The EU law on the handling of personal data, the General Data Protection Regulation, is often referred to by its acronym, GDPR.
How does the GDPR affect your website’s use of cookies and online tracking? How do you comply? And how does it affect the cookie policy and your cookie consent on your website?
In this article, we give a comprehensive introduction to the GDPR and a hands-on guide as to what the rules mean for you and your website.
GDPR and cookies
The GDPR is an EU regulation that represents the most significant initiative on data protection in 20 years.
Its purpose is to protect “natural persons with regard to the processing of personal data and on the free movement of such data”, for example the user of a website.
Cookies are mentioned only once in the 88-page regulation. However, those few lines have a significant impact on the compliance of cookies:
(30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
In other words: when cookies can identify an individual, they are considered personal data.
What’s the deal with cookies anyway?
Cookies are small files that are automatically dropped on your computer as you browse the web. In and of themselves they are harmless bits of text that are locally stored and can easily be viewed and deleted.
But cookies can give a great deal of insight into your activity and preferences, and can be used to identify you without your explicit consent.
This represents a major breach from a legal point of view, and as data technologies grow more and more sophisticated, your privacy as a user is increasingly compromised.
Often, the cookies don’t even originate from the website you are visiting, but from third parties that track you for marketing purposes. All of which is going on “behind the scenes”.
While not all cookies are used in a way that could identify users, the majority (and the most useful ones to the website owners) are, and will therefore be subject to the GDPR.
Cookies for analytics, advertising and functional services, such as survey and chat tools, are all examples of cookies that can identify users.
The problem with cookies is both one of privacy - what is being registered? - and one of transparency - who is tracking you, for what purpose, where does the data go, and for how long does it stay?