
GDPR vs CCPA vs PECR: Global Privacy Laws Compared

Compare GDPR, CCPA, and PECR to understand which privacy laws apply to your website, what each requires for cookie consent, and how to achieve compliance across multiple jurisdictions simultaneously.

The Global Privacy Landscape

If your website has visitors from Europe, California, or the UK, multiple privacy laws may apply simultaneously — each with different requirements for how you collect consent. Understanding these differences is essential for building a compliant consent management strategy.

The three most impactful regulations for cookie consent are GDPR (EU/EEA), CCPA/CPRA (California, USA), and PECR (UK). Let's compare them directly.

GDPR vs CCPA vs PECR — Quick Reference

| Aspect | GDPR (EU/EEA) | CCPA/CPRA (California) | PECR (UK) |
|---|---|---|---|
| Geographic scope | EU/EEA residents globally | California residents globally | UK users and UK-based orgs |
| Consent model | Opt-in required | Opt-out (right to say no) | Opt-in required (aligned with GDPR) |
| Cookie consent required | Yes, for non-essential cookies | No banner required, but must offer opt-out of sale | Yes, mirrors GDPR requirements |
| Max fine | €20M or 4% of global turnover | $7,500 per intentional violation | £500,000 (ICO enforcement) |
| Right to delete | Yes (Right to Erasure) | Yes | Yes |
| Applies to SMEs | Yes — no minimum size | Only if >$25M revenue or 100K+ consumers | Yes — no minimum size |
| Enacted | May 2018 | Jan 2020 (CCPA), Jan 2023 (CPRA) | 2003, updated post-Brexit |

GDPR: The Global Standard for Privacy

EU / EEA

The General Data Protection Regulation (GDPR) applies to any organisation processing the personal data of EU/EEA residents, regardless of where the organisation is based. For cookies, this means:

  • Opt-in consent is mandatory for all non-essential cookies before they are set
  • Consent must be freely given, specific, informed, and unambiguous
  • Pre-ticked boxes and implied consent are explicitly invalid
  • Users must be able to withdraw consent as easily as they gave it
  • You must keep records proving consent was obtained

The GDPR is enforced by national Data Protection Authorities (DPAs). Major fines include Meta (€1.2B), Amazon (€746M), and Google (€150M).

CCPA/CPRA: California's Privacy Rights Act

California, USA

The California Consumer Privacy Act (CCPA), amended by CPRA in 2023, takes a fundamentally different approach: rather than requiring opt-in consent for cookies, it gives consumers the right to opt out of the sale or sharing of their personal information.

  • No cookie banner required by default
  • Must display a 'Do Not Sell or Share My Personal Information' link
  • Must honour Global Privacy Control (GPC) browser signals automatically
  • Applies to for-profit businesses meeting certain size thresholds
  • CPRA added a right to limit use of sensitive personal information

While a full opt-in banner isn't legally required, many companies use a unified banner for all jurisdictions as it's simpler to manage.

PECR: UK Cookie Law Post-Brexit

United Kingdom

The Privacy and Electronic Communications Regulations (PECR) is the UK's implementation of the EU's ePrivacy Directive. Following Brexit, the UK retained PECR while diverging from the EU's GDPR (now UK GDPR).

  • Requires opt-in consent for analytics and marketing cookies
  • Practically identical to EU GDPR requirements for cookie consent
  • Enforced by the ICO (Information Commissioner's Office)
  • UK government has consulted on reforms but PECR remains in force
  • Companies serving both EU and UK users can typically use one compliant banner for both

Which Laws Apply to Your Website?

You may need to comply with more than one regulation simultaneously. Use this guide:

  • EU/EEA visitors: GDPR applies — opt-in consent required
  • UK visitors: PECR + UK GDPR apply — opt-in consent required
  • California visitors: CCPA/CPRA applies — opt-out mechanism required
  • Global website: Best practice is to implement GDPR-level opt-in consent globally, as it satisfies all three regimes simultaneously

Geolocation-Based Consent Rules

CookieBeam supports geolocation-based consent rules. You can configure different consent requirements for different regions — stricter opt-in for EU/UK visitors, opt-out-only for US visitors — all managed from one dashboard without code changes.

Multi-Jurisdiction Compliance Checklist

  • Identify all user geographies that generate significant traffic

    Use GA4 or your server logs to determine which countries represent more than 5% of your traffic.

  • Implement opt-in consent for EU/EEA and UK visitors

    This satisfies GDPR and PECR. Default all non-essential cookies to blocked until consent is given.

  • Add a 'Do Not Sell or Share' mechanism for California visitors

    Required under CCPA/CPRA. CookieBeam can display this automatically for US-CA visitors.

  • Honour Global Privacy Control (GPC) signals

    California law requires automatic opt-out when users enable GPC in their browser. CookieBeam detects and handles this automatically.

  • Maintain consent records

    Store a log of when each user consented, to which categories, and which version of the policy was shown. Required under GDPR.

  • Update your Privacy Policy to reflect all applicable laws

    Reference each regulation, your legal basis for processing, and users' rights under each regime.

Other Global Privacy Laws to Know

While GDPR, CCPA, and PECR cover the largest share of global web traffic, a growing wave of national privacy legislation means that comprehensive compliance increasingly requires awareness of laws in Brazil, China, Canada, Australia, and beyond. If your website serves a genuinely global audience, these four additional regimes deserve attention.

Major Privacy Laws Beyond GDPR, CCPA, and PECR

LGPD — Brazil

The Lei Geral de Proteção de Dados (LGPD) came into force in August 2020 and closely mirrors GDPR. It requires a legal basis for processing personal data, grants data subjects rights of access, correction, deletion, and portability, and mandates opt-in consent for non-essential data processing. The ANPD (Autoridade Nacional de Proteção de Dados) is the enforcement authority and can impose fines of up to 2% of Brazilian revenue, capped at BRL 50 million per violation. Websites with Brazilian visitors that use analytics or marketing cookies need an opt-in consent mechanism equivalent to GDPR.

PIPL — China

China's Personal Information Protection Law (PIPL) took effect in November 2021 and is one of the world's strictest data protection regimes. It requires explicit, separate consent for each distinct processing purpose, prohibits bundling consent, and imposes strict data localisation requirements for 'critical information infrastructure operators'. Cross-border data transfers require a government security assessment. For cookie consent, PIPL requires the same opt-in standard as GDPR, with the additional requirement that consent be purpose-specific — a single 'accept analytics and marketing' checkbox may not be sufficient.

PIPEDA — Canada

Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) has been in force since 2001 and requires meaningful consent for collection, use, and disclosure of personal information. Unlike GDPR, PIPEDA does not require explicit opt-in consent by default — implied consent is acceptable for many low-risk processing activities. However, the proposed Bill C-27 (Consumer Privacy Protection Act) would significantly strengthen Canadian privacy law to a GDPR-like standard. For cookie consent today, implied consent (clear notice with an opt-out mechanism) is the minimum requirement for analytics under PIPEDA.

Privacy Act 1988 — Australia

Australia's Privacy Act 1988, enforced by the Office of the Australian Information Commissioner (OAIC), applies to organisations with annual turnover above AUD 3 million (though the government has proposed removing this threshold). The Act requires reasonable notice about data collection and use, but does not mandate opt-in consent for cookies in the way GDPR does. However, proposed 2024 reforms would introduce a 'fair and reasonable' standard for data collection and stronger enforcement powers. Websites targeting Australian audiences should ensure their privacy notices are accurate and that they do not collect more data than stated.

Enforcement Examples and Fines

Understanding real enforcement actions provides concrete evidence of regulatory priorities and helps organisations calibrate their compliance investments. The following table documents notable fines and enforcement decisions across the major privacy regimes — all of which have implications for cookie consent and data collection practices.

Notable Privacy Law Enforcement Actions (2018–2024)
| Organisation | Regulator | Law | Fine | Issue |
|---|---|---|---|---|
| Meta (Facebook) | Irish DPC | GDPR | €1.2 billion | Unlawful data transfers to the US without adequate safeguards |
| Amazon | Luxembourg CNPD | GDPR | €746 million | Advertising targeting system and cookie consent failures |
| WhatsApp (Meta) | Irish DPC | GDPR | €225 million | Lack of transparency about data sharing between Meta group companies |
| Google LLC | French CNIL | GDPR + ePrivacy | €150 million | Cookie consent banner made it harder to refuse than to accept cookies |
| Facebook (Meta) | French CNIL | GDPR + ePrivacy | €60 million | Same cookie consent dark pattern — reject button harder to find than accept |
| Sephora | California AG | CCPA | $1.2 million | Failure to disclose sale of personal data and honour opt-out requests |
| DoorDash | California AG | CCPA | $375,000 | Sharing consumer data with marketing cooperative without proper disclosure |
| British Airways | UK ICO | UK GDPR | £20 million | Data breach due to inadequate security measures affecting 400,000 customers |
| Marriott International | UK ICO | UK GDPR | £18.4 million | Failure to implement adequate security, resulting in breach of 339M guest records |
| TikTok | UK ICO | UK GDPR | £12.7 million | Unlawful processing of children's data without appropriate parental consent |

Several patterns emerge from reviewing enforcement data. First, regulators consistently target consent mechanics as a proxy for broader compliance maturity — an organisation that manipulates consent UI is signalling to regulators that it prioritises data extraction over user rights. Second, the CNIL's actions against Google and Facebook over cookie banners (€150M and €60M respectively) specifically cited the asymmetric difficulty of declining vs accepting cookies: the reject path required more clicks than the accept path. Third, CCPA enforcement is accelerating: the California Privacy Protection Agency (CPPA), established by CPRA in 2023, has significantly expanded enforcement capacity and announced an audit programme targeting companies in the retail, healthcare, and data broker sectors.

Choosing the Right Consent Strategy for Your Business

Strategy Guide

There is no single 'right' consent strategy — the optimal approach depends on your traffic geography, business model, and risk appetite. Here is a framework for making the decision.

For businesses with predominantly EU/UK traffic (60%+): Implement full GDPR-standard opt-in consent globally. This is simpler to manage than a geo-segmented approach and ensures your highest-risk jurisdictions are fully covered. Use CookieBeam's Advanced Consent Mode integration to minimise the ad performance impact of consent refusals.

For businesses with predominantly US traffic and no EU presence: A CCPA-compliant opt-out mechanism (a 'Do Not Sell or Share My Personal Information' link) may be the minimum legal requirement. However, consider implementing opt-in consent for analytics as a future-proofing measure — many US states are passing GDPR-like laws, and retrofitting consent management later is more expensive than building it correctly from the start.

For global businesses with significant traffic from multiple jurisdictions: Use a geolocation-based consent strategy. Show opt-in consent banners to EU, UK, and Brazilian visitors; show opt-out mechanisms to US visitors; show notice-only banners to visitors from jurisdictions without specific cookie requirements. CookieBeam's geolocation rules engine supports this multi-regime configuration from a single dashboard, with no code changes required when new jurisdictions are added.

For businesses in regulated industries (healthcare, financial services, children's platforms): Apply the most conservative consent standard to all users regardless of geography. Sector-specific regulations (HIPAA, FCA rules, COPPA/KOSA) often impose stricter consent requirements than general privacy law, and the reputational risk of a data incident in these sectors makes a permissive consent approach inadvisable.

One common mistake when choosing a consent strategy is treating compliance as a binary pass/fail. In reality, regulators apply a proportionality principle: a small SaaS company with 10,000 monthly users will be assessed differently than a Fortune 500 company with 50 million users, even if both have identical consent implementations. What matters is that your approach is reasonable, documented, actively maintained, and genuinely respects user choices — not that it is perfect. CookieBeam's compliance score dashboard gives you a structured view of where your current implementation stands and what the highest-priority improvements are for your specific risk profile.

Global Privacy Compliance: Practical Action Plan

1. Audit your current cookie and tracking technology inventory

Before you can comply with any privacy law, you need to know what you are complying with. Run a full cookie scan on your website using CookieBeam's automatic scanner. Document every cookie and tracking script: its name, purpose, storage duration, data destination, and whether it qualifies as 'strictly necessary'. This inventory is the foundation of your Privacy Policy, your Cookie Policy, and your consent categories. Update it every time you add or remove a vendor or change your tech stack.

2. Identify which privacy laws apply to your traffic

Use your analytics data to determine the geographic distribution of your traffic. Any country or region representing more than 1% of your traffic and with a specific privacy law warrants a tailored compliance response. At minimum: EU/EEA (GDPR), UK (PECR + UK GDPR), California (CCPA/CPRA), and Brazil (LGPD). If you have significant traffic from China, consult a specialist in PIPL before deploying any analytics or personalisation on those sessions.

3. Implement a Consent Management Platform with geolocation support

Deploy CookieBeam with geolocation-based consent rules configured for each applicable jurisdiction. Set EU/UK/Brazil to opt-in mode, US states with CCPA equivalents to opt-out mode, and configure automatic GPC (Global Privacy Control) signal detection for California visitors. Verify that the correct banner variant displays for each geography using CookieBeam's geo-testing tool in the dashboard.

4. Update your Privacy Policy and Cookie Policy

Your written policies must accurately reflect your actual data practices. Ensure your Privacy Policy references each applicable law by name, lists the legal bases for each processing activity, describes user rights under each regime, and explains how to exercise those rights. Your Cookie Policy must list all cookies by category, including third-party cookies. CookieBeam's auto-generated Cookie Policy pulls directly from your scanned cookie inventory and updates automatically when your cookie usage changes.

5. Implement consent record storage and audit logging

GDPR requires you to be able to demonstrate that valid consent was obtained. This means storing a record of: when consent was given, by which user (via a non-PII anonymous ID), which categories were accepted, which version of your consent notice was displayed, and the user's IP address (hashed or truncated for GDPR compliance). CookieBeam stores all consent records automatically and provides an exportable audit log that can be submitted to regulators as evidence of consent in the event of a complaint or investigation.

6. Establish a consent renewal and change management process

Compliance is not a one-time project. Create a process for: reviewing and updating your cookie inventory when you add new vendors or change your tech stack; refreshing user consent when your cookie purposes change materially; reconsenting users after a defined period (12 months is widely recommended); and monitoring regulatory guidance updates from the EDPB, ICO, CNIL, and CPPA. Subscribe to CookieBeam's compliance alert service to receive notifications when guidance relevant to your configuration changes.

7. Test your consent mechanism regularly

Set a calendar reminder to test your consent banner quarterly. Verify that: the banner displays correctly on all target devices and browsers; all six Google Consent Mode signals update correctly on accept and reject; the preference centre loads and saves correctly; the floating icon allows users to change their preferences; and no cookies are set before consent is granted. CookieBeam's automated compliance monitor can run these checks continuously and alert you to regressions introduced by site updates or third-party script changes.
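The "no cookies are set before consent is granted" check from this step, as an added JavaScript example that is not CookieBeam's code. It assumes the cookie inventory from step 1 is held as name patterns mapped to categories, and that the observed cookies come either from `document.cookie` in the browser or from the `Set-Cookie` headers of a response captured before any consent interaction; the inventory entries and sample cookie strings are constructed for the example.

```javascript
// Added example, not CookieBeam's code: check that nothing outside the
// 'strictly necessary' category is set before consent. Assumptions: the
// inventory from step 1 is kept as name patterns mapped to categories, and
// the observed cookies come either from document.cookie in the browser or
// from Set-Cookie headers captured before any consent interaction. Inventory
// entries and sample cookies are constructed for this example.

const INVENTORY = [
  { pattern: /^session_id$/, category: 'necessary' },
  { pattern: /^csrf_token$/, category: 'necessary' },
  { pattern: /^cb_consent$/, category: 'necessary' }, // the consent cookie itself
  { pattern: /^_ga(_[A-Z0-9]+)?$/, category: 'analytics' },
  { pattern: /^_gid$/, category: 'analytics' },
  { pattern: /^_fbp$/, category: 'marketing' },
];

// Cookie names from a Cookie request header or document.cookie ("a=1; b=2").
function namesFromCookieString(str) {
  return str.split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// Cookie names from an array of Set-Cookie response headers; only the first
// attribute of each header is the cookie itself, the rest are flags.
function namesFromSetCookie(headers) {
  return headers
    .map((h) => h.split(';')[0].split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// Map a cookie name to its inventory category, or 'unknown' when the
// inventory has drifted from what the site actually sets.
function classify(name) {
  const entry = INVENTORY.find((e) => e.pattern.test(name));
  return entry ? entry.category : 'unknown';
}

// `consent` holds the categories the user has accepted so far. Before any
// interaction it is an empty object, so only 'necessary' cookies may exist.
// Unknown cookies are reported separately: they are an inventory gap, which
// is a compliance problem in its own right even if the cookie is harmless.
function auditCookies(names, consent) {
  const allowed = new Set(['necessary']);
  for (const [cat, ok] of Object.entries(consent || {})) {
    if (ok === true) allowed.add(cat);
  }
  const violations = [];
  const unknown = [];
  for (const name of new Set(names)) {
    const category = classify(name);
    if (category === 'unknown') unknown.push(name);
    else if (!allowed.has(category)) violations.push({ name, category });
  }
  return { ok: violations.length === 0 && unknown.length === 0, violations, unknown };
}

// Demonstration on constructed data: a first page load before any consent click.
const preConsent = 'session_id=abc123; _ga=GA1.2.11.22; csrf_token=x9';
console.log(JSON.stringify(auditCookies(namesFromCookieString(preConsent), {})));
```

Run the audit once on a fresh session with no consent cookie and once after each consent choice; a regression in a third-party script typically shows up as a new `violations` entry, and a new vendor shows up as an `unknown` name until the inventory is updated.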

Frequently Asked Questions

Does GDPR apply to my website if my company is based outside the EU?

Yes — GDPR has explicit extraterritorial scope. Article 3 of the GDPR states that it applies to any organisation processing the personal data of EU/EEA residents, regardless of where that organisation is located. This means a US-based SaaS company with European customers, an Australian e-commerce site that ships to Germany, or a Canadian app with French users all fall under GDPR for processing related to those EU/EEA residents. The practical trigger is whether you are 'offering goods or services' to EU/EEA individuals or 'monitoring their behaviour' within the EU/EEA — placing analytics cookies on the devices of EU visitors constitutes monitoring under GDPR.

What is the difference between CCPA and CPRA?

The California Consumer Privacy Act (CCPA) was passed in 2018 and came into effect in January 2020. The California Privacy Rights Act (CPRA) was a ballot initiative passed in November 2020 that significantly amended and strengthened the CCPA, taking effect in January 2023. Key additions from CPRA include: a right to correct inaccurate personal information; a new category of 'sensitive personal information' with a right to limit its use; restrictions on data retention (data must not be kept longer than reasonably necessary); the creation of the California Privacy Protection Agency (CPPA) as a dedicated enforcement body (replacing the Attorney General as primary enforcer); and the extension of B2B and employment data protections that were previously carved out. When people refer to 'CCPA compliance' today, they typically mean compliance with both CCPA and CPRA.

Can a single consent banner cover GDPR, CCPA, and PECR simultaneously?

Yes, with the right configuration. The key is to implement the most stringent requirements (GDPR's opt-in consent) as the global default and add jurisdiction-specific mechanisms on top. A GDPR-compliant opt-in banner satisfies PECR requirements for UK visitors automatically, as PECR and UK GDPR have identical consent standards. For CCPA, you additionally need a 'Do Not Sell or Share My Personal Information' link or toggle, and you must honour GPC signals from California visitors. CookieBeam's multi-jurisdiction mode handles this automatically: it detects the visitor's location, presents the appropriate consent interface (opt-in modal for EU/UK, opt-out notice for California, or a combined interface), and manages the different consent records required by each regime — all through a single script with no custom code required.

What are the penalties for non-compliance with LGPD in Brazil?

Brazil's LGPD provides for fines of up to 2% of the company's revenue in Brazil from the prior fiscal year, capped at BRL 50 million (approximately USD 10 million) per violation. The ANPD can also impose: warnings with deadlines to correct the violation; daily fines until the violation is remedied; public disclosure of the violation; deletion of the personal data involved in the infraction; partial suspension of database operations; and in serious cases, prohibition of data processing activities for up to six months or permanently. As of 2024, the ANPD has issued its first enforcement decisions and is actively processing complaints, signalling that the law's administrative phase is in full effect. Brazilian users represent a significant share of global internet traffic (5th largest internet user population), making LGPD compliance relevant for most international websites.

Is implied consent still acceptable under any EU privacy law?

No — for non-essential cookies and tracking technologies, implied consent (such as continuing to browse the website) is explicitly invalid under both GDPR and the ePrivacy Directive as interpreted by the CJEU and EDPB. The Planet49 judgment by the Court of Justice of the European Union (October 2019) settled this definitively: continued browsing, pre-ticked checkboxes, and other forms of implied consent do not constitute valid consent under EU law. Valid consent for cookies must be: freely given (no coercion or cookie walls); specific (granular per-purpose, not blanket); informed (clear explanation of what each cookie does); unambiguous (a clear affirmative action — ticking a box, clicking a button); and revocable (as easy to withdraw as it was to give). Only an explicit opt-in action — such as clicking an 'Accept' or 'Allow' button — satisfies all of these requirements.

How does Global Privacy Control (GPC) work and do I have to honour it?

Global Privacy Control (GPC) is a browser-level privacy signal — similar in concept to the old 'Do Not Track' header — that tells websites a user does not want their personal data sold or shared. Unlike Do Not Track, GPC has legal backing: California's CCPA/CPRA explicitly requires businesses to honour GPC signals as a valid opt-out of sale or sharing of personal information, with the same legal force as a user clicking 'Do Not Sell or Share My Personal Information' on your website. Under CCPA/CPRA, honouring GPC is legally mandatory for covered businesses, not optional. Several EU data protection authorities (including the French CNIL) have also indicated that GPC signals should be considered as part of a user's consent expression, though this is not yet a settled legal requirement across all EU member states. CookieBeam automatically detects the GPC header on incoming requests and adjusts the consent state accordingly: California visitors with GPC enabled are immediately placed in opt-out mode, and the consent record reflects the GPC signal as the basis for their preference.
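The region-based regime selection described in the strategy guide and in action plan step 3, combined with the GPC detection described in this answer, as an added JavaScript example that is not CookieBeam's code. It assumes the visitor's region is supplied by an upstream geolocation step as an ISO country code with an optional subdivision (for example `DE`, `GB`, `US-CA`); the `Sec-GPC: 1` request header and the `navigator.globalPrivacyControl` property are the signal carriers defined by the GPC specification. The region lists and the `opt-in` / `opt-out` / `notice-only` mode names are this example's simplification, not a legal inventory.

```javascript
// Added example, not CookieBeam's code: pick the consent regime from the
// visitor's region and the Global Privacy Control (GPC) signal.
// Assumptions: `region` arrives from an upstream geolocation step as an ISO
// country code with an optional subdivision ("DE", "GB", "US-CA"); the GPC
// request header is "Sec-GPC: 1" and the DOM property is
// navigator.globalPrivacyControl, both as defined by the GPC specification.

// Region lists are illustrative, not a legal inventory.
const EEA = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE', 'IS', 'LI', 'NO',
]);
const OTHER_OPT_IN = new Set(['GB', 'BR']);   // PECR + UK GDPR, LGPD
const OPT_OUT_REGIONS = new Set(['US-CA']);   // CCPA/CPRA; add other states here

// Server side: read GPC from the request headers. Header names are
// case-insensitive, and "1" is the only value the spec defines as "on".
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'sec-gpc') return String(value).trim() === '1';
  }
  return false;
}

// Client side: read the same signal from the DOM. `nav` is passed in so the
// function can be exercised outside a browser.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide the banner variant, the default state of non-essential categories
// before any user interaction, and how an opt-out of sale was expressed.
function consentRegime(region, gpc) {
  const upper = region.toUpperCase();
  const country = upper.split('-')[0];
  if (EEA.has(country) || OTHER_OPT_IN.has(country)) {
    // Opt-in: nothing non-essential runs until the user actively accepts.
    return { mode: 'opt-in', defaults: { analytics: false, marketing: false },
             saleOptOut: 'n/a', gpcSeen: gpc };
  }
  if (OPT_OUT_REGIONS.has(upper)) {
    // Opt-out: tracking may start by default, but a GPC signal has the same
    // force as clicking "Do Not Sell or Share" and is applied with no click.
    return { mode: 'opt-out', defaults: { analytics: !gpc, marketing: !gpc },
             saleOptOut: gpc ? 'gpc' : 'not-exercised', gpcSeen: gpc };
  }
  // No specific cookie law: show a notice. The signal is still recorded so
  // that a later policy change can be applied consistently.
  return { mode: 'notice-only', defaults: { analytics: true, marketing: true },
           saleOptOut: 'n/a', gpcSeen: gpc };
}

// Convenience wrapper for a server request.
function regimeForRequest(region, headers) {
  return consentRegime(region, gpcFromHeaders(headers));
}

// Demonstration on constructed requests.
const samples = [
  ['DE', {}],
  ['GB', { 'Sec-GPC': '1' }],
  ['US-CA', { 'sec-gpc': '1' }],
  ['US-CA', {}],
  ['JP', {}],
];
for (const [region, headers] of samples) {
  console.log(region, JSON.stringify(regimeForRequest(region, headers)));
}
```

The `gpcSeen` field is kept on every result, whatever the regime, so that the consent record can state the signal as the basis for the preference where it was honoured and so that the history is available if the treatment of GPC outside California changes.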
