gdpr cookies

How Does GDPR Affect Cookies?

Last updated on October 12, 2021|Published on October 11, 2021

So you’ve been hearing about GDPR and its effect on website cookies and wondering if they apply to your site. Well, the short answer is: it depends. In this blog post, we will go over what GDPR means for cookies usage and the role they play in the regulation, and clarify whether or not they apply to your website. 

What is GDPR?

The European Union’s GDPR (General Data Protection Regulation) is a data privacy law that came into effect on May 25, 2018. Its objective is to protect the privacy of individuals residing within the EU and EEA member states. It applies to companies that collect and process personal data of EU and EEA residents to offer them services and goods. The law requires them to have a legal basis for processing personal data and to be transparent about what they do with that data. One of the six lawful bases for processing data in GDPR is to get explicit consent in order to collect and use your data.

Here is a quick rundown of the EU GDPR:

gdpr in a nutshell

The GDPR has seen a lot of debate in recent months. As the EU’s data protection legislation, GDPR is designed to guarantee an individual’s right to privacy. Many small and big organizations have fallen victim to GDPR’s scrutiny and have had to pay huge fines. There are still many who haven’t conformed to the rules and are likely to be under the radar of the data protection authorities. Many big organizations have challenged the GDPR rulings, but only time will tell if they can overpower it.

What are cookies?

The first thing that people think about when they hear the word “cookies” is food. But here, cookies are pieces of data that a website you visit stores in your browser. They are typically used to improve the browsing experience and help the website operate and provide services. 

This is how cookies usually work:

At first, this might seem harmless but imagine all the pieces of information, like your location or age or hobbies, stored along with it. Some cookies collect the personal information of users who visit the site and use them for their designated purpose. This personal information, sometimes, maybe private or sensitive. And the websites use this for remarketing or retargeting the user across other websites as well. This is why the “are cookies are bad?” wave of negative press gained traction. 

To know in detail about different types of cookies and how they work, read this article.

Article 4(1) of the GDPR defines personal data that fall under the scope of the regulation as:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

You might be thinking what has this got to do with website cookies. 

As per Recital 30, “an online identifier” includes cookie identifiers that have personal information which can link to a user. Therefore, using cookies will subject your website to GDPR compliance.

What does GDPR say about cookies?

As we have already seen, the GDPR does not explicitly mention the use of cookies, except once. Since GDPR covers cookies, you should handle them with care. If you want your website to comply with GDPR, you need to review your cookie usage policy and let users know about what kind of cookies are tracking their activity.

Under GDPR, cookies are subject to the same rigorous data protection as other personal data. As a result, the website can use cookies if it meets at least one of the following three conditions: 

  • The user has given explicit consent to use cookies or
  • The cookie is necessary for the provision of a service that users have requested (we will get back to this later)

GDPR cookie consent is likely the most discussed topic when it comes to a website’s GDPR compliance. A valid cookie consent has the same conditions as consent for using any other personal data, such as:

  • Inform your users about cookies and their purpose and their choice to opt out in an easy-to-understand language
  • Do not compel users to give consent with terms and conditions.; it must happen in their free will
  • Provide users with a specific consent option for each cookie category
  • Users must express their consent via an unambiguous method such as clicking a button
  • Withdrawing consent must be as easy as giving it
  • Demonstrate proof of consent by documenting the consent received

What cookies are allowed under GDPR?

Now that you know that GDPR regulates the use of cookies, it is important to note that not all cookies are subject to data protection. The GDPR only applies to cookies that collect personal data and provide services that are otherwise not requested or expected by the users. E.g. Google Analytics uses cookies to monitor the user behavior to record the analytics. These cookies require user consent because they collect and use identifiable information for analytics, and it is not what the users request or expect when they visit the site. Analytics is just a third-party service.

