Cookie compliance refers to adhering to the emerging laws and regulations governing the use of cookies and similar website tracking technologies. These laws aim to protect user privacy and give individuals control over their personal data. Navigating the complex landscape of online cookie compliance, including cookie banners and consent, as well as more nuanced points such as choice architecture, can be overwhelming. As a law firm focused on laws concerning privacy, marketing, e-commerce, and targeted advertising, we provide comprehensive legal services to ensure your website or other digital platforms comply with all relevant cookie consent requirements across various jurisdictions.
Understanding Cookie Compliance
Laws concerning cookies are varied and dynamic, with new regulatory guidance coming out regularly and new laws being passed at a dizzying pace. The relevance of particular laws will depend on the type of business involved and other details, such as the jurisdictions where products or services are offered.
Key Laws and Regulations
European Union and United Kingdom: GDPR
The General Data Protection Regulation (GDPR) in the EU, and its counterpart version in the UK, set strict requirements for cookie consent:
- Explicit Consent: Websites must obtain clear, affirmative consent before setting non-essential cookies.
- Granular Control: Users must be able to accept or reject specific categories of cookies.
- Easy Withdrawal: Consent must be as easy to withdraw as it is to give.
- No Pre-Ticked Boxes: Consent must be actively given, not assumed.
United States: CCPA/CPRA and Numerous Other State Privacy Laws
The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) were the first movers. They, along with the comprehensive privacy laws now in place in several other states, such as Colorado’s Privacy Act (CPA), generally take an opt-out approach to cookies, in contrast to the general opt-in approach required in GDPR jurisdictions:
- Opt-Out Model: Explicit consent is not required for most cookies, though certain kinds of processing, such as when sensitive personal information is involved, may require consent.
- Notice Requirement: Websites must inform users about cookie usage and data collection.
- Right to Opt-Out: Users must have the ability to opt out of the sale or sharing of their personal information.
- Special Rules for Minors: Opt-in consent is required for users under a certain age.
Other Relevant Laws and Considerations
Numerous other relevant laws come into play in the context of cookies, including the following:
- ePrivacy Directive (EU): This complements GDPR with specific rules on electronic communications.
- LGPD (Brazil): Similar to GDPR, LGPD requires consent for cookies.
- PIPEDA (Canada): Emphasizes transparency and user choice in data collection.
- Privacy Rights Compliance: Cookie consent plays an instrumental role in the overall operationalization of compliance with privacy rights.
- Private Actions: Cookie consent can help mitigate risk from private actions based on a variety of legal theories, such as California’s Invasion of Privacy Act (CIPA), among other laws that are being used as a basis for “litigious” complaints.
Our Services
Cookie Audit and Assessment
We conduct thorough audits of your website’s cookie usage to identify compliance gaps and potential risks.
Customized Compliance Strategies
Our team develops tailored strategies to ensure your cookie practices align with relevant laws in your target markets.
Cookie Policy Development
We craft clear, comprehensive cookie policies that explain your data collection practices to users in conjunction with privacy policies and terms and conditions.
Consent Management Solutions
We advise on and help implement appropriate consent management platforms and related data governance tools to meet legal requirements, such as OneTrust, among other vendors.
Ongoing Compliance Monitoring
Our team stays up-to-date with evolving regulations to keep your cookie practices compliant.
Why Choose RICHT?
- Privacy Law Focus: We focus on data privacy and cookie compliance laws.
- Global Perspective: We understand requirements across multiple jurisdictions.
- Practical Solutions: We balance legal compliance with business needs.
- Ongoing Support: We provide continuous guidance as laws and your business evolve.
Cookie compliance is not just about avoiding regulatory enforcement action – it’s about building trust with your users and protecting their privacy. Let us help you navigate this complex landscape and turn compliance into a competitive advantage.

Online Cookie Consent Legal Developments
- Training Marketing Teams on Cookies: Marketing departments must understand the legal distinction between essential and non-essential cookies to ensure compliance. Proper training helps teams balance effective digital tracking with global data privacy regulations. OUR TAKEAWAY: Investing in cross-departmental privacy education mitigates the risk of costly regulatory fines while maintaining marketing efficacy.
- State Privacy Laws, Plaintiffs Target Websites as Danger of ‘Cookie Monsters’ Grows: A surge in class-action litigation is targeting companies over the use of third-party tracking technologies, alleging that “cookie monsters”—unauthorized or undisclosed trackers—violate stringent state privacy laws like the CIPA and CCPA. Legal experts warn that businesses must conduct rigorous audits of their digital footprints to identify hidden data-scraping tools, as plaintiffs’ attorneys increasingly pivot from traditional data breaches to “wiretapping” claims based on how personal information is captured and shared in real time.
