
Privacy Laws & Frameworks

CookiePro helps companies comply with the following privacy regulations & frameworks


California Consumer Privacy Act


What is the CCPA?

The California Consumer Privacy Act (CCPA) creates new data privacy rights for California residents and requires businesses that do business in California and meet the law's applicability thresholds to make structural changes to their privacy programs.

How do I achieve compliance?

  • Enable an opt-out, through a CookiePro-created cookie banner, for the specific cookies whose use amounts to a “sale” of personal information.
  • Provide a “Do Not Sell My Personal Information” link so users can opt out of the sale of their personal information.
  • Track do-not-sell requests by the identifiers you hold for the consumer, such as account number or device ID, and respond within 45 days.

When will the CCPA go into effect?

The CCPA will go into effect on January 1, 2020.

What happens if I don't comply with the CCPA?

Failure to comply with the CCPA can result in civil penalties of up to $2,500 USD per violation, or up to $7,500 USD per intentional violation.


General Data Protection Regulation


What is the GDPR?

The GDPR is the EU's general data protection law and sets some of the strictest and most far-reaching standards for the handling of personal data. It is built on the principles of consent, transparency, protection, and user control.

How do I achieve compliance?

  • Provide users with specific and accurate information on all cookies and other tracking technologies.
  • Enable a user to show their consent with a clear, affirmative action.
  • Give users the ability to opt in to and opt out of each category of cookies, and to access their settings and change them later if they change their mind.

When will the GDPR go into effect?

The GDPR went into effect on May 25, 2018.

What happens if I don't comply with the GDPR?

Failure to comply with the GDPR can result in fines of up to €20,000,000 or 4% of a company’s worldwide annual turnover, whichever is higher.


The Regulation on Privacy and Electronic Communications


What is ePrivacy?

The ePrivacy Regulation is a proposed EU law, put forward by the European Commission in January 2017, that is intended to replace the current ePrivacy Directive. It complements the GDPR with a heavier focus on the privacy and confidentiality of electronic communications, including cookies and other tracking on users' devices.

How do I achieve compliance?

  • Inform users about your data collection activities before storing cookies on their device or otherwise tracking them, and give them the choice of whether to allow it.
  • Link to a cookie policy, or otherwise make available details of each cookie's purpose, usage, and related third-party activities.
  • Clearly state the categories of third-party cookies in use and the purpose of each kind of tracking.

When will the ePrivacy regulation go into effect?

The European Parliament set out its position on the Regulation in October 2017. However, the Council of the EU, which is made up of ministers of the Member States, has not yet come to a position on the legislation.

What happens if I don't comply with ePrivacy?

Under the proposed text, penalties range from up to €10,000,000 or 2% of worldwide annual turnover for certain infringements to up to €20,000,000 or 4% of worldwide annual turnover for more serious ones, whichever is higher in each case.


Brazilian General Data Protection Law


What is the LGPD?

The LGPD was unanimously approved by the Brazilian Senate on July 10, 2018, signed into law on August 14, 2018, and is scheduled to take effect in 2020. It has many similarities with the EU’s General Data Protection Regulation (GDPR), but is leaner by comparison.

How do I achieve compliance?

  • Obtain and track consent, and allow data subjects to opt out.
  • Provide clear and accurate information about how personal data is being processed.
  • Enable data subjects to request deletion of their personal data after they withdraw consent.

When will the LGPD go into effect?

The LGPD was originally scheduled to take effect in February 2020; the effective date was later pushed back to August 2020.

What happens if I don't comply with the LGPD?

Non-compliance with the LGPD can result in fines of up to 2% of the gross revenue in Brazil (of the company or its group of companies) for the prior financial year, capped at R$50,000,000.00 (fifty million reais) per infringement, approximately USD 12.9 million at the time of writing.


The UK Information Commissioner’s Office

ICO Guidance

What is the ICO?

The UK Information Commissioner’s Office (ICO) is the independent regulatory office responsible for upholding information rights in the public interest. Its cookie guidance explains how it expects organizations to use cookies and similar technologies lawfully.

Who does the ICO affect?

The UK has not set out a separate territorial-scope rule for cookies. The ICO enforces the Privacy and Electronic Communications Regulations (PECR), the UK’s implementation of the EU ePrivacy Directive, alongside the GDPR, so its guidance applies to the use of cookies by a controller or processor that monitors the behaviour of individuals in the UK.

What should be included in the cookie banner?

The consent must cover each purpose for which personal data will be processed. The user must be able to identify every party placing cookies, so organizations should name all third parties who will rely on the user’s consent.

What is considered valid consent?

Users must give specific, freely given and unambiguous consent before a cookie is set. A user simply continuing to browse a website does not amount to consent.


Commission nationale de l’informatique et des libertés


What is the CNIL?

The Commission nationale de l’informatique et des libertés (CNIL) is the independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.

Who does the CNIL affect?

The revised French cookie rules apply to cookie-related processing carried out in the context of the activities of an establishment in France, regardless of whether the processing itself takes place in France.

What should consent cover?

The consent must cover each purpose for which personal data will be processed. The CNIL accepts a two-layer design: a first layer that offers a global consent to all cookies that require consent, and a second layer that lets the user give or refuse consent for each purpose separately.

Do analytic cookies require consent?

Not always. Certain analytics cookies are exempt from the prior-consent requirement if they meet all of the cumulative conditions set out by the CNIL.

Nevada Privacy Law (SB-220)


What is SB-220?

Nevada’s Senate Bill 220 (SB-220), “An Act relating to Internet privacy,” went into effect on October 1, 2019. It requires operators of websites and online services that collect and maintain covered information about Nevada consumers to honor opt-out requests and to meet the law's other requirements.

Who does the SB-220 affect?

The Nevada Privacy Law applies to an “operator of an Internet website or online service which collects certain items of personally identifiable information about consumers” in Nevada.

What do I need to know about this law?

Nevada consumers must be able to opt out of the sale of “covered information” collected through a website or online service. Leverage CookiePro’s Opt-Out Builder to create and customize a clear, actionable “Do Not Sell My Personal Information” link or button for your website. Then use CookiePro’s consumer request portal to manage requests from intake through fulfillment.

How do I achieve compliance?

  • Understand what personal information counts as “covered information” under the law.
  • Customize a request form with a “Do Not Sell” link so users can opt out of the sale of their information, including data collected through advertising and tracking cookies on your website.
  • Automate the intake and fulfillment of consumers’ requests to access or delete their personal information.
  • Track do-not-sell requests by the identifiers you hold for the consumer, such as account number or device ID, and respond within 60 days.