There’s a lot of misinformation about how cookies relate to the GDPR, and about the responsibilities website owners have when it comes to consent. Does the GDPR apply to cookies? What are the GDPR cookie consent requirements?
In this article, we’ll clear up the confusion surrounding cookies and the GDPR and we’ll explore what’s required to obtain valid consent for cookies.
A cookie is a small file that’s sent from a website and stored on a user’s computer. Once installed, cookies can send information about the visitor’s activity back to the website and enable a more personalized user experience.
In the EU, cookies don’t fall directly under the GDPR. Instead, cookies are handled by the ePrivacy Directive (also known as the Cookie Law).
However, both laws now work together, complementing each other.
This article is a part of our series on cookies and cookie consent.
If your website can be visited by European users, and it installs non-technical cookies, the Cookie Law requires you to:
Most importantly, you have to give visitors the opportunity to provide, withdraw or refuse consent. Prior to consent, no cookies — except for exempt cookies — can be installed.
As we mentioned, the GDPR doesn’t directly apply to cookies, but some of its requirements may still extend to them.
For example, while the Cookie Law does not explicitly require that you keep records of consent for cookies, in most cases cookies do process personal data. That’s why you may need to keep records of consent.
Moreover, many Data Protection Authorities across the EU have also aligned their cookie and tracker rules to GDPR requirements.
The Cookie and Consent Preference Log is now available in our Privacy Controls and Cookie Solution. Simply integrate this feature with one click, and you can easily store and manage GDPR proofs of your users’ consent.
Our Privacy Controls and Cookie Solution allows you to manage all aspects of the Cookie Law. In particular, you can: