Cookie Compliance Laws Explained: How To Write a Website Cookie Policy in 2026

If your website uses cookies, you may be legally required to tell visitors — and get their consent. Here's how compliance works around the world.
We receive compensation from the products and services mentioned in this story, but the opinions are the author's own. Compensation may impact where offers appear. We have not included all available products or offers. Learn more about how we make money and our editorial policies.

Cookies are small text files stored in the web browser that help websites remember visitor data. Despite how common they are, cookies make many internet users uneasy. The idea of websites "remembering" you — storing login details, tracking browsing habits, or sharing data with third parties — raises real questions about privacy. 

Those concerns are widespread but don't always translate into careful behavior. Our cookies survey found that 1 in 4 people blindly accept cookies without reviewing what they're agreeing to — which is precisely why cookie compliance laws require websites to make those disclosures clear and meaningful in the first place.

Cookie compliance requirements vary significantly depending on where you and your users are located. Read on for a breakdown of how the rules work across different regions, what your website needs to do to comply, and how to put a cookie policy together.

In this article
How do you comply with cookie law?
What is cookie compliance?
The European Union cookie laws
The United Kingdom cookie laws
Australia cookie laws
Canada cookie laws
Cookie laws in the United States
Bottom line
FAQs

How do you comply with cookie law?

To bring your website into compliance with the EU cookie law, you'll need to take a few steps. 

  • First, you should perform a "cookie audit" to determine which cookies you are using and what data they track. There are many programs that provide cookie audits.
  • Next, install a cookie banner on your site. A cookie banner is just a message that informs visitors to your site that you're using cookies.
  • You should also spell out, in clear, easy-to-understand terms, exactly what each cookie on your site does. Link to a page with this information on the cookie's terms or settings - for example, make a clickable link saying "More Information" or "Find Out More".
  • If you're providing an "opt-out" option, make sure it's simple for users to opt out of cookies at any time. 

However, you don't have to inform users about, or obtain consent for, cookies deemed strictly necessary for your site to function. For example, a shopping cart cookie is something users expect when they're on an e-commerce site, so the normal rules of cookie compliance don't apply to these cookies.

Cookie policy must-haves

  1. Users must know you're using cookies
  2. Users must know precisely what cookies you're using and what they do
  3. Users must have the option to use your website even if they don't want to use all of your cookies
  4. You must store users' consent to having cookies installed

It's really that simple!
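The steps above (audit which cookies you set, tell visitors what each one does, block non-essential cookies until the visitor agrees, store the consent record, and make withdrawal as easy as opt-in) map onto a small piece of front-end logic. The following is an added example, not code from the article or from any product it mentions. The cookie registry, cookie names and categories are constructed for illustration, and the cookie store is injected so the same logic can wrap `document.cookie` in a browser or an in-memory map offline:

```javascript
// Added example: a consent-gated cookie layer.
// Cookie names, categories and purposes below are constructed for illustration
// (they would come from your own cookie audit).
const COOKIE_REGISTRY = [
  { name: "session_id", category: "essential", purpose: "Keeps you logged in during your visit" },
  { name: "cart",       category: "essential", purpose: "Remembers items in your shopping cart" },
  { name: "_analytics", category: "analytics", purpose: "Measures page views (anonymous)" },
  { name: "_ads_id",    category: "marketing", purpose: "Personalises advertising across sites" },
];

// The consent record is itself stored in a cookie; it is strictly necessary to honour the choice.
const CONSENT_COOKIE = "cookie_consent";

// store: { get(name), set(name, value), remove(name) } -- a browser wrapper around
// document.cookie or the in-memory jar below. `now` is injectable for testing.
function createConsentManager(store, registry = COOKIE_REGISTRY, now = () => new Date()) {
  const nonEssential = [...new Set(
    registry.filter(c => c.category !== "essential").map(c => c.category))];

  // Must-have 4: the stored record of what the user agreed to, and when.
  function readConsent() {
    const raw = store.get(CONSENT_COOKIE);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch (e) { return null; }
  }

  // Essential cookies are always allowed; anything else needs an explicit "true" for its category.
  // A cookie missing from the audit is refused, so untracked cookies cannot slip in.
  function isAllowed(name) {
    const entry = registry.find(c => c.name === name);
    if (!entry) return false;
    if (entry.category === "essential") return true;
    const consent = readConsent();
    return !!(consent && consent.categories[entry.category] === true);
  }

  // Every cookie the site sets goes through this gate.
  function setCookie(name, value) {
    if (!isAllowed(name)) return false;
    store.set(name, value);
    return true;
  }

  // Records the visitor's choices per category; anything not explicitly accepted is refused.
  // Withdrawal (calling this again with fewer categories) also deletes cookies no longer allowed.
  function recordConsent(choices) {
    const categories = {};
    for (const cat of nonEssential) categories[cat] = choices[cat] === true;
    const record = { version: 1, timestamp: now().toISOString(), categories };
    store.set(CONSENT_COOKIE, JSON.stringify(record));
    for (const c of registry) {
      if (c.category !== "essential" && !categories[c.category]) store.remove(c.name);
    }
    return record;
  }

  // Opt-out is one call, as simple as opting in.
  function withdrawAll() { return recordConsent({}); }

  // Must-have 2: plain-language text for the banner's "More Information" page.
  function bannerText() {
    return registry.map(c => `${c.name} (${c.category}): ${c.purpose}`).join("\n");
  }

  return { isAllowed, setCookie, recordConsent, withdrawAll, readConsent, bannerText, nonEssential };
}

// In-memory store standing in for document.cookie so the example runs outside a browser.
function memoryStore() {
  const jar = new Map();
  return {
    get: k => jar.get(k),
    set: (k, v) => { jar.set(k, v); },
    remove: k => { jar.delete(k); },
    names: () => [...jar.keys()],
  };
}

// Walks through the lifecycle: refused before consent, allowed after, removed on withdrawal.
function demo() {
  const store = memoryStore();
  const cm = createConsentManager(store);
  const before = cm.setCookie("_analytics", "abc"); // false: no consent record yet
  cm.setCookie("session_id", "s1");                  // true: essential, no consent needed
  cm.recordConsent({ analytics: true });             // visitor accepts analytics only
  const after = cm.setCookie("_analytics", "abc");   // true
  const ads = cm.setCookie("_ads_id", "x");          // false: marketing not accepted
  cm.withdrawAll();                                  // analytics cookie is deleted again
  return { before, after, ads, remaining: store.names() };
}
```

In a real page the `store` object would read and write `document.cookie`, and `setCookie` would be the only path any script uses to set a cookie; the tag manager or analytics loader is then invoked only when `isAllowed` returns true for its category.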

How Termly helps with cookie compliance

Termly is a compliance solution that helps you manage your privacy policy, cookie consent, and other compliance requirements. 

Its consent management platform allows you to get consent for cookie usage and personal data collection in line with international privacy laws. Termly will scan your site for all trackers and cookies and will automatically block them based on user consent.

Termly will also generate a cookie policy for you based on your website scan. Termly ensures this policy will stay up to date with the latest privacy laws.


What is cookie compliance?

Cookie compliance refers to the legal requirements that govern how websites must handle cookies — including disclosing their use, explaining what data is collected, and in many cases obtaining user consent before setting non-essential cookies on a visitor's device.

Our research found that fewer than 2 in 5 people feel confident they understand what cookies are and how they work — meaning legalese buried in a privacy policy isn't enough. Compliance laws exist in part to ensure that real people, not just lawyers, can understand what they're consenting to.

Bar chart showing how internet users rate their understanding of cookies

A cookie-compliant website will inform visitors that it uses cookies, explain what types of cookies are in use and what they do, and give users a meaningful choice about whether to accept them. Importantly, users must be able to access the site even if they decline non-essential cookies — and if they change their mind later, opting out should be just as simple as opting in.

Bar chart showing answers to a quiz about what cookies do

We found that 13% of users have no idea what cookies are for. To address user concerns and help people browse with confidence, governments around the world have introduced cookie compliance laws — rules that require websites to be transparent about how they use cookies and give users meaningful control over their data. 

Services like Termly can help website owners meet these requirements with tools including a cookie policy generator, automatic cookie scanning, and a consent management platform.


The specific requirements depend on where your website operates and where your visitors are located. A US-based business that serves EU customers, for example, needs to meet EU standards for those users — not just domestic ones. The sections below break down how cookie compliance works in the EU, UK, Australia, Canada, and the United States.

The European Union cookie laws

The EU pioneered the concept of cookie compliance and still has some of the most rigorous rules in the world. The primary law governing cookies is the ePrivacy Directive (2002) — often called simply "the cookie law" — which, alongside the General Data Protection Regulation (GDPR), governs how websites handle user data.

As experts note, the two laws are distinct: the ePrivacy Directive governs the access part — meaning if you store or retrieve any user data, including a tracking pixel or session ID, you need consent before you even get to GDPR. The GDPR then applies to how that data is processed once it's collected. Most non-EU businesses with EU website traffic need to comply with both.

Under these rules, website operators must obtain users' consent before setting non-essential cookies. Users must be able to access your site even if they decline certain cookies, and they should be able to withdraw consent just as easily as they gave it. Operators must also document and store evidence of received consent.

Note that a proposed ePrivacy Regulation has been in discussion for years but has not yet been passed — the 2002 directive remains the operative cookie law in the EU.

The United Kingdom cookie laws

Although the UK left the EU, it retained similar cookie regulations through the Privacy and Electronic Communications Regulations (PECR). However, the UK is now actively diverging from EU rules following the passage of the Data (Use and Access) Act 2025, which came into law on 19 June 2025.

The key changes under this new legislation include:

  • Broader scope: The rules now extend beyond cookies to cover any form of online tracking, including device fingerprinting and email tracking pixels.
  • New consent exemptions: Websites can now use certain cookies without requiring opt-in consent, including analytics cookies to measure site performance, preference cookies to remember user settings, and security or fraud-detection cookies. However, websites must still clearly inform users and provide a simple opt-out.
  • Significantly higher fines: The maximum penalty for PECR violations has risen from £500,000 to £17.5 million or 4% of annual global turnover — bringing it in line with UK GDPR enforcement.

If you operate a website that targets UK users, you can no longer simply mirror your EU compliance setup and assume it covers the UK. The ICO is updating its guidance to reflect these changes, so it's worth monitoring developments as they unfold through 2025 and 2026.

Australia cookie laws

Australia doesn't have a cookie-specific law, but the Privacy Act 1988 and the Australian Privacy Principles (APPs) apply whenever cookies collect personal information. At minimum, you must inform users that cookies are collecting their data — and if you're collecting sensitive information through cookies or tracking tools, you need to obtain consent first.

Australia's privacy framework has recently undergone its most significant update since the Privacy Act was introduced. The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024 and is now in effect. Key changes relevant to cookie compliance include strengthened enforcement powers for the Office of the Australian Information Commissioner (OAIC) and new transparency obligations for websites using automated decision-making tools.

In November 2024, the OAIC also published guidance clarifying that tracking pixels — not just traditional cookies — fall under the Privacy Act, meaning websites using pixels for ad tracking or analytics must also meet privacy notice and consent obligations. Further reforms are expected as part of a second wave of legislation in the coming years, so Australian website operators should review their cookie and tracking practices proactively.

Canada cookie laws

Canada's federal privacy law, PIPEDA (the Personal Information Protection and Electronic Documents Act), requires that users be informed about cookie usage and consent to it. In practice, this has traditionally been interpreted as "implied consent" — if a user continues browsing your site after being notified that you use cookies, that's generally considered sufficient.

However, the picture is more complex at the provincial level. Quebec's Law 25 (Bill 64), which has been phased in since 2022 and came into full effect in 2023, is significantly stricter. It requires explicit opt-in consent — not just notification — for any cookies that aren't strictly necessary. Websites targeting Quebec residents or that have a meaningful Quebec audience need to meet this higher standard.

If your site reaches Canadian users broadly, it's worth building your consent mechanism to meet Quebec's stricter rules as a baseline, since that approach will also cover you federally.

Cookie laws in the United States

There is no federal cookie law in the United States, but the compliance picture has changed significantly at the state level over the past few years. California has the most comprehensive rules, and its laws apply to any business collecting data from California residents — regardless of where the business is based.

California operates under two overlapping laws:

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA): The CCPA, which took effect in 2020, requires businesses to disclose what data they collect and give consumers the right to opt out of having their data sold. The CPRA (sometimes called CCPA 2.0) expanded these rights further and took effect in 2023. Together, they require websites to obtain consent before setting non-essential cookies on California residents' devices and to provide a clear opt-out mechanism.
  • California Online Privacy Protection Act (CalOPPA): This older law still requires commercial websites to post a privacy policy detailing how information is collected. Since any US commercial website is likely to have California visitors, including your cookie usage in your privacy policy is a practical baseline requirement.

Beyond California, a growing number of states now have their own privacy laws with cookie-related obligations, including Virginia (VCDPA), Colorado, Connecticut, and Texas. While the specifics vary, most require transparency about data collection and the ability for users to opt out of targeted advertising.

Additionally, the Children's Online Privacy Protection Act (COPPA) applies to websites that are directed to children under 13. If your site targets young children, you need verifiable parental consent to use cookies, which, in practice, means most child-directed sites avoid cookies altogether.

If you collect data from consumers in the EU or California, you must comply with the GDPR and CCPA/CPRA, respectively — regardless of where your business is located.

Bottom line

Overall, it's not too difficult to make your website cookie-compliant, especially with tools like Termly that handle the technical setup for you.

If you're in a country that enforces cookie compliance and don't follow the steps above, you'll usually receive a notice to make the necessary changes within a set timeframe. In extreme cases, you might even have to pay a fine.

Even if you're not in a country that requires user consent for cookies, drawing inspiration from their regulations can help ensure visitors to your website see it as transparent and trustworthy.

FAQs

Do I need cookie compliance if my website is based in the US?

Yes, cookie compliance is dictated by where your visitors are located, not by your business. If you plan to have EU visitors, your website must comply with the GDPR and ePrivacy Directive standards. Similarly, if your visitors reside in California, you must adhere to CCPA and CPRA regulations.

What's the difference between a cookie policy and a privacy policy?

A privacy policy is a broader document that explains how your website collects, uses, stores, and shares personal data of any kind. A cookie policy is more specific — it focuses on the cookies your site uses, what each one does, and how visitors can manage or opt out of them. Websites typically need both privacy and cookie policies under the GDPR and CCPA data privacy laws.

What happens if my website isn't cookie compliant?

In most cases, you'll first receive a warning stipulating a deadline for you to make compliance updates. But repeat or egregious violations can result in heavy fines.

Under the GDPR, fines can reach €20 million or 4% of annual global turnover — whichever is higher. 

Author Details
Kate is a Senior Editor at All About Cookies. She has a decade of digital publishing experience and a background in EdTech. As a digital security expert, she leverages her passion for helping people to create authentic, well-researched content on a wide-range of digital privacy and security topics.