- Judge Sides Against Burger King In Suit Over Online Tracking: A California federal judge ruled that a website visitor can proceed with claims that Burger King’s parent company ignored his request to reject tracking cookies and continued sharing his browsing data with third parties like Google, Meta, and Microsoft. The plaintiff alleges the site’s cookie banner promised an effective opt-out from targeted advertising and data sharing, but tracking persisted anyway, amounting to a loss of control over his personal information and an intrusion on privacy. The court found those allegations sufficient to show concrete injury and allowed invasion of privacy and intrusion-upon-seclusion claims to move forward, while dismissing some other causes of action with leave to amend.
- CNIL Fines VanityFair.fr Publisher 750,000 Euros Over Unlawful Cookies: France’s data protection authority CNIL fined LES PUBLICATIONS CONDE NAST 750,000 euros for placing cookies on vanityfair.fr users’ devices without valid consent, in breach of Article 82 of the French Data Protection Act. CNIL found that non-essential cookies were dropped on arrival before any user choice, some trackers were mislabelled as “strictly necessary” without clear purpose information, and “Refuse all” and withdrawal options were ineffective because new consent‑based cookies were still set and existing ones continued to be read. The penalty reflects repeat noncompliance following an earlier order to comply and the large number of affected users, underscoring CNIL’s focus on truthful cookie categorization and working reject/withdrawal mechanisms.
- Dollar Tree Set to Fight Privacy Claims Over False Cookie Banner: Dollar Tree faces a class action lawsuit alleging that its website did not operate an effective cookie banner, violating user privacy expectations. The suit claims that despite users rejecting advertising cookies via the banner, Dollar Tree continued to collect data through these cookies. This lawsuit follows a recent ruling by the U.S. District Court for the Northern District of California, which emphasized the company’s obligation to honor users’ cookie preferences. Dollar Tree is actively contesting these privacy claims as the litigation progresses.
- Why Cookie Governance Keeps CTOs Up at Night: Cookie governance is increasingly a top concern for Chief Technology Officers (CTOs), as managing tracking technologies on digital properties involves complex infrastructure decisions, vendor oversight, and compliance risks. The challenge lies in identifying who owns and controls pixels, managing risks from vendor “piggybacking,” and overseeing agency access, all while staying compliant with aggressive privacy regulations. Failing to govern cookies properly can lead to significant security vulnerabilities, regulatory fines, and operational risks. Effective cookie governance requires clear ownership designation, regular scanning for tracking technologies, robust vendor contracts with cookie governance clauses, and strict control over agency access. CTOs must integrate cookie governance into overall IT and privacy programs to mitigate risks, ensure compliance, and support business needs.
- ICO Review of UK Websites’ Cookie Compliance: What You Need to Know: The UK’s Information Commissioner’s Office (ICO) launched a 2025 campaign assessing the top 1,000 UK websites for compliance with UK GDPR and the Privacy and Electronic Communications Regulations (PECR) regarding cookie usage and consent. The audit targets cookie configurations, adequacy of consent notices, and the availability of lawful withdrawal mechanisms. Key compliance failures include placing non-essential cookies before consent, unequal prominence of accept/reject buttons, and insufficient disclosures. Non-compliance may lead to warning letters, strict deadlines for remediation, and potentially heavy fines up to £17.5 million under UK GDPR or £500,000 under PECR. Organizations must provide clear, informed consent options with an easy-to-use withdrawal process and ensure transparency about cookie use to avoid enforcement.
- Swiss FDPIC Updates Cookie Guidelines: Key Clarifications and Practical Additions: The Swiss Federal Data Protection and Information Commissioner (FDPIC) released an updated version of its cookie guidelines as of January 22, 2025. The update aims to enhance clarity and practical understanding of cookie use under Swiss data protection law. It provides detailed explanations intended to help organizations better comply with consent requirements and transparency obligations, making cookie management more straightforward and legally sound. These clarifications support businesses in aligning cookie practices with evolving privacy standards.
- Closure of the Injunction Issued Against ORANGE: On September 11, 2025, CNIL closed the injunction against ORANGE, originally issued in November 2024 alongside a €50 million fine for placing ads without user consent and continuing to read cookies after consent withdrawal. ORANGE demonstrated compliance by removing first-party cookies upon consent withdrawal and preventing further reading or writing of third-party cookies on its website, though the third-party cookies themselves were not removed from users’ browsers due to lack of direct control. CNIL held that tracking by third-party cookies outside ORANGE’s site exceeded its responsibility and, recognizing ORANGE’s efforts to coordinate with partners, decided not to impose additional fines and closed the injunction.
