Does EU Cookie Law Apply to US Websites?

Yes, the EU cookie law applies to US websites under certain conditions. If a US website has or targets EU-based users, it must comply with the GDPR, which includes the requirements of the EU cookie law. This means that if EU users can access the website or app, their data, including IP addresses, is considered personal data under the GDPR, and therefore the website must adhere to GDPR regulations.

When EU-based users access a US website that uses cookies, informed consent must be freely given by those users before any cookies are executed. This typically means having a cookie notice in place and blocking cookie scripts until consent is obtained. If a user refuses consent, the cookies should not be activated. All relevant information about the use of cookies must be disclosed to users through an up-to-date cookie policy.

However, if a US website does not conduct any business with EU residents and does not allow EU-based users to access the site, it may not need to comply with the EU cookie law. The ePrivacy Directive (ePD) (which compliments GDPR), which governs cookie usage, does not have extraterritorial scope and applies only to activities within the European Union.

That said, the GDPR has a broader reach. It can apply to any organisation, regardless of its location, if it offers goods or services to people in the EU or monitors their behaviour within the EU. Therefore, US websites that engage with EU residents and collect or process their personal data must comply with both the GDPR and the EU cookie law, ensuring they have the necessary consent mechanisms and privacy disclosures in place.