Cookie Consent Laws Outside the EU and US: 2026 Country Guide

Brazil, Quebec, China, South Korea, Saudi Arabia, and Nigeria require opt-in cookie consent; Japan, Australia, and federal Canada don't. Full 2026 country guide.

Written by
Daniel
Published on
Cookie Consent Laws Outside the EU and US: 2026 Country Guide

Most cookie consent content is written as if the world ends at the borders of the EU and California.

It does not. Brazil's regulator says consent is the right legal basis for non-essential cookies. Quebec requires tracking technology to be off by default. Nigeria wants a cookie banner you cannot scroll past. China expects explicit consent — and a separate one if the data leaves the country. Most of these laws copy GDPR's extraterritorial reach, so they apply whether or not you have a local office.

This guide covers the legal substance, country by country, as of June 2026. For the quick opt-in vs opt-out world summary, see where opt-in cookie consent is required; for implementation strategy, see can one cookie banner cover every country.

At least eleven major jurisdictions outside the EU and US regulate cookies and tracking: Brazil (LGPD), Canada (PIPEDA plus Quebec's Law 25), the UK (PECR as amended by the DUAA), China (PIPL), Japan (APPI and the Telecommunications Business Act), South Korea (PIPA), India (DPDP Act), Australia (Privacy Act), Saudi Arabia (PDPL), Nigeria (NDPA), and South Africa (POPIA). Brazil, Quebec, the UK, China, South Korea, Saudi Arabia, and Nigeria effectively require opt-in consent for non-essential cookies; Japan, Australia, federal Canada, and South Africa currently allow notice-based or opt-out models for most tracking.

Country Law Cookie consent model Status, June 2026
Brazil LGPD + ANPD cookie guidance Opt-in for non-essential cookies In force; guidance since 2022
Canada (federal) PIPEDA + OPC guidelines Notice/opt-out for non-sensitive ad tracking; opt-in for sensitive data In force; CPPA reform died with Bill C-27
Quebec Law 25 Opt-in — tracking/profiling tech off by default Fully in force
UK PECR + DUAA 2025 Opt-in, with new narrow exceptions (statistics, appearance, emergencies) DUAA changes live since 5 Feb 2026
China PIPL Opt-in; separate consent for sensitive data and cross-border transfers In force since Nov 2021
Japan APPI + Telecom Business Act Notice / consent / opt-out options for external transmission TBA rules live; APPI amendment bill in the Diet
South Korea PIPA + PIPC guidance Opt-in where cookie data identifies a person In force; guidance updated 2025
India DPDP Act 2023 + DPDP Rules 2025 Opt-in trajectory — affirmative consent once Rules fully apply Phased: consent managers Nov 2026, core duties May 2027
Australia Privacy Act 1988 Notice-based today; no cookie opt-in rule yet Children's Code due Dec 2026; tranche 2 reform pending
Saudi Arabia PDPL Opt-in — consent is the default lawful basis In force; active enforcement since 2025
Nigeria NDPA 2023 + GAID 2025 Opt-in for non-essential cookies, prominent banner required GAID effective Sept 2025
South Africa POPIA Notice + lawful basis; opt-in for electronic direct marketing In force; marketing guidance Dec 2024

The LGPD has been in force since September 2020, and the ANPD (Brazil's data protection authority) published dedicated cookie guidance in October 2022 — the closest thing in the Americas to the EU playbook:

  • Consent is the appropriate legal basis for non-essential cookies. Legitimate interest is reserved for strictly necessary ones.
  • The first banner layer should let users fully accept or fully reject non-essential cookies — reject parity, in other words.
  • A second layer should offer category-level granularity, and withdrawal must actually disable the cookies.

Fines run up to 2% of Brazil revenue, capped at R$50 million per violation. If you already run an EU-grade banner, Brazil mostly needs a Portuguese-language variant and correct category mapping — not a new legal model.

