GDPR cookie consent explained

What is a cookie consent under the GDPR?

What exactly are the rules for consent to cookies in the GDPR? And how do they apply to you?

What is consent for cookies in the GDPR?

According to the General Data Protection Regulation (GDPR), the requirements for consent are quite clear: 

“the data subject (the internet user) has to provide a freely given consent in order for the data controller (the website) to begin collecting and processing his or her personal data”.

This applies regardless of whether the data is collected by the website’s own cookies (first-party) or by other services (third-party cookies).

Valid consent is a freely given, specific, informed and unambiguous indication by your website’s user that you may store cookies on his or her device (computer/tablet/smartphone).


Why do you have to collect consent to cookies?

According to the ePrivacy Directive (the European Cookie Law), you are required to obtain your users’ consent for using cookies (i.e. placing cookies on their devices).

This is why the internet saw the birth of all these cookie notices stating “we use cookies – ok”.

However, since most cookies collect users’ personal data for processing, the rules for consent in the GDPR apply.

Examples of third-party services which place tracking cookies (and therefore require valid consent): 

  • Google Analytics
  • Facebook Pixel
  • Hotjar
  • YouTube
  • Virtually every other third-party provider that sets tracking cookies through your website.


What is personal data under the GDPR?

‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

GDPR article 4

Looking at the definition in the GDPR, we have a list of identifiers: 

  • name
  • identification number
  • location data
  • online identifiers
  • more factors (e.g. biometric data) 

Looking specifically at online identifiers, Recital 30 of the GDPR provides us with this non-exhaustive list:

  • Internet protocol (IP) addresses;
  • cookie identifiers; and
  • other identifiers such as radio frequency identification (RFID) tags.

These are identifiers which refer to information related to a person’s tools, applications or devices, such as computers, smartphones or tablets. Any information that can identify a specific device, such as fingerprinting, is also classified as an online identifier.


Who does the GDPR apply to?

“But they are not my cookies!” Here’s why the GDPR applies to you.

The GDPR applies to any website or app which collects and/or processes EU citizens’ personal data. This applies regardless of whether the website is located within or outside of the EU.

It is the website owner, administrator or the company’s Data Protection Officer (DPO) who is responsible for making sure the site complies with the GDPR in relation to the data that cookies collect and process.

The website is the “data controller” and is therefore responsible for collecting valid consent to cookies and data processing.

This applies even though the cookies are not owned by the company but are third-party cookies, e.g. Google Analytics, Facebook Pixel, YouTube or AddThis. The third-party services are the data processors.


Checklist to comply with the GDPR when using cookies

Is your current cookie pop-up doing all that? Have a free compliance check. 


How can you comply with the GDPR?

We can help you reach the level of GDPR compliance you desire. We are a global privacy-tech company offering privacy solutions to both the public and private sectors.

Our Consent Solution is used by more than 1500 clients, and we collect 15 billion consents yearly.

Become GDPR compliant today! 

Try our Consent Solution with its professional cookie consent pop-up for free – 30 days!

Cookie Information's Cookie Consent Solution includes:
