Where Is Opt-In Cookie Consent Required? 2026 Country Guide

Opt-in cookie consent is required in the EU/EEA, UK, Brazil, South Korea, China, Saudi Arabia and Quebec. Most US states use notice and opt-out. Full 2026 map.

Written by
Daniel
Published on
Where Is Opt-In Cookie Consent Required? 2026 Country Guide

Every team running one website for global traffic eventually hits the same question: do we need to block cookies until people click "Accept," or is a notice with an opt-out link enough?

Get it wrong in one direction and you're exposed where regulators fine real money for pre-consent tracking — CNIL fined SHEIN €150 million in September 2025 largely for placing ad cookies before users touched the banner. Get it wrong in the other direction and you're throwing away consent-gated traffic in places that never asked for a banner.

There's no global standard, but there is a fairly clean three-way split. This is the at-a-glance version: which jurisdictions require prior opt-in consent for non-essential cookies, which run on notice plus opt-out, and which sit in between. For deeper legal detail per country, see our guide to cookie consent laws outside the EU and US; for US state specifics, see cookie banner requirements in US states.

As of mid-2026, prior opt-in consent for non-essential cookies is required in the EU/EEA, the UK, Brazil, South Korea, Saudi Arabia, China, and Quebec (Canada). Most US states, Switzerland, Australia, Japan, and Singapore instead use a notice-and-opt-out or transparency model — though several of those still require opt-in for specific cases like sensitive data or ad targeting.

Here's the full map.

The 2026 opt-in vs opt-out comparison table

Jurisdiction Model Key law What it means for your banner
EU / EEA Opt-in ePrivacy Directive Art. 5(3) + GDPR Block all non-essential cookies until consent; reject must be as easy as accept
United Kingdom Opt-in (with new exceptions) PECR, amended by Data (Use and Access) Act 2025 Opt-in still the default, but since 5 Feb 2026 low-risk analytics and appearance cookies can run consent-free with a simple way to object
Quebec (Canada) Opt-in Law 25, s. 8.1 Tech that identifies, locates or profiles users must be off by default; user activates it
Brazil Opt-in (for most non-essential) LGPD + ANPD cookie guidance Consent is the appropriate basis for ad/profiling cookies; some first-party analytics can rest on legitimate interest
South Korea Opt-in (when identifiable) PIPA Consent before cookies that count as personal information; prior opt-in for behavioral ad targeting; cookie disclosure mandatory in privacy policy
Saudi Arabia Opt-in (consent-default) PDPL No cookie-specific statute, but consent is the default legal basis and behavioral advertising requires prior opt-in
China Opt-in, plus separate consents PIPL Consent for personal data via cookies; separate consent for sensitive data and for cross-border transfers — which catches most foreign ad/analytics tags
US states (19 laws in force) Notice + opt-out CCPA/CPRA + 18 other state laws No banner mandate for ordinary cookies; must offer opt-out of targeted ads/sale and honor GPC in a growing list of states; opt-in for sensitive data
Switzerland In between FADP + Telecom Act Art. 45c Inform users and offer opt-out; explicit consent only for high-risk profiling and sensitive data
Canada (federal) In between PIPEDA Implied consent acceptable for non-sensitive purposes; express consent for sensitive ones — see our Canada consent banner guide
Japan In between APPI No general cookie consent duty; consent needed when sharing "personally referable information" (e.g. cookie IDs) with third parties who can link it to individuals
Singapore In between PDPA Consent framework, but "deemed consent by notification" with an opt-out window covers many tracking uses
Australia Notice / transparency Privacy Act 1988 (APPs) No cookie banner requirement; transparency obligations apply, and reform tranches keep tightening the definition of personal information

(Operational guide, not legal advice — and "opt-in" here always means for non-essential cookies; strictly necessary cookies are exempt everywhere.)

The opt-in jurisdictions, briefly

EU / EEA

The anchor of the opt-in world. ePrivacy Article 5(3) requires prior consent for storing or accessing anything on a user's device beyond what's strictly necessary, and the GDPR defines what valid consent looks like: freely given, specific, informed, unambiguous. The EDPB's Cookie Banner Taskforce report pushed national regulators toward a common line — no pre-ticked boxes, no cookies before choice, and a reject option that isn't buried. Enforcement is not theoretical: on 1 September 2025 CNIL fined Google €325 million and SHEIN €150 million over cookie violations.

