Isle of Man - Applied GDPR & Cookie Consent Rules | ConsentStack

Back to Regulations Guide

Key Facts

Effective Date

May 25, 2018

Enacted

January 1, 2018

Enforcing Authority

Isle of Man Information Commissioner

Consent Model

Opt-in

Applies To

Organizations processing personal data in Isle of Man

Overview

The Isle of Man took the unique approach of applying the GDPR directly into domestic law through the Applied GDPR Order 2018. Both EU and UK adequacy decisions are in force, and an independent Information Commissioner provides enforcement including ePrivacy-equivalent cookie provisions.

What This Means for Your Website

Full GDPR requirements apply for Isle of Man visitors — the regulation is directly applied
ePrivacy-equivalent cookie consent provisions are in force
GDPR-equivalent penalty tiers apply
Both EU and UK adequacy decisions facilitate data transfers

Key Requirements

The Isle of Man Information Commissioner enforces the directly applied GDPR with full GDPR-equivalent penalty tiers. The direct application means the Isle of Man's data protection framework mirrors the GDPR exactly, without the adaptation differences seen in some national implementations.

How ConsentStack Handles This

ConsentStack applies GDPR-compliant consent for Isle of Man visitors with the same standards as EU GDPR compliance.

Penalties

GDPR-equivalent tiers.

Revenue-based

4% of annual revenue

Key Requirements

GDPR applied directly into domestic law
Full data subject rights
Independent Information Commissioner

Notable Provisions

Direct GDPR application into domestic law
EU and UK adequacy decisions granted
ePrivacy-equivalent provisions

Other Europe Regulations

GDPREuropean Union + EEA

The GDPR sets the global standard for data protection, requiring explicit opt-in consent before processing personal data of EU/EEA residents. For websites, non-essential cookies must be blocked until visitors actively consent. Pre-ticked boxes and implied consent are invalid.

PECRUnited Kingdom

PECR is the UK's cookie-specific law, requiring consent before storing or accessing cookies. The DUAA 2025 significantly increased penalties from GBP 500,000 to GBP 17.5 million and introduced analytics exceptions on an opt-out basis. Only strictly necessary cookies are exempt.

ePrivacy DirectiveEuropean Union + EEA

Article 5(3) of the ePrivacy Directive is the primary EU legal basis requiring cookie consent. It mandates prior informed consent before storing or accessing any information on a user's device, with narrow exceptions only for transmission necessity and explicitly requested services.

Loi Informatique et LibertésFrance

France has the most actively enforced cookie regime in Europe. CNIL issued 259 corrective decisions in 2025, with cookie-specific fines totaling EUR 486.8 million including EUR 325M against Google. A Refuse all button or Continue without accepting must appear on the first layer.

UK GDPRUnited Kingdom

The UK GDPR is the retained EU GDPR post-Brexit, with consent standards identical to the EU version. The UK adequacy decision was renewed December 2025, valid until December 2031. Combined with PECR, it forms the legal framework for cookie consent in the UK.

Germany implements the ePrivacy Directive through Section 25 of TDDDG (renamed from TTDSG in May 2024). A Consent Management Ordinance (EinwV) became effective April 2025, establishing a voluntary framework for recognized consent management services. Cookie banners must not obscure website content.

Frequently Asked Questions

Does the Isle of Man follow GDPR?

Yes. The Isle of Man applied the GDPR directly into domestic law — one of the most direct GDPR implementations outside the EU.

Does the Isle of Man have EU adequacy?

Yes. Both EU and UK adequacy decisions are granted for the Isle of Man.

Does the Isle of Man have cookie-specific rules?

Yes. ePrivacy-equivalent provisions apply alongside the directly applied GDPR.

Stay compliant with Isle of Man Applied GDPR

ConsentStack helps you implement Opt-in consent for Isle of Man automatically.