Laws and Regulations of cookie consent in each region

Modified on Fri, 8 Sep, 2023 at 2:44 PM

In this article, you will find a comprehensive breakdown of cookie banner requirements for different regions, countries, and states in the US including specific regulations and compliance needs.


Find here the Complete list

  • European Union and UKGDPR
  • Switzerland: FADP
  • France: CNIL
  • Russia
  • Canada
    • Québec: Law 25
    • Rest of Canada: PIPEDA / CASL
  • US
    • California: CCPA
    • Virginia: VCDPA
    • Colorado: CPA
    • Utah: UCPA
    • Indiana
    • Rest of US
  • Brazil: LGPD
  • Mexico: LFPDPPP
  • Colombia
  • Argentina: PDP
  • Australia: APA
  • New Zealand: New Zealand Privacy Act
  • Philipines: 2012 DPA 
  • Japan: APPI
  • Turkey: KVKK
  • Thailand: PDPA
  • South Korea: PIPA




European Union & UK  (GDPR)


GDPR can be regarded as the most robust set of data protection regulations globally, revolutionizing individuals' access to information about themselves and imposing limitations on organizations regarding the handling of personal data and cookie consent. GDPR came into force on May 25, 2018. European countries were granted the authority to tailor the regulations to meet their specific requirements. Within the United Kingdom, this adaptability led to the enactment of the Data Protection Act (2018), superseding the previous Data Protection Act of 1998.


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  • Include a Button to Reject Cookies: Must include a statement telling the user that they can deny the consent of data collection and a button that allows them to do so.
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.


Observations: Countries in this region need to use illow's GDPR banner.


If you want to know more about the regulations in Europe and the UK, you can access our article "Europe and UK (GDPR - General Data Protection Regulation)".





Switzerland  (FADP / DPO)


Switzerland adheres to the Federal Act on Data Protection (FADP) when it comes to safeguarding data privacy. This legislation was initially introduced in 1993 and underwent revision in 2007, incorporating the Data Protection Ordinance (DPO) as well.


  • Explicit consent: The banner should obtain explicit consent from the user before placing cookies on their device. This entails clearly informing the user about the use of cookies and providing clear options to accept or reject their use.

  • Clear and concise information: The banner should provide clear and easily understandable information about the purpose of the cookies and how the collected data will be used. This may include details about tracking, personalizing the user experience, data analytics, etc.

  • Cookie management options: The banner should allow the user to have control over cookies and offer clear options to manage their preferences. This may include the ability to selectively accept or reject cookies, as well as the option to revoke consent at any time.

  • Access to the privacy policy: The banner should provide a visible and easily accessible link to the privacy policy, where the treatment of personal data and the use of cookies are fully described.

  • Duration of consent: The banner should include information about the duration of the user's consent. If the consent has an expiration date, this should be clearly indicated to the user.


Observations: With illow's GDPR banner, your site will be ready to comply with this regulation.


If you want to know more about the regulations in Switzerland, you can access our article "Switzerland: FADP (Federal Act on Data Protection) / DPO (Data protection ordinance)".





France   (CNIL)


The CNIL (Commission nationale de l'informatique et des libertés) is an independent regulatory body in France that works to protect your data privacy rights. They focus on ensuring that websites and businesses handle your personal information responsibly and transparently.


  • Explicit consent: The banner should obtain explicit consent from the user before placing cookies on their device. This entails clearly informing the user about the use of cookies and providing clear options to accept or reject their use.

  • Clear and concise information: The banner should provide clear and easily understandable information about the purpose of the cookies and how the collected data will be used. This may include details about tracking, personalizing the user experience, data analytics, etc.

  • Cookie management options: The banner should allow the user to have control over cookies and offer clear options to manage their preferences. This may include the ability to selectively accept or reject cookies, as well as the option to revoke consent at any time.

  • Access to the privacy policy: The banner should provide a visible and easily accessible link to the privacy policy, where the treatment of personal data and the use of cookies are fully described.

  • Duration of consent: The banner should include information about the duration of the user's consent. If the consent has an expiration date, this should be clearly indicated to the user.


Observations: With illow's GDPR banner, your site will be ready to comply with this regulation.


If you want to know more about the regulations in France, you can access our article "France - CNIL (Commission nationale de l'informatique et des libertés)".





Russia


In Russia, while there aren't explicit laws or regulations specifically addressing the use and deployment of cookies, recent statements by regulators and limited court cases indicate that cookies and IP addresses are recognized as personal data. Consequently, the collection and processing of such information without the user's consent is deemed unlawful.


Observations: With illow's GLOBAL banner, your site will be ready to comply with Russia's privacy best practices requirements.





Canada   (PIPEDA / CASL)


The Personal Information Protection and Electronic Documents Act (PIPEDA) is the federal data privacy law that governs the commercial use of Canadian residents' personal information.

As Canada's PIPEDA requires you to inform users and obtain their consent, PIPEDA compliance means knowing and controlling all cookies and tracking technologies in use on your website, plus having a solution for collecting the valid consents of users to all of those cookies that you use.


  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.


Observations: With illow's GLOBAL banner, your site will be ready to comply with Canadian regulations.


If you want to know more about this regulations you can visit our article "Canada (PIPEDA / CASL)".





Quebec   (Law 25)


Regarding consent requests, they must be presented separately from any other information communicated to the individual in question. Therefore, the request should be presented on its own, such as in a consent banner, and cannot simply appear within a website's privacy policy or within an application's terms.


  • Explicit consent: The banner should obtain explicit consent from the user before placing cookies on their device. This entails clearly informing the user about the use of cookies and providing clear options to accept or reject their use.

  • Clear and concise information: The banner should provide clear and easily understandable information about the purpose of the cookies and how the collected data will be used. This may include details about tracking, personalizing the user experience, data analytics, etc.

  • Cookie management options: The banner should allow the user to have control over cookies and offer clear options to manage their preferences. This may include the ability to selectively accept or reject cookies, as well as the option to revoke consent at any time.

  • Access to the privacy policy: The banner should provide a visible and easily accessible link to the privacy policy, where the treatment of personal data and the use of cookies are fully described.

  • Duration of consent: The banner should include information about the duration of the user's consent. If the consent has an expiration date, this should be clearly indicated to the user.


Observations: With illow's GDPR banner, your site will be ready to comply with Canadian regulations.


If you want to know more about this regulations you can visit our article "Quebec (Canada) - (Quebec 25)".





UNITED STATES:



California   (CCPA)


The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are significant regulations concerning privacy and personal data in California.

While the GDPR emphasizes both opt-in and opt-out approaches, the CCPA predominantly promotes an opt-out model for regulating data processing. Therefore, websites aiming for CCPA cookie compliance must offer an opt-out alternative to users, enabling them to withhold consent for the use of cookies that gather and sell their personal information.

  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Do Not Sell Button: Websites should include a link or a button on their homepage with the title “Do Not Sell My Personal Information.” The “Do Not Sell” page should include a link to the website’s privacy policy, as well as a button that lets them opt-out of personalized advertisements.


Observations: In this region, it needs to use illow's US Opt-out banner.


If you want know more about CCPA regulation you can visit our article "California (CCPA - CPRA)" .





Virginia   (VCDPA)


The Virginia Consumer Data Protection Act (VCDPA) addresses the utilization of cookies and other tracking technologies, specifically pertaining to targeted advertising. Websites employing cookies and trackers to collect and process personal data from individuals located in Virginia must offer users the ability to opt out of the collection and use of their personal data for targeted advertising purposes.


This opt-out alternative can be facilitated through a consent management platform (CMP) that automatically identifies and controls the use of cookies and other tracking technologies based on users' expressed consent preferences as they interact with consent banners or cookie banners on the websites they visit.


  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 


Observations: With illow´s GLOBAL banner, your site will be ready to comply with this regulation.


If you want to know more about VCDPA regulation, you cant visit our article "Virginia (VCDPA)".





Colorado   (CPA)


In September 2021, comprehensive data privacy legislation known as the Colorado Privacy Act (CPA) was implemented in Colorado. However, it is important to note that the CPA primarily focuses on consumer data privacy and does not specifically address cookies in detail.

