google and Facebook for cookie consent violations totaled 210 million EUR. The Italian Garante has issued guidelines requiring that reject buttons be on the first layer of the consent banner, not hidden behind a "manage preferences" link.
The trend toward automated enforcement is growing. Some regulators now use web crawlers to check cookie compliance at scale, flagging sites that load tracking cookies before consent is given. This means that technical compliance, not just having a banner, is what matters.
In the United States, the CCPA has been joined by state-level privacy laws in Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and others. Several of these laws include specific cookie and tracking provisions. The patchwork of state laws makes compliance more complex for sites serving U.S. visitors across multiple states.
Steps to Stay Compliant Long Term
Cookie law compliance is not a one-time project. Websites change, third-party scripts update, and new regulations take effect.
- Scan regularly: Run automated cookie scans at least monthly to catch new cookies introduced by updated third-party scripts
- Review your policy quarterly: Ensure your cookie policy reflects your current cookie inventory
- Monitor regulatory updates: Follow guidance from the EDPB, CNIL, ICO, and your relevant national authority
- Test your consent mechanism: Verify that non-essential cookies are actually blocked when a visitor declines consent
- Train your team: Ensure developers understand that adding a new analytics or marketing tool requires updating the cookie policy and consent configuration
- Keep consent records: Store proof of consent with timestamps, consent version, and the categories accepted
TermsBox provides automated cookie scanning and a consent management platform that handles cookie detection, categorization, and consent collection across jurisdictions, reducing the manual burden of ongoing compliance.
Frequently Asked Questions
What is the cookies law?
The cookies law refers to a set of legal requirements that regulate how websites use cookies and similar tracking technologies. In the EU, it originates from Article 5(3) of the ePrivacy Directive (2002/58/EC), which requires informed consent before placing non-essential cookies on a visitor's device. The GDPR reinforces these rules by requiring a lawful basis for processing personal data collected through cookies. Similar laws exist in the UK, California, Brazil, and other jurisdictions.
Do all websites need to comply with cookie law?
Any website that uses cookies and is accessible to visitors in jurisdictions with cookie legislation must comply. This includes the EU, UK, California, Brazil, South Africa, and several other regions. Even if your business is based outside these areas, serving visitors from regulated jurisdictions triggers compliance obligations. The only websites exempt are those that use no cookies at all, which is rare.
What cookies are exempt from consent under the cookies law?
Strictly necessary cookies are exempt from the consent requirement under the ePrivacy Directive. These include session cookies that maintain login state, shopping cart cookies, load balancer cookies, CSRF protection tokens, and cookies that store the visitor's consent preferences. The exemption is narrow: the cookie must be essential for providing a service the visitor explicitly requested. Analytics, advertising, and functional preference cookies all require consent.
What are the penalties for violating cookie law?
Penalties vary by jurisdiction. Under the GDPR, violations related to cookie consent can result in fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher. The French CNIL fined Google 150 million EUR and Facebook 60 million EUR for cookie consent violations in 2022. Under California's CCPA, violations carry penalties of $2,500 per unintentional violation and $7,500 per intentional violation. The UK ICO can issue fines up to 17.5 million GBP.