Thinking about using tracking cookies? If you plan to log data from European Union (EU) residents, you’d better be GDPR-compliant. The General Data Protection Regulation (GDPR) is one of the world’s strictest consumer privacy laws. It regulates the authority of companies to collect, store, and process data—and failures to comply could cost your company tens of millions of pounds.

The GDPR is designed to protect consumer data, which includes cookie data. Here’s what you need to know about the GDPR and cookie consent.

What is a Cookie?

Cookies are “small blocks of data created by a web server while a user is browsing a website and placed on the user’s computer or other device by the user’s web browser. Cookies are placed on the device used to access a website, and more than one cookie may be placed on a user’s device during a session.”

These cookies can help companies create highly specific, targeted ads. You probably use cookies every day, whether you’re staying logged in to your web-based email provider or shopping for new shoes. If your company plans to collect that data from EU customers, however, the GDPR may apply.

What is GDPR Cookie Consent?

The GDPR mentions cookies only once, in Recital 30:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

In other words, if your cookies help you identify specific users, you need to comply with the GDPR. 

GDPR Cookie Consent Requirements

The GDPR has seven basic principles for collecting and storing data. They are:

  1. Lawfulness, fairness and transparency
  2. Purpose limitation
  3. Data minimization
  4. Accuracy
  5. Storage limitation
  6. Integrity and confidentiality (security)
  7. Accountability

Each of these principles must be considered when a company creates its own GDPR privacy policies.

To comply with GDPR cookie consent and privacy laws, companies should:

  • Require user consent before setting cookies, except those that are strictly necessary
  • Provide accurate and specific information about any data each cookie tracks, and why, in plain language—before consent is given
  • Document and store consent
  • Allow access to services even if users refuse cookies
  • Make it possible and easy to withdraw consent

GDPR Cookie Consent Examples

When it comes to creating cookie consent forms, the consent should be freely given, specific, informed and unambiguous. That means you’ll need to display a banner or pop-up somewhere on your website, which allows the user to accept, decline or customize the tracking cookies you use.

Here are some excellent examples of cookie consent banners. Note how each one meets the standards above: the user can set preferences for some cookies, all of them, or none; the user decides how their data will be used; and the user can still access the website.
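The requirements listed above (consent before any non-essential cookie, a documented record of the choice, and withdrawal that is as easy as consent) are only met if the page's own script enforces them, not just the banner's wording. The following is an added example written for this article; it is not SixFifty's code or any vendor's consent library. The category names, the `cookie_consent` record cookie, and the in-memory store are assumptions; on a real site the store would be backed by `document.cookie`.

```javascript
// Added example: consent-gated cookie handling. Illustrative code written for
// this article, not SixFifty's or any consent vendor's library. Category names,
// the consent-record cookie name and the store interface are assumptions.

// Consent categories. "necessary" is exempt from consent (the strictly-necessary
// exemption); every other category is blocked until the user opts in.
const CATEGORIES = ["necessary", "analytics", "marketing"];
const CONSENT_COOKIE = "cookie_consent"; // assumed name for the stored consent record

// Minimal cookie store. In a browser you would back set/get/remove with
// document.cookie; an in-memory Map keeps the example runnable anywhere.
function createMemoryStore() {
  const jar = new Map();
  return {
    set: (name, value, category) => { jar.set(name, { value, category }); },
    get: (name) => (jar.has(name) ? jar.get(name).value : null),
    remove: (name) => { jar.delete(name); },
    names: () => Array.from(jar.keys()),
    categoryOf: (name) => (jar.has(name) ? jar.get(name).category : null),
  };
}

// `now` is injectable so the consent timestamp is deterministic in tests.
function createConsentManager(store, now = () => new Date().toISOString()) {
  let record = null;   // { timestamp, policyVersion, choices: { analytics, marketing } }
  let deferred = [];   // non-necessary cookies requested before a choice was made

  // Only strictly necessary cookies are allowed without an explicit opt-in.
  function allowed(category) {
    if (category === "necessary") return true;
    return record !== null && record.choices[category] === true;
  }

  // Set a cookie if its category is allowed; otherwise hold it until consent.
  function setCookie(name, value, category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
    if (allowed(category)) {
      store.set(name, value, category);
      return "set";
    }
    deferred.push({ name, value, category });
    return "deferred";
  }

  // Document a specific, per-category choice. Absent or non-true keys mean "no",
  // so silence is never treated as consent. The record lives in a strictly
  // necessary cookie because it is what lets the site honour the choice later.
  function recordConsent(choices, policyVersion) {
    const optional = CATEGORIES.filter((c) => c !== "necessary");
    record = {
      timestamp: now(),
      policyVersion,
      choices: Object.fromEntries(optional.map((c) => [c, choices[c] === true])),
    };
    store.set(CONSENT_COOKIE, JSON.stringify(record), "necessary");
    // Release deferred cookies for categories that were accepted; drop the rest.
    for (const c of deferred) {
      if (allowed(c.category)) store.set(c.name, c.value, c.category);
    }
    deferred = [];
    return record;
  }

  // Withdrawal must be as easy as consent: one call clears every non-necessary
  // cookie and records the refusal against the same policy version.
  function withdrawConsent() {
    for (const name of store.names()) {
      if (store.categoryOf(name) !== "necessary") store.remove(name);
    }
    return recordConsent({}, record ? record.policyVersion : null);
  }

  return { allowed, setCookie, recordConsent, withdrawConsent, getRecord: () => record };
}
```

A banner's accept, decline and customize buttons each map to one `recordConsent` call with the matching choices. The property the code enforces is that a cookie in a non-necessary category never reaches the store until `recordConsent` has allowed its category, and that `withdrawConsent` removes those cookies again while leaving the strictly necessary ones (including the consent record itself) in place.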

While the GDPR doesn’t specifically address cookies, it’s always wise to keep it in mind. Whether or not the law is amended to take cookies into account, it can certainly be interpreted to include cookies. For most business owners, it simply makes sense to tailor your cookie policy to the GDPR and other strict regulations.

Do I Have to Comply?

Because the GDPR is so broad, some of the provisions are vague, including when it comes to tracking cookies. There are two exceptions to the rule: first, if your data collection is limited to “purely personal or household activity,” you don’t need to worry about complying. The second is if your organization has fewer than 250 members. You’re still governed by the GDPR, but you’re not subject to the same record-keeping requirements that larger organizations may be.

Generally, if you’re a business that regularly sells to or interacts with the EU, you should plan to create a GDPR-compliant cookie policy.

Stay in Compliance with SixFifty Solutions

SixFifty is your answer to GDPR privacy questions. We make it easy to generate comprehensive privacy policies for the GDPR. Rest assured you’re always in compliance when you allow our proprietary legal technology to do the hard work on your behalf.

If you’re ready to get started or have further questions, schedule a demo with SixFifty today.


Written by Meili Bell

Meili Bell is the Content Manager at SixFifty. She spends her workdays writing, editing, project managing and reading about the intersection of law and technology. Meili comes to SixFifty from Gifted Music School, a nonprofit music school for the most dedicated young musicians in the region, where she was program director of the school’s flagship program for the last ten...
