Privacy Laws & Frameworks

CookiePro helps companies comply with the following privacy regulations & frameworks


California Consumer Privacy Act

What is the CCPA?

The California Consumer Privacy Act (CCPA) introduces new data privacy rights for California residents – forcing companies that conduct business in the state of California to implement structural changes to their privacy programs.

How do I achieve compliance?

  • Enable an opt-out for only those specific cookies through a CookiePro-created cookie banner.
  • Provide a “Do Not Sell My Personal Information” link for users to opt out of sale of personal information.
  • Track do not sell requests by many unique identifiers, such as account number or device ID, and respond within 45 days.

When will the CCPA go into effect?

The CCPA went into effect on January 1, 2020.

What happens if I don't comply with the CCPA?

Failure to comply with the CCPA can result in penalties up to $7,500 USD for each violation.


General Data Protection Regulation

What is the GDPR?

The big name in privacy, the GDPR sets the strictest and most far-reaching standards for the handling of user data. It is based on principles of consent, transparency, protection, and user control.

How do I achieve compliance?

  • Provide users with specific and accurate information on all cookies and other tracking technologies.
  • Enable a user to show their consent with a clear, affirmative action.
  • Give users the possibility to opt in and opt out of the various types of cookies, and to have access to their settings and make subsequent changes to them if they change their mind.

When will the GDPR go into effect?

The GDPR went into effect on May 25, 2018.

What happens if I don't comply with the GDPR?

Failure to comply with the GDPR can result in fines as high as 4% of a company’s annual revenue.


The Regulation on Privacy and Electronic Communications

What is ePrivacy?

The ePrivacy Regulation is a law currently being drafted by the EU Commission. It complements the GDPR with a heavier focus on personal privacy, personal data, and confidentiality, specifically in electronic communication.

How do I achieve compliance?

  • Inform users about your data collection activities before storing cookies on a user’s device and/or tracking them and give them the option to choose whether it’s allowed or not.
  • Link a cookie policy or make available details of cookie purpose, usage, and related third-party activities.
  • Clearly state the third-party cookie categories and purpose for tracking.

When will the ePrivacy regulation go into effect?

The European Parliament set out its position on the Regulation in October 2017. However, the Council of the EU, which is made up of ministers of the Member States, has not yet come to a position on the legislation.

What happens if I don't comply with ePrivacy?

Penalties range from up to €10,000,000 or 2% of worldwide annual turnover for some minor incidents to up to €20,000,000 or 4% of worldwide annual turnover for more serious breaches, whichever is the higher in each case.


The Lei Geral de Proteção de Dados Pessoais

What is the LGPD?

The LGPD was unanimously approved on July 10, 2018 and will become law in 2020. The LGPD carries many similarities with the EU’s General Data Protection Regulation (GDPR); however, it is leaner in comparison.

How do I achieve compliance?

  • Obtain and track consent, as well as allow data holders the right to opt out.
  • Provide clear and accurate information about how the data is being processed.
  • Enable data holders to request that their personal data be deleted after they withdraw consent.

When will the LGPD go into effect?

The LGPD will go into effect in February 2020.

What happens if I don't comply with the LGPD?

Non-compliance with the requirements of the LGPD could result in fines amounting to 2% of gross sales (of the company or a group of companies) or a maximum sum of R$ 50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million.

Nevada SB 220

Nevada Senate Bill 220

What is SB 220?

Nevada’s new law, SB 220, which requires website operators to honor opt-out procedures, went into effect on October 1, 2019. Nevada’s Senate Bill 220, or “An Act relating to Internet privacy,” requires organizations that run websites that collect and maintain data to comply with requirements set by the law.

How do I achieve compliance with SB 220?

  • Understand what personal information is covered under the law.
  • Customize a request form with a “Do Not Sell” link to enable users to opt-out of advertising and data collection cookies on your website.
  • Automate the intake and fulfillment of consumers’ requests to access or delete their personal information.
  • Track do not sell requests by various unique identifiers, such as account number or device ID, and respond within 60 days.

Who does SB 220 apply to?

The Nevada Privacy Law applies to an “operator of an Internet website or online service which collects certain items of personally identifiable information about consumers” in Nevada.

What do I need to know about this law?

Nevada consumers must be able to opt out of the sale of “covered information” collected through a website or online service. Leverage CookiePro’s Opt-Out Builder to create and customize a sleek and actionable “Do Not Sell My Personal Information” link or button for your website. Then, use CookiePro’s consumer request portal to manage requests from intake all the way through fulfillment.

Thailand PDPA

Personal Data Protection Act

What is the PDPA?

Thailand’s PDPA was created to govern data protection and allow the people of Thailand to exercise their privacy rights.  Thailand’s adoption of this law was inspired by many GDPR principles and will drastically increase privacy requirements for businesses operating in Thailand.

The PDPA was announced on May 29, 2019, and will go into effect a little less than 1 year later, on May 27, 2020.

How do I achieve compliance with the PDPA?

  • Customize a cookie banner and preference center to inform users about data collection and provide visitors with the ability to opt-out of advertising and data collection cookies on your website.
  • Create and add a form for individuals to exercise their data subject rights over their personal data, such as the right of access, right to erasure, right to object, and right to data portability.
  • Monitor incoming requests using a dashboard and automate the request process, from intake to fulfillment.

Who does the PDPA apply to?

The PDPA applies to personal data collected or used by a data controller or processor residing in Thailand. It also applies to a data controller or processor residing outside Thailand but collecting, using or disclosing personal data of a data subject in Thailand, for the purpose of offering goods or services to or monitoring the behavior of that data subject. Personal data is defined in the PDPA as any data about a person that could identify that person directly or indirectly.

What happens if I don't comply with the PDPA?

Violation of the PDPA can result in fines of up to Baht 5,000,000 and imprisonment for up to one year.


The UK Information Commissioner’s Office
ICO Guidance

What is the ICO?

The UK Information Commissioner’s Office (ICO) is the independent regulatory office in charge of upholding information rights in the interest of the public.

Who does the ICO affect?

This is not addressed by the UK. There is an assumption that the ICO might follow the ePrivacy rules. This would mean that its guidance would apply to use of cookies carried out by an established controller or processor that monitors the behavior of individuals in the U.K.

What should be included in the cookie banner?

The consent must cover each purpose for which personal data will be processed. The user must be able to identify all parties placing cookies, meaning that organizations should name all parties who will rely on users’ consent.

What is considered valid consent?

The users must give specific, freely given and unambiguous consent to the cookies prior to the cookie being dropped.  A user continuing to browse a website does not amount to that user’s consent.


Commission Nationale de l'Informatique et des Libertés

What is the CNIL?

The Commission nationale de l’informatique et des libertés (CNIL) is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.

What should consent cover?

The consent must cover each purpose for which personal data will be processed. The CNIL accepts that organizations can offer a global consent for all cookies for which consent is required in their first consent layers, with a second layer that allows the user to give specific consent to each purpose separately.

Who does the CNIL apply to?

The revised French cookies rules only apply to the processing of cookies of an establishment in France, regardless of whether the actual processing takes place in France.  

Do analytic cookies require consent?

Not always. Certain analytic cookies can be exempted from prior consent requirements if they meet a list of cumulative requirements provided by the CNIL.
