How does GDPR affect cookies?


Cookies are useful for tracking website visitor engagement, following up with marketing, and making the visitor's user experience run smoothly. However, since the General Data Protection Regulation (GDPR) took effect on 25 May 2018, companies have to rethink their cookie strategy.

According to GDPR, companies need to account for and inform visitors about what information they collect through cookies. It is your responsibility to ensure transparency in processing data and to inform visitors about who tracks the data. On top of that, you need to be aware of where the data is located, how long you have been keeping it, and for what purpose it was collected.

What are cookies?

Are they spying tools tracking your every move on the Internet, or tracking devices designed to make your life easier?

Let’s have a closer look. Cookies are simple text files that usually contain a site name and a unique user ID. They are small files of text that are dropped on your computer when you browse websites and can easily be viewed and deleted on your computer.

And what do the files do?

Well, the first time you visit a website, you download a cookie to your computer, and the next time you visit the same site your computer checks whether you have a cookie with that site name, and the cookie sends the information it has back to the site. It sounds harmless, right?

In a way, yes. This means the site will know you’ve been there before and can tailor what it shows based on the previous information it has about you.

What’s more, cookies can also keep what you added to your shopping cart for a certain amount of time, enabling you to return and finish your purchase.

However, cookies can sometimes identify you without your explicit consent and allow third parties to track your behavior for marketing purposes and often without you knowing.


Cookies gathering information about you don’t always originate from the website you are visiting. Instead, they can originate from third parties, such as another website you previously visited. Third-party cookies are usually meant for data mining and tracking your activity across different sites for marketing purposes.

Often, cookies can gather enough information to identify you as an individual. Consequently, they can track your behavior on the Internet, and build up a profile about you.

Not all cookies can identify users, but most cookies used for analytics and advertising can. Cookies can also include ‘pseudonymous identifiers’: strings of numbers or letters that provide uniqueness. As a result, such cookies can identify an individual, which means that under GDPR, the data that you gather is strictly ‘personal data’. Cookies therefore become subject to the GDPR.

GDPR and cookies

It’s important to understand that when your cookies can identify an individual, the data that you collect through your website is personal data under the GDPR. For instance, if your website uses cookies to process personal data, or data that can be combined with other data, your website must comply with the GDPR requirements.

Cookies and consent

Gaining valid consent is one of the crucial changes that GDPR is making to the collection and processing of personal data.

You must get explicit consent

Consent to accept cookies must be given through an affirmative, positive action. This means visitors need to approve it by ticking an opt-in box, which must not be pre-ticked.

You must inform visitors about cookies

You must be clear to the visitor about why, how, and where you use their personal data. It must also be clear to the user what the consent is given for. In other words, you need to be compliant. The user must receive an accurate picture of how you will use the cookies. Simply explain, in plain language, what you will use the data for, where you will store it, and for how long.

Clicking ‘ok’ is not enough

Most of us have seen popups saying ‘by using this site, you accept cookies’. Under GDPR this is no longer valid consent.

Visitors must be able to withdraw consent

At any time of the day, users should be able to withdraw their consent as simply as they gave it. They should therefore be able to find the opt-in box and uncheck the cookie consent.

You must get prior consent

You must receive consent before the initial processing of data. This means you can’t start collecting and processing data only because a visitor uses your website. The user must give their consent to allow that.

You must get consent based on honest choice

You must give access to the website and its functions even when only the necessary cookies have been accepted. In other words, a website’s access should not be limited if a visitor chooses only to accept the cookies that are necessary for the website to function.

User’s right to ask for data deletion

The user has the right to request the deletion of all his or her personal data from cookies.

You must renew all consent

Every 12 months, upon the user’s first visit to the site, the visitor must renew the consent. 

You must document all consent

You need to document and keep safe every consent you receive.
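
One way a site could enforce the consent rules listed above in code, as an added example that is not from the original post or from any particular consent product. The category names (`analytics`, `marketing`), the record fields and the function names are assumptions.

```javascript
// Added example: consent gate for the rules listed above.
// Category names, record fields and function names are assumptions.
const RENEW_AFTER_MS = 365 * 24 * 60 * 60 * 1000; // "every 12 months"

// No pre-ticked boxes: a new visitor starts with every optional category off.
function defaultChoices() {
  return { analytics: false, marketing: false };
}

// Document every consent: each decision is appended, never overwritten.
// Only a literal `true` counts as an affirmative, positive action.
function recordConsent(log, visitorId, choices, now) {
  const entry = {
    visitorId,
    choices: {
      analytics: choices.analytics === true,
      marketing: choices.marketing === true,
    },
    givenAt: now,
  };
  log.push(entry);
  return entry;
}

// Withdrawal is as simple as giving consent: one call, recorded like any other.
function withdrawConsent(log, visitorId, now) {
  return recordConsent(log, visitorId, defaultChoices(), now);
}

// Latest decision for a visitor, or null if there is none or it is due for renewal.
function currentConsent(log, visitorId, now) {
  const entries = log.filter((e) => e.visitorId === visitorId);
  const latest = entries[entries.length - 1];
  if (!latest || now - latest.givenAt >= RENEW_AFTER_MS) return null;
  return latest;
}

// Prior consent: optional cookies are blocked until a valid opt-in exists.
// Necessary cookies are always allowed, so the site works without opting in.
function maySetCookie(log, visitorId, category, now) {
  if (category === "necessary") return true;
  const consent = currentConsent(log, visitorId, now);
  return consent !== null && consent.choices[category] === true;
}
```

Every script that writes an analytics or marketing cookie would call `maySetCookie` first, and the append-only log doubles as the consent record.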

To summarise, stay transparent, cut the nonsense, and record your consent!

and GDPR

On, there is a GDPR function that can be activated with one click. For cookies, this means you can set up multiple cookie consents for monitoring and collecting data for analytical or marketing purposes. If you enable the GDPR function and cookie consent form setup, it means that you agree to not collect any information within each category about visitors until they give their consent.

You can choose for the cookie consent to be a header or a footer that will appear again from the bottom or top of the page if your clients decide to change their consent.

If your site supports multiple languages, you can also select several languages to create a consent in different languages.

On the consent form, you have an option to add a link to a page for more information about your cookies.

When it comes to documenting and storing on everything happens automatically. Every consent is attached to a user profile. Therefore, it is easy to find, access, and view, or delete if someone asks to erase his/her data.

This was the fourth part of the series on the GDPR, stay tuned on the blog for more. For more information about GDPR and, have a look at our special GDPR page.


This website does not include legal advice for your company to use in complying with EU data privacy laws like the General Data Protection Regulation. Instead, it provides information to help you better understand what can be done on the platform to comply with the law. Consequently, this information isn’t legal advice and we encourage you to seek a professional lawyer’s opinion when referring to this. To be clear, this information is in no way a recommendation or any expression of legal understanding. Nor does this page list all the regulations within the GDPR. In a nutshell, it’s important that you make sure your company meets all the legal requirements of the GDPR.