Cookies Compliance

A Complete Guide to Cookie Laws

Apr 11, 2025 | Time to read 10 min read
A Complete Guide to Cookie Laws
By purchasing through the links on this page, you are giving us the opportunity to earn a commission. Your support is greatly appreciated!

All websites that use cookies to collect or track the personal data of their site visitors must comply with relevant cookie laws. The usual requirements include informing users about cookie usage, obtaining their consent, and giving the option to opt out.

The EU’s ePrivacy Directive became one of the first comprehensive cookie laws in 2009. However, its requirements were further strengthened by the General Data Protection Regulation (GDPR) in 2018. The regulation defined stricter consent management requirements, setting a standard for other privacy laws across the world.

In this article, we’ll guide you through the importance of cookie laws. We’ll introduce you to their main compliance requirements to help you prevent hefty non-compliance fines and build user trust.

Ensure Shopify cookie law compliance
CheckmarkFree plan available
CheckmarkOne-click setup
Try TinyCookie free

Cookie laws are regulations that require websites to obtain opt-in consent from their users in order to use internet cookies on their devices. One of the most notable cookie laws is the ePrivacy Directive. It went into effect in 2002 as a regulation that ensures data privacy in the European Union (EU).

The reason cookie laws are important is because they give users more control over their data privacy. According to a study by Tableau, 48% of consumers stopped buying from a company if they had privacy concerns. Since cookie laws require consent to be informed, site visitors can easily familiarize themselves with transparent information and provide granular consent.

Although not many regions have cookie laws, they still have privacy regulations or state laws in place that cover the use of cookies. The most notable laws include:

Region

Privacy law

Is cookie consent required?

California, US

California Consumer Privacy Act (CCPA)

❌ (must include a “Do not sell or share my personal information” link)

Connecticut, US

Connecticut Data Privacy Act (CTDPA)

Virginia, US

Virginia Consumer Data Protection Act (VCPDA)

UK

Privacy and Electronic Communications Regulations (PECR)

South Korea

Personal Information Protection Act (PIPA)

Brazil

Brazilian General Data Protection Law (LGPD)

Japan

Act on the Protection of Personal Information (APPI)

✅ (if data is shared with third parties)

Now, let’s look through the different region privacy laws in detail.

US cookie laws

While the US doesn’t have federal laws that regulate cookie usage for websites, many of its state laws govern cookie usage for collecting personal information. Here are some of the privacy laws across the US that deal with cookies and their consent requirements:

  • The California Consumer Privacy Act (CCPA). Updated with the California Privacy Rights Act (CPRA), the law encompasses cookies under the “personal information” definition. It doesn’t require user consent (except for minors), but businesses must allow users to opt out of data selling and sharing.
  • The Connecticut Data Privacy Act (CTDPA). The CTDPA requires obtaining user consent for data collection but users have the right to opt out of it, including when data is used for targeted advertising and profiling purposes.
  • The Virginia Consumer Data Protection Act (VCPDA). The VCPDA regulates the usage of cookies that collect personal data and requires user consent. If your business uses cookies for targeted advertising or profiling, you must allow users to opt out of it.

Whether you’ll need to provide opt-in or opt-out consent depends on the law. While most US privacy laws require explicit and freely given consent, the CCPA doesn’t require consent for processing data (except for minors).

UK cookie law

Cookie usage in the UK is regulated by the Privacy and Electronic Communications Regulations (PECR). It’s similar to the EU’s ePrivacy Directive as it covers similar areas, including electronic communications, cookies, and trackers.

The PECR and the ePrivacy Directive are also similar in compliance requirements. Both regulations require obtaining cookie consent from users before using third-party cookies and providing easy options to opt out.

South Korea’s cookie law

There’s no law in South Korea that covers cookies directly. However, the Personal Information Protection Act (PIPA) handles data processing practices and includes cookies that collect user data. Just like with the GDPR, you must acquire consent for cookie usage.

Brazil’s cookie law

Brazil doesn’t have laws that directly deal with cookies, but it has the Brazilian General Data Protection Law (LGPD). It’s very similar to the GDPR in terms of requirements for cookies. You need to inform users about cookie usage and obtain informed and clear consent.

Japan’s cookie law

Like many other regions, Japan doesn’t have cookie laws, only the Act on the Protection of Personal Information (APPI). This act regulates cookies that can collect personal information used to identify a person. Consent is only required if the collected data is being shared with a third party.

The ePrivacy Directive (ePD) was first introduced in 2002 and amended in 2009. It became known as the “EU cookie law” because it focused on enhancing privacy for users on websites that use cookies.

However, the original ePD document didn’t mention cookies – they were introduced in the amendment. That’s because prior to cookie law and data protection regulations like the GDPR, websites used cookies carelessly and often without informing users about it.

So, the EU cookie law’s main goal was to make businesses more transparent about cookie usage and obtain consent. Users are given more control over their privacy and better understand what and how their personal data is used.

The GDPR was influenced by the ePrivacy Directive and helped set stricter standards for user data protection and privacy. The regulation focuses on any personal data that can be used to identify a user, which includes the data collected using cookies. However, it also has more specific requirements. They include:

  • Strict consent. According to the GDPR, “consent must be freely given, specific, informed and unambiguous.” So, the website must inform users about cookie usage and obtain consent through affirmative action.
  • Cookie management. GDPR Article 7 states if consent shall be given for multiple matters, the user must give distinguishable consent for them. In terms of cookies, this usually refers to cookie consent management – letting users choose what types of cookies to consent to.
  • Consent proof. The GDPR Article 7 also requires keeping records of user consent for compliance proof.

