Cookies are one of the mainstays of the modern web. They help websites remember you, and they can also be used to track your activity. However, how do you know if your website is subject to the GDPR cookie requirements? What if your use of cookies is a potential violation of GDPR? How do you ensure compliance in such a case?
CookieYes makes GDPR compliance for cookies easy and effortless.
Our cookie consent manager can help your website to:
- Display a law-complying cookie banner
- Scan website to identify and categorize cookies
- Block third-party cookies before consent
- Allow website users to customize cookie preferences any time
- Log cookie consent
- Generate policy pages
and much more!
Let’s find out all about how GDPR affects cookies.
Before that, here is a quick rundown of the EU GDPR:
Under the GDPR, “personal data” is defined as:
“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
You may be wondering how this relates to website cookies.
Recital 30 states that “an online identifier” includes cookie identifiers that have personal information which can link to a user.
Therefore, cookies can be considered personal data under GDPR.
What does GDPR say about cookies?
Under GDPR, cookies are considered personal data due to the nature of their processing. Websites that provide services or goods to users from the EU that use cookies must comply with the following requirements:
- the cookie is necessary for the provision of a service that users have requested (we will get back to this later), or
- the user has given explicit consent to use cookies
One of the significant changes brought by GDPR and ePrivacy Directive is the way in which consent for cookies is gained from users. Many big techs have already been accused and fined for violating cookie regulations. In January 2022, France’s CNIL fined (not for the first time) Google (150 million euros) and Facebook (60 million euros) for using dark patterns in their cookie notifications.
A valid GDPR cookie consent has the same conditions as consent for using any other personal data, such as:
- Informed: Informing users about cookies and their purpose in an easy-to-understand language
- Freely given: Not compelling users to give consent with terms and conditions; it must happen in their free will
- Specific: Providing users with a specific consent option for each cookie category (e.g., advertising or analytics)
- Unambiguous: Users must express their consent via an explicit method such as clicking a button or checking a box
- Withdrawable: Withdrawing consent must be as easy as giving it
- Demonstratable: You must document it for proof of consent
Does GDPR apply to all cookies?
The GDPR regulates the use of cookies, but it only applies to cookies that collect personal data and provide services that are otherwise not requested or expected by the users.
For example, Google Analytics uses cookies to monitor user behavior in order to record analytics—this is a service provided by Google. Analytics is not something users request or expect when they visit a site, so these cookies require user consent because they collect identifiable information for analytics purposes.
If a cookie provides a service that’s required by law or provides only basic functionality with no tracking or analytics involved then it doesn’t need consent.
ePrivacy Directive and GDPR could work in conjunction for data protection in the EU. To determine the type of cookies that are allowable under GDPR without consent, we could take a few rules from the Directive. These include:
- The cookie is solely used for data transmission over an electronic communication network and not for data processing
- the cookie is used for services explicitly requested by the user and without these cookies, the website will break.
Such cookies are known as strictly necessary cookies. These cookies do not require consent and will not be subject to GDPR.
Here are some examples of strictly necessary cookies by ICO, the UK supervising authority for UK-GDPR, which is the UK’s version of EU GDPR:
Cookies that are used to identify a person must have the user’s explicit consent. E.g. cookies used for analytics or advertising purposes, or functional cookies that enable chats, emails, etc.
How to comply with GDPR for cookies? (do’s and don’ts)
For GDPR cookie compliance, it is important to inform your users about the cookies you use and ask for their permission. You can do so by using a cookie banner, which will have the cookie text that conveys the necessary details about the cookies to users so that they can accept or reject cookies.
Here are the do’s and don’ts for complying with GDPR:
Do’s:
- Disclose cookies and their purpose
- Ask for consent to use cookies
- Allow users to deny consent to use cookies
- Let users decide what type of cookies the site must store on their device
- Allow users to easily withdraw consent any time as it was to give it
- Keep a record of registered user consent for proof of compliance
- Provide detailed explanations about cookies in the privacy or cookie policy, and make it easily accessible.
- Add easily accessible privacy or cookie policy for further information
Don’ts:
- Use deceptive or dark patterns to coerce users to give cookie consent.
- Use a cookie wall that blocks complete access to the website.
- Provide pre-ticked checkboxes for consent
- Store cookies before the users give their consent
- Store cookies if users scroll through the page or close the consent banner without taking any action
Check out some of the best GDPR cookie consent examples.
GDPR cookie consent made easy, and free!
Hassle-free cookie banner setup and cookie consent management for GDPR compliance.
Free GDPR Cookie ConsentFree 14-day trialCancel anytime
Frequently asked questions
What is GDPR?
GDPR stands for General Data Protection Regulation. It is a set of laws that protect the privacy of individuals residing within the EU and EEA member states. GDPR applies to companies that collect and process personal data of EU and EEA residents to offer them services and goods. The law requires them to have a legal basis for processing personal data and to be transparent about what they do with that data. One of the six lawful bases for processing data in GDPR is to get explicit consent in order to collect and use your data.
What are cookies?
Cookies are pieces of data that a website you visit stores in your browser. They are typically used to improve the browsing experience and help the website operate and provide services.
Some cookies collect the personal information of users who visit the site and use them for their designated purpose. This personal information, sometimes, may be private or sensitive. And the websites use this for remarketing or retargeting the user across other websites as well.
Are cookies covered by GDPR?
Yes, cookies are covered by GDPR if they collect information about users that could be used to identify them. Because cookies can be used to record information about individual users, they are subject to certain aspects of GDPR. For example, cookie consent is required for tracking any personal data such as IP addresses or search history.
Are cookies mandatory?
Not always. Cookies are necessary depending on your website’s services and functionality. There are some cookies without which the website may break or malfunction. E.g. cookies that remember users’ UI preferences. Without them, the website may not function smoothly. Another example is load balancing session cookies which are mandatory if you want to distribute the processing of the web servers over different machines.
Cookies that are not technically necessary to keep a website running are not mandatory. However, if you want to make use of the functionalities they offer, you can use them in compliance with the privacy laws.
Can cookies identify you personally?
Some cookies store and share information like IP address, device information, browser history, and login credentials. This information can identify the person if linked with other information.
Whta is GDPR cookie consent?
GDPR cookie consent is obtained by giving your users the ability to give you permission to store data on their computer in the form of cookies.
To obtain GDPR cookie consent, you must:
- Provide a clear notice about the cookies being used and an easy way to accept and refuse them.
- Prominently disclose what data is collected by the cookies.
- Inform users that they can withdraw their consent at any time.
Is a cookie policy required?
A cookie policy is required if your website uses cookies that collect personally identifiable information and use them to track you. You need to disclose the details to your users, such as their type, source (third parties), duration, purpose, and how to manage them. You can also add this information to the privacy policy.