Canada: opt-out federally, opt-in in Quebec

Canada is two regimes in one country.

Federally (PIPEDA): the Privacy Commissioner's behavioural advertising guidelines allow opt-out consent for ad tracking — but only if the purpose is obvious, the data is non-sensitive, and the opt-out is immediate and persistent. Opt-in is required for sensitive data, tracking children should be avoided entirely, and technologies users cannot decline (zombie cookies, fingerprinting) are off the table. The CPPA reform died with Bill C-27 in January 2025, so PIPEDA still governs.

Quebec (Law 25): section 8.1 requires technology with functions to identify, locate, or profile a person to be deactivated by default — the user has to turn it on. That makes Quebec the only North American jurisdiction with an EU-style opt-in default for tracking cookies.

The full picture is in our complete guide to consent banners in Canada.

UK: still opt-in, now with carve-outs

Post-Brexit, the UK kept PECR's opt-in rule but is diverging from the EU via the Data (Use and Access) Act 2025, whose cookie provisions commenced on 5 February 2026. New exceptions let sites set cookies without consent for first-party statistics, appearance preferences, and emergency assistance — provided users get clear information and a free, simple opt-out. Meanwhile, maximum PECR fines jumped from £500,000 to £17.5 million or 4% of global turnover, and the ICO finalised its updated storage-and-access guidance in April 2026.

Net effect: slightly more permissive on analytics than the EU, much more dangerous to ignore. More detail in what changed in cookie consent laws in 2026.

China's PIPL (in force since November 2021) does not mention cookies by name, but its consent standard covers them: consent must be given "under the precondition of full knowledge, and in a voluntary and explicit statement." Cookie identifiers that can single out a visitor are personal information, so tracking, analytics, and ad cookies need prior opt-in consent — a privacy policy mention is not enough.

Two PIPL features routinely surprise Western teams. First, separate consent: sensitive personal information and cross-border transfers each need standalone consent, not a bundled "accept" click — and sending Chinese visitors' data outside the mainland also requires a transfer mechanism (CAC security assessment, standard contract, or certification). Second, extraterritorial reach: PIPL applies to foreign companies serving users in China, and courts have started applying it that way.

Japan is the most permissive major economy on this list — for now.

  • Under the APPI, cookie data not linked to an identified person is "personally referable information." Consent is needed mainly when the recipient will link it to personal data — a rule aimed squarely at adtech data sharing.
  • The amended Telecommunications Business Act (effective June 2023) added "external transmission rules": when your site sends user information to third parties via analytics tags or ad pixels, you must notify users or make the details readily available, obtain consent, or offer an opt-out. Most sites comply with detailed disclosure rather than a consent banner.
  • In April 2026, Japan's Cabinet approved an APPI amendment bill, now before the Diet, that extends protections to "contactable" identifiers — email addresses, phone numbers, and device or cookie IDs that let someone reach a specific individual. If passed, the new rules are expected to take effect by 2028.

So for Japan: a banner is usually optional, but a complete tracker inventory and disclosure page is not.

South Korea: opt-in where cookies identify, with regulator attention on ad tracking

PIPA is one of Asia's strictest privacy laws, and the PIPC one of its most active regulators. Cookies that collect identifiable or combinable behavioural data are personal information, requiring specific, informed, prior consent — notice-then-opt-out is not sufficient where identification is possible.

In April 2025 the PIPC updated its privacy policy drafting guidelines to require concrete descriptions of how users can block or refuse cookies and targeted advertising. Behavioural advertising remains a stated supervision priority, and penalties scale to 3% of relevant turnover. Treat Korea as an opt-in market with strong documentation expectations.

