What does GDPR mean for your website cookies?

88 pages. 99 articles. The GDPR is long and winding. Here are the top 5 takeaways you need to know about GDPR and website cookies.
Table of Contents
We know. The General Data Protection Regulation is difficult to read. It is full of legal language and numerous paragraphs on how to protect EU citizens’ data. Let’s admit it, the GDPR is not exactly a page-turner.
However, it has had – and continues to have – a massive impact on how businesses and the public sector handle clients’ and citizens’ data.
So, here we break down the GDPR and give you 5 key issues from the regulation that affect how you (should) manage data and privacy on your website.

What is the GDPR?

Approved by the European Parliament in April 2016 and came into effect on the 25th of May 2018, the GDPR stands for General Data Protection Regulation. It is the core of Europe’s digital privacy legislation.
It is designed to harmonize data privacy laws across Europe, protect all EU citizens regarding data privacy and reshape the way organizations across the region approach data privacy.

Worldwide applicability

The GDPR applies worldwide! The regulation does not only apply to businesses and organizations within the EU but also to those located outside of the EU if they offer goods, services, or monitor the behavior of EU citizens (data subjects).
Therefore, the GDPR also applies to companies collecting and processing personal data from citizens in the EU, irrespective of the company’s physical geolocation.
Your company headquarters are located in the US, but you have a website that sells goods in Sweden. Your website collects and processes user data through first and third-party cookies whenever Swedish customers visit your site. If you cannot claim legitimate interest, you have to abide by EU regulations. This also applies to the third-party services on your site, e.g., Google Analytics, Facebook Pixel, YouTube, etc.

Handling personal data

Processing personal information requires consent. If you (the data controller) collect and process your visitors’ personal information, you are subject to the requirements on data handling in the GDPR.
According to the EU, personal data is any information related to a person (the data subject) which can be used to identify the person directly or indirectly. This can be a name, email address, social network information, IP address, etc.
However, the EU also operates with the definition of sensitive data, which is any personal data that may reveal racial or ethnic origin, political opinions, religious or personal beliefs, or membership in various organized societies. Data concerning health, sexual orientation, biometric and genetic data are also categorized as sensitive data.
As the data controller, you are also responsible for the data collected by third parties on your website, i.e., first and third-party cookies which process visitors’ data (Google, Facebook, YouTube, Addthis, Doubleclick).
Your company website uses Google Analytics to explore website traffic. Google deploys a number of cookies (first-party) in your visitor’s web browser every time the user visits your site. These cookies collect and process personal information about the visitor, which may identify the visitor directly or indirectly. The data collected by Google Analytics is used for online profiling and direct marketing, and this requires explicit user consent.


Consent is at the core of the GDPR. Website owners must acquire their website users’ consent before setting cookies that process the users’ data.
The GDPR is very clear on this topic. Consent must be obtained prior to data processing.
Consent is to be explained in a simple, easy-to-understand language. Silence or inactivity does not constitute consent. Consent must be clear and affirmative – and explicitly given by the user.
Consent is purpose-specific. Suppose a user buys something from your webshop and provides an email address. In that case, it does not mean you can automatically add it to the list of newsletter subscriptions (unless the user has explicitly agreed to it).
When a person visits your website, it is prompted by your cookie pop-up banner. The banner informs the visitor that the website uses cookies. That’s good. However, it is not enough simply to state that the website uses cookies. You are also obliged to ask for the user’s consent to store cookies in the browser. If it is rejected, then cookies are not allowed to process any personal information.

Access to data

Website visitors and customers always have the right the request any information a company holds on them. They also have the right to be forgotten. A company must delete all data it holds on the data subject (databases, file systems, backup repositories, email addresses, and telephone numbers. People also have the right to withdraw a consent given on a website. This is a keystone in the GDPR.
A visitor has given consent to your website processing her data. You have stored the consent in a secure database as EU law requires. If the user decides to withdraw their consent, as a data controller, you are to provide the user with this opportunity, and it should be as easy for the user to withdraw the consent as it was to give in the first place.


The fines for violating the GDPR are rather hefty. Businesses found to violate the regulation risk fines up to 4% of annual global turnover or €20 million, whichever is higher.
Since the GDPR came into effect in May 2018, some of the world’s largest AdTech companies have already found themselves in the spotlight. National Data Protection Authorities are beginning to stir, and they are backed up by the European Data Protection Board.
Your website has a cookie banner – as required. Maybe you found it somewhere on the internet as a freemium product. It justly informs your users of cookies, but it does not collect users’ consent; it does not offer the possibility to reject cookies; it does not block cookies prior to the consent, and it does not store consents in case of inspection. Thereby you risk fines from the DPA because your banner does not comply with the GDPR.
In January 2019, the French Data Protection Authority (CNIL) handed Google a fine of €50 million euros for lack of transparency on their online services; in February, the Bavarian DPA investigated 40 large German companies and found almost all of them to violate the GDPR on their websites, and the list is growing.

Choose your level of compliance – get a pro cookie consent solution

Cookie Information offers a consent solution that is tailored to your website(s) needs. You can have multiple websites in your solution, as many subpages as you like, and you can set the frequency of cookie scans from daily to monthly.
With our consent solution, you can become 100% GDPR compliant.

Our Consent Solution contains:

  • Professional cookie consent pop-up banner (can be customized to your desire)
  • A solution that collects and stores consent (in case of inspection)
  • Privacy controls (so the user can choose to decline tracking)
  • SDK-implementation (to prevent cookies from being set prior to consent)
Try out Cookie Information’s Consent Solution for your website(s) today. Start with a 30-day free trial.