Under the CPA, consumers have the right to opt out of the sale of their personal data. This means that businesses collecting personal information through cookies may need to provide users with the option to opt out of such data collection and usage for targeted advertising or other purposes.


Observations: In this region, it needs to use illow's GLOBAL banner.


If you want to know more about CPA regulation, you cant visit our article "Colorado (CPA)".





Utah   (UCPA)


Utah made its mark as the fourth state in the United States to enact privacy legislation, joining the ranks of California (CCPA), Colorado (CPA), and Virginia (VCDPA). The Utah Consumer Privacy Act (UCPA) is slated to go into effect on December 31, 2023. 

Notably, Utah's privacy law stands out for its business-friendly approach and unique provisions.

Following the footsteps of other state-level regulations, the UCPA adopts an opt-out consent framework. By default, personal data can be collected, processed, sold, or utilized for targeted advertising without explicit consent from consumers, with the exception of minors. However, individuals retain the right to opt out of the sale or use of their data for targeted advertising if they prefer their data not to be processed.


Observations: Although this regulation has not been enforced yet, by using illow's US Opt-out banner, your website would be prepared to comply with it.


If you want know more about UCPA regulation you can visit our article "Utah - UCPA (Utah Consumer Privacy Act)" .





Indiana


Currently, Indiana does not have strict laws or regulations specifically addressing the use of cookies. However, on May 2, 2023, Indiana Governor Eric Holcomb signed Senate Bill 5 into law, making Indiana the seventh state in the United States to have a comprehensive state privacy law. The bill shares many similarities with other recent state laws, particularly Virginia's VCDPA.

Indiana's data privacy law will operate on an opt-out mechanism and will take effect in 2026.


Observations: Although this regulation has not been enforced yet, by using illow's GLOBAL banner, your website will be prepared to comply with it.





Rest of US


For the remainder of the United States, there are currently no explicitly defined federal regulations concerning cookies or the specific banner to be displayed. Nonetheless, it is advisable to maintain a notification regarding their usage and provide access to their respective privacy policies.


Observations: With illow's GLOBAL banner, your site will be compliant with the rest of USA.




Brazil   (LGPD)


The LGPD establishes that any natural person or entity, regardless of their location, must comply with the law if they engage in data processing in Brazil, offer goods and services to individuals located in Brazil, or process personal data of individuals who were in Brazil at the time of data collection.

Since the LGPD applies to cookies, it is important to maintain cookie compliance to avoid penalties. As cookies can contain personally identifiable information, they are subject to the regulations of the LGPD.


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  • Include a Button to Reject Cookies: This must include a statement telling the user that they can deny the consent of data collection and a button that allows them to do so. It must be on the first level of the banner.
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.


Observations: Countries in this region need to use illow's GDPR / LGPD banner.


If you want to know more about LGPD regulation, consult our article "Brazil - LGPD (Lei Geral de Proteção de Dados)".





México   (LFPDPPP)


Data security in Mexico is primarily governed by the Federal Law for Safeguarding Personal Data in the Possession of Private Parties (Federal Law for Personal Data Protection in Private Hands), also known as the LFPDPPP, which was established in 2010. This legislation outlines the guidelines for private entities when it comes to gathering, handling, and disclosing individuals' personal data. 


  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 


Observations: With illow´s GLOBAL banner, your site will be ready to comply with this regulation.


If you want to know more about LFPDPPP regulation, consult our article "Mexico - LFPDPPP (Ley de Proteccion de Datos Personales en Posesion de los Particulares)".





Colombia


Although Colombia does not have a law strictly on Cookies, the information obtained can be considered as personal data and these must be regulated.


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 


Observations: With illow´s GLOBAL banner, your site will be ready to comply with this regulation.






Argentina   (APDP)


The Personal Data Protection Act of Argentina 2000 (Law No. 25,326) is applicable to any individual or entity within the country that handles personal data.

According to the law, data can only be collected with the informed consent of the individual. Furthermore, individuals have the right to access, rectify, and delete (or request the deletion of) their data.