United Kingdom

Still opt-in by default under PECR, but the UK is now the most interesting divergence story. The Data (Use and Access) Act 2025's PECR changes took effect on 5 February 2026, adding consent exceptions for storage and access used for statistical purposes, appearance/preference settings, and emergency assistance — provided users get clear information and "a simple means of objecting." The ICO finalised its storage and access technologies guidance on 29 April 2026. Translation: low-risk first-party analytics can now run in the UK without a consent box, which is not true in the EU. The DUAA also raised maximum PECR fines from £500,000 to UK GDPR levels (£17.5m or 4% of global turnover). If you serve both markets, you need separate rule packs, not one "Europe" bucket.

Quebec (Canada)

The strictest regime in North America. Under Law 25's section 8.1, technology with functions that allow a person to be identified, located or profiled must come with those functions deactivated by default — the user switches them on, not off. Quebec's regulator (the CAI) adopted consent-validity guidelines in October 2023 emphasizing clear, granular, purpose-specific consent. Practically: EU-style prior consent for tracking and profiling cookies for Quebec visitors.

Brazil

The LGPD itself is a legal-basis law, not a cookie law, but the ANPD's cookie guidance settles the practical question: consent is the appropriate basis for non-essential cookies — especially third-party advertising and profiling — with no pre-ticked boxes and a real reject option on the first layer. The carve-out worth knowing: the ANPD accepts that some audience-measurement analytics may rest on legitimate interest with a documented assessment. (More on that nuance in do analytics cookies require consent?.)

South Korea

PIPA treats cookie data as personal information whenever it can identify someone, directly or combined with other data — which captures most ad-tech identifiers. Consent must come before collection, your privacy policy must disclose automatic collection tools and how to refuse them, and online behavioral advertising requires prior opt-in consent. The PIPC is one of Asia's most active enforcers.

Saudi Arabia

No cookie-specific statute, but the PDPL (fully enforced since September 2024) makes consent the default legal basis for processing personal data, with narrow exceptions — and behavioral/targeted advertising requires prior opt-in consent. If your site touches Saudi users with ad tech, treat it as an opt-in market.

China

PIPL requires consent for processing personal information, and then goes further: separate consent for sensitive personal information and for transferring data outside China. Since most Western analytics and advertising tags send data to servers abroad, a site serving mainland Chinese users effectively needs explicit, specific opt-in before those tags fire — a generic "Accept all" banner doesn't satisfy the separate-consent standard.

The notice and opt-out jurisdictions

United States

No US state requires EU-style opt-in for ordinary cookies. The model across the 19 comprehensive state laws in force (Indiana, Kentucky and Rhode Island joined on 1 January 2026) is: clear notice, plus the right to opt out of targeted advertising, sale, and sharing of personal data. Two big caveats:

  • Opt-in still exists for sensitive data (health, precise geolocation, biometrics, children's data) in most states.
  • Universal opt-out signals are now mandatory at scale. Twelve states require honoring signals like Global Privacy Control in 2026 — California, Colorado, Connecticut, Texas, Montana, Oregon, Delaware, New Hampshire, New Jersey and Nebraska already, with Maryland and Minnesota following in July 2026. A GPC-enabled browser visit must be treated as an opt-out, no clicks required.

State-by-state details live in our US states banner guide.

Switzerland

Frequently misclassified as EU-equivalent. It isn't. Under the revised FADP and Article 45c of the Telecommunications Act, the baseline is inform and offer an opt-out — the FDPIC's cookie guidelines (updated October 2025) confirm that opt-in is only required for high-risk profiling (think cross-site tracking feeding real-time bidding) and sensitive personal data. A transparency banner with a working refusal option covers most Swiss-only setups.

Australia, Japan, Singapore

  • Australia: no cookie banner mandate. The Privacy Act requires transparency under the APPs, and the ongoing reform tranches are expanding what counts as personal information (device IDs, cookie IDs) — worth watching, but today it's a notice regime.
  • Japan: the APPI doesn't require consent to set cookies, but the 2022 "personally referable information" rules require consent when you pass cookie data to a third party who can link it to an individual — which is exactly what conversion APIs and ad-matching do. Opt-in for that pathway, notice for the rest.
  • Singapore: the PDPA's "deemed consent by notification" lets organizations proceed after notice plus a reasonable opt-out window for many tracking purposes, with assessments required. Pragmatic, but not a free pass for ad profiling.

India deserves an honorable mention: the DPDP Act's consent-manager framework is pulling it toward the opt-in column as the rules phase in — we cover it in cookie consent laws to watch before 2027.

