Ultimate Guide to Cookies, Consent, and Compliance

November 10, 2020

Cookies — Yes, it sounds palatable! But now we’re not referring to those sweet, savory chunks!

What we’re going to discuss here is HTTP cookies: the small pieces of text that a website stores on a user’s computer while they browse the site.

“We use cookies to ensure that we give you the best experience on our website”

It’s a safe bet to say that you might have come across these kinds of notification popups countless times while browsing the Internet!

Several sites worldwide show cookie consent notifications to users immediately upon their first visit. And, typically, the majority of the visitors would simply press ahead, accepting the use of cookies.

Why don’t most users give cookies the attention they deserve? Perhaps they are not fully aware of what cookies are and how they work. But once you get to know this, you’d see cookies as a matter of much greater importance.

This post is intended to help website owners get acquainted with cookies and bring their use in line with the relevant laws and regulations, including the GDPR, PECR, and the ePrivacy Directive.

HTTP Cookies — What Does it Exactly Mean?

The term ‘cookie’ has become increasingly prevalent in recent years. But many Internet users are still not aware of what cookies are and how websites use them.

Let’s discuss them in more detail here!

An HTTP cookie (also known as an Internet cookie, browser cookie, or web cookie) is a small piece of data that a website stores in a user’s browser while the user is browsing the web.

There are different types of cookies that serve different purposes, such as collecting users’ behavioral data to create targeted ads.

To put it more simply: you might have noticed several times that advertisements for items you were searching for on a shopping site just moments ago keep appearing on social media and other sites.

Have you ever wondered how these ads reach you? The cookies (the so-called small text files) stored in your browser are the reason. They track what you’ve searched for on the web, which allows advertisers to generate ads tailored to your specific needs and interests.

Furthermore, websites use cookies for various other purposes, like remembering your device information, website login, shopping cart, site preferences, location data, and so forth.

Types of Cookies

Cookies are generally classified based on their characteristic attributes such as their mode of origin, the time period they remain on a user’s browser, and what purposes they serve. The most common types of cookies are described in brief below.

Cookies Classified Based on the Source

  • First-party Cookies

    First-party cookies are placed on a user’s browser by a website or a domain the user visits directly.

    These kinds of cookies are set for purposes like collecting analytics data, remembering browsing options such as language or location settings, and carrying out other activities that improve the user’s browsing experience.

  • Third-party Cookies

    Third-party cookies are set by any party other than the website or domain that a user visits directly.

    A third party can be an advertiser that provides targeted ads, or a service that helps website operators add third-party elements (e.g. live chat, social-media buttons, a Google Maps element, etc.) to their site.

Cookies Classified Based on the Expiration Period

  • Session Cookies

    Session cookies (aka non-persistent cookies) are temporary cookies that expire as soon as the user closes the browser.

    Session cookies are typically used to recognize users’ online behavior and remember their actions during a browsing session. For example, these cookies keep a user’s selected items or shopping cart even after they move to a different page.

  • Persistent Cookies

    Persistent cookies work much like session cookies but differ in their expiration period. Unlike session cookies, persistent cookies remain in a user’s browser for a considerably longer time, which is why they are also known as permanent cookies.

    Persistent cookies usually come with an expiration period ranging from a single second to several years. Once these cookies reach their expiration date, they are deleted automatically from the user’s browser.

    Persistent cookies recognize returning users and remember their browser settings or preferences on subsequent visits. This is how these cookies help websites provide a better user experience.
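The two classifications above (first- vs third-party, session vs persistent) can be read directly off the `Set-Cookie` headers a page receives. The following is an added example, not code from the original post or from CookieYes, that parses constructed `Set-Cookie` headers and classifies each one: a cookie is persistent when it carries `Max-Age` or `Expires`, otherwise it is a session cookie; a cookie is third-party when the responding host does not share the page’s registrable domain. The host names and header values are constructed, and the same-site check is a simplified last-two-labels comparison rather than a Public Suffix List lookup.

```javascript
// Added example (not from the original post): classify Set-Cookie headers by
// source (first- vs third-party) and lifetime (session vs persistent).
// All host names and header values below are constructed for illustration.

// Parse one Set-Cookie header value into its name, value and attributes.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";");
  const eq = pair.indexOf("=");
  const name = pair.slice(0, eq).trim();
  const value = pair.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const [k, ...v] = trimmed.split("=");
    // Flag attributes such as Secure/HttpOnly have no value; store true.
    attrs[k.toLowerCase()] = v.length ? v.join("=").trim() : true;
  }
  return { name, value, attrs };
}

// Simplified same-site check: compare the last two DNS labels.
// Assumption: no multi-label public suffixes (e.g. co.uk) in the sample data;
// a real implementation would consult the Public Suffix List.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Classify a cookie set by `responseHost` while the user is on `pageHost`.
function classifyCookie(header, responseHost, pageHost, now = new Date()) {
  const cookie = parseSetCookie(header);
  const party =
    registrableDomain(responseHost) === registrableDomain(pageHost)
      ? "first-party"
      : "third-party";

  let lifetime = "session"; // no Max-Age/Expires: dies with the browser session
  if ("max-age" in cookie.attrs) {
    // Max-Age takes precedence over Expires; a non-positive value deletes the cookie.
    lifetime = Number(cookie.attrs["max-age"]) > 0 ? "persistent" : "expired";
  } else if ("expires" in cookie.attrs) {
    lifetime = new Date(cookie.attrs.expires) > now ? "persistent" : "expired";
  }
  return { name: cookie.name, party, lifetime, attrs: cookie.attrs };
}

// Constructed sample: three responses received while viewing www.example.com.
const PAGE_HOST = "www.example.com";
const SAMPLE_RESPONSES = [
  { host: "www.example.com",
    header: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "shop.example.com",
    header: "cart=item42; Max-Age=2592000; Path=/" },
  { host: "ads.tracker-example.net",
    header: "uid=xyz; Expires=Wed, 01 Jan 2099 00:00:00 GMT; Domain=.tracker-example.net; SameSite=None; Secure" },
];

function classifyAll(responses = SAMPLE_RESPONSES, pageHost = PAGE_HOST, now = new Date()) {
  return responses.map((r) => classifyCookie(r.header, r.host, pageHost, now));
}

// Run stand-alone: prints one classification per sample cookie.
for (const c of classifyAll()) {
  console.log(`${c.name}: ${c.party}, ${c.lifetime}`);
}
```

In the sample, `sessionid` is a first-party session cookie, `cart` (set by a sibling host of the same site) is a first-party persistent cookie, and `uid` is a third-party persistent cookie. Only the last one is the kind a consent banner must block by default; the lifetime and party of a cookie say nothing about its purpose, which is why the purpose-based categories in the next section still have to be assigned by the site operator.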

Cookies Classified Based on the Purpose

  • Strictly Necessary Cookies

    Strictly necessary cookies, as the name suggests, are essential for a website to provide its basic features (e.g. user registration, shopping carts, wish lists, e-payments, etc.) to users.

  • Performance Cookies

    Performance cookies (aka statistics cookies) allow websites to provide an enhanced user experience by remembering users. These cookies evaluate the performance of a website by collecting information on how visitors use it.

  • Functional Cookies

    Functional cookies (aka preference cookies) are cookies that ensure a website functions properly.

    Cookies that allow user registration, remember a username and password for automatic login, or store a user’s site preferences (e.g. their language preference) are examples of functional cookies.

  • Marketing Cookies

    Marketing cookies are used to track users’ online activities and behavior so as to serve them personalized advertisements. These cookies are usually persistent and are typically set in a user’s browser by third parties.

Use of Cookies — The Legal and Regulatory Requirements

Cookies are essential for the smooth operation of your website. But because cookies are created to identify users across the web, they can enable the collection of enormous amounts of data, including personally identifiable information about users.

This could be a user’s name, age, gender, residential address, email address, IP address, telephone number, financial or health information, etc.

As a website owner, you need to be aware that gathering or processing a user’s data without their explicit consent is unlawful. There are rules and regulations that govern your website’s use of cookies.

Now, let’s see what these laws are and how they regulate cookie usage on websites.

The Impact of Various Data Protection Laws on Cookies

The most prominent and comprehensive regulations include the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 (DPA 2018), the Privacy and Electronic Communications Regulations (PECR), the ePrivacy Directive (ePD), and the ePrivacy Regulation (ePR), which is expected to come into force in the near future.

Let’s get an overview of how these laws apply to a website’s use of cookies.

GDPR

Here’s what Recital 30 of the European Union’s General Data Protection Regulation states about online identifiers used for profiling and identification.

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

This means that all online identifiers, including cookies, that collect the personal data of individuals fall within the scope of the GDPR.

That is, a website or organization needs to be transparent about the types of cookies it uses and the purposes they serve.

In other words, websites are required to obtain explicit consent from their users before placing cookies or online trackers on their terminal devices.

DPA 2018

The UK Data Protection Act 2018, which updated the UK Data Protection Act 1998, is the UK’s implementation of the GDPR. The Act aims to protect the personal data of British residents.

Therefore, when it comes to cookie usage, the DPA requires websites to obtain prior consent from their visitors for the use of cookies.

PECR

Regulation 6 of the Privacy and Electronic Communications (EC Directive) Regulations 2003 states that:

A person shall not use an electronic communications network to store information, or to gain access to information stored, in the terminal equipment of a subscriber or user unless the requirements of paragraph (2) are met.

The requirements are that the subscriber or user of that terminal equipment —
(a) is provided with clear and comprehensive information about the purposes of the storage of, or access to, that information; and
(b) is given the opportunity to refuse the storage of or access to that information.

Although the PECR does not use the term ‘cookie’ anywhere in its text, Regulation 6 can be read as applying to cookies.

That is, under the PECR, a person (say, a website owner) must clearly notify users of the comprehensive details of the cookies used on their site. Furthermore, the PECR requires websites to obtain consent from users prior to the use of cookies.

ePrivacy Directive (ePD)

Regulation 66 of the ePrivacy Directive (aka the Cookie Law), which came into effect in 2002 and was amended in 2009, says the following about cookies:

“Third parties may wish to store information on the equipment of a user, or gain access to information already stored, for a number of purposes, ranging from the legitimate (such as certain types of cookies) to those involving unwarranted intrusion into the private sphere (such as spyware or viruses). It is therefore of paramount importance that users be provided with clear and comprehensive information when engaging in any activity which could result in such storage or gaining of access. The methods of providing information and offering the right to refuse should be as user-friendly as possible. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user. Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. The enforcement of these requirements should be made more effective by way of enhanced powers granted to the relevant national authorities.”

This indicates that the ePD requires websites to obtain consent from visitors before collecting their personal information. Moreover, this legislation lets users allow or refuse a website’s use of cookies.

ePrivacy Regulation (ePR)

The forthcoming ePrivacy Regulation will replace the ePrivacy Directive and complement the GDPR. But the rules on the use of cookies will remain more or less the same as what the ePD and the GDPR mandate now.

Failing to adhere to the above laws and regulations can put organizations at the risk of heavy penalties or fines. The violators of the GDPR can be fined up to €20 million or 4% of the annual global turnover – whichever is greater.

So, if your website uses cookies, make sure your site operates legally.

Achieving Legal Compliance for the Use of Cookies

As a website owner, ensuring regulatory compliance is essential both to drive growth in your business and to protect yourself from non-compliance penalties.

If your website uses cookies that could identify users, you’re required to obtain consent from them before collecting or processing their personal data. This way, you can ensure that your website is in compliance with the major laws that regulate the use of cookies.

But managing the cookie consents of a large number of users may not be as easy as it sounds. Therefore, the best thing you can do is implement a consent management solution that ensures no cookies or trackers are installed on your users’ terminals before receiving their explicit consent.

CookieYes is one such consent management solution. It lets you add a customizable cookie banner to your site so that your users can easily give consent or reject your site’s use of cookies. Also, it scans your website for cookies and automatically blocks all the non-essential cookies until obtaining your users’ consent.

How to Become Cookie Compliant?

CookieYes enables you to add a cookie banner to your website so that your visitors know that your site uses cookies and they will be able to easily make their privacy choices. Check out the CookieYes Setup Guide to get started with it.

Here are some factors that you need to focus on to become compliant and stay compliant with respect to your website’s use of cookies.

  • Provide information about the cookies that are being used on your website

    “PECR do not set out exactly what information you must provide or how to provide it – this is up to you. The only requirement is that it must be “clear and comprehensive” information about your purposes.”

    Source: ICO UK

    Nor does any other law, including the GDPR, set a standard for exactly what privacy information must be provided to your users.

    What really matters is that the information you provide must be clear, comprehensive, and easy to understand. Simply put, this information must help users make an informed decision about whether to give consent or not.

    As a good rule of thumb, you should provide information about the types of cookies you use, what kinds of personal data are collected from users, how long their data will be retained, and with whom the data will be shared.

    Along with this information, you could also include a link to your legal documents such as your privacy policy or cookie policy where the users can find details about your cookie usage in depth.

    And always ensure that you use cookies only for the purposes you have stated in your cookie consent banner.

    CookieYes lets you add information about your use of cookies on your cookie banner. Also, the solution gives you full freedom to edit or modify the information whenever required.

    CookieYes cookie banner information

  • Let users give consent by a clear, affirmative action

    It’s important that you always provide users with real choice and control over how you use their personal data. Put differently: consent must be freely given by an individual; otherwise, it cannot be considered valid on any legal grounds.

    To be clear, anything on your consent banner such as pre-ticked checkboxes for non-essential cookies could make your site’s use of cookies non-compliant with the relevant laws and regulations.

    Therefore, your cookie consent banner must be designed so that it records a user’s consent only through a clear, affirmative action, for example opt-in boxes or toggle buttons that let users turn cookie categories on or off selectively.

    CookieYes helps you implement a cookie banner of this kind, so that you receive freely given, informed, and unambiguous consent from your site visitors.

    CookieYes sets consent banners with all the non-essential categories of cookies toggled off by default. The banner layout shown below helps users seamlessly enable or disable non-essential cookies according to their preferences.

    Category preview on CookieYes cookie banner

  • Allow refusal or withdrawal of consent anytime

    Another important requirement of the cookie legislation is that you must always allow users to refuse (opt out of) your use of cookies. Also, you must give them the right to withdraw their consent at any time without asking for any justification.

    The following figure shows how CookieYes lets you add an explicit Reject button to your cookie consent banner. The solution also enables you to customize the labels and color choices of the button.

    CookieYes cookie banner with Reject button

    Enabling users to change their cookie settings or preferences is yet another major requirement. CookieYes allows you to include a customizable settings button on your consent banner as shown below.

    CookieYes Preferences button

    By clicking the Preferences button, users can view the cookie categories separately and change the cookie settings to what they want.

    CookieYes cookie consent preferences

    Now, when a user accepts or rejects your website’s use of cookies, the cookie banner is dismissed automatically.

    But if they change their mind later, you must allow them to alter their cookie preferences. Check out how CookieYes lets users bring back a dismissed cookie consent banner at the click of a button.

  • Keep a record of user consents

    Article 7(1) of the GDPR states that:

    “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”

    This means that, according to the GDPR, you are obliged to record and store consents that you obtain from your users.

    This is an essential requirement if, in the future, you need to prove to regulatory authorities that you have obtained consent from your users. Also, keeping a record of user consents is necessary to help users revoke their consent.

    Managing records of consent received from each and every user can be a highly tedious task. But with CookieYes, the cookie consent management process will be completely automated.

    CookieYes maintains a consent log, where all your users’ consent will be retained securely for an appropriate period of time.

    CookieYes consent log
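The three requirements above (consent only by affirmative action with non-essential categories off by default, refusal or withdrawal at any time, and a demonstrable record of each decision) reduce to a small piece of state logic. The following is an added example, not CookieYes code and not from the original post, that implements that logic without any DOM code so it can be run and tested on its own: tags that would set non-essential cookies are gated on the current consent state, every decision is appended to a log, and the consent state itself is written to a first-party cookie (which is itself strictly necessary). The category names, tag list, cookie name `cookie_consent` and timestamps are constructed assumptions.

```javascript
// Added example (not CookieYes code, not from the original post): the core
// state logic of a cookie consent manager. Names and timestamps are constructed.

const CATEGORIES = ["necessary", "performance", "functional", "marketing"];

class ConsentManager {
  // `now` is injectable so the consent log is reproducible in tests.
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.log = []; // append-only record of every consent decision
    this.state = this.defaultState();
  }

  // Only strictly necessary cookies are on before the user decides; nothing is pre-ticked.
  defaultState() {
    return { necessary: true, performance: false, functional: false, marketing: false, decided: false };
  }

  // Record a decision made through an explicit user action (button click, toggle).
  record(action, choices) {
    this.state = { ...this.defaultState(), ...choices, necessary: true, decided: true };
    this.log.push({ at: this.now(), action, choices: { ...this.state } });
    return this.state;
  }

  acceptAll() {
    return this.record("accept_all", { performance: true, functional: true, marketing: true });
  }

  // An explicit Reject button: everything non-essential stays off, but the decision is logged.
  rejectAll() {
    return this.record("reject_all", {});
  }

  // Per-category preferences; "necessary" cannot be switched off and unknown keys are ignored.
  savePreferences(choices) {
    const clean = {};
    for (const c of CATEGORIES) {
      if (c !== "necessary" && c in choices) clean[c] = Boolean(choices[c]);
    }
    return this.record("preferences", clean);
  }

  // Withdrawal returns to the default state (non-essential off) and is logged like any decision.
  withdraw() {
    return this.record("withdraw", {});
  }

  isAllowed(category) {
    return this.state[category] === true;
  }

  // Set-Cookie value for the first-party consent cookie; one year is an assumed retention period.
  consentCookieHeader(maxAgeSeconds = 365 * 24 * 60 * 60) {
    const value = encodeURIComponent(JSON.stringify(this.state));
    return `cookie_consent=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
  }
}

// Decide which tags (scripts that would set cookies) may load under the current state.
function gateTags(manager, tags) {
  const loaded = [];
  const blocked = [];
  for (const tag of tags) {
    (manager.isAllowed(tag.category) ? loaded : blocked).push(tag.id);
  }
  return { loaded, blocked };
}

// Constructed sample tags, one per purpose-based category.
const SAMPLE_TAGS = [
  { id: "session-handler", category: "necessary" },
  { id: "analytics", category: "performance" },
  { id: "language-pref", category: "functional" },
  { id: "ad-pixel", category: "marketing" },
];

// Walk through first visit, a preferences choice, and a later withdrawal.
function demo() {
  const cm = new ConsentManager(() => "2020-11-10T00:00:00Z");
  const beforeConsent = gateTags(cm, SAMPLE_TAGS); // only the necessary tag loads
  cm.savePreferences({ performance: true, marketing: false, bogus: true });
  const afterPrefs = gateTags(cm, SAMPLE_TAGS);
  cm.withdraw();
  const afterWithdraw = gateTags(cm, SAMPLE_TAGS);
  return { beforeConsent, afterPrefs, afterWithdraw, log: cm.log };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `defaultState()` is that the banner never has to "un-tick" anything: until a logged decision exists, `gateTags` loads only the strictly necessary tag. The log entries carry the action, the timestamp and the exact categories in force after it, which is the record Article 7(1) asks a controller to be able to produce.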

Final Recap

Cookies are small data files that a website stores on a user’s terminal for accomplishing a range of different purposes — such as uniquely identifying users, managing their browsing sessions, facilitating personalized user experiences, ad targeting, and much more. Cookies have actually become an indispensable component for the efficient operation of a site.

Not all cookies are used to track the browsing activities of users across the web. But the cookies used for analytics, advertising, marketing, and functional services are more likely to collect the personal data of users. This has given rise to increasing data privacy concerns among users.

In order to address this issue, many laws and regulations have been formulated, mainly focusing on residents of the member states of the EU (European Union) and the EEA (European Economic Area).

All the data privacy laws governing cookies require websites to get explicit consent from users prior to their use of cookies.

Implementing a cookie banner is the best and most effective way to get cookie consent. A good cookie consent solution like CookieYes enables you to add a cookie banner to your site and manage user consents seamlessly.

This way, you can easily make your site’s use of cookies compliant with the regulatory requirements. Adhering to these laws will not only help you stay away from hefty fines but also help build customer trust and loyalty naturally.