Thus, if cookies can be used to identify an individual and can therefore be defined as personal data under the Personal Data Protection Act, consent may be required.


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 


Observations: With illow's GLOBAL banner, your site will be ready to comply with Argentina's PDP Act.


If you want to know more about Argentinian regulation, you can read our article "Argentina - LPDP (Ley de Protección de Datos Personales)". 





Australia   (APA)


Although specific regulatory guidance on cookie consent requirements is not available in Australia, the Privacy Law of 1988 outlines certain notification and consent obligations that organizations must adhere to when implementing cookie consent notices in accordance with the law.
According to the Australian Privacy Law, obtaining consent is necessary only when collecting sensitive personal information, such as health-related data, racial information, criminal records, or sexual orientation. Therefore, it seems that cookie banners are not obligatory in Australia.

While a cookie consent banner is not a specific requirement, you may still choose to include it on your website. At illow, we recommend having a cookie banner that effectively communicates and ensures transparency in line with the regulations. By doing so, you can maintain compliance and foster a user-friendly experience on your site.


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 

Observations: With illow´s GLOBAL banner, your site will be compliant with this regulation.


If you want to know more about Argentinian regulation, you can read our article "Australia - APA (Australia Privacy Act)" .





New Zealand


Currently, New Zealand does not have specific legislation on cookies. However, the Privacy Act of New Zealand 2020 encompasses the protection of personal data, including the use of cookies within the privacy realm. This law establishes fundamental principles for the proper handling of personal information and grants individuals rights over their data, such as the right to access, correct, and delete personal information collected through cookies.

Although there is not extensive information specifically addressing the use and management of cookies, it is recommended to display our GLOBAL cookie banner in New Zealand to ensure compliance with these regulations and provide enhanced protection for users.

This banner counts with:


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies.
  • Include a Button to Reject Cookies: Although it does not specifically clarify a button as in other cases, we must provide an opt-out option that “takes effect immediately and is consistent.”
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third Parties: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.
  • Include a Link to the Cookie Settings: This isn’t required under GDPR as long as users have the choice to reject all cookies. However, it does have the benefit of allowing users who would otherwise reject all cookies to permit some forms of data collection. 


Observations: With illow's GLOBAL banner your site will be ready to be compliant with New Zealand best practices.


If you want to know more about New Zealand regulations, you can consult our article "New Zealand - New Zealand Privacy Law 2020" 





Philippines


In the Philippines, specific regulations on cookies are established in the Data Privacy Act of 2012 (Republic Act No. 10173), also known as the Philippine Data Privacy Act. Although the law does not directly mention cookies, it addresses the protection of personal data in general and establishes principles and requirements for its processing and collection.

According to the Philippine Data Privacy Act, informed consent is a key element for the collection and use of personal data, including those collected through cookies. Data controllers must clearly and transparently inform users about the use of cookies and obtain their consent before collecting any personal information.

Furthermore, the law establishes that users have the right to access, correct, and update their personal data, as well as request its deletion when it is no longer necessary for the purposes for which it was collected.



Observations: With illow's GLOBAL banner, your site will be ready to comply with Philippines best practices.


If you want to know more about the Philippine DPA, you can read our article "Philippines - DPA (2012 Data Privacy Act)".





Japan   (APPI)


On April 1st, 2022, Japan implemented the Revised Act on the Protection of Personal Information (APPI), introducing significant changes to breach handling procedures, cross-border data transfers, and requirements for obtaining cookie consent, among other revisions. This article explores the specific cookie consent requirements outlined in the Revised APPI.

The Revised APPI strengthens the safeguarding of individuals' rights concerning the transfer of their personal data to third parties. Generally, organizations are obligated to obtain explicit consent from individuals before transferring any personal data to third parties. However, the law also allows for an opt-out consent approach, where consent may be implied if sufficient notice is provided to individuals, accompanied by the opportunity to object or opt out. The law does not explicitly clarify whether organizations should rely on opt-in consent or opt-out mechanisms when it comes to the use of cookies, particularly third-party cookies.


Observations: With illow's GLOBAL banner, your site will be ready to comply with Japan regulations.

