If you run a website, you need to know where users must actively agree to cookies (opt-in) and where you can use them by default unless they say no (opt-out). Rules differ depending on the country.
You must ask for clear permission before setting non-essential cookies (like tracking or marketing cookies).
| Region | Consent Required Before Setting Cookies? |
|---|---|
| EU, UK, Switzerland, Brazil, Canada, South Korea, Japan | Yes (Opt-in) |
| US, Australia, New Zealand, India | No (Opt-out) |
European Union (EU)
The ePrivacy Directive and GDPR both apply. Users must say yes before most cookies are used. GDPR guidance from the EU
United Kingdom
UK law still follows the same basic model post-Brexit. Consent must be given before cookies are placed. UK ICO cookie guidance
Canada
Under PIPEDA, implied consent may be okay for functional cookies, but anything that tracks behavior usually needs opt-in. Office of the Privacy Commissioner of Canada
Brazil
The LGPD (Brazil’s data law) is modeled after the GDPR. Sites must ask before collecting personal data through cookies. Brazilian LGPD overview
South Korea
The PIPA law requires companies to get permission before using cookies for personal data. South Korea’s PIPA summary
Japan
Under recent updates to the APPI law, consent is needed if cookie data is shared with third parties and is linked to personal information. Japan’s APPI info
You can usually use cookies by default, but users must have a clear way to opt out.
United States
No federal cookie law. But California (under CCPA/CPRA) and other states require a “Do Not Sell or Share” option. California Privacy Protection Agency (CPPA)
Australia
Consent isn’t usually needed unless sensitive personal info is collected. Most cookies can be used with notice and opt-out. OAIC guidance
New Zealand
Cookie use is generally opt-out. Privacy law focuses more on transparency than upfront consent. NZ Privacy Act
India
Current rules don’t require opt-in unless cookies collect highly personal data. This could change with future data protection laws. India’s draft data protection bill summary
If you serve personalized ads via Google Ad Manager to users in any of these regions, ensure you're using a Google‑certified CMP with IAB‑TCF integration.
Google’s Consent Mode v2, part of its EU User Consent Policy, is currently required for end users located in the above regions when you're using Google’s ad and analytics products.
Currently, Google does not require opt-in consent for users in the United States under its ad and analytics policies.
However, certain U.S. states like California (CPRA), Virginia (VCDPA), and Colorado (CPA) have their own privacy laws that may require notice and opt-out options for data collection, especially for the sale or sharing of personal information.
While Consent Mode v2 is not mandatory in the U.S., Google recommends implementing clear user privacy practices and disclosures to stay compliant with evolving state-level regulations. Using a Consent Management Platform (CMP) is optional but can help maintain consistency across international audiences.
UniConsent allows you to display a cookie notice that includes opt-out options, as required by certain U.S. state privacy laws.
