Yes, cookies are “GDPR compliant” as long as they’re handled in a legal way. Cookies still technically fall under the ePrivacy directive (Cookie Law); however, you can think of the ePrivacy directive as working alongside or complementing the GDPR. Since both the ePrivacy directive and the GDPR are currently active, let’s take a look at how each one affects the use of cookies.
If your website can be visited by European users, and it installs any non-technical cookies, the ePrivacy directive (Cookie Law) requires you to:
Most importantly, you have to give visitors the opportunity to provide, withdraw or refuse consent. Prior to consent, no cookies — except for exempt cookies — can be installed. Under the ePrivacy, consent to cookies must be informed and explicit, and can be provided by a clear affirmative (opt-in) action.
Because the GDPR was meant to apply broadly to all processing of personal data of EU persons, some EU Data Protection Authorities are choosing to also apply GDPR rules to how cookies must be handled. These GDPR cookie rules have, so far, impacted:
Note: Because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law. Generally, Directives set certain agreed-upon goals and guidelines in place with member states being free to decide how to make these directives into national legislation. Regulations, on the other hand, are legally binding across all Member States from the moment they are put into effect and they are enforced according to union-wide established rules.
To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.
Our Privacy Controls and Cookie Solution allows you to manage all aspects of the Cookie Law, in particular: