Cookie Compliance Resources & Glossary
Cookie compliance involves a specialized vocabulary drawn from EU regulation, data protection law, and web technology. This glossary defines the key terms you will encounter, followed by a curated collection of official resources and authoritative references for further study.
Glossary of Key Terms
A–C
CMP (Consent Management Platform): A software tool or service that manages the collection, storage, and enforcement of user consent for cookies and other tracking technologies. A CMP typically provides the cookie banner interface, stores consent records, and controls which scripts are allowed to execute based on the user's choices. Examples include Cookiebot, OneTrust, Usercentrics, and open-source solutions like Klaro.
CNIL (Commission Nationale de l'Informatique et des Libertés): The French Data Protection Authority. The CNIL has been the most active European regulator in cookie enforcement, issuing the largest cookie-related fines and publishing the most detailed cookie compliance guidelines. Its interpretations and enforcement actions frequently set the standard that other DPAs follow.
Consent: In the GDPR context, a freely given, specific, informed, and unambiguous indication of a data subject's wishes, signified by a clear affirmative action. For cookies, this means the user must actively choose to allow non-essential cookies through a deliberate action such as clicking an "Accept" button. Silence, pre-ticked boxes, inactivity, and continued browsing do not constitute valid consent.
Cookie: A small text file placed on a user's device by a website. Cookies are used for a wide range of purposes, from maintaining login sessions (strictly necessary) to tracking browsing behavior across the web (advertising). Technically, a cookie is a name-value pair with associated metadata including domain, path, expiration, and security flags.
Cookie banner: The user interface element (typically a bar, modal, or popup) that appears when a user first visits a website, informing them about the site's use of cookies and requesting their consent. A compliant cookie banner provides clear information, offers genuine choices (accept, reject, customize), and does not set non-essential cookies until the user responds.
Cookie policy: A document (typically a dedicated webpage or section of the privacy policy) that provides detailed information about all cookies used on a website, including their names, purposes, types, durations, and the third-party providers that set them. The cookie policy fulfills the GDPR's transparency obligations and the ePrivacy Directive's requirement for "clear and comprehensive information."
Cookie wall: A mechanism that blocks access to website content unless the user consents to all cookies. Cookie walls are controversial and their legality varies by jurisdiction. The EDPB has stated that cookie walls undermine the "freely given" requirement of valid consent, as the user faces a take-it-or-leave-it choice. Some national DPAs (notably the French Conseil d'État) have allowed cookie walls under limited conditions where the user has a genuine alternative means of accessing the content.
D–E
Dark pattern: A user interface design choice that manipulates users into making decisions they would not otherwise make. In the cookie context, dark patterns include: making the "Accept" button visually dominant while hiding the "Reject" option, using confusing language, requiring more clicks to reject than to accept, and employing confirm-shaming tactics. The EDPB published specific guidelines on dark patterns in data protection interfaces in February 2023.
Data controller: The entity that determines the purposes and means of processing personal data. For cookies set by a website, the website operator is typically the data controller. For third-party cookies, there may be joint controllership between the website operator and the third party, depending on the degree to which each party influences the purposes and means of data collection.
Data processor: An entity that processes personal data on behalf of a data controller, following the controller's instructions. A hosting provider or a CMP vendor acting solely under the website operator's instructions would be a data processor. The distinction matters because controllers bear primary responsibility for compliance, while processors must comply with the controller's instructions and the terms of a data processing agreement.
Data subject: A natural person whose personal data is processed. In the cookie context, data subjects are the website visitors whose data is collected through cookies. Data subjects have rights under the GDPR including the right to access, rectification, erasure, restriction of processing, data portability, and the right to object.
DPA (Data Protection Authority): The independent public authority responsible for monitoring and enforcing data protection law in each EU member state. DPAs have the power to investigate complaints, conduct audits, issue guidance, and impose fines. Each member state has at least one DPA (Germany has multiple, one per state plus the federal BfDI). Examples: CNIL (France), Garante (Italy), ICO (UK), Datatilsynet (Denmark/Norway).
DPO (Data Protection Officer): A person designated by a data controller or processor to oversee GDPR compliance. The GDPR requires certain organizations to appoint a DPO, including public authorities and organizations whose core activities involve large-scale monitoring of data subjects. While not directly related to cookies, the DPO typically oversees the organization's cookie compliance program.
EDPB (European Data Protection Board): The independent EU body that ensures consistent application of the GDPR and promotes cooperation between national DPAs. The EDPB (which replaced the Article 29 Working Party) issues guidelines, recommendations, and binding decisions. Its guidelines on consent (Guidelines 05/2020) and on dark patterns are key references for cookie compliance.
ePrivacy Directive (Directive 2002/58/EC): The EU directive governing privacy in electronic communications, including the use of cookies. Article 5(3) is the primary legal basis for the cookie consent requirement. As a directive, it must be transposed into national law by each member state, leading to variations in implementation. It is set to be replaced by the ePrivacy Regulation, which remains under negotiation.
F–G
First-party cookie: A cookie set by the domain the user is visiting. For example, if a user visits example.com and example.com sets a cookie, that is a first-party cookie. First-party cookies are typically used for essential functions (sessions, preferences) and first-party analytics. They are generally considered less invasive than third-party cookies because they cannot track users across different websites.
GDPR (General Data Protection Regulation): Regulation (EU) 2016/679, the EU's comprehensive data protection law effective since 25 May 2018. The GDPR provides the legal framework for what constitutes valid consent (applied to cookies through the ePrivacy Directive's reference), the rights of data subjects, the obligations of data controllers and processors, and the enforcement regime including fines of up to 4% of global annual turnover or 20 million euros.
GPC (Global Privacy Control): A browser-level signal that communicates a user's preference to opt out of the sale or sharing of their personal information. Unlike the older Do Not Track (DNT) signal, GPC has legal backing under the CCPA/CPRA and several other US state privacy laws. When a user enables GPC in their browser, websites subject to these laws must treat it as a valid opt-out request. GPC is also increasingly recognized in Europe, though it is not yet legally mandated under EU law.
Google Consent Mode: A feature of Google's tag infrastructure that adjusts the behavior of Google tags (Analytics, Ads, etc.) based on the consent status communicated by the website's CMP. Consent Mode v2, required for EEA ad personalization since March 2024, introduces ad_user_data and ad_personalization parameters alongside the existing ad_storage and analytics_storage. When consent is denied, Google tags adjust their behavior to avoid setting cookies, though they may still send limited, cookieless pings depending on configuration.
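The sequence the definition above describes (every signal denied before any tag runs, then an update once the user chooses), as an added example in JavaScript; this is not Google's code or the page's own. The gtag() shim has the same shape as Google's standard snippet, but the dataLayer-reading resolver, the simulated tag and its cookie jar are stand-ins constructed here so the file runs offline in Node and shows which cookies a consent-aware tag would and would not set.

```javascript
// Added example (not Google's code): models how Consent Mode v2 signals reach
// tags through the dataLayer and how a tag should gate cookie writes on them.
// The gtag() shim matches the standard snippet; "simulateTagRun" and its jar
// are constructed stand-ins for a real Google tag and document.cookie.

const dataLayer = [];                          // window.dataLayer in a browser
function gtag() { dataLayer.push(arguments); } // same shape as Google's snippet

// The four v2 signals plus analytics_storage, which predates v2 and is still used.
const CONSENT_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1: run before any tag loads. Everything is denied, and wait_for_update
// tells tags to hold non-essential work up to 500 ms while the CMP initialises.
function setDefaultDenied() {
  const denied = Object.fromEntries(CONSENT_KEYS.map(k => [k, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
}

// Step 2: the CMP calls this once the user has actually made a choice.
// `choice` is an assumed shape: { analytics: bool, advertising: bool }.
function applyCmpChoice(choice) {
  const ads = choice.advertising ? 'granted' : 'denied';
  gtag('consent', 'update', {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: choice.analytics ? 'granted' : 'denied',
  });
}

// Resolve the effective state by replaying the consent commands in order:
// the default first, then each update layered on top.
function effectiveConsent() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] !== 'consent') continue;
    const params = args[2];
    for (const k of CONSENT_KEYS) if (params[k] !== undefined) state[k] = params[k];
  }
  return state;
}

// Simulated tag: writes a storage cookie only when the matching signal is
// granted, otherwise records that it fell back to a cookieless ping (the
// degraded behaviour the definition above describes).
function simulateTagRun() {
  const jar = {};            // stands in for document.cookie
  const pings = [];
  const c = effectiveConsent();
  if (c.analytics_storage === 'granted') jar._ga = 'GA1.1.constructed';
  else pings.push('analytics:cookieless');
  if (c.ad_storage === 'granted') jar._gcl_au = 'constructed';
  else pings.push('ads:cookieless');
  return { cookies: Object.keys(jar).sort(), pings };
}
```

Run `setDefaultDenied()` at page start, `simulateTagRun()` to see that no cookie is written, then `applyCmpChoice({ analytics: true, advertising: false })` and run the tag again: only the analytics cookie appears, while the advertising path still reports a cookieless ping. The order matters: an `update` pushed before a `default` would be what a real tag sees first, which is exactly the "set first, ask later" pattern the prior-consent rule forbids.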
I–L
IAB TCF (Interactive Advertising Bureau Transparency and Consent Framework): An industry-developed framework for managing consent in the digital advertising ecosystem. The TCF provides a standardized way for CMPs, advertisers, and publishers to communicate consent signals across the ad tech supply chain. Version 2.2 is the current standard. The TCF has faced legal challenges, notably the Belgian DPA's 2022 ruling that IAB Europe's processing of the TC string constituted personal data processing. The framework remains widely used but its legal status continues to evolve.
Legitimate interest: One of the six lawful bases for processing personal data under GDPR Article 6(1)(f). Legitimate interest requires a balancing test between the controller's interests and the data subject's rights and freedoms. For cookies, the use of legitimate interest as a lawful basis is highly contested. The prevailing European regulatory view is that consent (not legitimate interest) is the appropriate basis for non-essential cookies, because the ePrivacy Directive specifically requires consent for storage on the user's device.
O–P
Opt-in: A consent model where personal data processing (or cookie setting) does not occur unless the user takes an affirmative action to permit it. The EU cookie model is opt-in: no non-essential cookies until the user consents. Opt-in provides stronger privacy protection but requires a consent mechanism before any tracking begins.
Opt-out: A consent model where personal data processing (or cookie setting) occurs by default, and the user must take action to stop it. The US cookie model (under CCPA and similar state laws) is generally opt-out: tracking happens unless the user objects. Opt-out places the burden of action on the user rather than the website operator.
Persistent cookie: A cookie that remains on the user's device for a defined period after the browser is closed. Persistent cookies are used for remembering preferences, maintaining login sessions across visits, and tracking behavior over time. They have a set expiration date and will remain until that date passes or the user deletes them. The duration of persistent cookies should be proportionate to their purpose.
Personal data: Under the GDPR, any information relating to an identified or identifiable natural person. This includes obvious identifiers (name, email) and less obvious ones (IP addresses, cookie identifiers, device fingerprints). Recital 30 of the GDPR explicitly states that online identifiers such as cookie identifiers may constitute personal data. In practice, nearly all cookies that uniquely identify a browser or user qualify as personal data.
Prior consent: Consent obtained before the action it authorizes takes place. For cookies, prior consent means obtaining the user's agreement before any non-essential cookies are set on their device. This is a fundamental requirement of Article 5(3) of the ePrivacy Directive. Setting cookies first and asking for consent afterward, or deleting cookies retroactively if consent is denied, does not satisfy the prior consent requirement.
S–T
Session cookie: A cookie that exists only for the duration of the user's browser session and is deleted when the browser is closed. Session cookies are commonly used for maintaining login state, shopping cart contents, and other ephemeral data. Many session cookies qualify as strictly necessary and are therefore exempt from the consent requirement, though this depends on their specific purpose.
Strictly necessary cookie: A cookie that is essential for the website to function and to provide a service explicitly requested by the user. Strictly necessary cookies are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive. Examples include authentication cookies, security cookies (CSRF tokens), load-balancing cookies, and user interface preference cookies that are essential for the service. Analytics cookies, advertising cookies, and social media cookies are not strictly necessary, regardless of how useful the website operator considers them.
Third-party cookie: A cookie set by a domain other than the one the user is visiting. For example, if a user visits example.com and a cookie is set by facebook.com (via a Facebook Pixel embedded on example.com), the Facebook cookie is a third-party cookie. Third-party cookies are primarily used for cross-site tracking and targeted advertising. Major browsers are restricting or eliminating third-party cookies: Safari and Firefox already block them by default, and Chrome has announced plans to deprecate them (though the timeline has shifted multiple times).
Tracking pixel: A tiny, invisible image (typically 1x1 pixel) embedded in a webpage or email that reports back to a server when loaded. While not technically a cookie, tracking pixels are a related tracking technology that often works in conjunction with cookies to track user behavior. They are subject to the same consent requirements as cookies under the ePrivacy Directive, because they involve accessing information on the user's device (the HTTP request transmits the user's IP address, browser information, and any associated cookies).
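To make the attribute-based distinctions in the definitions above concrete (first-party versus third-party cookie, session versus persistent cookie, and the security flags a Set-Cookie header carries), here is an added example of an audit pass over captured Set-Cookie headers. It is not Passiro's scanner or any project's code. The visited host, the capture time, the three sample headers and the MAX_LIFETIME_DAYS threshold are constructed assumptions, and the registrable-domain check is a two-label shortcut rather than a Public Suffix List lookup.

```javascript
// Added example, not Passiro's scanner: parse Set-Cookie headers captured
// during a page load and classify each cookie as an audit would. VISITED_HOST,
// CAPTURE_TIME, CAPTURED and MAX_LIFETIME_DAYS are constructed assumptions.

const VISITED_HOST = 'www.example.com';
const CAPTURE_TIME = new Date('2025-01-01T00:00:00Z');
const MAX_LIFETIME_DAYS = 395;   // assumed policy: flag anything longer than ~13 months

// Minimal RFC 6265 Set-Cookie parser: "name=value" then ';'-separated attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';');
  const eq = pair.indexOf('=');
  const c = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1).trim(),
              domain: null, path: '/', expires: null, maxAge: null,
              secure: false, httpOnly: false, sameSite: null };
  for (const attr of attrs) {
    const [k, ...rest] = attr.trim().split('=');
    const v = rest.join('=');             // values may themselves contain '='
    switch (k.toLowerCase()) {
      case 'domain':   c.domain = v.replace(/^\./, '').toLowerCase(); break;
      case 'path':     c.path = v; break;
      case 'expires':  c.expires = new Date(v); break;
      case 'max-age':  c.maxAge = parseInt(v, 10); break;   // Max-Age wins over Expires (RFC 6265 s5.3)
      case 'secure':   c.secure = true; break;
      case 'httponly': c.httpOnly = true; break;
      case 'samesite': c.sameSite = v.toLowerCase(); break;
    }
  }
  return c;
}

// Approximates the registrable domain with the last two labels. A production
// scanner uses the Public Suffix List (this shortcut misreads co.uk and similar).
function registrableDomain(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Classify one captured cookie: who set it, how long it lives, what is wrong.
function classify(host, header) {
  const c = parseSetCookie(header);
  const setter = c.domain || host;       // Domain attribute widens scope; default is the responding host
  const party = registrableDomain(setter) === registrableDomain(VISITED_HOST)
    ? 'first-party' : 'third-party';
  let days = null;
  if (c.maxAge !== null) days = c.maxAge / 86400;
  else if (c.expires) days = (c.expires - CAPTURE_TIME) / 86400000;
  const lifetime = days === null ? 'session' : 'persistent';
  const issues = [];
  if (days !== null && days > MAX_LIFETIME_DAYS) issues.push('lifetime exceeds policy');
  if (c.sameSite === 'none' && !c.secure) issues.push('SameSite=None without Secure'); // browsers reject this combination
  return { name: c.name, setter, party, lifetime,
           days: days === null ? null : Math.round(days), issues };
}

function auditCapture(captured) {
  return captured.map(({ host, header }) => classify(host, header));
}

// Constructed capture from a simulated load of https://www.example.com/
const CAPTURED = [
  { host: 'www.example.com',
    header: 'sessionid=c0nstructed; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'www.example.com',
    header: '_ga=GA1.1.111.222; Domain=.example.com; Path=/; Max-Age=63072000; SameSite=Lax' },
  { host: 'ads.tracker.example',
    header: 'uid=c0nstructed; Domain=.tracker.example; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Secure; SameSite=None' },
];
```

Calling `auditCapture(CAPTURED)` yields a session first-party cookie with no findings, a two-year first-party analytics cookie flagged for exceeding the assumed lifetime policy, and a six-year third-party cookie scoped to tracker.example. Note what the attributes cannot tell you: whether a cookie is analytics, advertising or strictly necessary. That purpose classification needs a lookup against a maintained database or the site's own cookie policy, which is why it is a separate step from the header audit shown here.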
Official Resources
EU Legislation and Guidance
- GDPR full text — Regulation (EU) 2016/679 on EUR-Lex
- ePrivacy Directive full text — Directive 2002/58/EC on EUR-Lex
- ePrivacy Directive amendment (2009) — Directive 2009/136/EC
- EDPB Guidelines — All guidelines, including Guidelines 05/2020 on consent
- EDPB public consultations — Including the dark patterns guidelines
National DPA Cookie Guidance
- CNIL cookie guidelines (France) — The most detailed national cookie guidance, including the audience measurement exemption criteria
- Garante cookie guidelines (Italy) — Comprehensive 2021 guidelines with specific banner requirements
- ICO cookie guidance (UK) — Detailed practical guidance, still highly relevant for EU compliance despite Brexit
- Datatilsynet (Denmark) — Danish DPA guidance and decisions
- BfDI (Germany) — Federal Data Protection Commissioner
Google Consent Mode
- Google Consent Mode documentation — Official implementation guide
- Google Consent Mode v2 requirements — EEA requirements for Google Ads
- Advanced Consent Mode setup — Technical implementation details
IAB Transparency and Consent Framework
- IAB Europe TCF overview — Framework documentation and vendor list
- TCF 2.2 specifications — Technical specification for CMP implementers
US Privacy Laws
- California Attorney General CCPA page — Official CCPA/CPRA resources
- California Privacy Protection Agency — CPRA regulations and enforcement
- Global Privacy Control (GPC) — Specification and browser support
CJEU Case Law
- Planet49 (Case C-673/17) — Pre-ticked boxes do not constitute valid consent
- IAB Europe TCF (Case C-604/22) — TC string constitutes personal data
Further Reading
- W3C Tracking Preference Expression (DNT) — Background on Do Not Track and its successor technologies
- RFC 6265: HTTP State Management Mechanism — The technical specification for cookies
- MDN: Using HTTP cookies — Comprehensive developer reference
- SameSite cookies explained — Understanding the SameSite attribute and its impact on third-party cookies
- Google Privacy Sandbox — Google's initiative to replace third-party cookies with privacy-preserving alternatives
Cookie Compliance Tools
Maintaining cookie compliance requires the right tools. Passiro provides automated cookie scanning that crawls your entire website using a real browser engine, identifies all cookies and tracking technologies, categorizes them using a continuously updated database, and monitors for changes with scheduled scans and alerts. Combined with our accessibility scanning capabilities, Passiro gives you a comprehensive view of your website's compliance posture across both cookie privacy and digital accessibility requirements.
Learn more about Passiro's scanning capabilities or run a free scan of your website to see what cookies your site is setting today.
Does your website comply with the cookie rules?
Scan your website for free and find all cookies within minutes.
Scan your cookies for free