What does GDPR say about cookies?

When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy Directive) has been repealed by the GDPR, which in fact, it has not. Instead, you can think of the ePrivacy Directive as currently “complementing” the GDPR in a sense, rather than being repealed by it.

The Cookie Law does not explicitly require that records of consent be kept, only proof. However, many Data Protection Authorities across the EU have aligned their cookie rules to GDPR requirements. This means that, depending on the country relevant to you, you may be required to maintain records of cookie consent as required under the GDPR.

A cookie banner, also called a GDPR cookie notice, informs users that your site runs cookies and gives them the option to access more details and either grant or reject consent.

It has to be shown on the user’s first visit, and you have to keep track of and save consent settings for each user for up to 12 months from the last site visit.

Having an accurate cookie banner, cookie policy and blocking cookies before consent are all requirements under the ePrivacy (Cookie Law) and GDPR.

Our Privacy Controls and Cookie Solution lets you generate a GDPR cookie notice, link to a cookie policy (as legally required), block cookies until consent is collected and asynchronously run scripts once consent is collected.

The consequences for non-compliance can include fines up to €20 million or 4% of the annual worldwide turnover (whichever is greater).

Not all GDPR infringements lead to fines: sanctions may include official reprimands, periodic data protection audits (which can result in being barred from using data associated with the violation — including entire email lists) and liability damages.