On July 10, 2023, an adequacy decision between the EU and the US, named the "EU-US Data Privacy Framework", was agreed. As part of the ruling, the "Standard Contractual Clauses (SCC)", under which data has been transferred between the EU and companies in the US, are no longer needed if you transfer data to a certified company located in the US.
You can find a list of certified companies here.
Because of this, Cookiebot reporting has been changed to reflect that sending data to the US is compliant, as certified companies in the US are now considered to have adequate personal data protection mechanisms in place. If a US company is not certified, you still need to have standard contractual clauses in place for the transfer of data to non-certified US companies.
You can find the list of adequate countries here.
For example, Google/YouTube products are based in the US and it is solely their decision whether the data will be sent to the US or somewhere else. Cookiebot does not have any control over where the data is sent. Cookiebot just indicates in the scan report whether the data is being sent to an adequate or non-adequate country. The European Commission decides which countries outside the EU are deemed adequate.
What should I do if I want to stop sending data to non-adequate countries or non-certified US companies?
If you want to stop the cookies/trackers from sending your website visitors' data to non-adequate countries or non-certified US companies, you should remove the elements that set those particular cookies from your website. In the scan report, you will find information about what type of cookie it is, where it was first found, and in what line of the source code it can be found (when applicable).
Please keep an eye out for any comments or recommendations from your local DPA as this may provide information applicable to your situation.
What should I do if I want to continue sending data to non-adequate countries or non-certified US companies?
If you do decide to keep using these cookies, you can make sure your users are informed about this. You must make sure to enable ‘explicit consent’ and inform your users about the potential risks (see GDPR Article 49(1)(a)) by adjusting the text in the cookie consent banner to include this information. See "How can I customize the content in the cookie consent banner?".