Cookie handling and consent collection regulations: what you need to know to be compliant

Q: If the company is based in the USA or in another non-EU country, must it adopt a CMP compliant with the GDPR?

Certainly ! Website owners based in the USA or anywhere else in the world, even outside the European Community, who offer goods or services to users located in the European Union, must comply with the GDPR and therefore must implement a compliant CMP (Consent Management Platform). The GDPR and all other applicable data processing regulations for websites apply not only to companies based in Europe but also to those outside the EU that: offer goods or services to individuals in the EU (even if free of charge), or monitor the behavior of users in the EU (e.g., through cookies, analytics, tracking, profiling). This is defined in Article 3, Paragraph 2 of the GDPR. So, what should the owner of a U.S. website operating in Europe do? If a U.S. company (or any other non-EU country): sells products or services to European customers, has a website in a European language (e.g., Italian, German, etc.), accepts orders or ships to the EU, displays prices in euros, uses cookies or tracking technologies for European users (Google Analytics, Facebook Pixel, etc.) then it falls under the scope of the GDPR and must display a GDPR-compliant CMP, including: preemptive blocking of non-essential cookies, granular consent collection and recording (consent log), option to withdraw/modify consent (easily), clear, transparent and compliant banner. Use CookieMan for your websites, no matter where you are or what you do online, and you’ll be sure to do the right thing!

Q: The ePrivacy Directive and the ePrivacy Regulation, what is the difference?

The ePrivacy Regulation was adopted in 2017 but for reasons of waiting for entry into force it has been postponed several times and is currently still awaiting entry into force. The ePrivacy Directive (2002/58/EC, amended in 2009) is still in force. The ePrivacy Directive continues to regulate the use of cookies, electronic communication, and other privacy issues until the Regulation comes into force The ePrivacy Regulation is expected to supplement and replace the ePrivacy Directive, but the delay in coming into force causes a regulatory situation in transition.

A clear and comprehensive overview of the main European and global regulations: find out how CookieMan helps you easily comply with them, ensuring your website’s compliance thanks to a single version, available at an advantageous price.

Start free trial

14-day free trial | No login information required | Cancel anytime

CookieMan compliant with GDPR and cookies regulations from around the world

Compliance as an essential element in protecting your business

Complying with cookie management regulations, such as GDPR, CCPA and other European and global laws, is not just a legal matter, but a real duty to ensure transparency and trust for your visitors. Being compliant means protecting the personal data of your site visitors, building a solid reputation, and reducing the risk of penalties that can reach considerable amounts.

With the increasing focus on privacy, users want to know how their data is being used. Providing a transparent experience not only improves trust, but also increases engagement. Non-compliance, on the other hand, can lead to fines of up to 4 percent of annual global revenue or 20 million euros, whichever is higher (GDPR).

The right solution for complying with these regulations must be simple, effective, and able to adapt to ongoing legislative changes. With CookieMan, you can automate consent management, ensuring compliance with global regulations without additional effort. With input from our privacy experts, CookieMan provides a tool that will allow you to create privacy policies for your website based on the services you have chosen to enable (e.g., Google Analytics, Meta, re-marketing activities, etc.) and will check if there is anything that needs to be corrected on your site to make it compliant.

With CookieMan, you view real-time regulatory compliance with each change in settings. So you're sure your site is compliant forever.

Key European and global regulations

GDPR (EU)

Cookie Law (EU)

DMA (EU)

CCPA (USA)

LGPD (Brazil)

CNIL (France)

What is GDPR

GDPR is the European Data Protection Regulation, which came into effect in 2018. This law protects the personal data of EU citizens by establishing clear rules on how companies must collect, store and use such information.

What it protects

The GDPR protects sensitive information such as names, email addresses, IP addresses and other personal identifications.

How to be GDPR compliant

To comply with GDPR, companies must obtain explicit consents to collect data, provide users with the ability to revoke consent at any time, and ensure that data are stored securely.

How CookieMan can help you

CookieMan offers automated consent management, a compliant consent log, and tools to easily update user preferences. With our platform, your site will comply with GDPR requirements without technical complications.

What is the Cookie Law?

The Cookie Law is European legislation introduced to regulate the use of cookies on websites, ensuring the protection of users’ privacy. Introduced initially with the ePrivacy Directive and later supplemented by the GDPR, the Cookie Law requires sites to obtain users’ explicit consent before using nonessential cookies, such as tracking or marketing cookies.

