What you need to know about the GDPR, cookies, consent, and compliance
The General Data Protection Regulation (GDPR) is a European regulation that governs the collection and processing of personal data from individuals in the EU.
Under the GDPR, it is the legal responsibility of website owners and operators to make sure that personal data is collected and processed lawfully. A website belonging to a company located outside the EU is required to comply with the GDPR if it collects data from visitors, customers, or users inside the EU.
Even though cookies are mentioned only once in the GDPR, cookie consent is nonetheless a cornerstone of compliance for websites with EU users. This is because one of the most common ways for personal data to be collected and shared online is through the use of various website cookies. The GDPR sets out specific rules for the use of cookies.
Consent is a commonly used legal basis for data processing under the GDPR, including cookie use. It gives users control over access to their data. When consent is obtained with a tool like a consent management platform, it enables clear documentation and secure storage of consent preferences, which can be provided to data protection authorities.
The GDPR requires website owners to provide information about data processing — including via cookie use — and users’ rights. A website may only collect personal data from users after they have given their explicit consent for specifically stated data processing purposes (and potentially for specific data processing services).
Websites must comply with the following GDPR cookie requirements:
- Prior and explicit consent must be obtained before any activation of cookies (apart from whitelisted, necessary cookies) if consent is the chosen legal basis.
- Users must be able to provide granular consent, i.e. users must be able to activate some cookies rather than others and not be forced to consent to either all or none.
- Consent must be freely given, i.e. not allowed to be forced or due to manipulation.
- Consents must be as easily withdrawn or changed as they are given.
- Consents must be securely stored as legal documentation.
- Consent must be renewed at least every 12 months. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Typically, GDPR cookie compliance is achieved on websites through the use of cookie banners and clear cookie policy texts. These banners provide users with information about data processing. They enable users to select and accept specific cookies for activation while rejecting others if they so choose when they visit a site.
The European Data Protection Board’s (EDPB) guidelines from May 2020 clarify what constitutes valid consent on websites in compliance with the GDPR. Art. 7 GDPR provided a comprehensive — and since widely copied — definition of valid consent when the law came into effect in 2018.
EDPB guidelines state that your website’s cookie notice is not allowed to have pre-ticked checkboxes, and continued scrolling or browsing by users cannot be considered valid consent for the processing of personal data.
Users must freely give clear and affirmative action to indicate their cookie consent for your website to activate cookies and process personal data.
GDPR cookies and consent requirements
The GDPR requires websites to obtain explicit consent from users before placing cookies on their devices that process personal data. The key requirements for valid GDPR cookie consent are:
- Consent must be freely given through affirmative action, such as clicking an “Accept” button. Pre-ticked boxes or inferred consent from browsing do not constitute valid consent. Accept and reject options must also be equally presented and accessible.
- Consent must be specific and granular, enabling users to consent to certain cookie categories but reject others, rather than being offered only an “Accept all” or all-or-nothing choice.
- Users must be provided clear and comprehensive information about the legal basis, types of cookies used, their purposes, third parties that may access the data, data retention, and data processing activities, to make an informed choice.
- Consent must be unambiguous with no doubt about the user’s intentions. Continuing to browse a website or clicking away from a consent banner cannot be interpreted as consent.
- Users must be able to withdraw or change their consent as easily as it was given.
- Website operators must be able to demonstrate proof of valid consent from users.
To comply with the GDPR, websites typically use cookie consent banners that block cookies until users actively consent, provide granular consent options, and enable easy consent management or withdrawal. Consent must be renewed at least annually, though it may need to be done earlier, e.g. if the user clears their browser settings and removes stored cookie consent preference information.
GDPR cookie compliance test
Test if your website complies with the GDPR’s cookie consent requirements by using the free Cookiebot CMP compliance test.
Simply enter the URL of your domain and let us conduct a free scan of your website to detect all cookies and trackers on your website and whether you meet the GDPR’s cookie consent requirements. Get your audit results in minutes.
Test your website for GDPR compliance with our free website cookie scan. And generate a detailed cookie audit report in minutes.
Don’t be alarmed if your website has a lot more unknown cookies, trackers, and other components than you may have thought. Some third-party trackers can be deeply embedded. For example, they can be found within other cookies, which can make them very difficult to detect (without deep scanning technology) to get a complete list of all the data processing services in use.
Lastly, many of these kinds of cookies can change between visits/sessions. This means they can be entirely different cookies, collecting various data for different agents. This variation makes it challenging for website owners to continuously inform users about the purpose and duration of cookies. It also makes it difficult to enable valid consent options for them, adding to their legal responsibilities.
Cookiebot CMP and GDPR cookie consent
Cookiebot CMP by Usercentrics is a plug-and-play consent management platform (CMP). It provides technology developed to help you achieve GDPR compliance and balance data privacy with data-driven business on your website.
Cookiebot CMP has powerful, patented scanning technology that detects all cookies and trackers on your domain. Then, our consent management solution automatically controls all cookies and trackers and empowers your end users with granular consent or opt-out solutions, depending on where in the world they are located.
Simplify cookie management thanks to powerful features. Check out Cookiebot CMP’s functionalities.
How Cookiebot CMP helps you achieve compliance for GDPR cookies
When a user from the EU visits your website, Cookiebot CMP automatically geotargets their location and presents them with the correct text and consent options to enable GDPR cookie compliance. Cookiebot CMP enables:
- auto-blocking of all cookies and trackers until consent is obtained
- granular, explicit consent choices with the four categories of cookies (and the option of providing information about individual services in use)
- comprehensive declaration of legal basis, provider, purpose, duration, and type of each cookie
- securely documented user consent
- automatic renewal requests for user consent
The Cookiebot CMP technology can be implemented with just a few lines of JavaScript on your website, installed directly from the cloud without any need for manual implementation or on-site assistance.
Create your Cookiebot CMP account to get started and let our world-leading consent solution do the heavy lifting of privacy protection and enable data compliance with the GDPR’s cookie consent requirements.
Google Consent Mode and Cookiebot CMP
With Google Consent Mode and Cookiebot CMP, you can manage the Google services running on your site based on the consent state of your end users. Enable GDPR compliance and optimize analytics data and ads revenue with one simple solution.
Cookiebot CMP manages your website’s users’ consent, then signals their consent preferences to the API running Google Consent Mode, which then controls all your favorite services — like Google Analytics and Google Ads — based on the consent state of each individual user on your website.
Did a user decline consent for statistics or marketing cookies? Cookiebot CMP tells Google Consent Mode, which blocks those cookies, but also enables you to get aggregate and non-identifying insights into your website’s performance and enables showing contextual ads instead of targeted ads. You respect user privacy while continuing campaigns and optimizing your website.
With Cookiebot CMP and Google Consent Mode, get a fast and easy GDPR compliance solution with optimized analytics data and boost ad revenue.
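As an added example (not Cookiebot’s own code), the JavaScript below models the consent requirements listed above (nothing pre-ticked, granular categories, prior blocking, withdrawal as easy as giving consent, renewal after 12 months) and then maps that consent state onto Google Consent Mode signals as described in this section. The category-to-parameter mapping, the `given`/`version` record fields and the timestamps are assumptions of this example; `gtag` is the standard `dataLayer` shim constructed inline so the code runs without a browser.

```javascript
// Added example: a minimal GDPR consent model for the four cookie categories
// plus its translation into Google Consent Mode parameters. Not Cookiebot code.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // renew at least every 12 months

// Before any decision: nothing is pre-ticked, only necessary cookies may run.
// `given === null` means "no consent recorded yet" (assumed record format).
function defaultConsent() {
  return { necessary: true, preferences: false, statistics: false,
           marketing: false, given: null, version: 1 };
}

// A recorded decision counts only if it exists and is not older than 12 months.
function isValid(consent, now = Date.now()) {
  return consent.given !== null && now - consent.given <= MAX_AGE_MS;
}

// Granular consent: each non-necessary category is taken from the user's
// explicit choice and defaults to denied; "necessary" is never asked about.
function recordConsent(choices, now = Date.now()) {
  const c = defaultConsent();
  for (const cat of CATEGORIES.slice(1)) c[cat] = choices[cat] === true;
  c.given = now; // timestamp kept as documentation of when consent was given
  return c;
}

// Withdrawal is a single call, as easy as giving consent: every optional
// category goes back to denied but the decision itself is still documented.
function withdrawConsent(consent, now = Date.now()) {
  return recordConsent({}, now);
}

// Prior blocking: a script for a category may only be activated when a valid,
// unexpired consent explicitly covers that category (necessary is exempt).
function mayActivate(consent, category, now = Date.now()) {
  if (category === "necessary") return true;
  return isValid(consent, now) && consent[category] === true;
}

// Map the category state onto Consent Mode parameters (assumed mapping:
// statistics -> analytics_storage, marketing -> ad_* signals,
// preferences -> functionality_storage).
function consentModeSignals(consent, now = Date.now()) {
  const v = (ok) => (ok ? "granted" : "denied");
  const mkt = mayActivate(consent, "marketing", now);
  return {
    analytics_storage: v(mayActivate(consent, "statistics", now)),
    ad_storage: v(mkt),
    ad_user_data: v(mkt),
    ad_personalization: v(mkt),
    functionality_storage: v(mayActivate(consent, "preferences", now)),
  };
}

// Constructed stand-in for the gtag snippet: it only pushes onto dataLayer.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// 'default' must be sent before any Google tag fires; 'update' after the
// user decides. Returns the number of consent commands queued so far.
function pushConsentMode(consent, now = Date.now()) {
  const command = consent.given === null ? "default" : "update";
  gtag("consent", command, consentModeSignals(consent, now));
  return dataLayer.length;
}
```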
Get certified for free for Google Consent Mode V2
GDPR cookies and consent in detail
Website users are becoming increasingly savvy about their personal data online and who has access to it. But the average person still doesn’t have the full picture of just how much information can regularly be collected about them, their interests, and their activities.
What personal data is included in cookies?
Personal data is generally defined as any information that relates or can in any way be related to an identified or identifiable living person (known in the law as a “data subject”). Some of these data points can identify a person individually, like their name. Other information needs to be aggregated to make it identifying, like an IP address. Some kinds of personal data also pose a greater risk of harm to individuals if unlawfully accessed or misused. Those categories of data are often classified as “sensitive”, e.g. sexual orientation or ethnic background.
Various kinds of accessible personal information include:
- names
- addresses
- email addresses
- identification card numbers (such as Social Security, passport, etc.)
- financial information (such as credit card numbers)
- location data (such as geolocation information)
- IP addresses
- search and browser history
- health-related and biometric data
- ethnicity information
- political convictions
- religious beliefs
- sexual orientation or gender expression
Under the GDPR, the last five items on that list are considered sensitive personal information. Companies that process sensitive personal information must comply with specific processing conditions under the GDPR.
GDPR’s take on cookies
Cookies are small text files that are stored on your end-users’ browsers. When they are activated they track users and collect data on the site, or across the internet, depending on the type of cookie.
Cookies most often contain an identifier (known as a “Cookie ID”) that is in itself considered personal data under the GDPR. This is because a Cookie ID is an identifier — personal data that could identify an individual — when set on a user’s browser. This unique ID enables your website to remember the individual user and their preferences and settings when they return to your website, e.g. consent choices, language preference, shopping cart contents, etc.
Cookie IDs are frequently used for website tracking purposes and can be used to generate comprehensive profiles of individual people that are then sold to digital advertising agencies and used for behavioral marketing.
The GDPR requires that your website only collect personal data from your users for specified, explicit, and legitimate purposes and that you obtain their clear and affirmative consent before doing so.
In your everyday work with your website, this GDPR cookie requirement means that you not only need to know what cookies and trackers are in operation on your domain but also why they are there and what they’re doing (i.e. what data they’re collecting).
- Where do the cookies come from — who is their provider?
- What kind of data do the cookies collect or process? Is it personal data, or sensitive? Are you obtaining prior consent before they are activated and begin collection?
- What is the purpose of the cookie’s data collection? For lawful personal data collection, legitimate purposes must be stated as part of the information provided to end users for consent to be considered valid.
- What types of cookies or trackers are they? The technical details are important as part of valid consent, as this is part of the information requirement. (All types need prior consent, with the exception of “necessary” or “essential” cookies.)
- How long is the cookie active, i.e. for how long will it be stored on your users’ browsers?
Example of cookie compliance under the GDPR
Your website uses a plugin from a tech company like Google or Facebook. This could be Google Tag Manager or a comment or like section on one of your subpages from Facebook.
Your website will now set cookies. They are third-party cookies because they do not come from your own service/website but are set on the user’s browser by Google or Facebook.
These cookies will not be necessary cookies, i.e. not white-listed and exempt from the GDPR, but rather will need the explicit consent of users before your website is allowed to activate them.
Even though these third-party cookies come from companies like Google or Facebook, the legal responsibility for GDPR cookie compliance is still yours as the website owner.
The 4 different types of cookies as defined by GDPR
It’s very likely your website has more than one type of cookie. This is important, as the GDPR cookie requirements are different for the different types of tracking cookies and tracking technologies in use on the Internet.
The EU’s data protection legal framework is primarily based on the GDPR, but it also includes legal precedents such as the Planet49 case, the ePrivacy Directive (EU cookie law), and guidelines from national data protection agencies and the European Data Protection Board (EDPB).
Together, these components create the specific requirements that websites with users from within Europe must follow today.
Under the GDPR, cookies fall into four categories:
- Necessary cookies are most often your website’s own (first-party) and are important to have activated for your site to function properly. These will often be session cookies that only last as long as the user visits your site. Only strictly necessary cookies can be white-listed to be exempt.
- Preference cookies remember user choices such as language settings or currency preference on your website.
- Statistics cookies most often come from third-party services, such as analytics software that you implement on your website, like Google Analytics.
- Marketing cookies almost always come from third-party tech or ad companies to serve advertisements to your users or collect personal data from them for future marketing purposes.
Under the EU’s GDPR, cookies that are not strictly necessary for the basic function of your website must only be activated after your end users have given their explicit consent to the specific purpose of their operation and collection of personal data.
With Cookiebot CMP’s deep scanning technology, all the cookies and trackers in use on your website will be detected, and their specific information provided for you and your users in a simple cookie declaration that provides the required information for GDPR cookie compliance.
Create a GDPR-compliant cookie policy
Your website needs to have a cookie policy that is easily accessible to your end users.
Under the GDPR, a cookie policy must inform users of:
- what information you collect
- under what legal basis you collect information
- what you do with users’ information
- how you protect their information
- if you disclose any information to third parties
- how you store their information (and for how long)
- how users may access or migrate their information, or request its rectification, restriction, or deletion
Cookiebot CMP automatically generates a cookie declaration for your website once it has scanned your domain.
This forms the basis of your cookie policy, as it contains most of the information that is required by the EU’s GDPR in a cookie policy.
A GDPR cookie policy can easily be integrated with your website’s existing privacy policy.
See the Cookie Declaration and Privacy Policy for Cookiebot™ for examples of how to draft your website’s cookie policy and what information you need to include.
A cookie policy is a dynamic element since your website is a dynamic system. Cookies change and so must your cookie policy. That’s why the Cookiebot™ solution automatically generates a cookie declaration that enables your cookie policy to stay up to date. This saves time and resources, especially for smaller organizations.
Cookiebot CMP and GDPR cookie compliance
Cookiebot CMP has been in operation since 2012 and is a mature technology that enables compliance with the EU’s GDPR and similar data protection laws around the world through our unmatched scanning technology and consent management solution.
The technology simplifies GDPR compliance and privacy protection and is trusted by millions of websites around the world.
Let’s get started with cookie compliance today. Create your Cookiebot CMP account now to see how easy it is.
FAQ
Websites must obtain explicit consent from users before placing any non-essential cookies that process personal data, such as analytics cookies that track user behavior, personalization cookies that store user preferences, and marketing cookies used for targeted advertising.
Like many other privacy regulations, the GDPR doesn’t focus specifically on cookie use, since that is just one kind of personal data collection and processing. So all the GDPR’s rules for data privacy apply to cookie use, i.e. notifying users about which ones you use and for what purposes, the legal basis for processing, what parties may access the data, obtaining valid user consent, complying with user requests where consent is revoked so cookie use stops, etc.
Yes, the GDPR allows cookies. Using them just has to meet the same compliance standards as any other method for collecting and using personal data, e.g. notifying users, obtaining valid consent (if that’s the legal basis), etc.
Yes, the GDPR requires websites to obtain explicit consent from users before placing cookies on their devices. The consent must meet certain conditions set by GDPR, such as being freely given, specific, informed, and unambiguous.
The EU cookie consent law, also known as the ePrivacy Directive, requires websites to obtain explicit consent from users before placing cookies or other tracking technologies on their devices to process personal data. It mandates that websites provide clear information about the types of cookies used and enables users to easily accept or reject the use of non-essential cookies while exempting strictly necessary cookies from consent requirements.
The GDPR cookie widget is a tool that websites can use to obtain explicit consent from visitors before allowing cookies and third-party scripts to run on their devices. It typically displays a banner or popup asking visitors to consent to different categories of cookies, blocks scripts until consent is given, and provides a way for visitors to manage their cookie preferences in compliance with GDPR requirements.
Under the GDPR, cookies on your website that process personal data from individuals inside the EU are only allowed to be activated after the end-user has given their consent to do so. That means any cookie on your website that is not strictly necessary and processes personal data must be deactivated until the end user accepts its activation.
The GDPR doesn’t have specific cookies, but generally, cookies are used to collect information, track users, and enable analysis and learning about customers, user behavior, and more. This information is used to improve website experiences, target marketing campaigns, and more.
A GDPR-compliant cookie banner is an interactive module that informs your users of all cookies and trackers in operation on your website, their purpose, duration, provider, and enables users to give their explicit consent to some, none, or all cookies by ticking boxes or sliding controls and pressing a button. It’s vital for GDPR compliance that cookie banners do not have pre-ticked checkboxes or force users into a choice of accepting all or none in return for services.
A GDPR-compliant cookie policy informs your users of what data your website collects, what purposes you use this data for, what legal basis you use for data processing, which third parties you share their data with, who the provider of each cookie is, how you store their data and ensure its protection, and how users may access or migrate their data or request its rectification or deletion. Your website’s cookie policy must be written in easy-to-understand language and be easily accessible to your users.