Since the ePrivacy Directive and GDPR could work in conjunction for data protection, we could take a few rules from the Directive to determine the type of cookies that are allowed under GDPR without consent:

  • The cookie is solely used for data transmission over an electronic communication network and not for data processing
  • the cookie is used for services explicitly requested by the user and without these cookies, the website will break.

Such cookies are known as strictly necessary cookies. 

Here are some examples by ICO (the UK supervising authority) of cookies that qualify as strictly necessary:

Image source: ico.org.uk

Cookies that can be used to identify a person require explicit consent. E.g. cookies used for analytics, advertising, social tracking, functional services like chats, emails, etc.

Read more about what cookies are exempted from consent here.

GDPR cookies checklist (do’s and don’ts)

For GDPR cookie compliance, the first step is to inform users about them and ask for their permission. You might have seen a lot of websites that use cookie banners or popups for the same. The cookie banner has text that conveys the necessary details about the cookies to users so that they can accept or reject cookies. 

Here is a checklist (do’s and don’ts) for achieving GDPR cookie compliance:

  • Disclose about cookies and their purpose
  • Ask for consent to use cookies
  • Allow users to deny consent to use cookies
  • Do not use cookie walls; use an equivalent alternative that will not block complete access to the website.
  • Let users decide what type of cookies the site must store on their device
  • Avoid pre-ticked checkboxes for consent
  • Do not store cookies until the users give their consent
  • Do not store cookies if users scroll through the page or close the consent banner without taking any action
  • Allow users to easily withdraw consent any time as it was to give it
  • Keep a record of registered user consent for proof of compliance
  • Provide detailed explanations about cookies in the privacy or cookie policy, and make it easily accessible.

Check out some of the best GDPR cookie consent examples

CookieYes for GDPR cookie compliance

CookieYes is a consent manager application for cookies to comply with GDPR and CCPA. It helps your website to collect and manage cookie consent and is perfect for any type of website, no matter what services it offers. With CookieYes, you can:

  • add a GDPR compliant cookie consent banner;
  • customize the banner per your website’s requirements;
  • scan website for cookies and auto-categorize them based on their properties;
  • auto-block all identified third-party cookies prior to consent;
  • add third-party scripts that set such cookies to block them;
  • give granular cookie consent control to users;
  • geo-target the banner for EU users only;
  • auto-translate the banner to 30+ languages; 
  • keep a record of user consent; and
  • generate privacy and cookie policy pages for free.

It seamlessly integrates with all major CMSes such as WordPress, Wix, Squarespace, Shopify, Drupal, Joomla, and Blogger for GDPR cookie compliance. You can use CookieYes for a custom-coded website as well. 

Other than packed with features, CookieYes is easy to implement on your website. It takes less than two minutes to start managing cookie consent on your website with CookieYes.

Take it for a test run for 14 days and see if it meets your expectations (we don’t ask for your credit card details; you can upgrade at any time).

Frequently asked questions

Not always. Cookies are necessary depending on your website’s services and functionality. There are some cookies without which the website may break or malfunction. E.g. cookies that remember users’ UI preferences. Without them, the website may not function smoothly. Another example is load balancing session cookies that are mandatory if you want to distribute the processing of the web servers over different machines. 

Cookies that are not technically necessary to keep a website running are not mandatory. However, if you want to make use of the functionalities they offer, you can use them in compliance with the privacy laws.

Some cookies store and share information like IP address, device information,  browser history, and login credentials. This information can identify the person if linked with other information.

Do you need consent for cookies?

Cookie laws require websites to get user consent before storing any cookies on their device. However, some cookies that are necessary for a website to function properly, do not need consent. Your website must get consent for cookies that are not necessary for a website to function and collects personal data of users to track them. E.g. cookies used for advertisements and analytics require consent.

A cookie policy is required if your website uses cookies that collect personally identifiable information and use them to track you. You need to disclose the details to your users, such as their type, source (third parties), duration, purpose, and how to manage them. You can also add this information to the privacy policy.       

Start a 14-day free trial

Trials start with all our features enabled. Cancel anytime. No credit card required.