You don't need thirteen banners. You need one banner shell and a handful of rule sets:

  1. Inventory first. Scan your site so you know every cookie, pixel and SDK and its purpose. (Automatic cookie scanning beats spreadsheets.)
  2. Define three or four modes, not one per country:
    • opt_in_strict — EU/EEA, Brazil, Quebec, South Korea, Saudi Arabia, China: block everything non-essential pre-consent, symmetric accept/reject.
    • opt_in_uk — same, but with the DUAA statistical/appearance exceptions if you choose to use them (plus a simple objection control).
    • opt_out_us — load with notice, honor GPC and opt-out links, gate sensitive-data processing behind opt-in.
    • notice_default — Switzerland, Australia, Japan, Singapore: transparency banner, working refusal, consent gates only on the specific triggers above (high-risk profiling, third-party PRI sharing, etc.).
  3. Geo-detect and route. IP-based detection at page load picks the mode; default unknown regions to your stricter setting.
  4. Wire the modes to tag behavior, not just banner copy — what fires pre-consent is what regulators test.
  5. Log everything: which rule set applied, banner version, user action, timestamp. That log is your defense.
  6. Re-review quarterly. The map moved twice in the last 18 months (US states, UK); it will move again.

Whether one strict global banner is ever the smarter trade-off is its own debate — we've written up the one-banner-everywhere question separately.

Where CookieChimp fits

This whole article is basically CookieChimp's job description: geo-targeted banners that switch between opt-in and opt-out modes automatically, automatic cookie scanning to keep your inventory honest, GPC support for US state laws, Google Consent Mode v2 signaling, and consent logs you can actually hand to a regulator. Simple for visitors, precise underneath — without your frontend team maintaining a jurisdiction matrix by hand.

FAQ

Is opt-in cookie consent required in the United States?

Not for ordinary cookies. US state laws use a notice-and-opt-out model for targeted advertising and data sales rather than requiring prior consent. But opt-in is required for sensitive data (health, precise location, biometrics, children's data) in most states, and twelve states now require honoring universal opt-out signals like Global Privacy Control.

Does Switzerland require opt-in cookie consent like the EU?

No. Switzerland's revised FADP and Telecommunications Act require informing users and offering a way to refuse cookies — an opt-out model. Explicit opt-in consent is only needed for high-risk profiling (such as cross-site tracking) and sensitive personal data, per the FDPIC's cookie guidelines.

Did the UK stop requiring cookie consent in 2026?

No — opt-in remains the UK default. What changed is that the Data (Use and Access) Act 2025 added consent exceptions, in force since 5 February 2026, for narrowly defined uses like statistical analytics and appearance settings, provided users are informed and given a simple way to object. Advertising and cross-context tracking still require consent.

Which countries require opt-in consent for analytics cookies?

The EU/EEA is the strictest: analytics cookies generally need consent unless a national regulator has blessed a specific exempt configuration. Quebec, China and South Korea also effectively require it where analytics data is identifiable. The UK now exempts low-risk statistical cookies, and Brazil's ANPD accepts legitimate interest for some audience measurement.

Do I need a different cookie banner for every country?

You need different behavior, not different designs. One banner UI with three or four jurisdiction rule sets — strict opt-in, UK opt-in-with-exceptions, US opt-out with GPC, and a notice default — covers the current global map. Geolocation picks the rule set at page load.

What happens if I use an opt-out banner for EU visitors?

You're non-compliant, and it's the single most-enforced cookie violation in Europe. CNIL's September 2025 fines against Google (€325M) and SHEIN (€150M) both involved cookies set without valid prior consent. EU regulators routinely test whether tags fire before the user makes a choice.

References

  1. EDPB, "Report of the work undertaken by the Cookie Banner Taskforce": edpb.europa.eu
  2. ICO, "Guidance on the use of storage and access technologies" (finalised 29 April 2026): ico.org.uk
  3. CNIL, "Cookies placed without consent: SHEIN fined 150 million euros by the CNIL": cnil.fr
  4. IAPP, "New year, new rules: US state privacy requirements coming online as 2026 begins": iapp.org
  5. IAPP, "US State Privacy Legislation Tracker": iapp.org
  6. Global Privacy Control, "Take Control of Your Privacy": globalprivacycontrol.org
  7. FDPIC (Switzerland), "Guidelines published on data processing using cookies": edoeb.admin.ch
  8. ANPD (Brazil), "Guia Orientativo: Cookies e Proteção de Dados Pessoais": gov.br
  9. CAI (Quebec), "Critères de validité du consentement : la Commission adopte ses lignes directrices": cai.gouv.qc.ca
  10. Baker McKenzie Global Data and Cyber Handbook, "South Korea: Cookies, Online Tracking and Direct Marketing": resourcehub.bakermckenzie.com
  11. Baker McKenzie Global Data and Cyber Handbook, "Saudi Arabia: Cookies, Online Tracking and Direct Marketing": resourcehub.bakermckenzie.com

Need one banner that knows where it is? Get started with CookieChimp and ship geo-targeted consent in an afternoon.

The content of this article is provided for information purposes only and does not constitute legal or other advice.