India: the DPDP Act is now operational law — on a phased clock

India enacted the Digital Personal Data Protection Act in 2023, and the long-awaited DPDP Rules were notified on 14 November 2025. Implementation is phased:

  • November 2025: definitions and Data Protection Board provisions took effect.
  • 13 November 2026: registration and obligations of Consent Managers — licensed intermediaries through which users can give, review, and withdraw consent across services.
  • 13 May 2027: the core duties — notice requirements, consent standards, breach reporting, retention, data principal rights.

The Act requires consent that is "free, specific, informed, unconditional and unambiguous with a clear affirmative action." Applied to cookies that process personal data, that is an opt-in standard, with penalties up to ₹250 crore (roughly US$30 million) per category of violation. If India matters to your traffic, build auditable consent records and real withdrawal flows in 2026, before the May 2027 deadline arrives.

Australia: notice-based today, reform arriving in stages

Australia's Privacy Act 1988 has no cookie consent requirement — tracking is governed by notice obligations and general collection rules. Two things are changing:

  1. The Privacy and Other Legislation Amendment Act 2024 (tranche 1) mandated a Children's Online Privacy Code, which the OAIC must register by 10 December 2026; the exposure draft consultation closed on 5 June 2026. Services "likely to be accessed by children" will face stricter rules on profiling and tracking.
  2. Tranche 2 — expected to redefine personal information to include cookie IDs and device identifiers, and to require voluntary, specific, unambiguous consent — has still not been introduced as of June 2026.

Australia belongs on your watchlist rather than your banner-rules engine. We track it in cookie consent laws to watch before 2027.

Saudi Arabia's PDPL became enforceable in September 2023, with the grace period ending in September 2024. Consent is the default lawful basis for processing personal data unless a statutory alternative applies — which, for advertising and analytics cookies, generally means opt-in consent, with Arabic-language notices where you target Saudi residents.

Enforcement is no longer theoretical: SDAIA's specialized committees issued 48 violation decisions in their first year of substantive adjudication (reported February 2026), with marketing without prior consent among the most common violations. Fines reach SAR 5 million (about US$1.3 million) per breach, doubling for repeats.

Nigeria's Data Protection Act (NDPA) took effect in June 2023, and the NDPC's General Application and Implementation Directive (GAID), issued March 2025 and effective 19 September 2025, operationalises it. For websites, the GAID is unusually concrete:

  • A cookie notice must appear prominently on the homepage — visibly occupying part of the page, not a footer link users never see.
  • Users must get a genuine option to accept or decline, and consent must be affirmative — no pre-ticked boxes, no implied consent from continued browsing.
  • Only strictly necessary cookies (security, stability, accessibility) are exempt.

With Africa's largest internet population, Nigeria is the clearest opt-in jurisdiction on the continent.

POPIA (fully in force since July 2021) has no cookie-specific clause, but cookies that process identifiable information need a lawful basis like any other processing — and the practical pressure point is section 69: electronic direct marketing requires prior opt-in consent unless a narrow existing-customer exception applies. The Information Regulator's Guidance Note on Direct Marketing (December 2024) confirmed the strict reading: informed, voluntary, specific consent, with the burden of proof on you.

If your cookies feed remarketing or email targeting aimed at South African users, you are in opt-in territory. Purely functional and measurement cookies sit in a softer notice-plus-lawful-basis zone.

What to actually do: a rollout checklist

  1. Pull six months of traffic by country. Anything above a few percent from an opt-in jurisdiction here deserves explicit handling, using the table above as your consent-model map.
  2. Scan what actually fires before consent. Run an automatic cookie scan per region — regulators test runtime behaviour, not policy text.
  3. Localise the layers that matter legally. Portuguese for Brazil, French for Quebec, Arabic for Saudi Arabia. Reject parity on the first layer wherever opt-in applies.
  4. Handle China separately. Cross-border transfer of Chinese users' data needs its own consent and a transfer mechanism — do not fold it into a generic banner.
  5. Log consent with timestamps and policy versions. India's consent-manager regime, Saudi enforcement, and South Africa's burden-of-proof rule all assume you can produce evidence.
  6. Diarise the deadlines: 13 November 2026 (India consent managers), 10 December 2026 (Australia Children's Code), 13 May 2027 (India core obligations).

