Every country treats cookies differently. Some demand explicit permission before a single tracking pixel loads; others only ask that visitors have a way to say no after the fact. If your website attracts traffic from more than one jurisdiction, a single consent banner configured for one market will not cut it. This guide maps the major privacy regimes by consent model and explains what each one requires.

Opt-In vs Opt-Out: Two Fundamentally Different Models

Before diving into specific countries, it helps to understand the two dominant consent models that shape cookie consent worldwide.

Opt-in means you must get a visitor's active, informed agreement before setting any non-essential cookies. No pre-ticked boxes, no implied consent from continued browsing. The cookie does not fire until the visitor clicks Accept. This is the model used across the European Union, the UK, Brazil, and several Asian jurisdictions.

Opt-out means cookies can load by default, but visitors must have a clear, accessible way to refuse. The US state privacy laws follow this approach, requiring a "Do Not Sell or Share My Personal Information" link rather than prior consent. The practical difference is significant: under opt-in regimes, your analytics data collection starts at zero until someone agrees; under opt-out, it starts at full and shrinks as visitors decline.

European Union: The Strictest Opt-In Regime

All 27 EU member states plus the three EEA countries (Norway, Iceland, Liechtenstein) enforce opt-in consent for non-essential cookies. The legal foundation is Article 5(3) of the ePrivacy Directive, which requires prior consent before storing or accessing information on a user's device. The GDPR then defines what counts as valid consent: freely given, specific, informed, and unambiguous.

Enforcement intensity varies between member states, though the baseline requirements are identical. France's CNIL is the most active enforcer on cookie-specific violations. In September 2025, the CNIL fined Google EUR 325 million and SHEIN EUR 150 million for placing cookies without valid consent - the largest cookie-related penalties ever issued. Over 2025 as a whole, the CNIL imposed EUR 486 million in cookie and tracking fines, a ninefold increase on 2024's EUR 55 million total.

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has also ramped up enforcement. In April 2025, it warned 50 organisations - online retailers, media companies, insurers - for misleading cookie banners or placing tracking cookies without consent. The DPA now monitors roughly 10,000 Dutch websites annually and plans to warn 500 organisations per year.

| EU Requirement | What It Means in Practice |
| --- | --- |
| Prior opt-in consent | No non-essential cookies fire until the visitor actively agrees |
| Granular choice | Visitors must be able to accept or reject cookie categories separately |
| Equal prominence | The Reject button must be as visible and accessible as Accept |
| No dark patterns | Manipulative design that nudges visitors toward acceptance invalidates consent |
| Revocable consent | Withdrawing consent must be as easy as giving it |

United Kingdom: PECR and the Data Use and Access Act

The UK GDPR and the Privacy and Electronic Communications Regulations (PECR) currently require opt-in consent for non-essential cookies, mirroring the EU approach. The ICO reviewed the UK's top 1,000 websites throughout 2025 and reported by year-end that over 95% met its cookie compliance standards, up from a much lower baseline. Websites that failed initial checks received warning letters, and 17 cases escalated to preliminary enforcement notices.

The Data Use and Access Act 2025, which received Royal Assent in June 2025, introduced five narrow exemptions for low-risk cookies. Core analytics and advertising cookies still require prior consent, but strictly functional cookies such as those for website security or load balancing gained clearer exemptions. PECR penalty caps also rose to align with UK GDPR levels - up to GBP 17.5 million or 4% of global turnover.

Businesses operating in both the EU and UK face potentially divergent regimes, making multi-site consent management more complex as the UK edges toward a slightly lighter approach than the EU.

United States: Opt-Out with a Patchwork of State Laws

The US has no federal cookie law. Instead, a growing patchwork of state privacy laws governs how websites handle tracking data. By January 2026, over 20 states had enacted comprehensive privacy statutes, with Indiana, Kentucky, and Rhode Island joining the list on 1 January 2026.

The dominant model is opt-out. Cookies can load by default, but visitors must have a clear mechanism to refuse data sales or sharing. California's CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" link and mandates that websites honour Global Privacy Control (GPC) browser signals automatically.

California remains the strictest US jurisdiction, with the CPPA wielding full enforcement power and civil penalties of USD 7,500 per intentional violation. Sensitive data - health, financial, geolocation, minors' data - requires opt-in consent in most state laws, even where the general model is opt-out.

Brazil: LGPD and Mandatory Portuguese-Language Consent

Brazil's LGPD follows an opt-in consent model for non-essential cookies, borrowing heavily from the GDPR's structure. Consent must be free, informed, and unambiguous, and can be revoked at any time. The LGPD also recognises legitimate interest as a legal basis, though it does not extend to marketing cookies aimed at profiling or behavioural advertising without explicit consent.

The ANPD (Brazil's data protection authority) has intensified enforcement through targeted audits in 2025 and 2026, focusing on pre-ticked boxes, grouped consent without purpose-specific options, and failure to honour withdrawal requests. Portuguese-language consent interfaces are mandatory for websites targeting Brazilian users - a requirement that trips up many international businesses that assume an English-language banner is sufficient.

Canada: PIPEDA, CASL, and Provincial Variations

PIPEDA governs most of Canada's private-sector data handling. It allows implied consent for low-risk, well-explained purposes but requires express consent for anything sensitive or unexpected. Canadian regulators also treat cookies as "computer programs" under CASL. CASL deems consent for a cookie where the person's conduct makes it reasonable to believe they consent, so the practical baseline for non-essential cookies is clear disclosure plus a working way to refuse before they are set.

Quebec's privacy law (Law 25) adds a stricter layer, requiring express opt-in. The safest approach for websites serving Canadian visitors is to treat non-essential cookies as requiring opt-in, especially in Quebec.

Asia-Pacific: Rapid Regulatory Growth

Asia-Pacific is the fastest-moving region for privacy legislation, with several major economies introducing or tightening cookie-related rules.

India's Digital Personal Data Protection Act (DPDPA) is phased in through May 2027, with Consent Manager registration opening in November 2026. Only locally incorporated companies meeting minimum net worth criteria qualify as registered Consent Managers - a requirement that effectively excludes most foreign consent management platforms. Consent notices must be available in English or any of the 22 languages listed in the Eighth Schedule to India's Constitution, and consent must be as easy to withdraw as to give.

China's Personal Information Protection Law (PIPL) mandates separate, explicit consent for tracking and profiling. Cross-border data transfers require security assessments, and the Cyberspace Administration of China conducts high-profile audits with severe penalties.

Japan's APPI requires consent before providing personal data to third parties and restricts cross-border transfers, though its cookie requirements are less prescriptive than the EU model. Singapore's PDPA requires consent for the collection, use, and disclosure of personal data, with a "Do Not Call" registry and practical guidance on cookies from the Personal Data Protection Commission.

Middle East and Africa

The UAE's PDPL (in force since 2023) broadly requires consent for processing personal data, including data collected through cookies. South Africa's POPIA follows an opt-in model similar to the GDPR, with the Information Regulator progressively increasing enforcement. Other African nations are drafting privacy frameworks, though most lack cookie-specific rules.

Quick Reference: Cookie Consent Models by Region

| Region / Country | Consent Model | Key Law | Enforcement Trend (2025-2026) |
| --- | --- | --- | --- |
| EU / EEA (30 countries) | Opt-in | GDPR + ePrivacy Directive | Heavy - CNIL EUR 486M in 2025 fines alone |
| United Kingdom | Opt-in | UK GDPR + PECR | Active - ICO reviewed top 1,000 sites |
| United States (20+ states) | Opt-out | CCPA/CPRA, state laws | Growing - coordinated multi-state enforcement |
| Brazil | Opt-in | LGPD | Intensifying - ANPD targeted audits |
| Canada | Implied / Express | PIPEDA + CASL | Moderate - Quebec stricter (opt-in) |
| India | Opt-in | DPDPA (phased to 2027) | Emerging - Consent Manager registration Nov 2026 |
| China | Explicit consent | PIPL | Heavy - CAC conducts audits |
| Japan | Consent for third parties | APPI | Moderate |
| Singapore | Consent | PDPA | Moderate |
| UAE | Consent | PDPL | Growing |
| South Africa | Opt-in | POPIA | Maturing |

How to Handle Multi-Country Compliance

A banner that works for US opt-out requirements will violate EU opt-in rules. The practical solution is geo-targeted consent - a CMP that detects visitor location and serves the correct consent model per jurisdiction. If geolocation fails, default to the strictest applicable standard (typically EU opt-in).

Three essentials: run a cookie scan to identify every cookie your site sets, configure your banner to block non-essential cookies until consent is granted in opt-in jurisdictions, and keep auditable consent records that prove consent was collected correctly.
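The following is an added example, not Kukie.io's code and not from any CMP: a small consent gate in JavaScript that ties together the points above and the GPC requirement from the US section. It picks the consent model from the visitor's country, falls back to opt-in whenever geolocation fails or returns an unmapped country, reads the Global Privacy Control signal from either the `Sec-GPC` request header or `navigator.globalPrivacyControl`, and only then releases the script tags for each cookie category. Everything here is assumed for illustration: ISO 3166-1 alpha-2 country codes, a stored consent record shaped `{analytics, marketing}`, tags registered with `type="text/plain"` and a `data-category` attribute, and the two-category split of analytics (first-party) versus marketing (shared with third parties).

```javascript
// Added example (not Kukie.io's code): jurisdiction-aware consent gate.
// Assumed: ISO 3166-1 alpha-2 codes, consent record {analytics, marketing},
// GPC carried as "Sec-GPC: 1" or navigator.globalPrivacyControl === true.

const EU_EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE',             // EU-27
  'NO', 'IS', 'LI', // EEA
]);
const OTHER_OPT_IN = new Set(['GB', 'BR', 'ZA', 'IN', 'CN', 'CA']); // CA: treat all of Canada as opt-in (Quebec Law 25)
const OPT_OUT = new Set(['US']);

// Choose the consent model. A missing or unmapped country falls back to the
// strictest model, so a geolocation failure never loosens the gate.
function consentModelFor(country) {
  const c = (country || '').toUpperCase();
  if (!c) return 'opt-in';
  if (EU_EEA.has(c) || OTHER_OPT_IN.has(c)) return 'opt-in';
  if (OPT_OUT.has(c)) return 'opt-out';
  return 'opt-in';
}

// Detect GPC server-side (request header, name is case-insensitive) or
// client-side (navigator property).
function gpcSignalled({ headers = {}, navigator = {} } = {}) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc' && String(value).trim() === '1') return true;
  }
  return navigator.globalPrivacyControl === true;
}

// Assumed category split: marketing cookies share data with third parties
// ("sell or share"), analytics here means first-party measurement only.
const CATEGORIES = {
  essential: { sharesWithThirdParties: false },
  analytics: { sharesWithThirdParties: false },
  marketing: { sharesWithThirdParties: true },
};

// Decide which categories may fire. `consent` is the visitor's stored choice
// record, or null/undefined when they have not interacted with the banner.
function allowedCategories({ model, consent, gpc }) {
  const allowed = { essential: true }; // strictly necessary cookies never need consent
  for (const [cat, meta] of Object.entries(CATEGORIES)) {
    if (cat === 'essential') continue;
    const choice = consent ? consent[cat] : undefined;
    if (model === 'opt-in') {
      allowed[cat] = choice === true;       // starts at zero, explicit yes required
    } else {
      let on = choice !== false;            // starts at full, shrinks on refusal
      if (gpc && meta.sharesWithThirdParties) on = false; // GPC = opt-out of sale/share
      allowed[cat] = on;
    }
  }
  return allowed;
}

// Tags are registered as type="text/plain" so the browser does not run them;
// this returns the ids of the ones the gate permits to be switched to JS.
function tagsToActivate(tags, allowed) {
  return tags.filter((t) => allowed[t.category] === true).map((t) => t.id);
}

// One call per page view: visitor = { country, consent, headers, navigator }.
function decide(visitor) {
  const model = consentModelFor(visitor.country);
  const gpc = gpcSignalled(visitor);
  const allowed = allowedCategories({ model, consent: visitor.consent, gpc });
  return { model, gpc, allowed };
}

// Constructed sample inputs (not real traffic).
const SAMPLE_TAGS = [
  { id: 'session', category: 'essential' },
  { id: 'ga4', category: 'analytics' },
  { id: 'ads-pixel', category: 'marketing' },
];
const SAMPLE_VISITORS = [
  { country: 'FR', consent: null },                                // EU, no banner interaction yet
  { country: 'US', consent: null, headers: { 'Sec-GPC': '1' } },   // California visitor with GPC on
  { country: undefined, consent: { analytics: true, marketing: true } }, // geolocation failed
];
for (const v of SAMPLE_VISITORS) {
  const d = decide(v);
  console.log(v.country ?? 'unknown', d.model, tagsToActivate(SAMPLE_TAGS, d.allowed));
}
```

Two design points worth noting. The fallback is to opt-in, not opt-out, because a failed geolocation lookup on an EU visitor is a consent violation while the reverse only costs some analytics data. And GPC is honoured even when no consent record exists, which is the CCPA/CPRA expectation: the signal is itself the opt-out, and the visitor should not have to find the "Do Not Sell or Share" link to make it count.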

Frequently Asked Questions

Do US websites need a cookie banner?

There is no federal US law requiring a cookie banner, but over 20 state privacy laws require opt-out mechanisms when cookies are used to sell or share personal information. If your site uses advertising or analytics cookies that share data with third parties, you likely need at least a "Do Not Sell or Share My Personal Information" link plus GPC signal recognition.

Which countries require opt-in cookie consent?

All EU and EEA member states, the UK, Brazil, South Africa, India (under the DPDPA), and China (under the PIPL) require some form of opt-in consent for non-essential cookies. Canada's Quebec province also mandates express opt-in.

Can I use a single cookie banner for all countries?

Technically yes, but it would need to meet the strictest standard - EU opt-in with granular category controls. This works for compliance but may reduce consent rates among visitors from less regulated regions who find the banner unnecessarily complex. Geo-targeted banners that adapt by jurisdiction perform better for both compliance and user experience.

What happens if my website does not comply with another country's cookie law?

Most privacy laws apply based on where the visitor is located, not where the website is hosted. The GDPR, LGPD, and PIPL all have extraterritorial scope, meaning they can apply to foreign websites that process data of their residents. Penalties vary but can reach 4% of global annual turnover under the GDPR and UK GDPR.

Are analytics cookies treated differently from marketing cookies?

Under most opt-in regimes, both analytics and marketing cookies require consent. The UK's Data Use and Access Act 2025 introduced limited exemptions for certain low-risk analytics cookies, and the ICO may further relax enforcement in this area. The EU, however, continues to require prior consent for analytics cookies unless they are configured to be strictly anonymous and first-party only, as some DPAs allow for audience measurement tools meeting specific criteria.

Start Managing Cookie Consent Across Borders

If your website attracts visitors from multiple countries, a single-region consent setup leaves compliance gaps. Kukie.io detects visitor location, serves the correct consent model per jurisdiction, and blocks non-essential cookies until consent is granted where required.

Start Free - Scan Your Website