Are cookies ruled by the GDPR? How do you have to manage cookie consent in order to be compliant? Let’s clear up some doubts and misconceptions in this post.
When you think about data law and privacy legislation, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy Directive) has been repealed by the GDPR, which in fact it has not. Instead, you can think of the ePrivacy Directive as currently “complementing” the GDPR, rather than being repealed by it.
The Cookie Law does not explicitly require that records of consent be kept, only proof. However, many Data Protection Authorities across the EU have aligned their cookie rules to GDPR requirements. This means that, depending on the country relevant to you, you may be required to maintain records of cookie consent as required under the GDPR.
A cookie banner, also called a GDPR cookie notice, informs users that your site runs cookies and gives them the option to access more details and either grant or reject consent.
It has to be shown on the user’s first visit, and you have to keep track of and save consent settings for each user for up to 12 months from the last site visit.
The consequences for non-compliance can include fines up to €20 million or 4% of the annual worldwide turnover (whichever is greater).
Not all GDPR infringements lead to fines: sanctions may include official reprimands, periodic data protection audits (which can result in being barred from using data associated with the violation — including entire email lists) and liability damages.