An online store, a publisher, a SaaS app, and a healthcare site all need cookie consent, but none of them face the same rules. Healthcare adds HIPAA. Publishers add the IAB Transparency and Consent Framework. E-commerce adds a payment-security standard that has nothing to do with cookies at all.
The base law is the same everywhere. The extra law, the tracker mix, and the penalty ceiling shift by sector. That gap decides how strict a site's consent setup has to be.
What Is Cookie Compliance (and Why It Differs by Industry)?
Cookie compliance is using cookies lawfully with valid visitor consent under the GDPR, the ePrivacy Directive, the CCPA, and any other applicable privacy law. It applies to any site that sets a non-essential cookie or tracker for a visitor covered by one of those laws.
That definition holds for every site. What changes by sector is which additional law layers on top. A hospital website faces HIPAA on top of GDPR and CCPA. A programmatic publisher faces the IAB Transparency and Consent Framework. An e-commerce store faces the CCPA's Do Not Sell requirement. It also faces PCI DSS, a completely separate payment-security standard with nothing to do with cookies. "Applicable law" is the part that shifts by industry, and it decides how strict a site's consent setup has to be.
Why Cookie Compliance Risk Varies by Industry
Cookie compliance risk varies by industry because compliance tracks the type of data collected more than the industry label itself. Each sector combines its own extra laws, its own tracker mix, and its own data sensitivity. Together, those three set a different real-world penalty if consent fails.
Three drivers explain the gap:
- Sector-specific law layering: the United States has no single comprehensive federal privacy law. Federal, sector-specific statutes such as HIPAA for healthcare and GLBA for financial services stack under a growing set of state comprehensive privacy laws.
- A different tracker mix per industry: a publisher runs programmatic ad cookies that pass consent signals to dozens of ad-tech vendors. A SaaS company runs product analytics inside an authenticated app where most cookies are essential. A healthcare site runs a pixel that can silently forward a visitor's medical page views to an ad platform.
- Data sensitivity setting the penalty ceiling: a blog's analytics cookie firing early is a compliance gap. A hospital's pixel forwarding protected health information (PHI) to a marketing vendor is a HIPAA violation. That carries the potential for a lawsuit, not just a fine.
Cookie Compliance by Industry, at a Glance
Six industries face six different combinations of trackers, risk, and governing rules, summarized below before the sector-by-section breakdown.
| Industry | Typical trackers | Key compliance risk | Governing rule(s) | Priority control |
|---|---|---|---|---|
| E-commerce | Checkout/session cookies, GA4, ad pixels | Ad and analytics cookies firing before consent; missed opt-out or GPC signal | GDPR, CCPA/CPRA, PCI DSS v4.x (payment pages) | Block ad and analytics scripts before consent |
| Publishers and media | Programmatic ad cookies, GA4, social pixels | Passing invalid consent signals to ad vendors; low opt-in rates | GDPR, ePrivacy Directive, IAB TCF v2.3 | Pass a valid TCF consent string to every ad partner |
| SaaS | GA4, product analytics, session and marketing cookies | Consent on the marketing site vs. the authenticated app; global visitor base | GDPR, CCPA, regional laws | Region-based banner plus a stored consent log |
| Healthcare | Meta Pixel, GA4, chat and appointment widgets | PHI reaching ad vendors; lawsuit exposure | HIPAA (HHS), CIPA, MHMDA, CCPA | Block trackers on sensitive pages, not just a banner |
| Web agencies | Mixed, per client site | Standardizing consent and proof across many client industries at once | Whatever each client's sector requires | One dashboard with per-site configuration |
| Blogs and content sites | GA4, ad-network cookies, embeds | Analytics or ad cookies firing before consent, even on a small site | GDPR, ePrivacy Directive, CCPA | Consent banner plus blocking analytics and ad cookies |
E-commerce and Online Stores
Online stores run three cookie types at once: checkout cookies, analytics, and ad retargeting, each with a different compliance job. Checkout and session cookies stay essential and load regardless of consent. Analytics and advertising cookies need consent under the GDPR. They also need an opt-out path under the CCPA before they fire.
Retargeting is where the CCPA and CPRA bite hardest. Ad pixels that build cross-context behavioral profiles count as a "sale or sharing" of personal information. A California store must therefore honor Universal Opt-Out signals, including the Global Privacy Control (GPC), which a browser sends automatically to opt the visitor out.
A frequent conflation trips up store owners: PCI DSS. PCI DSS protects payment card data for any entity that stores, processes, or transmits it. It is a payment-security standard, not a cookie consent law. A store can be fully PCI DSS compliant on its payment processing and still run analytics cookies before a visitor consents. That is a separate, unrelated violation.
