January 26, 2023

Do You Need A Cookie Notice On Your Website? Here's What You Should Know

If your website uses cookies to collect personal data for processing, chances are that you need a cookie notice.

Whether you need it or not, however, depends on where you operate and where your website visitors are from.

This article will delve into the essentials of cookies and privacy laws. You’ll learn the following:

  • What cookies are, what they mean for online privacy, and why privacy laws regulate them;
  • How to determine what data protection laws apply to your business;
  • What the General Data Protection Regulation (GDPR) requires from website owners;
  • What the California Consumer Privacy Act (CCPA) requires from website owners;
  • How to collect cookie consent properly by installing a cookie consent banner on your website.

What Are Cookies, and Why Are Cookie Laws Enforced?

Cookies are small text files that websites send to users’ devices to collect data. The collected data may sometimes be used to identify a person, and that’s where cookie laws become relevant.

Websites use cookies to collect personal information that can be used to improve website functionality and user experience, collect website analytics data, serve customized ads, let users share website content on social media using social media plugins, and for other reasons.

Cookies may be first-party cookies, which your website sets on users' devices, or third-party cookies, which are set by third parties that have access to your website, such as the ads you place there.

Read our comprehensive article here to learn more about cookies and how they work.

The next step is to determine what data protection laws apply to your website, so you’ll know where to look for the rules.

What Data Privacy Laws Apply to Your Website?

All the data privacy laws worldwide apply to:

  • Businesses that operate within their jurisdiction, and
  • Businesses targeting users in their jurisdiction.

In practice, this means that you must comply with the laws of your country and state and the laws of the countries and states that apply to your website visitors.

If your business is based in Germany and you sell to people in Europe, the US, or Canada, you must comply with the following laws:

  • The GDPR and the German national law, because you are a German entity or individual;
  • The GDPR and the national laws of the European users;
  • The state laws of the US users, if any; and
  • The Canadian laws for interaction with Canadian users.

If you run a website from California and target website visitors throughout the United States, the CCPA and CPRA apply if you meet the thresholds prescribed in the laws. For interactions with users from a state where a statewide privacy law is in place, it applies as long as you meet the requirements for applicability prescribed there.

What Does the GDPR Require from Websites?

The GDPR and the ePrivacy Directive are based on the "opt-in" principle. This means you can't send cookies to users' devices until they give explicit consent that meets GDPR standards.

The GDPR consent requirements mean that the consent must be:

  • Freely given, which means that the consent must not be conditional on anything;
  • Informed, which means that the consent is valid only if you informed users about the details of processing upfront;
  • Specific, which requires obtaining consent for each processing purpose separately, and
  • Unambiguous, which requires you to refrain from using cookies until the user consents through their own unambiguous action. A notice such as "You agree to the use of cookies by browsing this website" is illegal in the European Union and many countries.

GDPR requires prior consent for all the cookies and identifiers that help process personal data but are not essential for the website’s functioning. This includes website performance cookies, functionality cookies, Google Analytics cookies, tracking pixels, and others.

Only essential cookies are allowed without consent, i.e., the cookies without which the website wouldn’t work.

The upcoming ePrivacy Regulation, which would be the new EU cookie law to replace the ePrivacy Directive, may change how GDPR-compliant websites use cookies. Until then, you must comply with the GDPR.

To learn more about what each EU member state requires regarding website cookies, read our one-stop guide to EU cookie guidelines.

What Do the CCPA and CPRA Require from Websites?

CCPA and CPRA are not as strict as the EU cookie laws. They rely on the "opt-out" principle, which means you can use cookies to collect user data until the user opts out of the processing. Moreover, the user can opt out only from the processing for targeted advertising purposes and from the sale or sharing of personal information.

If the CCPA and CPRA apply to you, your website must give site visitors a privacy notice on arrival. The processing must be disclosed to them in the privacy notice. It could also point to the privacy policy page on the website, where users could get detailed information about the processing practices of the website.

CalOPPA, one of California’s privacy laws, requires websites to inform visitors how they react to the "Do Not Track" signals from web browsers. However, website operators are not obliged to comply with such signals.

Here is all you need to know about CPRA consent.

Why Do You Need a Cookie Banner for Your Website?

A cookie banner will help you comply with the applicable data protection laws in a few clicks. Pop-up consent banners are still the best way to collect users’ consent on websites.

Whether you run an e-commerce website, a SaaS, sell courses, or run a blog, you must ask users for consent before setting cookies and other trackers. You must also ensure that your cookie consent solution records consent properly and allows users to adjust their cookie preferences.

The best way to achieve CCPA/CPRA and GDPR compliance regarding cookies is to use a consent management platform like Secure Privacy. Our SaaS is aligned with the IAB Framework and has all the global legal requirements embedded in the solution. It comes with a privacy policy generator, too.