Cookie Consent Laws What Websites Must Tell You Before Tracking Your Activity

Quick answer: In the EU and UK, websites must get your permission before placing any non-essential cookies on your device. In the US, the rules are looser most states let sites set cookies first and give you the option to say no afterward. Either way, every cookie banner you see exists because of a law requiring it.

Cookie consent laws 2026 affect nearly every website you visit and yet most people click “Accept All” without a second thought. That pop-up box isn’t a suggestion. It’s a legal requirement in most of Europe and a growing number of US states. But what the law demands depends on where you live and where the website operates.

If a company tracks you through cookies without following the rules, it may face fines reaching millions. And if you’re wondering what GDPR has to do with those pop-ups, here’s what GDPR actually means in plain English.

The Short Version

  • In the EU, the ePrivacy Directive and GDPR work together to require consent before placing non-essential cookies.
  • In the UK, PECR and UK GDPR set similar opt-in rules, with limited new exceptions added in February 2026.
  • In the US, there is no federal cookie law. State laws like California’s CCPA/CPRA follow an opt-out model — cookies load by default, but you can tell sites to stop selling your data.
  • Across all three regions, “strictly necessary” cookies (those keeping a website functional) are generally exempt.

What Cookie Consent Laws Actually Require Under the Law

The EU: ePrivacy Directive + GDPR

The ePrivacy Directive formally Directive 2002/58/EC, amended in 2009 created the cookie consent requirement most people recognize today. It’s often called the “EU Cookie Law.”

In practice, websites must get your informed, freely given consent before placing any cookie that isn’t strictly necessary. Analytics trackers, advertising pixels, and social media cookies all require a “yes” from you first.

The GDPR (in effect since 2018) doesn’t mention cookies by name, but it treats them as personal data when they can identify a user. So any cookie that tracks your behavior falls under GDPR rules too.

What counts as valid consent under both laws? Pre-ticked boxes don’t count you have to actively click something. Scrolling or continuing to browse is not consent, as the Court of Justice of the EU confirmed in 2019. “Accept All” and “Reject All” must be equally visible hiding “Reject” behind extra clicks isn’t valid. And you must be able to withdraw consent just as easily as you gave it.

Each EU country translates the Directive into its own national law, so enforcement varies. France’s CNIL is famously strict in September 2025, it fined Google €325 million and Shein €150 million in a single day for cookie violations. The proposed ePrivacy Regulation that would have created uniform EU-wide rules was formally withdrawn in February 2025 after eight years of stalled negotiations.

The UK: PECR + UK GDPR

After Brexit, the UK kept its own version of cookie law through the Privacy and Electronic Communications Regulations (PECR) and UK GDPR.

The rules are similar to the EU: websites need your consent before setting non-essential cookies. But the Data (Use and Access) Act 2025, which came into force on 5 February 2026, introduced three new exceptions where consent is not needed:

  • Statistical purposes cookies used solely to measure how visitors use a website, as long as the data is only used by the site operator to improve the service.
  • Appearance preferences cookies that remember display settings like dark mode or language selection.
  • Emergency assistance cookies used to determine a user’s location for emergency services.

Even with these new exceptions, marketing and advertising cookies still require full opt-in consent in the UK.

The same Act raised the maximum fine for PECR violations from £500,000 to £17.5 million or 4% of global annual turnover matching UK GDPR penalties. The ICO (Information Commissioner’s Office) finalized its updated cookie guidance on 29 April 2026 and has been actively monitoring top UK websites for compliance since 2023.

The US: State-by-State Rules

The United States has no federal cookie law. Instead, privacy is covered by a patchwork of state laws, and the approach is fundamentally different from Europe.

Most US state privacy laws follow an opt-out model. That means websites can set cookies by default when you visit, but they must give you a clear way to say “stop” particularly if cookies are used to sell or share your personal data with third parties.

The most significant state law is California’s CCPA, as amended by the CPRA. These laws require websites to display a “Do Not Sell or Share My Personal Information” link and honor Global Privacy Control (GPC) signals sent by browsers. Opt-in consent is required before selling or sharing data of children under 16. Violations can result in fines of $2,500 per unintentional violation and $7,500 per intentional violation with each affected consumer counted separately.

