How does GDPR affect cookies?


Cookies – useful to track website visitor engagement, follow up with marketing, gather information about unique visitors, identify visitors, and to make a visitors user experience run smoothly. With the General Data Protection Regulation taking effect on 25 May 2018 companies will, however, have to rethink their cookie strategy.

According to the GDPR companies need to account and inform about what information they collect through cookies, ensure transparency in processing the data and inform about who tracks the data, where and for how long its kept, and for what purpose it’s accumulated.

What are cookies?

Are they a spying tools tracking your every move on the Internet, or tracking devices designed to make your life easier?

Let’s have a closer look. Cookies are simple text files that usually contain a site name and a unique user ID. They are small files of text that are dropped on your computer when you browse websites and can be easily be viewed and deleted on your computer.

And what do the files do?

Well, the first time you visit a website, a cookie is downloaded to your computer, and the next time you visit the same site your computer checks whether you have a cookie with that site name, and the cookie sends the information it has back to the site. It sounds harmless, right?

In a way, yes. This means the site will know you’ve been there before and can tailor what it shows based on the previous information it has about you. Let’s say you are on a weather forecast site and want to see the weather in your town. If the website knows you live in Toronto from information it gathered last time, it can show the weather there right away and save you the time spent clicking your way toward Toronto. Smart!

Cookies can also keep what you added to your shopping cart an hour ago and didn’t have time to purchase. When you return to the site to return the purchase, your item is waiting in the shopping cart. Again, smart!

However, cookies do not only give a great deal of insight into your activities and preferences for companies, but they can also be used to identify you without your explicit consent and allow third parties to track your behaviour for marketing purposes – often without you knowing.


Cookies gathering information about you doesn’t always originate from the website you are visiting. Instead, they can originate from third parties, such as another website you previously visited. Third-party cookies are usually meant for data mining and tracking your activity across different sites for marketing purposes.

In many occasion, cookies can gather enough information to identify you as an individual, track your behaviour on the Internet and build up a profile about you.

Not all cookies can identify users, but most cookies used for analytics and advertising can. Cookies can include ‘pseudonymous identifiers’ which is a string of numbers or letters, used to provide uniqueness. Such cookies can identify an individual, which means that under the GDPR the data gathered is considered to be ‘personal data’ and therefore cookies become subject to the GDPR.

GDPR and cookies

It’s important to distinguish that when cookies can identify an individual, the data collected about the individual is considered to be personal data in the GDPR legislation. If your website uses cookies to process personal data or data that can be combined with other data, or singled out to identify an individual, your website must comply with the GDPR requirements.

Cookies and concent

Gaining valid consent is one of the crucial changes that GDPR is making to the collection and processing of personal data.

You must get explicit consent

Consent to accept cookies must be given through affirmative, positive action. This means visitors need to give consent by clicking in an opt-in box, which may not be pre-clicked.

You must inform visitors about cookies

It must be made clear to the visitor why, how and where the personal data is used. It must also be clear to the user what the consent is given to. In other words, to be compliant, the user must receive an accurate picture of how cookies are being used: in plain language, explain what the data will be used for, where it will be stored, and for how long.

Clicking ‘ok’ is no longer enough

Most of us have seen popups saying ‘by using this site, you accept cookies’ or ‘on this site we use cookies, by using it, you accept.’ Under the GDPR this is not a valid consent anymore. 

Visitors must be able to withdraw consent

At any time of the day, users should be able to remove their consent as easily as they gave it. They should therefore easily be able to find the opt-in box and uncheck the cookie consent.

You must get prior consent

The consent must be given before the processing of the initial data. Meaning you can’t start collecting and processing data only because a visitor uses your website. The user must give its consent to allow that.

You must get consent based on true choice

The user must have access to the website and its functions, even though all but the necessary cookies have been rejected. Meaning, websites access should not be limited if a visitor chooses only to click cookies necessary for the website to function.

The right to be forgotten

The user has the right to be forgotten; where all of his or her personal data from cookies are deleted on his request.

All consent must be renewed

Every 12 months, upon the user’s first visit to the site, the visitor must renew his consent. 

You must document all consent

All consent you receive needs to be documented and kept safely.

To summarise, stay transparent, cut the nonsense, and record your consent!

Dot and cookies

On, there is a GDPR function that can be activated with one click. For cookies, this means you can set up multiple cookie consents for monitoring and collecting data for analytical or marketing purposes. If the GDPR function is enabled and cookie consent form setup, this means that no information within each category will be collected about visitors until they give their consent.

You can choose for the cookie consent to be a header or a footer, that will easily appear again from the bottom or top of the page if clients chose to change their consent.

If your site supports multiple languages, you can also pick multiple language support to create a consent in multiple languages.

On the consent form, there’s the option to add a link to a page for more information about your cookies.

Documenting and storing on happens automatically, every consent is attached to the user profile, making it easy to find, access, view, and delete if someone sends in a data erasure request.

This was the fourth part of series on the GDPR, stay tuned on the blog for more. For more information about GDPR and, have a look at our special GDPR page.

Disclaimer: This website does not include legal advice for your company to use in complying with EU data privacy laws like General Data Protection Regulation. Instead, it provides information to help you better understand what can be done on the platform to comply with the law. This information isn’t legal advice and we encourage you to seek a professional lawyer’s opinion when referring to this. To be clear, this information is in no way a recommendation or any expression of legal understanding. This page does neither enlist all the regulation within the GDPR, and it’s important that you make sure your company meets all the legal requirements of the GPDR.

Leave a Reply

Your email address will not be published. Required fields are marked *