GDPR & Cookies: A Complete Guide to Compliance

The General Data Protection Regulation (GDPR) transformed how websites handle cookies when it came into effect on 25 May 2018. While the ePrivacy Directive is the primary EU law governing cookies, the GDPR applies whenever cookies process personal data — which, in practice, means almost always. Understanding how the GDPR applies to cookies is essential for any website operating in or targeting users in the European Economic Area.

How the GDPR Applies to Cookies

The GDPR does not mention cookies by name. Instead, it governs the processing of personal data, defined in Article 4(1) as any information relating to an identified or identifiable natural person. Recital 30 of the GDPR explicitly states that online identifiers — including cookie identifiers — may be used to create profiles of natural persons and identify them. This means that any cookie containing or linked to a unique identifier constitutes personal data under the GDPR.

In practice, this covers nearly all cookies beyond the most basic functional ones. Analytics cookies that assign a unique visitor ID, advertising cookies that track browsing behavior, and even session cookies tied to a user account all process personal data and therefore fall under the GDPR's requirements.

Article 6: Lawful Basis for Processing

Under Article 6 of the GDPR, every instance of personal data processing requires a lawful basis. For cookie-related processing, two bases are most commonly invoked:

  • Consent (Article 6(1)(a)): The data subject has given consent to the processing for one or more specific purposes. This is the primary lawful basis for most cookie processing, particularly for analytics, marketing, and advertising cookies.
  • Legitimate interest (Article 6(1)(f)): Processing is necessary for the legitimate interests of the controller, provided those interests are not overridden by the rights and freedoms of the data subject.

The legitimate interest basis has been the subject of significant debate in the cookie context. Some website operators have argued that analytics tracking serves a legitimate interest. However, multiple Data Protection Authorities have rejected this argument for cookies that are not strictly necessary. The French CNIL, the Austrian DSB, and the European Data Protection Board (EDPB) have all taken the position that consent is required for analytics cookies, and that legitimate interest cannot serve as a lawful basis for setting non-essential cookies on a user's device.

The EDPB's Guidelines 05/2020 on consent state unequivocally: "Scrolling or continuing to browse a website does not constitute valid consent." The era of implied consent for cookies is over.

Article 7: Conditions for Valid Consent

Article 7 sets out the conditions that consent must meet. For cookie consent to be valid under the GDPR, it must be:

  1. Freely given: The user must have a genuine choice. Consent is not freely given if the user cannot refuse or withdraw consent without detriment. Cookie walls that block access to a website unless all cookies are accepted have been found non-compliant by several DPAs, though the legal landscape varies by jurisdiction.
  2. Specific: Consent must be given for each distinct purpose. A single "Accept all" without the option to consent to specific categories does not meet this requirement.
  3. Informed: The user must be clearly told what they are consenting to. This means identifying the cookies, their purposes, the data collected, and any third parties involved.
  4. Unambiguous: Consent must be given through a clear affirmative action. Pre-ticked checkboxes, silence, or inactivity do not constitute valid consent.

Article 7(3) adds a critical requirement: withdrawing consent must be as easy as giving it. If a user can accept cookies with a single click, they must be able to withdraw that consent with equal ease. A cookie banner that makes "Accept" prominent but buries the opt-out option in a settings page several clicks deep does not comply.

Article 4(11): The Definition of Consent

Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

This definition is reinforced by Recital 32, which states:

"Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement. This could include ticking a box when visiting an internet website. Silence, pre-ticked boxes or inactivity should not constitute consent."

The landmark Planet49 ruling by the Court of Justice of the European Union (CJEU) in October 2019 (Case C-673/17) confirmed this interpretation, ruling that pre-ticked checkboxes do not constitute valid consent for cookies.

Transparency Obligations: Articles 12–14

Articles 12 through 14 require data controllers to provide information about data processing in a concise, transparent, intelligible, and easily accessible form, using clear and plain language. For cookies, this means:

  • Your cookie policy must be written in language that ordinary users can understand — not legal jargon.
  • Information must be provided at the time of data collection (i.e., before cookies are set).
  • Users must be told the identity of the controller, the purposes of processing, the categories of data, any recipients, retention periods, and their rights.
  • If cookies are shared with third parties (such as Google Analytics, Facebook Pixel, or advertising networks), those third parties must be identified.

Article 17: The Right to Erasure

Article 17 gives data subjects the right to have their personal data erased. In the cookie context, this means that if a user requests deletion of their data, any personal data collected through cookies must be deleted. This includes analytics profiles, advertising identifiers, and any other data linked to cookie identifiers.

For website operators using third-party analytics or advertising services, this can be particularly challenging, as data may be held by the third party. Your data processing agreements with third-party cookie providers should include provisions for handling erasure requests.

GDPR vs. ePrivacy: Which Applies When?

The relationship between the GDPR and the ePrivacy Directive can be confusing. Here is how they interact:

  • The ePrivacy Directive (Article 5(3)) governs the act of storing or accessing information on a user's device. It requires consent for all cookies except those that are strictly necessary. This is the lex specialis (specific law) for cookies.
  • The GDPR governs the subsequent processing of any personal data collected through cookies. It provides the framework for what constitutes valid consent, the rights of data subjects, and the obligations of data controllers.

In practical terms: the ePrivacy Directive tells you that you need consent to set a cookie. The GDPR tells you what valid consent looks like, what you can do with the data, and what rights users have regarding that data. Both apply simultaneously.

Data Protection Authorities and Enforcement

Each EU member state has a Data Protection Authority (DPA) responsible for enforcing both the GDPR and national implementations of the ePrivacy Directive. These authorities have the power to investigate complaints, conduct audits, and impose fines of up to 4% of global annual turnover or €20 million, whichever is higher.

Enforcement related to cookies has accelerated dramatically since 2020. DPAs across Europe have moved from guidance and warnings to substantial fines, making cookie compliance a genuine business risk rather than a theoretical concern.

Major Cookie-Related GDPR Fines

The following enforcement actions demonstrate the real financial consequences of cookie non-compliance:

| Company          | Fine         | Authority         | Year | Key Issue                                                    |
|------------------|--------------|-------------------|------|--------------------------------------------------------------|
| Amazon Europe    | €746 million | CNPD (Luxembourg) | 2021 | Non-compliant advertising tracking and consent mechanisms    |
| Google LLC       | €150 million | CNIL (France)     | 2022 | Rejecting cookies was not as easy as accepting them          |
| Facebook (Meta)  | €60 million  | CNIL (France)     | 2022 | No simple mechanism to refuse cookies                        |
| Microsoft (Bing) | €60 million  | CNIL (France)     | 2022 | Cookies deposited without consent, no easy refusal mechanism |
| TikTok           | €5 million   | CNIL (France)     | 2023 | Refusing cookies required more clicks than accepting         |
| Criteo           | €40 million  | CNIL (France)     | 2023 | Failure to obtain valid consent for tracking cookies         |
| Vueling Airlines | €30,000      | AEPD (Spain)      | 2020 | No option to reject cookies, only "accept"                   |

These fines are not limited to large corporations. Small and medium-sized businesses have also faced enforcement actions, particularly in France, Italy, and Germany. The CNIL alone issued over 100 formal notices to websites of all sizes regarding cookie compliance in 2021.

Practical Checklist for GDPR Cookie Compliance

Use this checklist to verify your website meets GDPR requirements for cookies:

  1. Identify all cookies your website sets, including those placed by third-party scripts such as analytics, advertising, and social media widgets.
  2. Classify each cookie as strictly necessary, functional, analytics, or marketing/advertising.
  3. Implement prior consent for all non-essential cookies. No analytics or marketing cookies should fire before the user has given consent.
  4. Present consent choices fairly. The option to refuse cookies must be as prominent and accessible as the option to accept them.
  5. Offer granular consent. Users must be able to consent to specific categories of cookies rather than being forced into an all-or-nothing choice.
  6. Do not use pre-ticked boxes. All optional cookie categories must be unticked by default.
  7. Provide clear information about each cookie's purpose, the data it collects, who has access to the data, and how long the cookie persists.
  8. Identify third parties. Name the third-party services that set cookies on your site (Google Analytics, Facebook Pixel, HubSpot, etc.).
  9. Make withdrawal easy. Provide a persistent, easily accessible way for users to change their cookie preferences after initial consent. A link in the footer or a floating icon are common approaches.
  10. Store consent records. Keep a log of when each user gave consent, what they consented to, and the version of the cookie policy in effect at that time.
  11. Respect consent choices technically. Ensure that declining consent actually prevents the corresponding cookies from being set. This requires blocking scripts before consent, not just deleting cookies after the fact.
  12. Maintain a cookie policy that is current, accurate, and written in plain language. Update it whenever you add new cookies or third-party services.
  13. Handle data subject requests. Have a process for responding to erasure requests that includes data collected via cookies.
  14. Scan regularly. Run automated cookie scans at least monthly and after every deployment to catch new cookies introduced by updated scripts or plugins.
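The technical items of the checklist (prior consent, granular categories, unticked defaults, one-step withdrawal, consent records, and gating scripts before they run) can be modelled in a small consent store. The following is an added example, not code from the original article; the policy version, category names and script inventory are constructed for illustration.

```javascript
// Added example, not code from the original article: a minimal consent gate
// that models checklist items 3, 5, 6, 9, 10 and 11. Names, the policy version
// and the script inventory below are constructed for illustration.
const POLICY_VERSION = "cookie-policy-v3"; // constructed placeholder
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed inventory of tags the site would load, keyed by cookie category.
const SCRIPT_INVENTORY = [
  { id: "session-handler", category: "necessary" },
  { id: "analytics-vendor", category: "analytics" },
  { id: "ad-pixel", category: "marketing" },
];

// Default state: only strictly necessary is on; every optional category is
// unticked (item 6), so nothing non-essential can load before a choice (item 3).
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

function createConsentStore(now = () => new Date().toISOString()) {
  const log = []; // consent records: what, when, under which policy (item 10)
  let current = defaultConsent();

  function record(action, granted) {
    current = { ...defaultConsent(), ...granted, necessary: true };
    log.push({ action, choices: { ...current }, policyVersion: POLICY_VERSION, at: now() });
    return { ...current };
  }

  return {
    current: () => ({ ...current }),
    log: () => log.map((entry) => ({ ...entry })),
    // Granular accept: only the named categories are enabled (item 5).
    accept(categories) {
      for (const c of categories) {
        if (!CATEGORIES.includes(c)) throw new Error(`unknown cookie category: ${c}`);
      }
      return record("accept", Object.fromEntries(categories.map((c) => [c, true])));
    },
    // Withdrawal is a single call, as easy as accepting (Article 7(3), item 9).
    withdrawAll: () => record("withdraw", {}),
  };
}

// Gate scripts on the current consent state before they are injected, rather
// than deleting cookies after the script has already run (item 11).
function scriptsAllowedToLoad(consent, inventory = SCRIPT_INVENTORY) {
  return inventory.filter((s) => consent[s.category] === true).map((s) => s.id);
}
```

In a real page, `scriptsAllowedToLoad` would decide which tags to inject at load time and again after each consent change; the log is what you would retain to evidence consent for a DPA inquiry.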

Cookie compliance under the GDPR is not a one-time exercise. It requires ongoing attention as your website evolves, new scripts are added, and regulatory guidance is updated. The organizations that treat it as a continuous process rather than a checkbox exercise are the ones that avoid enforcement actions — and build trust with their users in the process.