Observations: With illow's GLOBAL banner, your site will be ready to comply with Japan regulations.

If you want to know more about the Japanese APPI, you can read our article "Japan - APPI (Act on the Protection of Personal Information)".





Turkey   (KVKK)


On April 7, 2016, Turkey enacted Law No. 6698, also known as the Personal Data Protection Law (Kişisel Verileri Koruma Kanunu or KVKK). This groundbreaking legislation serves as Turkey's first dedicated law specifically addressing the protection of personal data within the country. Prior to the implementation of the KVKK, data protection in Turkey was governed by various sectoral laws as well as provisions outlined in the Turkish Constitution and Penal Code.

The Draft Guidelines emphasize the need for explicit consent when using tracking cookies for social plug-ins and online behavioral advertising. However, under specific circumstances, first-party analytics cookies that don't collect personal data may be used without the data subject's explicit consent. These circumstances include utilizing first-party analytics cookies solely for generating anonymous statistics, refraining from cross-tracking user internet browsing, ensuring a reasonable cookie lifespan, and prohibiting the transmission of data collected via first-party analytics cookies to third parties.

Considering the above, we encourage the implementation of a banner that aligns with the following characteristics:


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies, this is known as Opt-in consent. 
  • Include a Button to Reject Cookies: Must include a statement telling the user that they can deny the consent of data collection and a button that allows them to do so.
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third-Party cookies: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.


Observations: With illow's GDPR banner, your site will be ready to comply with this regulation.


If you want to know more about KVKK regulation, you can read our article "Turkey - KVKK (Kişisel Verileri Koruma Kanunu)". 





Thailand   (PDPA)


The Personal Data Protection Act (PDPA) of Thailand has gone through a journey before finally came into full effect on June 1st, 2022. Initially passed in 2019, it experienced delays in 2020 and 2021, but now it's ready to safeguard personal information in the digital era.

Considered Thailand's pioneering legislation in data protection, the PDPA draws comparisons to the European General Data Protection Regulation (GDPR). It mandates that those who handle personal data, such as data controllers and processors, must obtain consent from the data owners and strictly utilize it for the stated purposes. Failure to comply could result in administrative fines of up to THB 5 million or criminal fines of up to THB 1 million.

In Thailand, personal data refers to "any information relating to a person that can directly or indirectly identify them". However, information about deceased individuals falls outside the scope of personal data.


  • Include a Button to Accept Cookies: The text in the cookie banner and the button must make it clear that by clicking the button the user agrees to the deployment of cookies, this is known as Opt-in consent. 
  • Include a Button to Reject Cookies: Must include a statement telling the user that they can deny the consent of data collection and a button that allows them to do so.
  • Provide Detailed Information About Cookie Use: The cookie banner should contain information about why the website uses cookies. For example, does it collect data for analytics, advertising, or social media purposes?
  • Alert the User if the Website Shares Data with Third-Party cookies: If the website shares the data collected through cookies with third parties the cookie banner should explain this.
  • Link to the Website’s Cookie Policy: Here the website will provide further information about the cookies in use on the site, including a list of all the cookies.


Observations: With illow's GDPR banner, your site will be ready to comply with Thailand regulations.


If you want to know more about Thailand PDPA regulation, you can read our article "Thailand - PDPA (Personal Data Protection Act)".





South Korea   (PIPA)


The Personal Information Protection Act (PIPA) of South Korea was enacted in September 2011, positioning it as one of the world's most stringent data privacy legislations.

South Korea's PIPA establishes precise and detailed requirements throughout the entire lifecycle of personal data management. These requirements encompass elements such as advance notification, opt-in consent, and substantial legal penalties, solidifying its reputation as a robust data protection law.

While the territorial scope is not explicitly defined within the law, it is worth noting that South Korea's approach to enforcing data privacy bears resemblances to the internationally acclaimed General Data Protection Regulation (GDPR) implemented by the European Union.


Observations: With illow's GDPR banner, your site will be ready to comply with South Korea regulations.


If you want to know more about PIPA regulation, you can read our article "South Korea - PIPA (Personal Information Protection Act)"

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select at least one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article