
How Should US Websites Manage Cookies for UK and EU Customers

By Emily Jenkins, February 13, 2026
EU law can be challenging to implement for companies within Europe, let alone for companies that are not primarily based in the EU or UK. Cookie management is a whirlwind of directives, regulations and legislation, with differences between the EU and UK due to Brexit and the UK's subsequent divergence from the GDPR.

US companies seeking to expand into the EU and UK markets must consider the location of their customers, the websites or pages they have access to, and the laws they are required to comply with. This blog offers a handy checklist to reference when considering cookie management.  

When Are US Websites Subject to Cookie Laws?

The laws which regulate the use of cookies are the Privacy and Electronic Communications Regulations (PECR) in the UK and the ePrivacy Directive (EPD) in the EU. These laws are enforceable under the GDPR because the act of collecting certain cookies constitutes the processing of personal data under the GDPR.

US companies looking to market to the EU or the UK and use cookies on their websites will need to consider the territorial scope of the GDPR and the UK GDPR. Both set out when their rules apply to the processing of personal data, and both have extra-territorial scope. They apply to:

  1. a controller or processor established in the UK or the EU, regardless of where the processing activities are carried out. "Established" has been interpreted to mean any real and effective activity carried out within the Union (or the UK) through stable arrangements, taking into account the particular nature of the economic activities the company undertakes and the services it offers.
  2. processing of personal data by a controller or processor who is not established in the UK or EU, where the data subjects are based in the Union (or the UK) and the processing activities relate to the offering of goods or services or the monitoring of behaviour, as far as that behaviour takes place in the Union (or the UK).

These scenarios mean that US companies offering goods and services to individuals in the UK and EU, or that monitor individuals' activities within that area, are subject to GDPR rules and regulations.

What Laws Can Impact the US?

Both PECR and the EPD require consent for the setting and reading of cookies. Under both, consent needs to be freely given, specific, informed, and unambiguous. In addition to the requirements under cookie law, US companies may also need to consider the requirements for processing personal data, since cookies are one way that personal data is collected.

Cookies can be regarded as personal data, as the definition includes IP addresses, device IDs, and browser activity where the data relates to an identified or identifiable natural person. The majority of applicable UK law is the same as that of the EU, insofar as Article 3 remains unchanged and the definitions of personal data remain the same. The GDPR contains the same requirements for consent to be valid, but additionally specifies how the request must be presented: in plain and intelligible language, informing the data subject that their consent can be withdrawn at any time.

The EPD requires consent for the collection of cookies, but also states that users must have the opportunity to reject cookies, and that the methods of giving or withdrawing consent should be as user-friendly as possible. That said, access to specific parts of a website may be withheld when cookies are rejected, provided there is a legitimate purpose for doing so.

However, the Data Use and Access Act (DUAA) introduces some exceptions, which have been gradually coming into force since it received royal assent on June 19, 2025. DUAA provides a list of cookie purposes that can be considered strictly necessary and therefore no longer require consent, and it also removes the consent requirement for some non-essential cookies. The non-essential cookies that will no longer require consent include those used to collect statistical data to improve services, to enhance the website's appearance and performance, and to provide emergency assistance.

Checklist of Requirements to Consider:

  • A separate cookie consent banner in clear and plain language.
  • Comprehensively detailing why cookies are collected and how they are used, and the ability to withdraw consent at any time.
  • A record of consent given and how it was provided. 
  • A record of the processing activities and who has access to the data collected via cookies.
  • Processing the personal data collected via cookies in line with GDPR requirements.
  • Appointment of a representative in the UK or EU, depending on which Article 3 processing activity your company falls under.

Why Compliance Should be a Necessity, Not Just a Goal

The importance of compliance with cookie-related law should not be understated: of the 18 fines the ICO imposed in 2024, 15 were PECR-related. Supervisory authorities can impose fines of up to 4% of total worldwide annual turnover or €20 million, and this applies in both the EU and the UK.

In 2025, 23andMe fell under the extra-territorial scope of the GDPR and was fined £2.31 million by the ICO. Google was fined €325 million by the CNIL (the French data protection regulator). DUAA further changes the UK's data protection law by increasing the potential fines under PECR to align with the penalties under the GDPR.

Compliance with UK and EU data protection regulations not only allows US companies to enter their markets with confidence, knowing that the potential fine of €20 million is unlikely, but it also enhances their reputation and protects their customers.