You can learn more about the main GDPR requirements in our GDPR compliance checklist.

Since the EU cookie law requires obtaining user consent for cookies, one of the most popular ways to do it is with a cookie banner. It’s easy to implement and is usually the first thing users see on a website. Here are the main ePrivacy Directive requirements you need to know:

  • Inform users about the use of cookies as soon as they enter the site
  • Provide users with a way to give consent that would involve affirmative action, like an “Accept” button
  • Allow users to manage which types of cookies they want to accept
  • Avoid pre-ticking boxes in the cookie management window
  • Make opting out of cookie usage as easy as it was to consent, like adding a “Reject” button
  • Record and store user consent in a secure place for compliance proof
  • Block third-party cookie usage until the user grants consent
  • Treat the “close” button or continuing scrolling as a cookie rejection (they do not constitute an affirmative action)
  • Avoid using cookie walls as users have the right to non-discrimination for not giving their consent
Adopt a custom cookie banner on Shopify
Checkmark7-day free trial
CheckmarkCustomizable
Try TinyCookie

How does Shopify navigate cookie law compliance?

Being one of the biggest eCommerce platforms, Shopify understands that its client stores leverage cookies for different purposes. That's why Shopify cookie law compliance isn't challenging to achieve. Here's how you can implement cookie banners on the platform:

  1. Shopify's cookie banner. The platform gives you a basic cookie banner functionality that lets you edit the content and provide granular consent.
  2. Cookie banner app. Dedicated Shopify cookie banner apps, like TinyCookie, are more customizable, letting you create a design that fits your brand. You may also leverage translations so all users are aware of what they're agreeing to and record consent.
  3. Theme cookie banner. Some themes come with a premade cookie banner but it's usually very basic and not always compliant. Make sure you test if the banner is customizable and allows granular consent or keeps records of user consent.

As the ePrivacy Directive was amended in 2009, it pushed website owners to obtain user consent for using cookies. However, the requirements left a lot for interpretation.

Fast forward to 2018, the GDPR came into effect with more precise rules that also apply to cookies that collect personal data. For example, website owners must provide clear choices for users and consent has to be informed and unambiguous.

This led to the widespread adoption of cookie banners and pop-ups. They provided an easy setup method even for non-tech website owners thanks to consent management platforms (CMPs). 

Here’s an example of what a cookie banner made with TinyCookie on Shopify looks like:

TinyCookie cookie banner example

Cookie banners also created a straightforward way to implement requirements, including:

  • Informing users about cookie usage
  • Adding “accept cookies” and rejection buttons
  • Allowing granular consent
  • Providing links to legal documents, like the cookie policy

The ePrivacy Directive doesn’t specify fine sizes – it’s set by the EU member state that enforces it. However, it’s often enforced together with the GDPR.

For minor violations that didn’t cause any harm to users, businesses may just get a warning. Other GDPR fines and penalties include:

  • Fine for non-severe violations – up to €10 million, or 2% of the firm’s global annual revenue (whichever is higher)
  • Fine for severe violations – up to €20 million, or 4% of the firm’s global annual revenue (whichever is higher)
  • Ban on processing (in case of unlawful data practices)

Meanwhile, the CCPA fines may seem lower at first but they can quickly add up to hundreds of thousands or even millions since they’re counted per violation. The fine sizes include:

  • Fine for non-intentional violations – up to $2,500 per single violation
  • Fine for intentional violations – up to $7,500 per single violation

Cookie law compliance can be challenging at first glance but it’s quite straightforward once you get a hang of it. So, here are the main cookie law requirements:

1. Conduct a cookie audit. Check what cookies your website uses and understand their types to provide transparent information and manage consent effectively. You can perform a cookie audit using a cookie scanner (like TinyCookie on Shopify) or check it manually through your browser’s developer tools.

2. Write a cookie policy. You need to write a cookie policy explaining what cookies, for how long, and for what reason you’re using. You can use a free generator, like the Shopify privacy policy generator, to save time.

3. Adopt a cookie banner. Add a cookie banner on your website and customize it to fit compliance requirements. This includes adding consent approval and rejection buttons, transparent information about cookie usage, and cookie management options.

Cookie banner example

4. Store user consent. You must keep records of user consent in one secure place in case you need proof of compliance.

Add a free Shopify cookie banner
× Enlarged Image

Frequently asked questions

If your organization has a website or mobile app that uses cookies to collect personal data, you must comply with relevant cookie laws. Cookie laws and privacy regulations are usually extraterritorial, meaning they protect users in the region where the law was passed.

For example, if you operate your website in the US but collect the data of EU users, you must comply with the ePrivacy Directive and GDPR.

Cookie law compliance is essential for every business because it ensures higher transparency by providing information on how user data is used, building consumer trust. It also helps avoid the large fines that come with non-compliance.

To write an effective and compliant cookie policy, include the following information:

  • The definition of the term “cookies”
  • A list of cookies used on your website (including their purpose and duration)
  • Information on how to manage cookie consent
  • Company contact details

About the author
Kristina Jaruseviciute
Kristina Jaruseviciute
Kristina is a Senior Writer at TinyCookie, where she specializes in providing educational content for readers interested in web cookies and compliance. She covers an extensive scope of subjects, from cookie types, definitions, and tutorials to compliance tips for website owners.