What is a GDPR cookie policy? Guide to cookie compliance and GDPR cookies

Cookies are powerful tools for improving user experience, tracking engagement, and enabling analytics – but they also come with strict legal responsibilities. Under the General Data Protection Regulation (GDPR), websites must not only control how cookies are used but also clearly explain this through a dedicated cookie policy. This article offers a comprehensive guide to what a GDPR-compliant cookie policy should include and how to achieve full cookie compliance on your website.

Introduction to GDPR and cookies

The GDPR is a data protection regulation that came into force in May 2018, aiming to protect the privacy of individuals in the European Union. One of the lesser-understood areas of the GDPR is how it applies to cookies and other tracking technologies.

The regulation is often applied alongside the ePrivacy Directive (also known as the ‘cookie law’), which sets out more specific requirements for storing information or gaining access to information stored in users’ devices.

Other global laws – like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – also influence cookie usage, making compliance a global privacy issue.

What are cookies?

Cookies are small text files stored on a user’s device by a website. They help websites remember user preferences, login details, shopping carts, and can be used to track user behavior for analytics or marketing. Cookies are often used alongside other tracking technologies such as beacons, fingerprinting, and LocalStorage.

Essential cookies:
These are strictly necessary for your website to function. They enable core functionalities such as secure log-in, session management, and shopping cart processes. Without them, a user would not be able to navigate or use key features of your site.

Preference cookies:
These cookies allow a website to remember choices you’ve made in the past, like your selected language, region, or layout settings. They enhance user experience by tailoring the site to your preferences. 

Statistics/analytics cookies: 
These help website owners understand how visitors interact with their websites. Data collected is often aggregated and anonymous, but under GDPR, consent is still needed if they can identify or track users.

Marketing/advertising cookies: These track visitors across websites to display personalized ads. They create user profiles and are often set by third-party advertisers or platforms.

First-party cookies:
These are set by the website the user is visiting directly. They’re often used for authentication, session maintenance, and user preferences.

Third-party cookies:
These are set by domains other than the one the user is visiting. Commonly used in advertising, retargeting, and social media integrations, they raise more compliance concerns.

Non-essential cookies:
Any cookie that isn’t crucial to the website’s core functionality – such as analytics or advertising cookies – is considered non-essential and requires user consent. 

When and why cookies are considered personal data

Cookies are considered personal data under GDPR when they collect or process data that can be used to identify an individual, either directly or indirectly, for example tracking IDs, IP addresses, device and browser information, and behavior patterns.

Even if a single data point doesn’t identify someone, when combined with other data, it can constitute personal data under the GDPR. As a result, most cookies – especially third-party or analytics cookies – fall under the scope of personal data processing.

The legal basis for cookie use under GDPR

The main legal basis for using cookies that process personal data is explicit consent. Users must take an affirmative action (like clicking ‘Accept’) after being properly informed. Under GDPR, valid consent must be:
  • Freely given: Users should not be coerced or manipulated into accepting cookies.
  • Specific and granular: Consent must be given for each cookie category (e.g., analytics, marketing).
  • Informed: Users need clear, accessible information about what they’re consenting to.
  • Unambiguous: A clear affirmative action must be taken (e.g., clicking “Accept”).
  • Reversible: Users must be able to withdraw consent at any time as easily as they gave it.


Legitimate interest is not a valid basis for using cookies that track users or process their personal data.

Cookie compliance under GDPR and ePrivacy

Cookie compliance is shaped by both the GDPR and the ePrivacy Directive. Here’s how they work together:
  • The ePrivacy Directive (also known as the “cookie law”) regulates the storage of and access to information on users’ devices, including cookies.
  • The GDPR governs how personal data collected through those cookies is processed and protected.

Together, they require websites to:
  • Obtain prior consent before placing non-essential cookies
  • Provide transparent information about cookie purposes and third-party data sharing
  • Enable users to withdraw consent at any time
  • Store proof of consent and demonstrate compliance if audited

Placing cookies and other tracking technologies

Tracking technologies like cookies, fingerprinting, LocalStorage, and RFID tags can only be used after valid consent has been obtained – except for those strictly necessary for the service.
  • LocalStorage & SessionStorage: Similar to cookies, but not automatically sent with every request.
  • Fingerprinting: Collects attributes like browser type, time zone, and language to uniquely identify users without using cookies.
  • RFID tags: Used in physical tracking but subject to the same principles when tied to online services.

Blocking these technologies until consent is given is essential for GDPR cookie compliance.

What should be in a GDPR-compliant cookie policy?

A GDPR-compliant cookie policy is not just a legal formality—it’s a vital part of your website’s transparency and data privacy strategy. The goal of the policy is to clearly inform users about how cookies and similar tracking technologies are used, what data is collected, why, and how users can control it. To meet the expectations of regulators and privacy-conscious users, your cookie policy must be:

  • Easily accessible (linked in the website footer, cookie banner, and privacy center)
  • Written in clear, user-friendly language (no legalese)

  • Regularly updated (especially when new cookies or third-party services are introduced)

Here’s what your cookie policy should contain, section by section:

1. List of all cookies in use

Provide a categorized list of all cookies and similar tracking technologies set by your website. The most common categories include:
  • Strictly necessary (essential)
  • Preference (functionality)
  • Statistics (analytics)
  • Marketing (advertising/retargeting)

2. Cookie name and provider

Clearly identify each cookie by name and who sets it. This helps users recognize whether the cookie is first-party – set by your domain – or third-party – set by an external service like Google, Meta, Hotjar, etc.

example

_fbp – Set by Facebook (third party)
_gid – Set by yoursite.com (first party)

3. Purpose of each cookie

Explain in simple terms what each cookie does. Users should understand why the cookie exists and what benefit or function it provides.

example

“Used to keep you logged in while you browse our site.”
“Tracks which pages you visit so we can improve our content.”
“Used to deliver ads that are more relevant to you.”

4. Cookie duration (expiration time)

Indicate whether the cookie is a session cookie (deleted when the browser closes) or a persistent cookie (stored for a defined period). Specify how long persistent cookies remain active.

example

Session cookie: expires when the user closes the browser
Persistent cookie: expires after 12 months

5. Data sharing and third parties

State whether any personal data collected through cookies is shared with third parties, and if so, identify them. Also, include links to those third parties’ privacy policies when possible.


6. Legal basis and consent information

Mention that the placement of non-essential cookies is based on explicit user consent as required by the GDPR and the ePrivacy Directive. Clearly explain how and when consent is obtained.

example

“Non-essential cookies will only be set after you have given your explicit consent via our cookie banner.”

7. Instructions for withdrawing or changing consent

Explain how users can withdraw or modify their consent at any time. Provide a direct link to the consent preferences or cookie settings area. This is essential for maintaining valid, revocable consent.

example

“You can change or withdraw your consent at any time by clicking ‘Cookie Settings’ at the bottom of any page.”

‘Cookie Settings’ can be replaced with similar wording, or with a reference to your cookie widget, depending on what you have implemented on your site, as long as it is clear to the user.

8. Contact information

Provide details on how users can contact your organization with questions about your cookie use or privacy practices. This can be your DPO or general privacy contact.

example

“If you have any questions about our use of cookies or how we handle your personal data, please contact privacy@yoursite.com.”

9. Date of last update

To demonstrate accountability, include the date your cookie policy was last updated. This helps users and regulators know how current your disclosures are.

10. Optional: Consent history or records access

Optionally, describe the records of consent you keep (the time, date and content of each consent given) and how users can request access to their own consent history.

Keeping your cookie policy up to date

Your cookie policy is a living document. It should be updated:

• Every time new cookies are added to your site
• When existing tools or services change their behavior
• If data sharing arrangements change (e.g. switching ad networks)
• In response to new regulatory guidance (e.g. from CNIL, ICO, Datatilsynet)

How to obtain and manage cookie consent

To comply with GDPR and ePrivacy, websites must implement a transparent and user-centric consent process. This process should guide users to make informed choices and give them full control over their data.

Implement a cookie consent banner

  • Block all non-essential cookies until consent is given
  • Be easily visible and not hidden behind interactions
  • Clearly explain what cookies are used and for what purpose
  • Provide buttons for “Accept all,” “Reject all,” and “Customize settings”

Follow consent requirements

  • No pre-ticked boxes
  • Consent must be actively given, not assumed.
  • Let users choose which categories of cookies to allow.
  • Users must be able to withdraw consent as easily as they gave it.

Store and document consent

  • You must store records of user consent (often for 5 years). This includes the time, date, and content of the consent given.
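The banner rules, consent requirements and consent records described above, together with the per-cookie policy fields from sections 1 to 5, as an added JavaScript example that is not Cookie Information's or any other CMP's code: the cookie inventory, the policy version and the store interface are constructed assumptions, and a browser build would back the store with a first-party cookie or localStorage and use the gate to decide which tags to load.

```javascript
// Added example: a small consent gate implementing the rules above.
// Not a real CMP's code; inventory, POLICY_VERSION and the store shape are assumptions.
const POLICY_VERSION = "2024-01"; // constructed: bump when the policy changes, forcing re-consent
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed cookie inventory, in the shape the policy sections above ask for.
const COOKIE_INVENTORY = [
  { name: "session_id", provider: "yoursite.com", category: "necessary",
    purpose: "Keeps you logged in while you browse our site", duration: "session" },
  { name: "lang", provider: "yoursite.com", category: "preferences",
    purpose: "Remembers your selected language", duration: "12 months" },
  { name: "_gid", provider: "yoursite.com", category: "statistics",
    purpose: "Tracks which pages you visit so we can improve our content", duration: "24 hours" },
  { name: "_fbp", provider: "Facebook", category: "marketing",
    purpose: "Used to deliver ads that are more relevant to you", duration: "3 months" },
];

// store: { get(): record | null, set(record) } is injected so the gate runs offline;
// a browser build would back it with a first-party cookie or localStorage.
function createConsentManager(store, now = () => new Date()) {
  let record = store.get();

  // A stored decision only counts if it was given for the current policy version.
  const hasValidRecord = () => Boolean(record) && record.policyVersion === POLICY_VERSION;

  function isAllowed(category) {
    if (category === "necessary") return true; // strictly necessary: no consent needed
    return hasValidRecord() && record.choices[category] === true; // default is "blocked"
  }

  // Persist the time, date and content of the decision, including refusals and
  // withdrawals, so the site can later demonstrate what the user chose and when.
  function save(choices, action) {
    const normalised = {};
    for (const c of CATEGORIES) normalised[c] = c === "necessary" || choices[c] === true;
    record = { policyVersion: POLICY_VERSION, timestamp: now().toISOString(), action, choices: normalised };
    store.set(record);
    return record;
  }

  return {
    bannerRequired: () => !hasValidRecord(),            // show the banner until a current decision exists
    acceptAll: () => save(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept_all"),
    rejectAll: () => save({}, "reject_all"),            // one click, like accepting: all non-essential off
    customise: (choices) => save(choices, "customise"), // only categories explicitly set to true (no pre-ticking)
    withdraw: () => save({}, "withdraw"),               // withdrawal is recorded like any other decision
    isAllowed,
    allowedCookies: () => COOKIE_INVENTORY.filter((c) => isAllowed(c.category)).map((c) => c.name),
    record: () => record,
  };
}

// In-memory store for the offline demo; the same interface fits a cookie or localStorage.
function memoryStore(initial = null) {
  let value = initial;
  return { get: () => value, set: (r) => { value = r; } };
}

// Demo run: first visit, then a customised choice, then withdrawal.
const demo = createConsentManager(memoryStore());
console.log(demo.bannerRequired(), demo.allowedCookies()); // true [ 'session_id' ]
demo.customise({ statistics: true });
console.log(demo.allowedCookies());                        // [ 'session_id', '_gid' ]
demo.withdraw();
console.log(demo.allowedCookies(), demo.record().action);  // [ 'session_id' ] withdraw
```

A record saved under an older policy version is treated as no consent, so changing the policy (a new third-party service, for instance) re-shows the banner instead of silently reusing an outdated choice.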

How a CMP helps you manage cookie compliance and maintain a GDPR-compliant cookie policy

A Consent Management Platform (CMP) plays a central role in maintaining a GDPR-compliant cookie policy by ensuring your website always reflects the actual cookies and tracking technologies in use. It does this by automatically scanning your site, detecting both first- and third-party cookies, and dynamically updating your cookie policy with accurate, categorized information—such as cookie names, purposes, providers, and expiration times.

Beyond generating the policy content, a CMP ensures the legal foundation for your policy is solid. It collects and stores valid consent, blocks non-essential cookies until permission is given, and gives users an easy way to update or withdraw consent at any time. This combination of technical enforcement and transparent communication is what makes your cookie policy truly GDPR-compliant – not just on paper, but in practice.

Why consent management matters for marketers

For marketers, implementing a Consent Management Platform (CMP) like Cookie Information goes far beyond legal compliance – it’s a strategic move for maintaining data quality and campaign performance. 

When cookies are handled correctly, you can collect consented, reliable data that fuels analytics, A/B testing, personalization, and digital advertising. Without a CMP, non-consented users are often excluded from tracking altogether, leading to gaps in your data and skewed performance metrics. A CMP ensures that you only process data with valid consent – resulting in cleaner, more actionable insights.

It also helps preserve the effectiveness of digital advertising by ensuring that tracking and retargeting cookies are only activated when legally permitted, so you avoid wasting ad spend on non-consented traffic.

Cookie Information’s CMP integrates smoothly with tools like Piwik PRO Analytics Suite, allowing marketers to track user behavior compliantly, and feed consented data into connected platforms such as a Customer Data Platform (CDP). This makes it possible to build accurate customer profiles and power automated journeys – without risking non-compliance or data integrity issues.

Google Analytics and GDPR cookie compliance

Google Analytics (GA) is one of the most widely used tools for measuring website traffic and user behavior. However, because it sets cookies that collect personal data – such as IP addresses, unique user IDs, device/browser information, and behavioral patterns – it falls squarely under the scope of the General Data Protection Regulation (GDPR). This means that using GA legally in the EU requires prior, explicit user consent before any GA cookies are set.

But compliance goes beyond just getting consent. The legal use of Google Analytics in the EU has been increasingly challenged by data protection authorities due to one critical issue: EU–US data transfers.

The EU–US data transfer problem

When GA collects user data, it transmits it to servers located in the United States, where it is processed by Google LLC. Under the GDPR, such transfers are only allowed if the destination country ensures an adequate level of data protection – which, as of today, the US does not. 

After the Schrems II ruling by the Court of Justice of the European Union (CJEU), the previous legal mechanism for these transfers – the Privacy Shield framework – was invalidated. Despite efforts like Standard Contractual Clauses (SCCs), regulators have determined that they do not sufficiently protect EU citizens’ data from US surveillance laws.

Enforcement actions against Google Analytics

Several European Data Protection Authorities (DPAs) have issued rulings declaring that standard GA implementations are not GDPR-compliant. Key examples include:

CNIL (France):
Ruled that GA’s use violates GDPR due to unlawful data transfers to the US.

Austrian DSB:
Found that even with IP anonymization, GA’s setup still results in GDPR breaches.

Italian Garante:
Ordered several sites to stop using GA or face fines. 

These decisions make it increasingly risky for organizations in the EU (or serving EU users) to rely on Google Analytics – even when Consent Mode or anonymization features are enabled.

What you need to know about Google and EU-US data transfers

  • Google Analytics requires prior user consent under GDPR.

  • Data collected via GA is transferred to the US, raising legal concerns.

  • Regulators have ruled that standard implementations of GA are not compliant, even with technical safeguards.

There’s currently no US-based analytics solution that fully complies with EU data protection expectations—unless used in extremely restricted or anonymized ways.

Recommended alternative to Google Analytics: Piwik PRO

If you want to continue gathering insights while maintaining GDPR compliance and minimizing legal risk, consider switching to a European-hosted analytics solution like Piwik PRO.

Piwik PRO offers:
• Full GDPR compliance – Data stays within the EU, with no reliance on US cloud services.
• EU-based hosting – Choose servers located in Germany, the Netherlands, or other EU jurisdictions.
• Consent-based tracking – Works seamlessly with CMPs to only track users after valid consent.
• Feature parity with GA – Includes dashboards, custom events, goal tracking, tag management, and more.
• Support for internal use cases – Can also be used in healthcare, finance, and public sector environments where compliance is critical. 

Unlike GA, Piwik PRO gives you full control over your data, ensures user privacy by design, and reduces the risk of enforcement or complaints.

Common mistakes that break cookie compliance

Even with the best intentions, many websites fall short of GDPR cookie compliance due to avoidable errors – both in how cookies are implemented and how they’re described in the cookie policy. A compliant cookie policy must reflect actual practices, and any mismatch can put your business at risk of enforcement or user complaints. Here are some of the most common mistakes to avoid.

1. Pre-ticked boxes or implied consent
Consent must be explicit and involve a clear affirmative action; default settings do not qualify.

2. Vague or incomplete cookie descriptions in the policy
Users must be clearly informed about what each cookie does, who sets it, and how long it lasts.

3. No option to withdraw or modify consent
Consent must be as easy to withdraw as it is to give—typically via a persistent link or settings panel.

4. Failure to store and document user consent
Without a record of when and how consent was obtained, you cannot demonstrate compliance in case of an audit.

Frequently asked questions

What is a GDPR cookie policy?

A GDPR cookie policy is a detailed notice provided to users, informing them about the use of cookies and other tracking technologies on a website. It outlines what types of cookies are used, what data they collect, who sets them, how long they persist, and how users can manage or withdraw their consent. It’s a vital part of achieving transparency and legal compliance under GDPR.

What should a GDPR-compliant cookie policy include?

A GDPR-compliant cookie policy must be clear, accessible, and comprehensive. It should include:
  • List of cookies: All cookies in use, categorized by purpose.
  • Cookie name and provider: Clarify whether it’s a first- or third-party cookie.
  • Purpose: Why the cookie is being used (e.g., analytics, marketing).
  • Duration: When the cookie expires (session or persistent).
  • Data shared: Whether data is shared with third-party services.
  • Withdrawal instructions: How users can change or withdraw consent.
  • Link to manage preferences: Include a link in your banner or footer.

Are cookies personal data under GDPR?

Yes. Cookies that store information which can be used to identify an individual—such as tracking IDs, device information, and behavior patterns—are considered personal data under the GDPR. This is especially the case when cookies are combined with other data to create user profiles.

Is a cookie policy required under GDPR?

Yes. A cookie policy is a legal requirement under GDPR and the ePrivacy Directive. It ensures that users are fully informed before consenting to cookie use. Without one, you cannot demonstrate compliance or properly inform users about their rights and options.

How do I obtain explicit consent for cookies?

You can obtain explicit consent through a cookie banner that appears on the user’s first visit to your site. This banner must clearly explain the use of cookies, offer the ability to accept or reject them, and allow customization of cookie settings. Consent must be freely given, specific, informed, and unambiguous.

What happens if my website is not cookie-compliant?

Non-compliance can result in regulatory investigations, fines (which can reach up to €20 million or 4% of global turnover), and reputational damage. In addition, failure to comply could lead to a loss of trust from users who are increasingly aware of their privacy rights.

How often should I update my cookie policy?

You should update your cookie policy whenever new cookies are added to your site, or when there are changes to existing cookies or third-party providers. Using a CMP that scans your site regularly and updates your policy automatically is the best practice.

How can users withdraw their cookie consent?

Users should be able to withdraw their consent as easily as they gave it. This typically involves including a persistent link in your footer (e.g., “Cookie Settings”) or providing a dedicated preference center where users can modify or revoke their choices.

Does GDPR affect cookies from tools like Google Analytics?

Yes. Google Analytics sets cookies that process personal data and therefore fall under the GDPR. Consent must be obtained before these cookies are placed, and additional measures like IP anonymization should be implemented. Moreover, the EU-US data transfer issue may render GA non-compliant without additional safeguards.

What’s the difference between first-party and third-party cookies?

First-party cookies are set by the domain the user is visiting and are generally used for functionality and analytics. Third-party cookies are set by external domains (e.g., advertisers or social media platforms) and are primarily used for tracking and targeted advertising. GDPR applies to both, but third-party cookies often require more scrutiny due to the potential for cross-site tracking and data sharing.

Do I need a cookie consent banner?

Yes. Under GDPR and related data privacy laws, you must display a cookie consent banner that informs users about the cookies your website uses and gives them the ability to accept, reject, or customize their preferences. This banner is a key part of any valid consent mechanism and should appear before any non-essential cookies are set.

How do I obtain user consent for cookies?

To obtain user consent, your website must use a compliant consent mechanism – typically a cookie banner – that explains the purpose of each cookie category and allows users to make an informed choice. Consent must be freely given, specific, informed, and revocable.

Can users reject cookies on my website?

Yes. GDPR requires that users have the ability to reject cookies just as easily as they accept them. Your cookie banner or settings panel must include an option to reject non-essential cookies and must not use dark patterns or pre-ticked boxes.

Which cookies require consent?

Cookies require consent when they are not strictly necessary for the operation of your website. This includes analytics, advertising, and social media cookies. According to data privacy regulations like the GDPR and ePrivacy Directive, you must obtain consent before setting these cookies.

Which data privacy laws regulate cookies?

Data privacy laws such as the GDPR and the California Consumer Privacy Act (CCPA) regulate how cookies can be used on websites. They require transparency, user choice, and in many cases, prior consent before placing cookies that track personal data.

How do I make my website cookie-compliant?

Start by using a consent banner that aligns with GDPR requirements, document and store user consents, and regularly audit the cookies used on your website. A consent management platform (CMP) can automate much of this and help you stay compliant with evolving data privacy regulations.