The one overlap is worth naming precisely. PCI DSS v4.x Requirement 6.4.3 makes merchants inventory, justify, and integrity-check every script and third-party cookie on a payment page. Its purpose is blocking e-skimming, not consent, so the two programs still run separately.
Five controls get e-commerce cookie compliance right.
- Load only strictly necessary checkout and session cookies before consent.
- Block Google Analytics 4 and retargeting pixels until the visitor accepts.
- Publish a working "Do Not Sell or Share My Personal Information" link and honor GPC signals for CCPA-covered stores.
- Inventory and vet third-party scripts on payment pages under PCI DSS v4.x.
- Keep the PCI DSS payment-security program and the cookie consent program as two separate compliance tracks.
I have watched Google Analytics and retargeting pixels fire the instant a checkout page loads, well before any consent banner shows. That single misconfiguration is the most common e-commerce cookie violation. It happens even on stores that otherwise take payment security seriously.
Publishers and Media Sites
Publishers monetize through programmatic advertising. Their defining cookie compliance requirement is passing a valid consent signal to every ad vendor in the chain. That happens through the IAB Transparency and Consent Framework (TCF), a layer most other industries never need.
TCF v2.3 launched in April 2025. Publishers, ad-tech vendors, and consent management platforms face a February 28, 2026 deadline to implement it. Three roles interact under the framework. The publisher collects consent, the CMP encodes it into a standardized consent string, and each ad vendor reads that string before processing data.
Beyond TCF, the underlying legal trigger for a publisher's consent banner is often misunderstood. The cookie consent requirement comes from the ePrivacy Directive, not the GDPR directly. The GDPR barely mentions cookies; the ePrivacy Directive is the instrument that actually requires the banner. Google Consent Mode v2 works alongside TCF for publishers who also run Google Ads or Analytics, passing consent state to Google's systems specifically.
Opt-in rates matter commercially here in a way they rarely do elsewhere. A publisher's ad revenue is directly tied to the share of visitors who consent to advertising cookies. That makes banner design a revenue lever, not just a legal checkbox.
SaaS Companies
SaaS companies run two distinct cookie surfaces. One is a public marketing site that needs full cookie consent. The other is an authenticated app where most cookies are strictly necessary for the session itself. The defining compliance challenge is getting the consent model right for a global signup base, while keeping a usable consent log for enterprise security reviews.
The marketing site needs a GDPR-compliant opt-in banner for EU visitors. It also needs a CCPA-compliant opt-out path for US visitors, often shown to the same global audience through region-based consent. The authenticated app mostly avoids this problem: session cookies, authentication tokens, and security cookies are strictly necessary and do not require consent.
I have seen SaaS teams get tripped up trying to block Google Analytics and marketing cookies anywhere on the domain, including inside the logged-in app. The actual requirement only applies to the pre-login marketing pages and any non-essential analytics running inside the product itself.
Enterprise buyers now routinely ask for a consent log during security review. It proves the vendor documents consent choices the same way it documents any other data-handling control. A SaaS-specific implementation walkthrough covers the region-correct setup end to end.
Healthcare and Health-Adjacent Sites
Healthcare sites face the strictest cookie compliance bar of any industry. Common trackers like Meta Pixel and Google Analytics can forward protected health information (PHI) to ad vendors, and HIPAA prohibits exactly that.
The HHS Office for Civil Rights states the rule directly in its guidance on online tracking technologies.
Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.
A June 2024 federal court order narrowed that guidance for tracking on unauthenticated public pages tied to an IP address. Tracking on authenticated patient portals and telehealth logins is unaffected. Those pages generally do have access to PHI, so HIPAA obligations there stand.
The core problem is contractual, not just technical. HHS treats a tracking vendor that receives PHI as a business associate, so the provider must sign a Business Associate Agreement (BAA) with it. Google and Meta will not sign a BAA for their ad pixels, which is why those trackers cannot run where PHI is processed.
A consent banner alone does not solve this. The trackers themselves have to be blocked on sensitive pages before they can fire. A banner a visitor may or may not read is not enough on its own.
Why a banner is not enough:
- A banner discloses that tracking happens. It does not stop a pixel from firing before a visitor interacts with it.
- Meta Pixel and GA4 can capture page-level context, such as a visit to a specific condition or provider page. That context becomes PHI once tied to an identifiable visitor.
- Healthcare tracking-pixel litigation is active, not historical. A 2025 legal alert on the Teladoc case describes a federal court finding that tracking-technology use created an independent criminal purpose, defeating a consent-based defense.