What it protects

The Cookie Law protects the privacy of online users by regulating the collection and use of their personal information through cookies.

How to be Cookie Law compliant

To comply with the ePrivacy Directive, it is necessary to adopt a Consent Management Platform (CMP) that uses a compliant cookie banner, transparent cookie disclosures, and allows users to withdraw and change consent at any time.

How CookieMan can help you

With CookieMan, you can manage consents easily and effectively, ensuring that your site is fully compliant with the Cookie Law and reducing the risk of penalties.

What is DMA

The DMA is a European regulation designed to regulate large digital platforms, ensuring transparency and fairness in online markets.

What it protects

The legislation protects competition and consumers by limiting the monopoly of large digital platforms and promoting ethical data management practices.

How to be DMA compliant

Companies must ensure transparency in data collection processes, respect users’ rights, and offer fairly accessible alternatives.

How CookieMan can help you

CookieMan supports companies in implementing transparent practices, simplifying consent management and adapting to DMA requirements.

What is CCPA

CCPA is a California regulation that came into effect in 2020. It is designed to protect consumer privacy by giving individuals control over the personal data collected by businesses.

What it protects

The CCPA covers personal information such as identification data, browsing history, online purchases, and more.

How to be CCPA compliant

Companies must provide clear notice of the data collected, offer the option to opt out of the sale of data, and guarantee consumers the right to access and delete data.

How CookieMan can help you

CookieMan makes it easy to implement customized consent banners and provides tools to comply with consumer data access or deletion requests, ensuring CCPA compliance.

What is LGPD

The LGPD is Brazil’s data protection legislation, inspired by the GDPR and in effect since 2020.

What it protects

The LGPD protects the personal data of all individuals in Brazil, including sensitive information such as name, address and other digital identifications.

How to be LGPD compliant

Companies must obtain valid consents, manage data transparently, and allow users to revoke consent or access their information.

How CookieMan can help you

CookieMan supports LGPD compliance by offering tools to collect explicit consents and audit logs that demonstrate compliance.

What is CNIL

The CNIL is the French data protection authority and plays a key role in the implementation of the GDPR in France.

What it protects

The CNIL oversees the collection and management of personal data, ensuring that the rights of French citizens are respected.

How to be CNIL compliant

Companies must comply with CNIL’s guidelines on explicit consent, transparency and the use of cookies and tracking technologies.

How CookieMan can help you

CookieMan provides banners in accordance with CNIL guidelines, ensuring that consents are collected and documented appropriately.

In order for your CMP to comply with regulations, it is essential that you have an integrated consent log.

CookieMan compliant to GDPR and cookies regulations for peace of mind

What are the main requirements for site owners?

Privacy and Cookie Policy

Must be prepared and made available to the visitor the Privacy Policy the Cookie Policy in which the Data Controller must explain what processing it performs with the site, what the purposes are, and why these treatments are made lawful (legal basis).

ePrivacy Regulation

Each relevant market has its own directive to regulate compliance in relation to cookie management. In the European Union, it is necessary to display a directive-compliant banner and allow the visitor to decide which processing can be put in place and which cannot, acquiring consent and recording it so it can later be shown as evidence.

Terms and Conditions

In many cases (e-commerce, service provision, appointment management, etc.), it is necessary to prepare a document stating the terms and conditions of use of the service to make it clear to the visitor what his or her rights and obligations are.

Consent log

The Owner (i.e., website owner) must be able to demonstrate that it has acquired consent when it implements processing that relies on that legal basis.

Frequently asked questions – Regulations

CookieMan Is it GDPR compliant?

Yes, our solution meets European and many global standards and is constantly being updated.

How can my website get users’ consent?

Using a consent management platform (CMP) on your website can help you obtain the granular, GDPR-compliant consent your visitors need for your website to process personal data.
The cookie banner must comply with the applicable regulations on the handling of personal data but also with the Directives that define certain physical characteristics of the same.
Also, if your website uses Google tools, you might consider adopting a CMP certified for Google Consent Mode v2.
If you integrate advertising tools, such as Google Ads, you might consider adopting a CMP certified for IAB’s TCF v.2.2.

How does the Digital Markets Act (DMA) affect consent?

