
Cookie Consent Laws Around the World: 2026 Guide

More than 140 countries now have a data protection law, and they split into two broad camps on cookies: opt-in and opt-out. Here's a country-by-country map of who requires what, and how to run one site across all of them.

More than 140 countries now have a data protection law on the books, and the number keeps climbing. For a website that gets traffic from more than one country, that raises a practical question: whose rules apply, and can one banner satisfy all of them? The short answer is that most laws sort into two camps, and once you see the split, a single region-aware setup can cover the world.

This is a country-by-country reference. For the mechanics of serving different rules from one banner, read running one banner across a global audience. This guide maps who requires what.

Two models: opt-in and opt-out

Almost every cookie regime falls into one of two shapes.

Opt-in (consent first). Non-essential cookies stay off until the visitor actively agrees. This is the GDPR model, and it has spread far beyond Europe. Brazil, South Korea, Thailand, Turkey, South Africa and many others follow it. A compliant banner here blocks analytics and advertising by default and offers a real reject option.

Opt-out (notice and choice). Tracking can run, but you have to tell people and give them a way to say no, usually a "Do Not Sell or Share" link and support for signals like Global Privacy Control. This is the model in California and most other US states. See the Do Not Sell or Share guide and universal opt-out mechanisms for the detail.

A few places sit in between or add their own twist, but knowing which model a country uses tells you most of what you need.

Cookie Consent by Region: The Short Version

Region | Law | Regulator | Model
European Union | GDPR + ePrivacy | EDPB / national DPAs | Opt-in
United Kingdom | UK GDPR + PECR | ICO | Opt-in
Brazil | LGPD | ANPD | Opt-in
South Africa | POPIA | Information Regulator | Opt-in
Thailand | PDPA | PDPC | Opt-in
South Korea | PIPA | PIPC | Opt-in
Turkey | KVKK | KVKK Authority | Opt-in
Switzerland | revised FADP | FDPIC | Opt-in (with nuance)
Singapore | PDPA | PDPC | Consent / deemed consent
Canada | PIPEDA / Law 25 | OPC / CAI | Opt-in (meaningful)
United States | State laws (CCPA etc.) | State AGs / CPPA | Opt-out
Australia | Privacy Act | OAIC | Notice-based

Europe and the UK: the strictest baseline

The EU's GDPR and ePrivacy Directive set the high-water mark: prior consent for non-essential cookies, equal accept and reject prominence, and granular categories. The UK runs a close parallel through UK GDPR and the older PECR rules, enforced by the ICO. If your banner satisfies the EU, it satisfies most opt-in regimes elsewhere with only wording changes. See the GDPR cookie compliance checklist and how UK GDPR differs.

Latin America and Africa: opt-in, rising enforcement

Brazil's LGPD, enforced by the ANPD, mirrors the GDPR's consent model. South Africa's POPIA and Nigeria's NDPA both require opt-in for tracking cookies, and both regulators moved into active enforcement across 2024 and 2025. Nigeria's rules even dictate where the banner sits on the page.

Asia-Pacific: a spectrum

Asia is the most varied region. South Korea's PIPA is among the strictest anywhere, with nine-figure fines against Google and Meta. Thailand's PDPA and China's PIPL require explicit consent. Singapore's PDPA allows deemed consent for some cookies. Japan's APPI leans on notice and purpose limitation. Australia's Privacy Act is notice-based and under reform. One region, several different bars to clear.

North America: the opt-out block

The United States has no single federal privacy law. Instead, a growing set of state laws led by California's CCPA use the opt-out model: you can run tracking, but you have to offer a "Do Not Sell or Share My Personal Information" link and honour opt-out signals. Canada is different again, requiring meaningful consent under PIPEDA, with Quebec's Law 25 adding stricter, GDPR-like rules.

Running One Site Across Every Region

  • Default to the strictest model

    Start from opt-in (block non-essential cookies) and relax per region where the law allows.

  • Detect location and switch behaviour

    Serve opt-in banners to EU, Brazil, Korea and similar visitors, and opt-out controls to US-state visitors.

  • Honour Global Privacy Control

    US opt-out laws increasingly require respecting the GPC browser signal, beyond the on-page link alone.

  • Localise the wording

    Translate the banner and match each region's legal terms, even where the underlying model is the same.

  • Log consent per purpose

    Keep a timestamped record of what each visitor accepted, which every opt-in regime expects as evidence.
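
The steps above as one decision function, added here as an illustration and not CookieBeam's code. The region codes, function names and record fields are assumptions, and treating GPC as an opt-out for every non-essential purpose is a conservative choice made for this example.

```javascript
// Region -> model, following the guide's table. Codes are assumed to come from
// a geo lookup; Singapore and Australia are left out so they fall to the default.
const REGION_MODEL = new Map([
  ["EU", "opt-in"], ["GB", "opt-in"], ["BR", "opt-in"], ["ZA", "opt-in"],
  ["TH", "opt-in"], ["KR", "opt-in"], ["TR", "opt-in"], ["CH", "opt-in"],
  ["CA", "opt-in"], ["US", "opt-out"],
]);
const PURPOSES = ["analytics", "advertising"]; // non-essential categories

// Step 1: default to the strictest model. A missing, unknown or spoofed region
// value can only ever land on opt-in, never on a looser rule.
function resolveModel(region) {
  return REGION_MODEL.get(region) ?? "opt-in";
}

// Steps 2-3: switch behaviour by model and honour the GPC signal.
// `choices` holds explicit visitor decisions: true = accepted, false = refused.
function decideConsent({ region, gpc = false, choices = {} }) {
  const model = resolveModel(region);
  const allowed = {};
  for (const purpose of PURPOSES) {
    allowed[purpose] = model === "opt-in"
      ? choices[purpose] === true               // off until actively accepted
      : !(gpc || choices[purpose] === false);   // on unless refused or GPC set
  }
  return { model, allowed };
}

// Step 5: timestamped, per-purpose record of what was decided and why.
function consentRecord(visitorId, input, now = new Date()) {
  const { model, allowed } = decideConsent(input);
  return {
    visitorId,
    region: input.region ?? "unknown",
    model,
    gpc: Boolean(input.gpc),
    purposes: allowed,
    recordedAt: now.toISOString(),
  };
}
```

In a browser the `gpc` input would come from `navigator.globalPrivacyControl`, and on the server from the `Sec-GPC: 1` request header.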

Where CookieBeam Fits

CookieBeam's regional rules match each visitor to their location and switch the banner's text, buttons and behaviour to fit, so an EU visitor sees an opt-in flow while a California visitor sees an opt-out control, from one setup. Per-purpose consent logging keeps a timestamped record of what each visitor chose. You define the regions and categories once; the banner adapts per visit.

The map keeps growing

New regimes come online almost every year, which is why a fixed, hard-coded banner ages badly. India's Digital Personal Data Protection Act brings a consent model to the world's most populous country as its rules phase in. The Gulf has moved too, with Saudi Arabia's PDPL and the UAE's federal data law both now in force, and more Middle Eastern and Asian countries drafting their own. The practical takeaway is the same each time: the two-model split (opt-in or opt-out) usually holds, so a setup built to switch behaviour by region absorbs a new country by adding a rule, not by rebuilding the banner.

Where to go next

Pick the countries you actually serve and read the specific guides: POPIA, Thailand PDPA, Singapore PDPA, Nigeria NDPA, and Turkey KVKK. Then wire them together with one region-aware banner.

Primary sources: European Data Protection Board (edpb.europa.eu); UK ICO (ico.org.uk); Brazil ANPD (gov.br/anpd); South Africa Information Regulator (inforegulator.org.za); Thailand PDPC (pdpc.or.th); Singapore PDPC (pdpc.gov.sg); Nigeria NDPC (ndpc.gov.ng); Turkey KVKK (kvkk.gov.tr); Korea PIPC (pipc.go.kr); Switzerland FDPIC (edoeb.admin.ch).
