Cookie consent under the GDPR



In the past few months, discussions about consent and cookies under the GDPR have been everywhere. We covered the basics of consent management in another article. This time we go into more detail and cover how the GDPR treats cookies.

A cookie is a small piece of data that a website stores in your browser and that the browser sends back with every later request to that site. Most websites use some form of cookie today. Cookies usually contain data such as the site's name and a unique identifier for the user or the session. Most commercial websites use them, whether they are banks, online publishers, blogs or e-commerce sites. They serve a wide variety of purposes: website analytics (counting visitors and tracking their behaviour), targeted advertising, recording user preferences, and authentication (the session cookie is what keeps you logged in).

Where are we at now?

At the moment the rules in force come from the ePrivacy Directive (2002/58/EC, as amended in 2009), commonly called the EU Cookie Law. It applies to all member states of the European Union, and websites outside of the EU have to comply if they target people within the member states.

Cookies are generally divided into essential and non-essential. Essential cookies are those strictly necessary to provide the service the user has explicitly requested, such as a session cookie that keeps a user logged in or a shopping basket cookie. All other cookies are non-essential. This includes identifiers used for analytics, cookies set by advertisers or other third parties (including affiliates), and cookies that recognise a user when they return to the website. The EU Cookie Law targets the non-essential category.

Until now, compliance with this law has typically meant a banner at the top or bottom of the website letting the user know that cookies are being used. Most of us are familiar with the phrase "By using this website, you accept cookies" or something similar. This informed users, it's true, but did it really give them an alternative? The GDPR aims to change this by giving users a real and informed choice.

The GDPR’s say on cookies

In the GDPR, we see cookies mentioned in Recital 30, which states:

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

The idea is relatively simple: a cookie identifier can single out a person, so it must be treated as personal data. This affects identifiers used for analytics and advertising, but also those used for functional services such as chat widgets and surveys.

What has to change?

  • The users must have a choice. The fact that they use a website does not mean they agree to all cookies. The phrasing used at the moment is barely informative and certainly does not offer a choice. A website owner will not be able to force users to accept non-essential cookies in exchange for access to information.
  • Like all other consent under the GDPR, consent to cookies needs to be a clear affirmative action. Examples are ticking an opt-in box or choosing settings from a menu. Do not use pre-ticked boxes on the consent form: Recital 32 states that silence, pre-ticked boxes or inactivity do not constitute consent.
  • Let's not forget about opt-out. Article 7(3) of the GDPR states that a data subject must be able to withdraw consent as easily as they gave it. For cookies this generally means that withdrawal goes through the same mechanism as the original consent. For example, if they consented by ticking some boxes in a form, they have to be able to find the same form to untick them, and the cookies they no longer accept have to be removed.

To sum up

If you’re feeling confused about how the GDPR will affect your website and the cookies you use, you’re not alone. It is certain that consent management will become a crucial step for any business activity. So how can you make sure you are compliant?

First of all, tell the data subject exactly what types of cookies you'd like to use, and let them choose which ones they agree to. The first group is the cookies strictly necessary for the website to function. These cannot be switched off, because without them the website would not work properly. Be careful, though: they are exempt from consent because the service the user asked for cannot work without them, not because they are free of personal data. A session identifier is an online identifier in the sense of Recital 30 and still has to be listed, explained and protected like any other personal data. Make sure users understand this. Next come the cookies used for analytics. These are not needed for the website's functionality, therefore they cannot be imposed on the data subject. If the user switches them off you won't be able to fully monitor your website's performance. Again, make sure the data subject understands this, but give them the choice to switch them off.

Another category is that of functional cookies. Many of these are set by third parties. For instance, if you use Vimeo or YouTube to show videos on your website, the embedded player sets its own identifiers from the third party's domain, which means your own code cannot delete them afterwards; the practical consequence is that the embed itself should only be loaded once the user has agreed to that category. Without those cookies the videos will likely not work, but they remain optional to the user. Finally, it goes without saying that identifiers used for advertising or affiliate links are optional. Listing in the consent form the names of the cookies you will set on the user's device might also be helpful, as it increases the trust of those with medium to high technical experience.
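The requirements listed under "What has to change?" and the category split above translate directly into a small piece of client-side code: every cookie belongs to a declared category, nothing non-essential is written until the user has explicitly opted in to that category, the choice is recorded (with a policy version and timestamp, so it can be shown later), and withdrawal goes through the same call and removes the cookies that are no longer accepted. The example below is added here for illustration; it is not code from the original article or from any consent-management product. The category names, the cookie names, the `cookie_consent` record format and the policy version number are all assumptions chosen for the example. The cookie store is injected so the gating logic runs both in a browser (through `document.cookie`) and offline against an in-memory store.

```javascript
// Added example: a minimal cookie-consent gate (not from the original article).
// Category and cookie names below are illustrative assumptions.
const CATEGORIES = {
  necessary:   { required: true,  cookies: ['session_id', 'csrf_token', 'cookie_consent'] },
  analytics:   { required: false, cookies: ['_ga', '_gid'] },
  functional:  { required: false, cookies: ['video_player_prefs'] },
  advertising: { required: false, cookies: ['ad_id', 'aff_ref'] },
};
const CONSENT_COOKIE = 'cookie_consent'; // the record of the user's choice (assumed name)
const POLICY_VERSION = 3;                // assumed; bump whenever the cookie list changes

// In-memory store with the same interface as the browser store, so the
// gating logic can be exercised without a DOM (used by the assertions below).
class MemoryCookieStore {
  constructor() { this.map = new Map(); }
  get(name) { return this.map.has(name) ? this.map.get(name) : null; }
  set(name, value) { this.map.set(name, value); }
  delete(name) { this.map.delete(name); }
  names() { return [...this.map.keys()]; }
}

// Browser store over document.cookie; only constructed when a DOM exists.
class DocumentCookieStore {
  get(name) {
    const m = document.cookie.match(new RegExp('(?:^|; )' + name + '=([^;]*)'));
    return m ? decodeURIComponent(m[1]) : null;
  }
  set(name, value) {
    document.cookie = `${name}=${encodeURIComponent(value)}; Path=/; SameSite=Lax; Secure`;
  }
  delete(name) { document.cookie = `${name}=; Path=/; Max-Age=0`; }
  names() { return document.cookie.split('; ').filter(Boolean).map(c => c.split('=')[0]); }
}

class ConsentManager {
  constructor(store, categories = CATEGORIES) {
    this.store = store;
    this.categories = categories;
    this.categoryOf = new Map();
    for (const [cat, def] of Object.entries(categories))
      for (const name of def.cookies) this.categoryOf.set(name, cat);
  }

  // Effective choices. With no valid record only required categories are on:
  // silence, a malformed record or a record for an older policy never counts as consent.
  current() {
    const choices = {};
    for (const [cat, def] of Object.entries(this.categories)) choices[cat] = def.required;
    const raw = this.store.get(CONSENT_COOKIE);
    if (raw) {
      try {
        const rec = JSON.parse(raw);
        if (rec.version === POLICY_VERSION && rec.choices)
          for (const cat of Object.keys(choices))
            if (!this.categories[cat].required && rec.choices[cat] === true) choices[cat] = true;
      } catch (e) { /* malformed record: treated as no consent */ }
    }
    return choices;
  }

  // Record an explicit per-category opt-in. Only a literal `true` enables a
  // category, so an unticked (undefined) box stays off; required ones are always on.
  grant(choices) {
    const rec = { version: POLICY_VERSION, at: new Date().toISOString(), choices: {} };
    for (const [cat, def] of Object.entries(this.categories))
      rec.choices[cat] = def.required || choices[cat] === true;
    this.store.set(CONSENT_COOKIE, JSON.stringify(rec));
    this.purge(); // drop anything the user just declined
    return rec.choices;
  }

  // Withdrawal uses the same path as granting: every optional category off.
  withdraw() { return this.grant({}); }

  isAllowed(name) {
    const cat = this.categoryOf.get(name);
    return cat !== undefined && this.current()[cat] === true;
  }

  // Gate every write: a cookie whose category is not consented, or which was
  // never declared to the user at all, is refused.
  setCookie(name, value) {
    if (!this.isAllowed(name)) return false;
    this.store.set(name, value);
    return true;
  }

  // Delete cookies already present whose category is not (or no longer) consented.
  purge() {
    const removed = [];
    for (const name of this.store.names())
      if (!this.isAllowed(name)) { this.store.delete(name); removed.push(name); }
    return removed.sort();
  }
}
```

In a page, construct `new ConsentManager(new DocumentCookieStore())`, call `purge()` on load so that cookies set before consent was withdrawn (or before the policy version changed) disappear, and route every cookie write and every third-party embed through `isAllowed`. The consent record is itself a strictly necessary cookie: keeping it is what lets the site avoid asking again and show, if challenged, when and to which version of the policy the user agreed.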

Final thoughts

Consent management will definitely not be an easy task for many businesses and website owners. Many also question how the average user with little knowledge of the GDPR will react to being asked so many questions about consent. Will they be confused? Probably at first. It will be up to each business to create a consent form that is easy to understand while being comprehensive and informative at the same time. In the long term, we are confident that these changes will be beneficial for everyone.



About the author

Laura Vegh is the Chief Security Officer at, a passwordless security solution. She has a PhD in Systems Engineering, focused on cyber-physical systems security.