Iubenda logo
Start generating


Table of Contents

Are cookies GDPR compliant?

Yes, cookies are “GDPR compliant” as long as they’re handled in a legal way. Cookies still technically fall under the ePrivacy directive (Cookie Law), however, you can think of the ePrivacy directive as working alongside or complementing the GDPR. Since both the ePrivacy and GDPR are currently active, let’s take a look at how each one affects the use of cookies.

ePrivacy requirements for cookies:

If your website can be visited by European users, and it installs any non-technical cookies, the ePrivacy directive (Cookie Law) requires you to:

  • provide a compliant cookie policy;
  • display a cookie banner at the user’s first visit;
  • block non-exempt cookies before obtaining user consent; and
  • release cookies only after informed consent has been provided.

Most importantly, you have to give visitors the opportunity to provide, withdraw or refuse consent. Prior to consent, no cookies — except for exempt cookies — can be installed. Under the ePrivacy, consent to cookies must be informed and explicit, and can be provided by a clear affirmative (opt-in) action.

GDPR requirements for cookies

Because the GDPR was meant to apply broadly to all personal data processed of EU persons, some EU Data protection Authorities are choosing to also apply GDPR rules to how cookies must be handled. These GDPR cookie rules have, so far, impacted :

  • whether or not consent via scrolling or continued browsing is allowed
  • whether or not consent must be granular
  • if legitimate interest can be applied to cookie consent
  • if cookie lifetimes must be listed and more.

Note: Because the ePrivacy is, in fact, a Directive, the specifics of how requirements should be met are heavily dependent on individual Member State law. Generally, Directives set certain agreed-upon goals and guidelines in place with member states being free to decide how to make these directives into national legislation. Regulations, on the other hand, are legally binding across all Member States from the moment they are put into effect and they are enforced according to union-wide established rules.

? To learn more about which EU cookie consent rules apply on a per-country basis, check out our Cookie Consent Cheatsheet here.

How iubenda can help you manage cookie consent

Our Privacy Controls and Cookie Solution allows you to manage all aspects of the Cookie Law, in particular:

  • easily inform users via cookie banner and a dedicated cookie policy page;
  • obtain and save cookie consent settings;
  • preventively block cookies prior to consent; and
  • keep track of consent and save consent settings for each user for up to 12 months from the last site visit.

About us


Attorney-level solutions to make your websites and apps compliant with the law across multiple countries and legislations.


See also