What does GDPR say about cookies?

Are cookies ruled by the GDPR? How do you have to manage cookie consent in order to be compliant? Let’s clear up some doubts and misconceptions in this post.

Does GDPR affect cookies?

When you think about data law and privacy legislations, cookies easily come to mind as they’re directly related to both. This often leads to the common misconception that the Cookie Law (ePrivacy Directive) has been repealed by the GDPR, which in fact, it has not. Instead, you can think of the ePrivacy Directive as currently “complementing” the GDPR in a sense, rather than being repealed by it.

The Cookie Law does not explicitly require that records of consent be kept, only proof. However, many Data Protection Authorities across the EU have aligned their cookie rules to GDPR requirements. This means that, depending on the country relevant to you, you may be required to maintain records of cookie consent as required under the GDPR.

How often should a GDPR/ePR compliant cookie banner appear?

A cookie banner, also called a GDPR cookie notice, informs users that your site runs cookies and gives them the option to access more details and either grant or reject consent.

It has to be shown on the user’s first visit, and you have to keep track of and save consent settings for each user for up to 12 months from the last site visit.

An accurate cookie banner, a cookie policy and blocking cookies before consent are all requirements under the ePrivacy Directive (Cookie Law) and the GDPR.

How do I add a banner for cookies to my website?

Our Privacy Controls and Cookie Solution lets you generate a GDPR cookie notice, link to a cookie policy (as legally required), block cookies until consent is collected and asynchronously run scripts once consent is collected.
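The two mechanisms named above, blocking cookie-setting scripts until consent exists and running them asynchronously afterwards, can be sketched in plain JavaScript. The following is an added illustration, not iubenda's code and not its API: it assumes consent is saved per category (for example "analytics" and "marketing"), that a saved consent record expires 12 months after it was stored (matching the retention period stated earlier on this page), and that each script which would set cookies is registered as a callback that runs only once consent for its category is present. The `now` and `schedule` parameters are hypothetical hooks so the behaviour can be checked without a browser.

```javascript
// Added example (not iubenda's code): a minimal consent-gated script runner.
// Scripts that would set cookies are deferred until the user has granted
// consent for their category; once consent is saved they run asynchronously.

const TWELVE_MONTHS_MS = 365 * 24 * 60 * 60 * 1000; // assumed 12-month validity

function createConsentManager({
  now = () => Date.now(),                 // injectable clock (hypothetical hook)
  schedule = (fn) => setTimeout(fn, 0),   // async runner; tests may pass fn => fn()
} = {}) {
  let record = null;   // { categories: { analytics: true, ... }, savedAt: ms }
  const pending = [];  // deferred scripts: { category, run }

  // True only if a non-expired consent record grants this category.
  function hasConsent(category) {
    if (!record) return false;
    if (now() - record.savedAt > TWELVE_MONTHS_MS) {
      record = null;   // expired: the banner must be shown again
      return false;
    }
    return record.categories[category] === true;
  }

  // Run every deferred script whose category is now consented to.
  function flush() {
    for (let i = pending.length - 1; i >= 0; i--) {
      if (hasConsent(pending[i].category)) {
        const { run } = pending.splice(i, 1)[0];
        schedule(run);   // never blocks the page or the banner itself
      }
    }
  }

  return {
    // Called by the banner when the user accepts or rejects categories.
    // Rejected categories stay blocked; nothing runs for them.
    save(categories) {
      record = { categories: { ...categories }, savedAt: now() };
      flush();
    },
    // Register a cookie-setting script; it runs only after consent exists.
    deferUntilConsent(category, run) {
      pending.push({ category, run });
      flush();
    },
    hasConsent,
    pendingCount: () => pending.length,
    // The stored record is what you would persist as proof of consent.
    record: () => (record ? { ...record, categories: { ...record.categories } } : null),
  };
}

module.exports = { createConsentManager, TWELVE_MONTHS_MS };
```

In a real site the `run` callbacks would be the tag-loading code for analytics or advertising libraries, and `record()` would be written to storage together with a timestamp so that, on a later visit, `hasConsent` can decide whether the banner must be shown again.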

What are the penalties and fines for GDPR non-compliance?

The consequences for non-compliance can include fines up to €20 million or 4% of the annual worldwide turnover (whichever is greater).

Not all GDPR infringements lead to fines: sanctions may include official reprimands, periodic data protection audits (which can result in being barred from using data associated with the violation — including entire email lists) and liability damages.
