Territorial scope
Now comes the tricky part. Do the laws governing the use of cookies apply to all visitors, regardless of their geographical location? Can you gather consent only from visitors residing in the EU? If you or your organization are not located in Europe, the answer is clear – neither GDPR nor the ePrivacy Directive governs entities outside the EU, provided that their site visitors also reside outside of the EU. However, residents of the EU are protected by GDPR regardless of the location of the entity.
As for EU sites, there appears to be a discrepancy between the requirements of GDPR and ePrivacy:
- European websites must always comply with GDPR, but only in regard to cookies that are related to an identified or identifiable natural person.
- The ePrivacy Directive applies to all cookies, but only for end users and terminal equipment of end users located in the EU.
It looks like it is not necessary to gather consent for cookies that are not related to an identified or identifiable natural person or their terminal equipment located outside of the EU. In practice, though, the only way to profit from this loophole is to create one’s own mechanism for tracking users’ behavior, as all third-party tracking cookies absolutely do fall under GDPR.