What does GDPR mean for your website cookies?

88 pages. 99 articles. The GDPR is long and winding. Here are the top 5 takeaways you need to know about GDPR and website cookies.

We know. The General Data Protection Regulation is difficult to read. It is full of legal language and numerous paragraphs on how to protect EU citizens’ data. Let’s admit it, the GDPR is not exactly a page-turner.

However, it has had – and continues to have – a massive impact on how businesses and the public sector handle clients’ and citizens’ personal data.

So, here we break down the GDPR and give you 5 key issues from the regulation which have an effect on how you (should) manage data and privacy on your website.

What is the GDPR?

GDPR stands for General Data Protection Regulation. It was approved by the European Parliament in April 2016, came into effect on the 25th of May 2018, and is the core of Europe’s digital privacy legislation.

It is designed to harmonize data privacy laws across Europe, to protect all EU citizens regarding data privacy and to reshape the way organizations across the region approach data privacy. 

Link: The General Data Protection Regulation

Worldwide applicability

The GDPR applies worldwide! The regulation does not only apply to businesses and organizations within the EU, but also to those located outside of the EU if they offer goods or services to, or monitor the behavior of, EU citizens (data subjects).

Therefore, the GDPR also applies to companies collecting and processing personal data from citizens in the EU, irrespective of the company’s physical geolocation.


Your company headquarters are located in the US, but you have a website which sells goods in Sweden. Whenever Swedish customers visit your site, your website collects and processes their personal data through first- and third-party cookies. If you cannot claim legitimate interest, then you have to abide by EU regulation. This also applies to the third-party services on your site, e.g. Google Analytics, Facebook Pixel, YouTube etc.

Link: Who does the GDPR apply to?

Handling personal data

Processing personal information requires consent. If you (the data controller) collect and process your visitors’ personal information, you are subject to the requirements on data handling in the GDPR.

According to the EU, personal data is any information related to a person (the data subject) which can be used to identify the person directly or indirectly. This can be a name, email address, social network information, IP address etc.

However, the EU also defines sensitive data: any personal data which may reveal racial or ethnic origin, political opinions, religious or personal beliefs, or membership of various organized societies. Data concerning health, sexual orientation, biometric and genetic data are also categorized as sensitive data.

As the data controller, you are also responsible for the data collected by third parties on your website, i.e. first- and third-party cookies which process visitors’ personal data (Google, Facebook, YouTube, AddThis, DoubleClick).

Link: Am I a data controller or data processor?


Your company website uses Google Analytics to explore website traffic. Google deploys a number of cookies (first-party) in your visitor’s web browser every time the user visits your site. These cookies collect and process personal information about the visitor which may identify the visitor directly or indirectly. The data collected by Google Analytics are used for online profiling and direct marketing, and this requires explicit user consent.

Link: List of Google Segments

Link: What constitutes data processing?

Consent is at the core of the GDPR. Website owners must acquire their website users’ consent before setting cookies that process the users’ personal data.

The GDPR is very clear on this topic. Consent must be obtained prior to data processing.  

Consent is to be explained in simple, easy-to-understand language. Silence or inactivity does not constitute consent. Consent must be clear and affirmative – and explicitly given by the user.

Consent is purpose specific. If a user buys something from your web shop and provides an email address, it does not mean you can automatically add it to the list of newsletter subscriptions (unless the user has explicitly agreed to it).


When a person visits your website, she is prompted by your cookie pop-up banner. The banner informs the visitor that the website uses cookies. That’s good. However, it is not enough simply to state that the website uses cookies; you are also obliged to ask for the user’s consent to store cookies in her browser. If she rejects them, then cookies are not allowed to process her personal information.

Link: What constitutes consent?

Access to data

Website visitors and customers always have the right to request any information a company holds on them. They also have the right to be forgotten. A company must delete all data it holds on the data subject (databases, file systems, backup repositories, email addresses and telephone numbers). People also have the right to withdraw consent given on a website. This is a keystone in the GDPR.


A visitor has given consent to your website processing her data. You have stored her consent in a secure database as required by EU law. Now, she has changed her mind, and wants to withdraw her consent. As a data controller you are to provide her with this opportunity, and it should be as easy for her to withdraw her consent as it was to give it in the first place.

Link: EU on consent withdrawal


The fines for violating the GDPR are rather hefty. Businesses found to violate the regulation risk fines up to 4% of annual global turnover or €20 million, whichever is higher.

Since the GDPR came into effect in May 2018, some of the world’s largest AdTech companies have already found themselves in the spotlight. National Data Protection Authorities are beginning to stir, and they are backed up by the European Data Protection Board.


Your website has a cookie banner – as required. Maybe you found it somewhere on the internet as a freemium product. It rightly informs your users of cookies, but it does not collect users’ consent; it does not offer the possibility to reject cookies; it does not block cookies prior to consent; and it does not store consents in case of inspection. You thereby risk fines from the DPA because your banner does not comply with the GDPR.

Link: What are the GDPR fines?

In January 2019, the French Data Protection Authority (CNIL) handed Google a fine of €50 million for lack of transparency on their online services; in February the Bavarian DPA investigated 40 large German companies and found almost all of them to violate the GDPR on their websites, and the list is growing.

Link: CNIL fines Google €50 million for lack of transparency

Link: Bavarian DPA investigates 40 large German companies for breaches to the GDPR

Cookie Information offers a consent solution which is tailored to the needs of your website(s). You can have multiple websites in your solution and as many subpages as you like, and you can set the frequency of cookie scans from daily to monthly.

With our consent solution you can become 100% GDPR compliant.

Our Consent Solution contains:

  • Professional cookie consent pop-up banner (can be customized to your desire)
  • A solution which collects and stores consents (in case of inspection)
  • Privacy controls (so the user can choose to decline tracking)
  • SDK-implementation (to prevent cookies from being set prior to consent)

Try out Cookie Information’s Consent Solution for your website(s) today. Start with a 30-day free trial.
