Cookie banners have become privacy’s front line. In 2025, they do more than satisfy compliance requirements: they build trust, set expectations, and define digital transparency. With privacy laws tightening and user awareness at an all-time high, cookie consent isn’t uniform across borders. What’s allowed in California might be illegal in Germany. This guide breaks down what global cookie consent trends look like and what your business needs to do next.
Cookie consent trends: Regional enforcement
There’s no one-size-fits-all approach to cookie consent. While EU countries enforce strict opt-in regimes, other regions, such as the United States, rely on opt-outs.
Meanwhile, countries like Brazil and South Africa have developed privacy frameworks inspired by the GDPR and follow the opt-in model.

Businesses often face challenges while navigating these fragmented legal environments without compromising the user experience. Let’s map the legal terrain, enforcement patterns, and best practices to help global businesses stay ahead.
Data protection has been a fundamental right in Brazil since 2022.
European Union: The most stringent enforcer
When it comes to well-developed justice systems, European Union countries truly lead the way. This trend continues in privacy, with an impressive 98% of Europe having data privacy laws implemented as of February 2025.
GDPR and ePrivacy Directive
In the European Union, cookie consent is primarily governed by two legal instruments:
- General Data Protection Regulation (GDPR): It outlines data subject rights, transparency requirements, business obligations, and broad consent principles, including informed, freely given, specific, and unambiguous consent.
- ePrivacy Directive: It focuses specifically on electronic communications and cookie usage.
Under these laws, non-essential cookies such as those used for analytics, marketing, or personalisation require prior opt-in consent.
Businesses should document consent, ensure it is revocable and keep it separate from general terms and conditions.
Consent requirements across the EU
| Country | Opt-in required | Enforcement authority | Consent validity |
|---|---|---|---|
| France | ✅ | Commission Nationale Informatique & Libertés | 6 months |
| Italy | ✅ | Garante per la protezione dei dati | 6 months |
| Germany | ✅ | Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit | 6-12 months |
| Belgium | ✅ | Autorité de protection des données/Gegevensbeschermingsautoriteit | 6 months |
| Greece | ✅ | Hellenic Data Protection Authority | 6-12 months |
Fines, enforcement trends, and user behaviour
- The CNIL fined Google and Facebook € 150 M+ in 2022 for making cookie rejection harder than acceptance.
- AEPD fined SEAT, a Spanish car manufacturer, € 20,000 (reduced to € 12,000) for not obtaining cookie consent before placing non-essential cookies.
- Meta faced multiple GDPR fines across Ireland and Luxembourg, some involving cookie tracking in behavioural advertising.
- Cookie acceptance rates vary. Sites offering transparent, easy-to-use controls consistently perform better.
Only 5% of users in France never accept cookie banners and 28% always do (Statista, 2022).
North America: Fragmented but rising in regulation
Here is a quick look at the privacy landscape in the United States.
California’s CCPA/CPRA: opt-out
California leads the US with the California Consumer Privacy Act (CCPA) and its update, the California Privacy Rights Act (CPRA).
These laws do not require opt-in consent for cookies (except for minors under 16), but businesses must:
- Provide a “Do Not Sell or Share My Personal Information” link.
- Honour Global Privacy Control (GPC) signals automatically.
- Maintain transparency with consumers regarding data collection and processing.
The California Privacy Protection Agency (CPPA) now has full enforcement power along with the California Attorney General, marking a new era of compliance scrutiny in 2025.
Other US state-level laws
By 2025, 20+ states have enacted comprehensive privacy laws, including:
While similar in structure, differences include opt-out rights, sensitive data definitions, and browser-based signal handling. Uniformity is lacking, but the move toward GDPR-lite frameworks, adapted to specific locations, is evident.
Canada
Canadian regulators classify most cookies as “computer programs” under the Canadian Anti-Spam Law (CASL), requiring user consent before installation, especially for non-essential cookies.
When cookies collect personal information, PIPEDA and provincial privacy laws in Québec, British Columbia, and Alberta apply.
PIPEDA allows implied consent only for low-risk, well-explained purposes, and requires express consent for anything sensitive or unexpected. Non-necessary cookies may thus require express consent under Canadian privacy laws.
Québec’s law requires express opt-in for cookies.
The proposed Consumer Privacy Protection Act (CPPA) under Bill C-27 may introduce stricter rules, including expanded consent requirements and algorithmic transparency. It is still in the consideration stage.
Asia-Pacific: Diverse legislative momentum
China’s PIPL
China’s Personal Information Protection Law (PIPL) mandates separate, explicit consent for tracking and profiling. Notably:
- Consent must be renewed for significant processing changes.
- The Cyberspace Administration of China (CAC) conducts high-profile audits.
- Cross-border transfers require security assessments and contracts.
Cookies fall under broader personal data rules, meaning any tracking without proper consent could lead to severe penalties.
India’s DPDPA: consent-centric design
India’s Digital Personal Data Protection Act (DPDPA) introduces:
- Consent as the default basis for personal data processing.
- Purpose limitation and notice obligations.
- Data fiduciary responsibilities, including consent logs and access controls.
Though enforcement mechanisms are still being finalised, India is setting up a Data Protection Board to ensure accountability and compliance.
LATAM & Africa
Brazil’s LGPD
The Lei Geral de Proteção de Dados (LGPD) shares core GDPR principles:
- Lawful, transparent processing
- Specific consent for cookies and trackers
- User rights to access, correction, and deletion
The ANPD has issued guidelines on cookies and consent (Portuguese), with growing enforcement activities in the telecom and digital advertising sectors.
South Africa’s POPIA: from policy to practice
South Africa’s Protection of Personal Information Act (POPIA) enforces:
- Explicit consent for data collection
- Transparent privacy notices
- Accountability by data controllers and processors
The Information Regulator of South Africa enforces the law.
Cookie consent trends: Banner behaviours and geo-targeting
- EU: Consent banners must offer clear rejection options. Pre-checked boxes or dark patterns are non-compliant.
- US: “Accept All” and “Do Not Sell” buttons dominate, often without granular controls.
- Asia-Pacific: Consent language is expected to reflect national law. For example, India emphasises notice in English or any of the scheduled languages.
- Geo-targeting: Best-in-class consent solutions like CookieYes serve legally compliant banners to users based on their location.
Best practices to comply with global cookie consent trends
#1 Geo-targeted cookie banners
One banner won’t fit every visitor. Tailor banners by location to meet local laws and cultural expectations:
- Comply with default rules (e.g., reject by default in the EU).
- Display policies in the local language and with appropriate legal references.

#2 Consent logging and audit readiness
You need a defensible trail. Every consent event should be:
- Timestamped and documented.
- Tied to specific cookie categories.
- Stored in compliance with data minimisation principles.
Automated logging tools that come with consent management tools reduce risk and streamline audits.
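The geo-targeting and consent-logging practices in #1 and #2, sketched as an added example (not CookieYes code and not code from this page). The `POLICY` table, the category names, the function names and the chosen validity periods are assumptions built from the regimes described above; `Sec-GPC: 1` is the request header that carries the Global Privacy Control signal.

```javascript
// Added example, not vendor code. POLICY is a constructed table based on the
// regimes this page describes; the validity periods chosen are assumptions.
const POLICY = {
  FR:      { model: "opt-in",  validityMonths: 6 },
  DE:      { model: "opt-in",  validityMonths: 12 },   // upper end of the 6-12 range
  "US-CA": { model: "opt-out", validityMonths: null }, // no period given on the page
};
const CATEGORIES = ["analytics", "marketing", "personalisation"];

// Add calendar months in UTC, clamping to month end (31 Aug + 6 -> end of Feb).
function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  if (d.getUTCDate() !== date.getUTCDate()) d.setUTCDate(0);
  return d;
}

// Build one audit-log entry: timestamped, per category, no IP or user agent.
function recordConsent(region, choices, bannerVersion, now) {
  const policy = POLICY[region];
  if (!policy) throw new Error("unknown region: " + region);
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true; // absent = refused
  return {
    region, bannerVersion, categories,
    timestamp: now.toISOString(),
    expiresAt: policy.validityMonths === null
      ? null : addMonths(now, policy.validityMonths).toISOString(),
  };
}

// Decide what may load for this request and whether the banner must be shown.
function resolveConsent(region, secGpcHeader, record, now) {
  const policy = POLICY[region] || { model: "opt-in" }; // unknown region: strictest
  const expired = !record || record.region !== region ||
    (record.expiresAt !== null && new Date(record.expiresAt) <= now);
  const allowed = {};
  for (const c of CATEGORIES) {
    allowed[c] = expired ? policy.model === "opt-out" : record.categories[c];
  }
  // GPC is an opt-out of sale/sharing; mapped here to the marketing category.
  const gpcApplied = secGpcHeader === "1" && policy.model === "opt-out";
  if (gpcApplied) allowed.marketing = false;
  return { showBanner: expired && policy.model === "opt-in", allowed, gpcApplied };
}
```

A stored record is reused only for the region it was collected in, so a visitor who moves from an opt-out to an opt-in jurisdiction is asked again rather than inheriting defaults.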
#3 Cross-device & cross-region UX
Respect consent across all touchpoints:
- Sync preferences across sessions.
- Minimise repetition to avoid consent fatigue.
- Match your brand’s design while ensuring accessibility and clarity.
#4 Avoid dark patterns
Deceptive consent design, known as dark patterns, is under fire globally. These include pre-selected boxes, hidden decline buttons, or manipulative wording.
- Design choices must not trick users into accepting cookies.
- Rejection must be as easy as acceptance.
- Regulators like CNIL, DPC, and OPC are actively targeting misleading interfaces.
- Clear, balanced choices foster trust and boost compliance.
Avoiding dark patterns isn’t just about compliance; it’s also about creating a privacy-positive experience that users appreciate.
Countries in the European Union and the European Economic Area (under GDPR and ePrivacy), the UK (UK GDPR + PECR), Brazil (LGPD), and Québec (Law 25), among others, follow opt-in consent for non-necessary cookies such as advertising or tracking cookies.
Europe has the lowest acceptance rate, with Germany and France being the least likely to accept cookies. Fewer than 25% of users in these countries accept cookies. In contrast, users in the USA are very likely to accept cookies, with an acceptance rate of more than 80%, according to a study by Advance Metrics.
Key trends shaping cookie consent in 2025 include:
- Stricter global enforcement: Regulatory bodies across the UK, EU, and other regions are increasingly scrutinising cookie practices and cracking down on non-compliance.
- User-centric consent design: Consent banners now focus on clarity, minimalism, and accessibility.
- Consent Mode v2 adoption: Google’s Consent Mode v2 has become essential for advertisers targeting the UK and EEA.
- Post-third-party cookie shift: Businesses have started investing in first-party data strategies.
- Cookie rules vary across regions: While countries in the EU enforce opt-in consent, the US follows an opt-out model.
Consent-or-pay models ask users to choose between:
- Free access with tracking
- Paid access without tracking
Additionally, consent must be informed, specific, and not bundled with unrelated purposes. While this model has been upheld by the EU’s top court in certain contexts, regulators continue to scrutinise its use, and compliance depends on careful, user-centric implementation.


