GDPR and Cookie Consent: What Businesses Need to Know

The European Union’s General Data Protection Regulation (GDPR) went into effect in 2018, affecting businesses around the world. The GDPR requires any business website with customers in the EU to explain what data it collects and how that data is used. And while the GDPR doesn’t provide guidance on website cookies specifically, its language about consent does apply to cookies.

In this post, we’ll look at cookie consent and the GDPR and what businesses can do to make sure they’re compliant.

What are website cookies?

A website cookie is a small package of data that a website sends to a user’s browser; the browser then returns the data unaltered. Cookies may be essential to a website’s functionality — for example, websites that require a login use cookies to “remember” a user who is navigating through a website, so that the user doesn’t have to log in on every page.

Cookies may also collect information for marketing purposes, such as products a user views, or the types of websites a user visits. Websites must include language that explains how they use cookies and for what purpose.

Cookies are generally classified by:

Duration

Cookies may expire at the end of a website session or when a user closes their browser. Persistent cookies are those that remain on a user’s hard drive until their pre-set expiration date, or until a user deletes them.

Provenance

This includes first-party cookies, placed by the website a user is visiting, and third-party cookies, such as advertising cookies.

Purpose

  • Strictly necessary cookies — These are first-party, session-based cookies essential to website functionality. Consent is not required for these, but the website must notify visitors that these cookies are in use and explain their function.
  • Preference cookies — These cookies store information about user preferences, such as location and login credentials.
  • Statistics cookies — These cookies collect information about how users interact with a website, then aggregate the data to offer a view of website performance, such as the most popular pages.
  • Marketing cookies — These are persistent (and usually third-party) cookies that track users' online behavior for the purpose of delivering targeted ads. These cookies may share information with other entities.

Cookie policy vs. privacy policy

The GDPR does not require websites to have a separate cookie policy, but the privacy policy must explain how the site collects and uses data. Websites should also give users the option to accept or reject all cookies, or modify their cookie preferences. One German study found that about half of all internet users click the “Accept” button without actually reading the cookie policy.

[Screenshot: Monsido's cookie consent banner] Looking for GDPR cookie consent examples? This one from Monsido covers all the bases.

GDPR vs. ePD

As we mentioned earlier, the GDPR doesn’t include a section on cookies — in fact, if you search the text of the GDPR, you’ll find that “cookie” is mentioned only once (in the preamble). An earlier set of regulations — the ePrivacy Directive (ePD) — does require businesses to request cookie consent, which is why ePD came to be known as “The Cookie Law.”

GDPR language covers how data is collected and used, and affords consumers certain rights to protect their privacy. That’s why it’s applicable to cookie policies.

The GDPR and Cookie Consent

GDPR’s language has the following implications for cookie consent:

Cookie consent should be affirmative

Users should be presented with an action (usually a clickable button) for accepting or rejecting cookies.

Cookie consent should be freely given

Users should have a clear choice about whether to allow cookies (an “Accept all” button is insufficient — a “Reject” option must be one of the available options).

Cookie consent should be informed

For a user to make an informed decision about consent, a website must clearly explain its use of cookies and the information they collect, as well as the purposes for collecting that information.

Cookie consent should be accessible

The method of approving or rejecting cookies must be accessible to all users. For example, the clickable buttons need to be operable with a mouse and with the keyboard alone.

Cookie consent should be recorded

Websites should store information about consent — when and how users provided consent, and how the cookie policy was worded at the time.

Cookie consent should be changeable

This means that users who previously consented to cookies can retract their consent at any time.
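As an added illustration (not code from the original post, and not Monsido's product), the module below models the consent rules listed above in browser-style JavaScript: cookies are classified by duration and provenance as in the earlier section, non-essential categories are only ever set after an affirmative choice, each choice is recorded with a timestamp, the method used and the policy version in force, and consent can be withdrawn at any time, which also removes cookies that are no longer covered. The in-memory cookie jar stands in for `document.cookie` so the code runs outside a browser; the category names, the `CURRENT_POLICY_VERSION` label and the sample cookies are constructed assumptions.

```javascript
// Added example, not from the original post or Monsido: consent-gated cookie handling.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];
const CURRENT_POLICY_VERSION = "2024-01"; // constructed label for the policy wording in force

// Classify a cookie by duration and provenance, given the site's own host name.
function classifyCookie(cookie, siteHost) {
  const duration = cookie.expires ? "persistent" : "session";
  const host = cookie.domain.replace(/^\./, "");
  const firstParty = host === siteHost || siteHost.endsWith("." + host);
  return { duration, provenance: firstParty ? "first-party" : "third-party" };
}

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;
    this.record = null;   // latest consent record; null until the user has acted
    this.history = [];    // every consent event, kept so consent can be evidenced later
    this.jar = new Map(); // name -> cookie; stand-in for document.cookie
  }

  // Affirmative, freely given choice: each non-essential category is granted only
  // when the user explicitly opted in. "necessary" never needs consent.
  recordChoice(choices, method) {
    const granted = { necessary: true };
    for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;
    this.record = {
      at: this.now().toISOString(),
      method, // e.g. "banner-accept-all" or "preferences-panel" (constructed labels)
      policyVersion: CURRENT_POLICY_VERSION,
      granted,
    };
    this.history.push(this.record);
    this.purgeUnconsented();
    return this.record;
  }

  // Withdrawal is the same as rejecting every non-essential category.
  withdraw() {
    return this.recordChoice({}, "withdrawal");
  }

  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
    if (category === "necessary") return true;
    return this.record !== null && this.record.granted[category] === true;
  }

  // Set a cookie only when its category is currently allowed; returns whether it was set.
  setCookie(cookie) {
    if (!this.isAllowed(cookie.category)) return false;
    this.jar.set(cookie.name, cookie);
    return true;
  }

  // Drop cookies whose category is no longer consented to.
  purgeUnconsented() {
    for (const [name, cookie] of this.jar) {
      if (!this.isAllowed(cookie.category)) this.jar.delete(name);
    }
  }

  // Consent recorded under older policy wording must be obtained again.
  needsReconsent() {
    return this.record === null || this.record.policyVersion !== CURRENT_POLICY_VERSION;
  }
}

// Walk-through on constructed cookies: before consent, after a partial opt-in, after withdrawal.
function demo() {
  const cm = new ConsentManager(() => new Date("2024-03-01T10:00:00Z"));
  const results = {};
  results.reconsentBeforeChoice = cm.needsReconsent();
  results.sessionBeforeConsent = cm.setCookie({ name: "sid", category: "necessary", domain: "example.org" });
  results.adBeforeConsent = cm.setCookie({ name: "ad_id", category: "marketing", domain: ".ads.example" });
  cm.recordChoice({ statistics: true }, "preferences-panel");
  results.statsAfterConsent = cm.setCookie({ name: "_stat", category: "statistics", domain: "example.org" });
  results.adAfterPartialConsent = cm.setCookie({ name: "ad_id", category: "marketing", domain: ".ads.example" });
  results.reconsentAfterChoice = cm.needsReconsent();
  cm.withdraw();
  results.jarAfterWithdrawal = [...cm.jar.keys()];
  results.events = cm.history.length;
  return results;
}
```

`demo()` shows the behaviour the section calls for: the session cookie is set with no consent, the marketing cookie is refused both before and after a statistics-only opt-in, and withdrawal leaves only the strictly necessary cookie while the history keeps both consent events for later evidence.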

Best practices for cookie management

In 2020, a French regulatory body fined Google $118.82 million USD for placing cookies on users' devices without their consent. This is one of the largest GDPR-related fines to date, and it could be an indication that enforcement is ramping up.

To avoid potential fines, businesses can implement the following best practices:

Look into which cookies are on your site

Many businesses have no way to keep track of the third-party cookies they previously allowed on their website. Use a tool from a website-compliance vendor that can scan your site and list the cookies it sets.

Explain what cookies are

To be compliant with data privacy laws, websites must use language that helps users understand what they’re agreeing to when they accept cookies. To that end, it’s important to explain what cookies are and how they work.

Offer a thorough explanation of how you use cookies

A good cookie policy offers users some introductory text, with a link that leads to an expanded explanation. While users might not read that explanation, providing it is a good way to shield yourself from complaints and fines.

Allow users to change their cookie preferences

Show users what types of cookies your site uses and allow them to change their cookie permissions for non-essential cookies.

[Screenshot: Monsido's advanced cookie options] Monsido’s advanced cookie options allow users to adjust their preferences with a simple toggle button.

Review the accessibility of your cookie notification

A popup or GDPR cookie banner that introduces your privacy/cookie policy needs to be accessible for assistive reading technology.

Review your cookie policy annually

Because data privacy regulations are always evolving, it’s good practice to review your cookie policy at least once per year.

Consult an expert

Trying to determine which regulations apply to your site, which cookies are on your site, and whether your site is compliant can be time-consuming and stressful. Consult an expert who can evaluate your site and make recommendations that ensure compliance.

FAQs

What is a GDPR compliant cookie policy?

A compliant GDPR cookie consent policy covers all the key points: transparent language about the presence, purpose, and use of cookies; a clear menu of options; and accessible methods for consenting or rejecting cookies.

Do all cookies require consent in the EU?

Any cookie that is not essential to a website’s functionality requires consent in the EU.

Is GDPR cookie consent applicable to US websites?

The GDPR applies to any website with users in the EU regardless of where the website originated, so it does apply to US websites.

Monsido's Consent Manager

Monsido helps companies maintain compliance with data privacy regulations. In 2021, we added a new feature — Monsido Consent Manager — that quickly evaluates site compliance with cookie consent requirements and provides recommendations for improvement.

The Monsido team has years of experience analyzing websites and providing guidance on how to improve the user experience. Whether you’re looking to fine-tune your cookie policy or ensure every page on your site is accessible for users with disabilities, we can help.