Other states including Colorado, Virginia, Texas, and Minnesota have their own opt-out requirements, but none require EU-style opt-in cookie consent for adult visitors.

Real-World Examples

Scenario 1: A French news website. A cookie banner shows two equally visible buttons: “Accept All” and “Refuse All,” plus a “Customize” option. No cookies load until you choose. This follows the CNIL’s strict interpretation of the ePrivacy Directive and GDPR.

Scenario 2: A US e-commerce site from California. The site loads cookies immediately. A small banner at the bottom links to “Do Not Sell or Share My Personal Information.” Clicking it stops the site from sharing your browsing data with advertisers. This follows the CCPA opt-out model.

Scenario 3: A UK company website after February 2026. The site sets a cookie to remember your language preference without asking that’s now allowed. But before any advertising trackers activate, a consent banner asks for your permission with “Accept” and “Reject” buttons given equal weight. This follows the updated PECR rules.

What People in This Situation Typically Do

Many privacy-conscious users take these steps to control cookie tracking:

  1. Read the cookie banner before clicking. Look for a “Reject All” or “Manage Preferences” option instead of clicking “Accept All” out of habit.
  2. Check browser settings. Most modern browsers let you block third-party cookies by default. Firefox and Safari already do this automatically.
  3. Enable Global Privacy Control. If you’re in California or another US state with opt-out rights, the GPC browser setting sends an automatic “do not sell” signal to every site you visit.
  4. Clear cookies regularly. Under the ePrivacy Directive, persistent cookies are not supposed to last longer than 12 months but some stick around much longer unless you clear them manually.
  5. Try a privacy-focused browser or extension. Brave, DuckDuckGo’s browser, and the Privacy Badger extension can block tracking cookies before they load.

Tools That Can Help

  • Browser-level cookie controls Firefox, Brave, and Safari offer built-in tracker blocking at no cost, working across any website without extra setup.
  • Privacy Badger (free, from the EFF) A browser extension that learns to block invisible trackers based on their behavior.
  • Global Privacy Control A browser setting that sends an automatic opt-out signal to every website. Sites covered by the CCPA/CPRA must honor it.

Related Articles

Frequently Asked Questions

Can I refuse cookies on a website?

Yes. In the EU and UK, websites must give you a way to reject non-essential cookies that is just as easy as accepting them. A site offering only an “Accept” button without an equally visible “Reject” option is not compliant under GDPR or PECR. In the US, most sites let you opt out of cookies that sell or share your data, though other cookies may load by default.

Are cookie banners required by law?

In the EU, the ePrivacy Directive (2002, amended 2009) requires websites to inform users and get consent before setting non-essential cookies and a cookie banner is the most common way to do this. In the UK, PECR requires the same. In the US, cookie banners are not explicitly required by law, but they are the most practical way for businesses to meet notice and opt-out obligations under state laws like the CCPA/CPRA.

What happens if a site doesn’t have a cookie banner?

If a website targets EU or UK visitors and tracks them without consent, it may be violating the ePrivacy Directive, GDPR, or PECR. Penalties reach up to €20 million or 4% of global revenue under GDPR, and up to £17.5 million or 4% of turnover under PECR (as of February 2026). In the US, enforcement focuses more on whether sites give consumers a way to opt out of data sales.

Do cookie consent laws apply to US websites?

US websites don’t need to follow EU-style opt-in rules unless they serve visitors from the EU or UK. If a site places tracking cookies on European visitors, GDPR and the ePrivacy Directive may apply regardless of the company’s location. Within the US, state laws like California’s CCPA/CPRA require disclosure and opt-out mechanisms, but prior consent is generally not needed for adult visitors.

Understanding cookie consent laws 2026 isn’t just about closing pop-ups faster. These laws exist to give you a real say in who tracks your activity online. Whether you’re browsing from Paris, London, or Los Angeles, the rules differ but the core principle is the same: websites owe you transparency about what data they collect and how they use it.

This article is for educational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change frequently. For advice specific to your situation, consult a qualified attorney.

Sources & Further Reading

Leave a Comment