The GDPR (General Data Protection Regulation) is enforced by the European Union to protect the data privacy of its people. It changes the way organizations, including websites, handle users’ personal data. The law requires every part of a site that has access to users’ data to comply with the GDPR rules, and cookie usage in particular. For more info on the law, check out this detailed guide.

As far as a mailing list or a website form is concerned, users are well aware that they are handing over their personal information. But when it comes to cookies, users have no idea that their data is being stored without their consent. The GDPR has introduced strict norms to control such flaws in websites. This article explains GDPR cookie compliance.

What are cookies?

Cookies are small text files that the website a user is visiting places in the web browser on the user’s device. There are three different types of cookies: session, persistent and third-party cookies.

  • Session cookies are the temporary ones that expire when you close the browser or after a certain amount of time.
  • Persistent cookies remain in the browser until their expiration date. They track the user’s activities on the website that created them.
  • Third-party cookies are used for advertisement purposes, and these are placed on your system by websites other than the one you are visiting.

Cookies can also be classified as necessary or non-necessary. Necessary cookies are essential for the proper functioning of the website. Non-necessary cookies, on the other hand, are placed mainly for advertising and marketing-related benefits.

Read more about cookies in this article.

GDPR On Cookies

Although the GDPR mentions cookies only once in the 88-page document, those few words make the importance of cookies clear:

“natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them”.

In short, if any data, either alone or in combination with other data, is capable of identifying a person, then holding that data must comply with the GDPR norms.

GDPR compliance of cookies is essential to the overall GDPR compliance of your website. Unfortunately, sometimes even the website owner has no knowledge of the cookies present on his or her website. It is therefore useful to do a cookie audit of your website.

Since cookies store a considerable amount of users’ personal data, it is essential to manage how you use cookies and to be transparent about it to the users.

The GDPR has put forward some instructions on cookie compliance. You have to follow them carefully to achieve compliance and avoid any repercussions.

Consent for cookies

Until the GDPR, most websites treated the silence of the user as consent. At least that was what they implied with phrases like “by visiting this website” or “by continuing to use this website, you agree to our use of cookies.” This way of asking for consent is no longer valid under the GDPR. Forcing the user to consent to cookies by leaving them no other way to visit the website is not a good practice. The site should try to provide the same experience for users who have given consent for cookies and for those who haven’t. Getting your website’s cookie consent right is, perhaps, one of the most effective steps toward GDPR compliance.

CookieYes is a great cookie consent management solution for your website to comply with the GDPR for cookie usage.

Language of the cookie details

The GDPR states that the details regarding cookies should be given in simple and straightforward language so that users have no difficulty understanding them. Many websites use complex language to stop people from reading further, so that users feel compelled to give consent without fully understanding the details regarding cookies.

Cookie policy

The privacy policy of your website must contain a clause on cookies. This clause should describe the cookies the site uses, including what purpose each serves. It should also explain how to remove or block the non-necessary cookies for users who do not want them. You can give these details separately in a cookie policy; most websites nowadays have a separate cookie policy page. To get a better understanding of everything a cookie policy must include, read this article.

[Figure: CookieYes cookie details from its privacy policy]

Opt-out option

The opt-out option for the use of cookies is just as crucial as the opt-in option. The GDPR treats the right of users to withdraw or refuse cookies as an important one. The law states that withdrawing consent should be as easy as giving it. The GDPR also requires website owners to let users enable or disable cookies at a granular level. That is, consent should be specific to the use of each cookie, and users should be able to decide whether to allow a cookie after reading its purpose.

For any website, cookies are essential for monitoring its performance, so giving users a choice to disable a cookie may impact some functions of the site. But abiding by the law is more important than that. Hence, the only option left is to let users clearly understand how important those cookies are for the website while also giving them the right to deny the use of that cookie.
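The consent rules described in the two sections above (no implied consent, per-purpose choices, withdrawal as easy as opting in) can be enforced in the site’s own code rather than left to policy text. The following is an added example, not code from the original article or from CookieYes; the cookie names, categories and purposes are constructed, and `jar` is a Map standing in for `document.cookie` so it runs in Node.

```javascript
// Added example: a minimal consent-gated cookie manager (not from the article).
// Non-necessary categories the user must explicitly opt into.
const CATEGORIES = ['analytics', 'marketing'];

function createConsentManager(jar) {
  // Registry of every cookie the site sets, with purpose and category,
  // so the banner can show users what each cookie does (constructed values).
  const registry = {
    session_id: { category: 'necessary', purpose: 'Keeps you logged in' },
    _ga:        { category: 'analytics', purpose: 'Measures page visits' },
    ad_id:      { category: 'marketing', purpose: 'Targets advertisements' },
  };
  // null = the user has made no decision yet; silence is NOT consent.
  let consent = null;

  function setCookie(name, value) {
    const entry = registry[name];
    if (!entry) throw new Error(`unregistered cookie: ${name}`);
    if (entry.category !== 'necessary' && !(consent && consent[entry.category])) {
      return false; // blocked: no explicit consent for this category
    }
    jar.set(name, value);
    return true;
  }

  function giveConsent(choices) {
    // choices come from an explicit click, e.g. { analytics: true, marketing: false }
    consent = {};
    for (const c of CATEGORIES) consent[c] = choices[c] === true;
    // Withdrawal must take effect immediately: purge cookies of refused categories.
    for (const [name, entry] of Object.entries(registry)) {
      if (entry.category !== 'necessary' && !consent[entry.category]) jar.delete(name);
    }
  }

  // "As easy to withdraw as to give": one call refuses every non-necessary category.
  function withdrawAll() { giveConsent({}); }

  // Plain-language list for the banner or cookie policy page.
  function describe() {
    return Object.entries(registry).map(([n, e]) => `${n} (${e.category}): ${e.purpose}`);
  }

  return { setCookie, giveConsent, withdrawAll, describe, cookies: () => [...jar.keys()].sort() };
}
```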

Disclaimer: The purpose of this article is to share general information with the readers. It does not represent any legal advice. For any legal assistance related to compliance, please contact your lawyer or a professional.