Cookies are tiny text files that have become the connective tissue of the modern web — powering shopping carts, remembering preferences, measuring campaign performance and feeding the targeting engines that finance most of the open internet. They are also the single most regulated piece of front-end code on your website. If you build or market digital products that reach users across borders, the cookie banner is no longer a checkbox; it is a legal interface that determines whether you can lawfully run analytics, retargeting, A/B tests or even some session-management features.
This guide explains, in practical terms, what developers and marketers must understand about cookie law in the European Union, North Africa and the United States — and how to ship a site that is compliant, performant and trusted.
1. Why Privacy Laws Exist and Why Cookies Are at the Centre
Modern privacy laws — from the EU's GDPR to California's CPRA — rest on a simple premise: personal data belongs to the person it describes. Cookies and similar technologies (local storage, pixels, SDKs, fingerprinting) routinely collect identifiers that, alone or combined, can identify a user. Regulators therefore treat most non-essential cookies as personal-data processing, with all the consent, transparency and security duties that implies.
Types of cookies and the consent rule
- Strictly necessary (login, cart, CSRF tokens, load balancing) — no consent required, but must still be disclosed.
- Functional / preference (language, dark mode) — consent usually required in the EU.
- Analytics / performance (Google Analytics, Hotjar) — consent required in the EU under the ePrivacy Directive; some "low-risk" first-party analytics now allowed in the UK under the Data (Use and Access) Act 2025 with an opt-out.
- Marketing / advertising (Meta Pixel, Google Ads, retargeting) — explicit, opt-in consent required in the EU/UK; opt-out treatment in most US states.
2. The European Union: GDPR + the ePrivacy "Cookie Law"
The General Data Protection Regulation (GDPR), in force since 25 May 2018, governs all processing of EU residents' personal data. Its scope is extraterritorial under Article 3: any organisation worldwide that offers goods or services to people in the EU, or monitors their behaviour, falls within reach — whether or not it has an EU office.
GDPR's six lawful bases (consent, contract, legal obligation, vital interests, public task, legitimate interests) sit alongside a tight catalogue of data-subject rights (access, rectification, erasure, portability, objection, restriction, rights around automated decisions). Personal data breaches must be reported to the competent supervisory authority within 72 hours of the controller becoming aware of them.
The ePrivacy Directive (2002/58/EC, amended in 2009) — informally the "cookie law" — sits on top of GDPR for electronic communications. Article 5(3) is the operative cookie rule: information may be stored on or read from a user's device only with prior, informed consent, with a narrow exemption for cookies "strictly necessary" to deliver a service the user has requested. The European Commission formally withdrew the long-stalled ePrivacy Regulation in February 2025, so the Directive (as transposed by each member state) remains the law for the foreseeable future. Crucially, the ePrivacy Directive operates outside GDPR's "one-stop-shop" — meaning national regulators such as France's CNIL can sanction a global company directly for cookie violations affecting their citizens.
GDPR penalties: the headline numbers
Article 83 sets a two-tier maximum: up to €10 million or 2% of global annual turnover for procedural violations, and up to €20 million or 4% of global annual turnover for breaches of core principles, consent, data-subject rights or international transfers — whichever is higher. According to the DLA Piper GDPR Fines and Data Breach Survey (January 2026), cumulative GDPR fines since 2018 have exceeded €7.1 billion, with €1.2 billion issued in 2025 alone; Ireland's Data Protection Commission accounts for roughly €4.04 billion of the cumulative total.
Notable enforcement actions:
- Meta — €1.2 billion (Irish DPC, 22 May 2023) for unlawful EU-to-US Facebook data transfers under Standard Contractual Clauses post-Schrems II — the largest GDPR fine ever issued.
- Amazon — €746 million (Luxembourg CNPD, 2021) for unlawful behavioural-advertising processing.
- TikTok — €530 million (Irish DPC, 2 May 2025) — €485 million for unlawful transfers of EEA user data accessible from China and €45 million for transparency failures. A €345 million fine had already been imposed in September 2023 over children's data.
- Uber — €290 million (Dutch AP, 2024) for transferring European drivers' data to US servers without appropriate safeguards.
- Google — €325 million and SHEIN — €150 million (CNIL, 3 September 2025) for cookie-consent failures: cookies dropped before consent, "reject all" not honoured, and asymmetric "six clicks to refuse vs two to accept" patterns. CNIL also ordered penalty payments of €100,000 per day of continued non-compliance.
3. The United Kingdom Post-Brexit
The UK GDPR, sitting alongside the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), is substantively close to EU GDPR. The European Commission renewed the UK's adequacy decision on 19 December 2025, extending it to 27 December 2031.
The Data (Use and Access) Act 2025 (DUAA), whose main data-protection provisions commenced on 5 February 2026, introduces a new "recognised legitimate interest" lawful basis, codifies "stop the clock" rules for subject access requests, narrows automated-decision-making restrictions, and — critically — aligns PECR penalties with UK GDPR, raising the cap to £17.5 million or 4% of global turnover. It also permits a narrow set of "low-risk" analytics cookies without prior consent, provided users can opt out.
4. North Africa: A Fast-Maturing but Uneven Landscape
North African regulators are catching up rapidly. Each country still has distinct procedural quirks that developers and marketers must respect.
Tunisia — Law No. 2004-63 (and the 2025 reform)
Tunisia was the first Arab and Maghreb country to enact a comprehensive data-protection law and the 51st state to accede to Council of Europe Convention 108 (November 2017). Organic Act No. 2004-63 requires written consent, prior declaration of processing to the INPDP, and explicit authorisation for sensitive data and cross-border transfers. Penalties include up to one year of imprisonment and a TND 5,000 fine for unauthorised foreign transfers. A modernised Fundamental Bill on the Protection of Personal Data (2025), comprising 123 articles and explicitly aligned with GDPR and Convention 108+, was examined by the Assembly of People's Representatives' Rights and Freedoms Committee but has not yet been adopted as of early 2026. Enforcement remains modest but real: in July 2023 the INPDP referred approximately 30 cases to the public prosecutor for processing without prior declaration.
Morocco — Law 09-08 and the CNDP
Law 09-08 (2009) is enforced by the Commission Nationale de contrôle de la protection des Données à caractère Personnel (CNDP). All processing must be declared in advance; sensitive data and international transfers require prior authorisation. Sanctions range from MAD 10,000 to MAD 300,000, plus three months to two years of imprisonment, with fines doubling for repeat offences. In 2025 the CNDP shifted from education to enforcement — issuing public warnings (notably after the April 2025 CNSS social-security breach by threat actor "Jabaroot DZ," which exposed the personal data of 1,996,026 employees according to Resecurity's verified analysis) and rolling out compliance roadmaps starting with healthcare (~3,000 pharmacists) and extending to banking, insurance, telecoms and e-commerce.
Egypt — Law No. 151 of 2020 (PDPL)
Egypt's first comprehensive privacy law entered into force on 17 October 2020 and is among the most stringent globally, with criminal sanctions. Fines run from EGP 100,000 to EGP 5 million; sensitive-data or unlawful-transfer offences can attract imprisonment of three to six months. The Executive Regulations (Prime Ministerial Decree No. 816 of 2025) were issued on 1 November 2025, beginning a one-year grace period before full enforcement around 1 November 2026. The law applies extraterritorially to any organisation processing data of individuals located in Egypt; the Personal Data Protection Center's guidelines confirm consent must be explicit, in Arabic, separated from general terms, and require a clear affirmative action.
Algeria — Law 18-07 and the 2025 Amendment
Law No. 18-07 of June 2018 became enforceable on 10 August 2023 and is policed by the ANPDP. Most processing requires prior declaration; sensitive data and cross-border transfers require authorisation. Law No. 25-11 of 24 July 2025 modernised the regime: mandatory Data Protection Officers, processing registers, Data Protection Impact Assessments, a five-day breach-notification deadline, and expanded ANPDP oversight. Sanctions reach DZD 1,000,000 and up to five years' imprisonment. The ANPDP began its first private-sector field inspections on 28 February 2024 but has yet to publish named fines.
5. The United States: A Patchwork, Not a Federal Law
The US has no federal omnibus privacy law. According to the IAPP Westin Research Center, 19 states (20 counting Florida's narrower law) had comprehensive consumer privacy laws in effect as of January 2026, with Indiana, Kentucky and Rhode Island joining on 1 January 2026. Most follow an opt-out model — the opposite of the EU's opt-in default.
- California CCPA/CPRA — Enforced by the California Privacy Protection Agency. Civil penalties up to $2,500 per violation or $7,500 per intentional violation or violation involving a minor; per-consumer accumulation can scale into the millions. California requires honouring the Global Privacy Control (GPC) browser signal.
- Virginia VCDPA — Effective 1 January 2023; AG-only enforcement, $7,500 per violation.
- Colorado CPA — Effective 1 July 2023; recognises Universal Opt-Out Mechanisms; cure period expired 1 January 2025.
- Texas TDPSA — Effective 1 July 2024; no revenue threshold (small-business exemption only), penalties up to $25,000 per violation. Texas filed its first TDPSA enforcement action against Allstate/Arity in January 2025 over precise geolocation data from 45+ million drivers.
- COPPA (federal) — Strict parental-consent rules for sites knowingly collecting data from children under 13; the FTC published final amendments in April 2025.
Note also the Texas Attorney General's $1.4 billion settlement with Meta in July 2024 over biometric violations — a reminder that state-level enforcement now reaches GDPR-style amounts.
6. Other Notable Regimes
Brazil's LGPD mirrors GDPR closely; the ANPD can fine up to 2% of Brazilian revenue, capped at BRL 50 million per violation. The European Commission adopted Brazil's adequacy decision (Implementing Decision (EU) 2026/179) on 26 January 2026 — described by Commissioner Michael McGrath as creating "the world's largest area for safe, cross-border data flows, covering over 670 million people." Canada's PIPEDA applies to commercial activities and retains EU adequacy. China's PIPL imposes penalties up to 5% of annual revenue and has GDPR-like extraterritorial scope, with significant data-localisation obligations.
7. Why Compliance Is a Business Asset, Not Just a Cost
- Market access. You cannot lawfully operate in the EU/EEA without GDPR compliance. Adequacy and self-certification (e.g., the EU-US Data Privacy Framework, adopted 10 July 2023) literally unlock cross-border data flows.
- Trust and conversion. 2025 consumer research finds that 76% of consumers would switch brands for meaningful transparency about data practices, and Deloitte separately reports that trusted companies see customers spend roughly 50% more on connected products and services.
- Data quality. Consented data is cleaner, better attributed and usable in modelling without legal risk.
- Avoiding fines and reputational damage. The CNIL's "six clicks to refuse vs two to accept" finding against Google shows that even minor UX asymmetries are now expensive.
- Competitive advantage. Enterprise buyers increasingly require GDPR/CCPA attestations during procurement.
8. Practical Implementation for Developers and Marketers
Geo-aware consent
Detect the user's location at the edge and serve the appropriate banner: opt-in granular consent for EU/UK/EEA, opt-out "Do Not Sell or Share" for California and similar US states, opt-in for Brazil, and a Convention-108-style notice for Tunisia, Morocco, Egypt and Algeria. If you cannot reliably geolocate, default to the strictest standard.
Use a certified Consent Management Platform (CMP)
A CMP captures, stores and signals user choices. For ad-funded sites in the EEA or UK, you must use a Google-certified CMP that supports IAB Europe's Transparency & Consent Framework (TCF) v2.2 — without it, Google AdSense, AdMob and Ad Manager will not serve personalised ads. Pair this with Google Consent Mode v2, which uses the ad_storage, ad_user_data, ad_personalization and analytics_storage signals to adjust tag behaviour to the user's choice — and, in "advanced" mode, recovers modelled conversions from non-consenting users without setting identifiers.
Run a cookie audit
Inventory every cookie, pixel and SDK; classify by purpose; identify the controller and the legal basis; document retention. Re-run quarterly and whenever you add a tag.
Don't load non-essential scripts before consent
Tags like Meta Pixel, GA4 or TikTok Pixel must be gated behind the consent state. Use Google Tag Manager's Consent Initialization trigger and the built-in consent commands rather than hand-rolled IF statements.
Log consent with timestamps
Store the consent string, version, IP hash, user agent, banner version and timestamp — the burden of proof is on the controller. IAB TCF strings and Google's Additional Consent (AC) string make this auditable out of the box.
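The geo-aware defaults, the four Consent Mode v2 signals, tag gating and consent logging described in this section, as one added example that is not the article's own code. It assumes the edge supplies a region label (constructed labels such as 'EU', 'US-CA', 'UNKNOWN'), uses a constructed tag inventory, and stubs gtag() so it runs outside a browser.

```javascript
// Added example, not code from the article: a geo-aware consent gate in the Consent Mode v2
// signals the article names. Assumed: region labels and TAGS are constructed; gtag() is stubbed.
const OPT_OUT_REGIONS = new Set(['US-CA', 'US-VA', 'US-CO', 'US-TX']); // assumed labels
const AD_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization'];
const ALL_SIGNALS = [...AD_SIGNALS, 'analytics_storage'];
const TAGS = [ // constructed inventory: each tag lists the signals it depends on
  { name: 'meta_pixel', requires: AD_SIGNALS },
  { name: 'ga4', requires: ['analytics_storage'] },
  { name: 'session_cookie', requires: [] }, // strictly necessary: no consent needed
];
// Default state before the banner; in a browser gpc = navigator.globalPrivacyControl === true.
function defaultConsent(region, gpc) {
  const state = {};
  if (OPT_OUT_REGIONS.has(region)) {
    // Opt-out jurisdiction: granted until the user objects, but GPC is an opt-out of sale/sharing.
    for (const s of ALL_SIGNALS) state[s] = 'granted';
    if (gpc) for (const s of AD_SIGNALS) state[s] = 'denied';
  } else {
    // Opt-in jurisdiction (EU/UK/EEA, Brazil) or unknown location: everything denied.
    for (const s of ALL_SIGNALS) state[s] = 'denied';
  }
  return state;
}
// Map a banner choice to a consent state; 'manage' denies any signal not explicitly ticked.
function choiceToConsent(choice, preferences = {}) {
  const state = {};
  for (const s of ALL_SIGNALS) {
    if (choice === 'accept_all') state[s] = 'granted';
    else if (choice === 'reject_all') state[s] = 'denied';
    else state[s] = preferences[s] === true ? 'granted' : 'denied';
  }
  return state;
}
// Load a tag only when every signal it depends on is granted.
function gateTags(state, tags = TAGS) {
  return tags.filter(t => t.requires.every(s => state[s] === 'granted')).map(t => t.name);
}
// Record kept to prove consent; meta holds consent string, version, IP hash, UA, banner version.
function consentRecord(state, meta, now = new Date()) {
  return { ...meta, choices: state, timestamp: now.toISOString() };
}
// Page flow: defaults before any tag can fire, then an update once the user decides.
const gtagCalls = []; function gtag(...args) { gtagCalls.push(args); } // stub for real gtag()
function runBanner(region, gpc, choice, preferences) {
  gtag('consent', 'default', { ...defaultConsent(region, gpc), wait_for_update: 500 });
  const updated = choiceToConsent(choice, preferences);
  gtag('consent', 'update', updated);
  return updated;
}
```

In a live page the 'default' call must execute before any tag fires (the Consent Initialization trigger in GTM), and the consent record should be written server-side rather than kept in the browser.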
International transfers
For EU → US, prefer recipients certified under the EU-US Data Privacy Framework; otherwise rely on the 2021 Standard Contractual Clauses with a Transfer Impact Assessment. For transfers to North Africa, China or other non-adequate countries, SCCs (and frequently local authorisations such as INPDP/CNDP/ANPDP approval) are needed.
Privacy policies — multilingual and specific
Cover identity of the controller, purposes, lawful basis, recipients, third-country transfers, retention periods, rights and complaint routes. Egypt's PDPC explicitly requires consent requests in Arabic; France, Italy and Spain expect local-language equivalents; Morocco and Tunisia operate principally in French and Arabic.
9. Sensible Defaults and Best Practices
- Banner with three equally prominent buttons: Accept all, Reject all, Manage preferences. Asymmetry is the most-cited violation in 2024–2025 CNIL decisions.
- Block all non-essential tags by default until consent is given.
- Honour the GPC and any Universal Opt-Out signal automatically.
- Make withdrawal as easy as consent — a persistent "Cookie settings" link in the footer.
- Set realistic cookie lifetimes (≤13 months in line with CNIL guidance).
- Train marketing teams not to deploy pixels through GTM without privacy review.
- Appoint a DPO where required (EU public bodies, large-scale monitoring or sensitive-data processing; Algeria's Law 25-11, Tunisia's draft law and Egypt's PDPL all increasingly require one).
- Review breach playbooks against the 72-hour GDPR window — and the new five-day clock in Algeria's amended law.
Conclusion
Privacy law is no longer a purely European concern. From California's GPC obligations to Tunisia's INPDP declarations and Egypt's incoming PDPL enforcement, the regulatory perimeter now encircles every globally accessible website. The companies that win are those that treat consent as a product surface — engineered, tested, instrumented and respected — rather than as a legal annoyance. Done well, it protects users, unlocks markets and produces better data. Done badly, it produces nine- and ten-figure fines that even the world's largest platforms can no longer absorb quietly.