Cookie Compliance: Which Privacy Law Applies to You?
Three major privacy laws govern how websites use cookies. GDPR requires opt-in. CCPA requires opt-out. PIPEDA requires meaningful consent. Here is what each one means for your website.
Which Cookie Consent Law Do You Need to Follow?
Most websites need to comply with more than one framework. Start with where your visitors are located.
Our cookie banner handles all three frameworks automatically. Build once, comply everywhere.
What Does Each Privacy Law Require for Cookies?
Each law takes a different approach to cookie consent. Here is what matters for your website.
GDPR
General Data Protection Regulation · European Union / EEA
The strictest cookie consent law in the world. If anyone in the EU visits your site, GDPR applies to you regardless of where your business is based. Requires explicit opt-in before any non-essential cookies load.
- Explicit opt-in consent required before cookies load
- Right to withdraw consent at any time
- Cookie banner must not use dark patterns
- Granular consent by cookie category required
Consent Model
Opt-in
Users must actively consent before any non-essential cookies are set. Pre-checked boxes and implied consent are not valid.
Maximum Fines
Up to €20M or 4% of global annual revenue
Applies When
Any EU/EEA visitor accesses your site
CCPA / CPRA
California Consumer Privacy Act · California, USA
California's privacy law uses an opt-out model for cookies. Cookies can load by default, but you must provide a "Do Not Sell or Share" link and honor Global Privacy Control signals from browsers.
- "Do Not Sell or Share My Personal Information" link required
- Must honor Global Privacy Control (GPC) browser signals
- Right to know what data is collected and request deletion
- No pre-consent needed but opt-out must be available
Consent Model
Opt-out
Cookies can load by default, but users must be able to opt out of data sale and sharing at any time.
Maximum Fines
Up to $7,500 per intentional violation
Applies When
For-profit business serves CA residents and meets revenue or data thresholds
PIPEDA
Personal Information Protection and Electronic Documents Act · Canada
Canada's federal privacy law requires meaningful consent for collecting personal information through cookies. Quebec's Law 25 adds GDPR-like opt-in requirements for Quebec residents.
- Meaningful consent required (not just a click)
- Quebec Law 25 requires GDPR-like opt-in consent
- Bilingual support (EN/FR) recommended for Quebec
- Enforced by the Office of the Privacy Commissioner
Consent Model
Meaningful consent
Users must understand what they are consenting to. Implied consent is acceptable for non-sensitive data with clear notice.
Maximum Fines
Up to $100K per violation (PIPEDA) / $25M or 4% (Quebec Law 25)
Applies When
Commercial activities across Canada
GDPR vs CCPA vs PIPEDA: Cookie Requirements Compared
See how the three major privacy frameworks differ at a glance.
| Requirement | GDPR | CCPA | PIPEDA |
|---|---|---|---|
| Consent Model | Opt-in (explicit) | Opt-out | Meaningful consent |
| Cookie Banner Required? | Yes | Recommended (Do Not Sell link required) | Yes |
| Pre-consent Blocking | Yes | No | Depends on sensitivity |
| Right to Withdraw | Yes | Yes | Yes |
| GPC Signal Required | No | Yes | No |
| Maximum Fines | Up to €20M / 4% | Up to $7,500/violation | Up to $100K / $25M (QC) |
| Applies To | Any site with EU visitors | Businesses meeting CA thresholds | Canadian commercial activity |
Cookie Compliance FAQ
Common questions about privacy laws and cookie consent requirements.
Which privacy law applies to my website?
It depends on where your visitors are located, not where your business is. If you have visitors from the EU, GDPR applies. If you serve California residents and meet revenue or data thresholds, CCPA applies. If you conduct commercial activity in Canada, PIPEDA applies. Most websites with international traffic need to comply with multiple laws simultaneously.
Do I need a cookie banner if my website only uses analytics?
Under GDPR, yes. Analytics cookies like Google Analytics are non-essential and require explicit opt-in consent before loading. Under CCPA, analytics cookies generally do not trigger the "Do Not Sell" requirement unless the data is shared with third parties. Under PIPEDA, implied consent with clear notice may be sufficient for basic analytics.
Can one cookie banner comply with all three laws?
Yes. A well-configured cookie banner can detect visitor location and apply the correct consent model automatically. EU visitors get opt-in (GDPR), California visitors get opt-out with Do Not Sell (CCPA), and Canadian visitors get meaningful consent (PIPEDA) with opt-in for Quebec. Our banner handles this geo-detection automatically.
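How the region-to-consent-model logic described above can be expressed in code, as an added example that is not the banner's own implementation: the region code format ("DE", "US-CA", "CA-QC"), the category names, the `shares` flag and the fallback to opt-in for unknown regions are assumptions of this example; the three models, the GPC handling and the essential-cookie exemption follow the page.

```javascript
// Added example: a consent-policy resolver for the three models this page describes
// (GDPR opt-in, CCPA opt-out honoring GPC, PIPEDA meaningful consent with Quebec opt-in).
// Region codes, category names and the unknown-region fallback are assumptions.
const EEA = new Set(["AT","BE","BG","HR","CY","CZ","DK","EE","FI","FR","DE","GR","HU",
  "IE","IT","LV","LT","LU","MT","NL","PL","PT","RO","SK","SI","ES","SE","IS","LI","NO"]);

// Non-essential categories; `shares` marks those treated as "sale or sharing" under CCPA.
const CATEGORIES = { analytics: { shares: false }, marketing: { shares: true } };

// Picks the consent model from a constructed region code such as "DE", "US-CA", "CA-QC".
function consentModel(region) {
  const [country, sub] = region.toUpperCase().split("-");
  if (EEA.has(country)) return "opt-in";                                // GDPR
  if (country === "US" && sub === "CA") return "opt-out";               // CCPA / CPRA
  if (country === "CA") return sub === "QC" ? "opt-in" : "meaningful";  // Law 25 vs PIPEDA
  return "opt-in"; // assumption: apply the strictest model when the region is unknown
}

// Reads the Global Privacy Control signal from the browser API or a lowercased
// Sec-GPC request header (header names are assumed to be lowercased by the caller).
function gpcSignal(nav = {}, headers = {}) {
  return nav.globalPrivacyControl === true || headers["sec-gpc"] === "1";
}

// Decides which cookie categories may be set. `choices` holds explicit user decisions
// per category (true/false); a missing key means the user has not decided yet.
function resolveConsent({ region, choices = {}, noticeShown = false, gpc = false }) {
  const model = consentModel(region);
  const allow = { essential: true }; // strictly necessary cookies never need consent
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    const explicit = choices[name];
    if (model === "opt-in") {
      allow[name] = explicit === true;                  // nothing loads until granted
    } else if (model === "opt-out") {
      // loads by default; a user opt-out or a GPC signal on a sharing category blocks it
      allow[name] = explicit !== false && !(gpc && meta.shares);
    } else {
      // PIPEDA: implied consent only after clear notice; an explicit refusal always wins
      allow[name] = explicit === true || (explicit === undefined && noticeShown);
    }
  }
  const undecided = Object.keys(CATEGORIES).some((c) => choices[c] === undefined);
  return { model, allow, showBanner: undecided, doNotSellLink: model === "opt-out" };
}
```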
What happens if I do not have a cookie banner?
The consequences depend on the law. GDPR fines can reach 20 million euros or 4% of global revenue. CCPA penalties are up to $7,500 per intentional violation, and each consumer interaction can be a separate violation. PIPEDA violations can result in $100,000 CAD fines, and Quebec Law 25 penalties reach $25 million CAD. Beyond fines, non-compliance creates legal liability and damages trust.
Are essential cookies exempt from consent requirements?
Yes, across all three frameworks. Cookies that are strictly necessary for the website to function (session cookies, shopping cart cookies, security tokens, load balancers) do not require consent. However, you must still disclose them in your cookie policy. Analytics, marketing, and advertising cookies are never considered strictly necessary.
Compliance Shouldn't Be Complicated
Our cookie banner detects visitor location and applies the right consent model automatically. GDPR opt-in for Europe. CCPA opt-out for California. PIPEDA meaningful consent for Canada. Build once, stay compliant everywhere.
Build Your Cookie Banner