Cookie Consent Requirements

Cookie consent rules vary significantly across jurisdictions. This guide compares the requirements under GDPR, CCPA, and PIPEDA, and provides a practical implementation checklist.

GDPR Cookie Requirements

The EU framework is among the strictest in the world. The ePrivacy Directive (Article 5(3)) requires consent before information is stored on, or read from, a user's device, which covers cookies and similar technologies such as local storage, tracking pixels and device fingerprinting; the GDPR defines what counts as valid consent. Key requirements include:

  • Prior consent required: Non-essential cookies must not be set, and the scripts that set them must not run, until the user has given freely given, specific, informed and unambiguous consent through a clear affirmative action.
  • No pre-ticked boxes: Consent must be an active opt-in. Implied consent from scrolling or continued browsing is not valid.
  • Granular choices: Users must be able to consent to different categories of cookies independently.
  • Easy withdrawal: It must be as easy to withdraw consent as it is to give it.
  • Strictly necessary exemption: Cookies that are essential for the basic functioning of the website (e.g., session cookies, shopping cart) do not require consent.

CCPA Cookie Requirements

The CCPA takes a different approach from the GDPR. Rather than requiring prior consent for cookies, it focuses on transparency and opt-out rights:

  • Opt-out model: Businesses may set cookies by default but must provide a clear opt-out mechanism for the sale or sharing of personal information.
  • "Do Not Sell or Share" link: Websites must display a prominent link allowing consumers to opt out if cookies are used for cross-context behavioural advertising.
  • Honour GPC signals: Under the CCPA regulations (as amended by the CPRA), businesses must treat the Global Privacy Control browser signal as a valid opt-out of sale or sharing. The signal reaches the server as the Sec-GPC: 1 request header and is exposed to page scripts as the navigator.globalPrivacyControl property.
  • Disclosure required: Your privacy policy must disclose what categories of cookies and trackers are used and for what purposes.

PIPEDA Cookie Requirements

PIPEDA's approach to cookies is based on the principle of meaningful consent. The OPC has published guidance on obtaining consent for online tracking:

  • Meaningful consent: Organisations must ensure individuals understand what they are consenting to. A cookie banner should clearly explain what cookies do and why they are used.
  • Implied consent for low-sensitivity: For less sensitive data collection like basic analytics, implied consent (e.g., a notice with an opportunity to opt out) may be acceptable.
  • Express consent for tracking/profiling: Cookies used for detailed profiling, cross-site tracking, or targeted advertising require express (opt-in) consent.
  • Right to withdraw: Individuals must be able to withdraw consent at any time, subject to legal or contractual restrictions.

Implementation Checklist

Display a cookie consent banner on first visit

Show a clear, visible banner that informs visitors about cookie use before any non-essential cookies are set.

Block non-essential cookies until consent is given

Implement prior consent by ensuring analytics, advertising and social media tags are neither loaded nor executed until the user opts in (required in the EU under the ePrivacy Directive and GDPR). Hiding the banner is not enough: a third-party script that is still present in the page will usually set its cookies as soon as it loads. Verify with a fresh browser profile that no non-essential cookies or third-party requests appear before the user accepts.

Provide granular consent options

Allow users to accept or reject cookies by category (e.g., analytics, marketing, functional) rather than offering only an all-or-nothing choice.

Include a clear "Reject All" option

Make it equally easy for users to decline non-essential cookies as it is to accept them. Do not use dark patterns.

Store and manage consent records

Log when consent was given, which categories were accepted or rejected, how it was obtained, and the version of the consent notice that was shown. Treat consent given under an earlier version of the notice as needing renewal when the purposes change. Be prepared to demonstrate valid consent.

Allow users to change their preferences at any time

Provide an accessible way (such as a persistent link in the footer) for visitors to revisit and update their cookie settings.

Keep your cookie inventory up to date

Regularly scan your website for new or changed cookies, especially after deploying third-party scripts or updating integrations.

Tailor the banner to the visitor's jurisdiction

Consider geolocation-based consent flows that apply the EU opt-in rules to EU visitors while showing the notices and opt-out links that California or Canadian visitors need. IP geolocation is imperfect (VPNs, corporate proxies, mobile carriers), so when a visitor's location is uncertain, fall back to the stricter opt-in flow.
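The checklist items above (block until consent, granular categories, honour GPC, versioned consent records, easy withdrawal) fit together in one small piece of client-side logic. The following is an added example written for this page, not Pryvii's product code; the storage key, the notice version string, the script URLs and the category names are hypothetical placeholders, and storage is abstracted so the example runs offline under Node as well as in a browser.

```javascript
// Added example, not Pryvii's code: a minimal consent manager covering prior
// consent, granular categories, GPC handling, versioned consent records and
// withdrawal. Storage key, notice version and script URLs are placeholders.

const CONSENT_KEY = "cookie_consent";  // assumed storage key
const NOTICE_VERSION = "2024-06";      // assumed version of the consent notice text
const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"];

// Scripts to gate behind consent; only the "necessary" one runs unconditionally.
const SCRIPTS = [
  { id: "session", category: "necessary", src: "/static/session.js" },
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Every optional category off: the state before any choice has been made,
// and the state a "Reject All" button should produce.
function noConsent() {
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
}

// Return the stored record, or null when none exists, it is unparsable, or it
// was given against an older notice version (re-prompt instead of reusing it).
function readConsent(storage) {
  const raw = storage.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const record = JSON.parse(raw);
    return record && record.version === NOTICE_VERSION ? record : null;
  } catch {
    return null;
  }
}

// Persist what was consented to, when, and under which notice version.
// A GPC signal is a valid opt-out of sale/share, so "marketing" is forced off
// even if the banner's buttons returned it as true. Unknown keys are ignored.
function recordConsent(storage, choices, { gpc = false, now = () => new Date() } = {}) {
  const accepted = noConsent();
  for (const c of OPTIONAL_CATEGORIES) {
    if (choices[c] === true) accepted[c] = true;
  }
  if (gpc) accepted.marketing = false;
  const record = {
    version: NOTICE_VERSION,
    timestamp: now().toISOString(),
    gpcHonoured: gpc,
    choices: accepted,
  };
  storage.setItem(CONSENT_KEY, JSON.stringify(record));
  return record;
}

// Withdrawal must be as easy as consent: one call resets to "no consent".
function withdrawConsent(storage) {
  storage.removeItem(CONSENT_KEY);
}

// Ids of the scripts allowed to load under the current record.
function permittedScripts(storage) {
  const record = readConsent(storage);
  const choices = record ? record.choices : noConsent();
  return SCRIPTS
    .filter((s) => s.category === "necessary" || choices[s.category] === true)
    .map((s) => s.id);
}

// Inject only permitted scripts. appendScript(src) is passed in so this runs
// under Node; in a page it would create and append a <script> element.
function loadScripts(storage, appendScript) {
  const allowed = new Set(permittedScripts(storage));
  const loaded = [];
  for (const s of SCRIPTS) {
    if (allowed.has(s.id)) {
      appendScript(s.src);
      loaded.push(s.src);
    }
  }
  return loaded;
}

// Read the browser's GPC signal when running in a page; false elsewhere.
// The server sees the same signal as the "Sec-GPC: 1" request header.
function gpcSignal() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// Memory-backed stand-in for window.localStorage so the example runs offline.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

In a real page, pass window.localStorage (or a first-party cookie wrapper) as the storage, call recordConsent with gpc: gpcSignal() when the visitor submits the banner, and call loadScripts on every page load. The gated scripts must not appear in the server-rendered HTML at all; the manager is what adds them, so nothing can run before the record allows it.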

Check Your Compliance Now

Use Pryvii to automatically scan your website and get a compliance score with actionable recommendations.
