There are two main reasons websites are popping up cookie disclosures - the CCPA and GDPR - two sets of privacy laws that may (or may not) apply to your website.

CCPA: California Consumer Privacy Act

The CCPA, effective since January 1, 2020, aims to grant Californian residents greater control over their personal information. It mandates that businesses operating in California disclose their data collection practices and provide users with the ability to opt out of the sale of their data. This regulation has influenced the way websites handle cookies.

The CCPA applies to for-profit businesses that do business in California and meet any of the following:

• Have a gross annual revenue of over $25 million;
• Buy, sell, or share the personal information of 100,000 or more California residents, households, or devices; or
• Derive 50% or more of their annual revenue from selling California residents’ personal information.

GDPR: General Data Protection Regulation

The GDPR, enforced since May 25, 2018, is a comprehensive data protection regulation that applies to European Union (EU) citizens. It emphasizes transparency, consent, and user rights regarding their personal data. Websites targeting EU users must obtain clear and affirmative consent before collecting personal data, which includes the use of cookies.

According to the European Commission, GDPR applies to:

• a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
• a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

But I'm not in California or Europe

At the very heart of this ambiguity is the fluid nature of the web.  Just because you don't operate in Europe or California, your website may still attract visitors from these locations.  You may actually sell products or provide meaningful business information to users there. 

The European Commission provides some additional guidance on when GDPR does not apply:

Your company is [a] service provider based outside the EU. It provides services to customers outside the EU.  Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR. 

Nonetheless, organizations seem to be erring on the side of caution and implementing cookie pop-ups.  Given the number of organizations that have already implemented them, a decision not to may become more conspicuous and may leave the impression that the organization doesn't care about visitor privacy.