Companies with visitors in the European Union must already obtain valid consent from users under the GDPR before collecting their data. The DMA (which covers users from the EU and the European Economic Area) strengthens the definition of consent under the GDPR. It imposes strict obligations on gatekeepers-who will set the rules for third-party companies to continue using their services-to achieve compliance.

Companies using gatekeeper platforms will need to follow these rules and align their data privacy policies with the DMA in order to continue using them.

How is Google Consent Mode used for compliance with the Digital Markets Act?

The Digital Markets Act (DMA) requires prior consent or opt-in consent from consumers before website operators can collect their personal data. Third-party companies using Google’s platforms and services can use Google Consent Mode to notify Google of users’ consent status so that Google’s services do not collect their data in the absence of explicit consent.

This helps achieve compliance with the DMA so that companies can enjoy uninterrupted access to Google’s platforms and services.

If the company is based in the USA or in another non-EU country, must it adopt a CMP compliant with the GDPR?

Certainly! Website owners based in the USA or anywhere else in the world, even outside the European Community, who offer goods or services to users located in the European Union, must comply with the GDPR and therefore must implement a compliant CMP (Consent Management Platform).
The GDPR and all other applicable data processing regulations for websites apply not only to companies based in Europe but also to those outside the EU that:

offer goods or services to individuals in the EU (even if free of charge),
or monitor the behavior of users in the EU (e.g., through cookies, analytics, tracking, profiling).

This is defined in Article 3, Paragraph 2 of the GDPR.
So, what should the owner of a U.S. website operating in Europe do?
If a U.S. company (or any other non-EU country):

sells products or services to European customers,
has a website in a European language (e.g., Italian, German, etc.),
accepts orders or ships to the EU,
displays prices in euros,
uses cookies or tracking technologies for European users (Google Analytics, Facebook Pixel, etc.)

then it falls under the scope of the GDPR and must display a GDPR-compliant CMP, including:

preemptive blocking of non-essential cookies,
granular consent collection and recording (consent log),
option to withdraw/modify consent (easily),
clear, transparent and compliant banner.

Use CookieMan for your websites, no matter where you are or what you do online, and you’ll be sure to do the right thing!

Is consent the only legal basis for data processing under the GDPR?

No, there are several legal bases that make the processing of personal and special data of the data subject lawful. Consent is one of the legal bases.
The data controller should first look for other legal bases for which the processing it is implementing is possible. Lacking the support of other bases, it can rest the processing on consent.
The acquisition of consent must respond to precise rules because only then is it lawful.
For this reason, it is essential to have a CMP that can manage the acquisition of consents in a lawful and compliant manner.

Is Google Analytics cookie data compliant with the GDPR?

All cookies can be processed in a compliant way or not, it depends on how you configure CMP.
There are different types of cookies: cookies that can be registered without asking the visitor for consent and cookies that can be registered only after asking for consent. If the visitor gives consent they can be registered with personal data, if not they cannot be registered or cannot contain personal data of the visitor.
Google Analytics (GA) cookies are no exception: they are cookies that can be registered and contain personal data of the visitor only if the visitor has given consent. If he or she does not, these cookies cannot be registered.
Google, with Consent Mode v2, has evolved its tools and even when the visitor does not give consent, through the use of modeling techniques and artificial intelligence, without processing personal data, it infer some characteristics and thus makes the statistics much more reliable and accurate.

The ePrivacy Directive and the ePrivacy Regulation, what is the difference?

The ePrivacy Regulation was adopted in 2017 but for reasons of waiting for entry into force it has been postponed several times and is currently still awaiting entry into force.
The ePrivacy Directive (2002/58/EC, amended in 2009) is still in force.

The ePrivacy Directive continues to regulate the use of cookies, electronic communication, and other privacy issues until the Regulation comes into force
The ePrivacy Regulation is expected to supplement and replace the ePrivacy Directive, but the delay in coming into force causes a regulatory situation in transition.

Why does my website need users’ consent to use cookies?

The EU General Data Protection Regulation (GDPR) stipulates that websites that have users in Europe must request and obtain their explicit consent before processing their personal data.
Cookies and trackers used for statistical and advertising purposes on your website process visitors’ personal data, such as unique IDs, IP addresses, search and browser history, which is why you are required to inform users and ask for their consent in order to activate them.