- Cookies Placed Without Consent: SHEIN Fined €150 Million by CNIL: On September 1, 2025, CNIL imposed a €150 million fine on INFINITE STYLES SERVICES CO. LIMITED, the Irish subsidiary of the SHEIN group, for violations of cookie consent rules on its “shein.com” website. The investigation found that SHEIN placed advertising cookies without user consent upon site arrival, failed to provide clear information on cookie purposes and third-party involvement, and did not allow users to effectively refuse or withdraw consent, resulting in unauthorized cookie placements. The fine reflects the widespread impact on approximately 12 million French users monthly and follows CNIL’s repeated sanctions for similar breaches under the French Data Protection Act and the ePrivacy Directive. SHEIN updated its website during proceedings, avoiding additional compliance orders.
- California Privacy Protection Agency Announces Joint Investigative Privacy Sweep: CA, CO, and CT Investigate Businesses Refusing to Honor Consumers’ Right to Opt-Out of the Sale of Their Personal Information: The California Privacy Protection Agency, along with attorneys general from California, Colorado, and Connecticut, announced a multistate regulatory sweep targeting companies that fail to recognize and honor Global Privacy Control (GPC) signals—browser settings or extensions that enable consumers to opt out of the sale or sharing of their personal information. Businesses refusing to process these opt-out requests face compliance notices and the potential for legal action. This coalition marks an expanded nationwide approach to privacy enforcement, with regulators from California, Colorado, and Connecticut highlighting the significance of honoring consumer privacy signals and warning violators of the need for immediate compliance.
- The ICO’s Cookie Crackdown is Here – Is your site ready? The UK Information Commissioner’s Office (ICO) is actively reviewing the country’s top 1,000 websites for non-compliance with cookie regulations as part of its 2025 online tracking strategy. The ICO is targeting deceptive or missing cookie choices, pre-selected consent options, missing “reject all” buttons, and requiring cookie acceptance for access. Updated guidance makes clear that “consent or pay” models and dropping non-essential cookies before consent are not compliant.
- The Role of Global Privacy Control in a World of Evolving Privacy Laws: We are always looking for things to make our lives just a bit easier, whether through automation, AI, kitchen gadgets, or the new Global Privacy Control (GPC). GPC is a mechanism that addresses an ongoing annoyance for every consumer: the extra step it takes to notify every website of their privacy preferences. It allows users to download a browser extension that will automatically notify websites of the user’s privacy preferences.
- AI Cookie Classification: Compliance Just Got a Whole Lot Easier: Osano’s new AI cookie classification feature is the easy way to do the housework to keep your website’s cookies and scripts compliantly categorized. Researching every cookie on your site could take days, and it needs to be done consistently as your organization’s disparate teams add new cookies and scripts over time.
- Google Abandons the Last Elements of its Cookie Phase-Out Plan: In what may amount to the biggest head fake in digital advertising history, Google has now announced that it won’t be making any changes to cookie tracking in Chrome after all, abandoning the final elements of its years-long “Privacy Sandbox” transparency and privacy push.
- 4 critical compliance areas companies should review after CPPA’s Honda settlement: The recent California Privacy Protection Agency settlement with American Honda Motor Company over violations of the California Consumer Privacy Act highlights four key areas companies should review and focus on immediately.
- Microsoft’s New Cookie Consent Requirement Coming May 5, 2025: Microsoft Advertising has announced that starting May 5, 2025, it will require all websites using its tracking tools to send a “consent signal” whenever someone from the European Union, United Kingdom, or Switzerland visits.
- Swiss Authority’s New Cookie Guidelines: What You Need to Know: On February 3rd, 2025, the Swiss Federal Data Protection and Information Commissioner (FDPIC) released new guidance on cookie usage in Switzerland. While this is not legally binding, it provides insight into the authority’s intended direction and the future of cookie-consent practices in the country.
- CPPA Puts the Brakes on Honda’s Data Privacy Practices: On March 7, 2025, the California Privacy Protection Agency (CPPA) issued a settlement order imposing a $632,500 fine on American Honda Motor Co., Inc. for violations of the California Consumer Privacy Act (CCPA). The CPPA alleged four main violations: (a) requesting too much information to process data subject rights requests, (b) failing to provide “symmetrical” data sale choices, (c) requiring too much authorized agent verification, and (d) failing to execute contracts with advertising technology partners.
- Fined €40,000: A GDPR wake-up call for cookie compliance
- ICO takes action to tackle cookie compliance across the UK’s top 1,000 websites
- DSIR Deeper Dive – The Worst Cookie Recipe
- Avoiding Meta Pixel Lawsuits
- The CNIL Orders Website Publishers to Modify Misleading Cookie Banners
- BeReal Hit with Privacy Complaint Over How It Asks EU Users to Agree to Tracking