Cookies are small pieces of data (name-value pairs) that a website sends to a visitor's browser, which stores them and sends them back with later requests to that site.
Cookies let websites recognize returning users and remember their preferences and settings. For example, a website may use a cookie holding a session identifier to remember that you are logged in (the cookie should never contain your password itself). Cookies can also let advertisers track people's activity across sites so that they can target them with personalized ads.
Because a cookie identifier can be used, on its own or combined with other data, to single out an individual, GDPR treats cookie identifiers as online identifiers that may constitute personal data (Recital 30), and such cookies are therefore subject to the regulation.
GDPR Cookie Consent
In the 88-page legal text of the GDPR, cookies are mentioned only once, in Recital 30.
Supplementing GDPR is the ePrivacy Directive (EPD), often called the "cookie law." Last amended in 2009, it is the instrument that actually requires consent before storing or accessing information on a user's device. A proposed Regulation on Privacy and Electronic Communications (the ePrivacy Regulation), which contains specific provisions on cookies, was put forward to replace it.
Complying with the regulations governing cookies under both GDPR and the EPD requires organizations to:
- Obtain users' consent before setting any cookies other than strictly necessary ones
- Clearly explain what data each cookie collects and why
- Document and store users' consent decisions (what was agreed, when, and under which version of the notice)
- Allow users to access your service even if they decline certain cookies
- Make it as easy for users to withdraw their consent as it was to give it
To meet these requirements and inform visitors how your organization collects and uses their data, you can create a cookie consent notice.
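As an added illustration (not code from this page or from any regulator), the following JavaScript sketches how the requirements above translate into client-side logic: the consent decision is itself stored in a strictly necessary cookie together with a timestamp and notice version, non-essential cookies are refused until their category has been opted into, and withdrawing consent deletes the cookies that no longer have a basis. The category names, the `gdpr_consent` cookie name, the policy version string and the in-memory store standing in for `document.cookie` are assumptions made for the example.

```javascript
// Consent-gated cookie handling. Added example, not from the page; category
// names, the consent cookie name and the notice version are assumptions.
const CATEGORIES = Object.freeze({
  necessary: "necessary",     // strictly necessary: exempt from consent
  analytics: "analytics",     // consent required
  advertising: "advertising", // consent required
});
const CONSENT_COOKIE = "gdpr_consent"; // assumed name; storing the decision is itself strictly necessary
const POLICY_VERSION = "2024-01";      // assumed version of the cookie notice the user saw

// Minimal in-memory stand-in for document.cookie so the module runs in Node.
// In a browser, replace this with an adapter that reads/writes document.cookie.
class MemoryCookieStore {
  constructor() { this.jar = new Map(); }
  set(name, value, attrs = {}) { this.jar.set(name, { value, attrs }); }
  get(name) { const c = this.jar.get(name); return c ? c.value : null; }
  delete(name) { this.jar.delete(name); }
  names() { return [...this.jar.keys()]; }
}

class ConsentManager {
  // `now` is injectable so the timestamp in the consent record is testable.
  constructor(store, now = () => new Date()) {
    this.store = store;
    this.now = now;
    this.owned = new Map(); // cookie name -> category, used for cleanup on withdrawal
  }
  // Returns the stored decision, or null if the user has not decided yet.
  // A missing record is "no consent": silence or continued browsing never counts.
  getConsent() {
    const raw = this.store.get(CONSENT_COOKIE);
    if (!raw) return null;
    try { return JSON.parse(raw); } catch { return null; }
  }
  // Persist an explicit decision with when it was made and which notice it refers to.
  recordConsent(choices) {
    const record = {
      version: POLICY_VERSION,
      timestamp: this.now().toISOString(),
      choices: {
        analytics: choices.analytics === true,     // anything but an explicit opt-in is a refusal
        advertising: choices.advertising === true,
      },
    };
    this.store.set(CONSENT_COOKIE, JSON.stringify(record), {
      maxAge: 180 * 24 * 3600, secure: true, sameSite: "Lax", path: "/",
    });
    return record;
  }
  // Consent is only valid if it was given under the current version of the notice.
  isAllowed(category) {
    if (category === CATEGORIES.necessary) return true;
    const c = this.getConsent();
    return !!c && c.version === POLICY_VERSION && c.choices[category] === true;
  }
  // The gate: refuse to write a cookie whose category has no valid consent.
  setCookie(name, value, category, attrs = {}) {
    if (!this.isAllowed(category)) return false;
    this.store.set(name, value, attrs);
    this.owned.set(name, category);
    return true;
  }
  // Withdrawal records the reduced choices and deletes every cookie we set in a
  // category that is no longer permitted. Returns the names removed.
  withdrawConsent(categories) {
    const current = this.getConsent() || { choices: {} };
    const choices = { ...current.choices };
    for (const cat of categories) choices[cat] = false;
    this.recordConsent(choices);
    const removed = [];
    for (const [name, cat] of this.owned) {
      if (!this.isAllowed(cat)) {
        this.store.delete(name);
        this.owned.delete(name);
        removed.push(name);
      }
    }
    return removed;
  }
}
```

Usage: create a `ConsentManager` over a cookie store, call `recordConsent` from the banner's accept/reject handlers, route every non-essential `setCookie` through the manager, and wire the "withdraw" link to `withdrawConsent`. Bumping `POLICY_VERSION` when the notice changes invalidates old decisions, so returning users are asked again rather than having stale consent carried over.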
GDPR Cookie Consent Notice Example
A typical cookie consent notice includes a few common elements. It usually covers:
- Types of cookies being used
- How you’re using each type of cookie
- Whether you’re sharing data stored in cookies with advertisers or other third parties
- How users can manage cookies
- A link to a page where users can learn more
It is common practice to display this notice in a banner with buttons that let users accept or reject cookies. Both options must be presented equally clearly so that users can reject cookies as easily as they can accept them; a banner with only an "Accept" button, or one where refusal is hidden behind extra clicks, does not obtain valid consent.
Below is an example from the UK ICO’s website:
Notice that users are able to click on the link to their cookie page, which further details what cookies are, how they’re being used on the website, and how users can manage their cookie settings. Here’s what that page looks like:
Privacy Notice with GDPR Cookie Consent Notice Template
It’s also common to include cookie clauses in your privacy notice. You can use this template as a foundation for building your own.
FAQs
Does GDPR require consent for cookies?
Yes, for all cookies other than strictly necessary ones. The consent requirement itself comes from the ePrivacy Directive, which covers storing or accessing information on a user's device; GDPR sets the standard that consent must meet (freely given, specific, informed and unambiguous) and applies whenever the data a cookie holds or links to is personal data.
How do I become GDPR compliant with cookies?
To become GDPR compliant with cookies, you must meet the following requirements:
- Obtain users' consent before setting any cookies other than strictly necessary ones
- Clearly explain what data each cookie collects and why
- Document and store users' consent decisions (what was agreed, when, and under which version of the notice)
- Allow users to access your service even if they decline certain cookies
- Make it as easy for users to withdraw their consent as it was to give it
What are cookies according to GDPR?
GDPR does not define cookies directly. Recital 30 lists cookie identifiers among the online identifiers, provided by a person's devices, applications, tools and protocols, that may be associated with natural persons. Such identifiers may leave traces which, particularly when combined with unique identifiers and other information received by servers, can be used to build profiles of individuals and identify them. Other examples of online identifiers given in the same recital are IP addresses and radio frequency identification tags.