Where CookieChimp fits

Running eleven legal models by hand is exactly the work a CMP should absorb. CookieChimp is a simple yet powerful consent platform that serves geo-targeted banners per jurisdiction (opt-in in São Paulo and Lagos, notice-based in Sydney and Tokyo), scans your site automatically to keep cookie categories accurate, blocks non-essential scripts until consent where required, and keeps timestamped consent logs you can hand to a regulator.

FAQ

Is opt-in cookie consent required in Canada?

It depends where your visitor is. Under federal PIPEDA, opt-out consent is acceptable for non-sensitive behavioural advertising if it is transparent and easy to decline. In Quebec, Law 25 requires technology that identifies, locates, or profiles a person to be off by default — effectively opt-in for tracking cookies.

Do I need consent for cookies in Japan?

Usually not. Japan's external transmission rules let you choose between notifying users, obtaining consent, or offering an opt-out when tags send user data to third parties; detailed disclosure is the common route. Watch the pending APPI amendment, which would bring cookie and device IDs that can be used to contact a person into scope, likely by 2028.

What does India's DPDP Act mean for cookies?

Once the DPDP Rules fully apply on 13 May 2027, cookies that process personal data will need consent that is free, specific, informed, and given by clear affirmative action — an opt-in standard. Consent manager registration starts in November 2026, so 2026 is the year to build compliant notice and withdrawal flows.

Does China's PIPL apply to foreign websites?

Yes, if you process personal information of people in China to offer them products or services or analyse their behaviour. That includes cookies and analytics identifiers, requires explicit opt-in consent, and triggers separate consent plus a legal transfer mechanism when data leaves mainland China.

Which African countries require opt-in cookie consent?

Nigeria is the clearest case: the GAID 2025, effective September 2025, requires a prominent cookie banner with a real accept/decline choice for all non-essential cookies. South Africa's POPIA requires opt-in consent where cookies feed electronic direct marketing, and notice plus a lawful basis otherwise.

References

  1. ANPD (Brazil), "Guia Orientativo: Cookies e Proteção de Dados Pessoais": gov.br
  2. Office of the Privacy Commissioner of Canada, "Guidelines on privacy and online behavioural advertising": priv.gc.ca
  3. McCarthy Tétrault, "Quebec's Law 25 and Cookies: Not So Cookie Cutter": mccarthy.ca
  4. Clifford Chance, "Key aspects of the Data (Use and Access) Act take effect" (Feb 2026): cliffordchance.com
  5. Stanford DigiChina, "Translation: Personal Information Protection Law of the People's Republic of China": digichina.stanford.edu
  6. IAPP, "What does Japan's External Data Transmission Rule mean?": iapp.org
  7. Fisher Phillips, "Japanese Cabinet Approves APPI Amendments" (Apr 2026): fisherphillips.com
  8. Kim & Chang, "Updates on Privacy Policy Drafting Guidelines" (Apr 2025): kimchang.com
  9. Press Information Bureau (India), "DPDP Rules, 2025 Notified" (Nov 2025): static.pib.gov.in
  10. OAIC (Australia), "Children's Online Privacy Code": oaic.gov.au
  11. IAPP, "Saudi Arabia's data protection authority steps up enforcement" (Feb 2026): iapp.org
  12. DLA Piper Data Protection Laws of the World, "Nigeria": dlapiperdataprotection.com
  13. Covington, Global Policy Watch, "Long-Awaited POPIA Guidance on Direct Marketing Published" (Dec 2024): globalpolicywatch.com

One consent platform can carry all of this if the rules engine underneath is region-aware. Get started with CookieChimp and ship compliant, geo-targeted consent in an afternoon.

The content of this article is provided for information purposes only and does not constitute legal or other advice.