I have seen healthcare marketing teams assume a cookie banner covers them here. The real fix is blocking the pixel on any page tied to a condition, provider, or appointment, before a visitor consents. State laws add further layers. CIPA exposes sites to wiretapping-style claims for capturing visitor communications. Washington's My Health My Data Act (MHMDA) creates its own consent duties for health data specifically. A dedicated healthcare compliance guide covers pixel blocking and page-level controls in full.
Web Agencies Managing Client Sites
Web agencies inherit every client's industry rules simultaneously. A healthcare client, an e-commerce client, and a SaaS client on the same roster each carry a different compliance bar. The agency's real problem is operational, not legal. It comes down to consistent consent, consistent tracker blocking, and provable consent logs across every client site, without the cost per site spiraling.
Agency developers describe the core difficulty in plain terms.
The tricky part is usually google analytics and facebook pixel, those love to fire before you can stop them.
That is the same blocking problem healthcare and e-commerce sites face, just repeated across an entire client portfolio at once.
Per-site cost scaling is the other recurring agency pain. Managing consent across ten or more client domains gets expensive fast when a tool prices strictly per domain. Agencies have described watching one large client site push every smaller site on the same account into a higher pricing bracket, for no operational reason. A step-by-step agency compliance guide walks through standardizing consent across a full client roster.
Blogs and Content Sites
Even a small blog running Google Analytics or an ad network needs cookie consent. The ePrivacy Directive triggers that requirement for any non-essential cookie, regardless of site size or traffic volume.
Site owners commonly assume a personal blog is too small to matter. The law does not carve out an exception for size. Any non-essential cookie, including a single analytics tag, needs consent under the ePrivacy Directive and the GDPR for EU visitors. It needs an opt-out path under the CCPA for California visitors.
The priority control for a blog is simple. It is a consent banner, plus actually blocking analytics and ad cookies until the visitor consents. Simply displaying a notice while the tracker keeps running does not count. Embeds and iframes (a YouTube video, a social post) frequently carry their own third-party cookies that the site owner never directly configured. Those need the same blocking treatment. A cookie consent for blogs and content sites guide covers the lightest-weight setup in full.
How Consently Adapts Consent to Your Industry
Consently puts every feature on every plan. Region-based consent, tracker blocking, IAB TCF, and Google Consent Mode all work the same way. That holds whether the site is a hospital, a store, or a blog.
Because Consently does not gate features by tier or by industry, a single account can serve the exact controls each sector above needs. Region-based consent templates switch automatically between a GDPR opt-in model for EU visitors and a CCPA opt-out model for US visitors. Automatic cookie, script, and iframe blocking stops trackers before consent, the priority control healthcare and e-commerce sites both need.
For publishers and other ad-tech-dependent sites, Consently supports IAB TCF v2.3 and Google Consent Mode v2, so consent signals reach ad and analytics vendors correctly. Agencies spanning multiple industries manage every client site from one multi-site dashboard. That covers five to ten domains on a single account instead of paying a separate bill per client. See who Consently is for across agencies, stores, publishers, and more.
Try Consently free to set up region-correct, industry-ready consent without hiring a lawyer or a developer.
FAQs
Does the US require cookie consent?
There is no single US federal cookie law. Requirements come from state laws like the CCPA and CPRA, and sector laws like HIPAA for healthcare. The EU's GDPR and ePrivacy Directive add separate requirements whenever a site has EU visitors.
Which industries have the strictest cookie rules?
Healthcare faces the strictest bar, since HIPAA treats a tracker sending protected health information to an ad vendor as a violation. Ad-funded publishers face the next-strictest bar, through the IAB Transparency and Consent Framework.
Is HIPAA a cookie law?
No. HIPAA governs protected health information, not cookies specifically. It applies to cookies and trackers only when they send health data to a vendor. Meta Pixel and Google Analytics can both do exactly that on a healthcare site.
Does PCI DSS cover cookies?
No. PCI DSS protects payment card data, not cookie consent. Its v4.x script rules do govern third-party scripts on payment pages, but that is payment security. An e-commerce site still runs PCI DSS and cookie consent as two separate programs.
Do e-commerce sites have to honor the Global Privacy Control?
Yes, in California. The CCPA and CPRA require sites to treat a Global Privacy Control (GPC) signal as a valid opt-out of a sale or sharing. See Do Not Sell or Share My Personal Information for how to wire this up.
What is the average cookie consent rate?
Global cookie acceptance rates run around 31%, with the US figure close to 32%. Actual rates vary widely by region, industry, and banner design, so treat this as a rough benchmark, not a target.
Do small blogs really need cookie compliance?
Yes, if the blog runs analytics or advertising cookies. The ePrivacy Directive requires consent for any non-essential cookie regardless of site size. A small blog with Google Analytics installed has the same underlying consent obligation as a large publisher.

