Cookies are powerful tools for improving user experience, tracking engagement, and enabling analytics – but they also come with strict legal responsibilities. Under the General Data Protection Regulation (GDPR), websites must not only control how cookies are used but also clearly explain this through a dedicated cookie policy. This article offers a comprehensive guide to what a GDPR-compliant cookie policy should include and how to achieve full cookie compliance on your website.
The GDPR is the EU's data protection regulation. It has applied since 25 May 2018 and protects the personal data of individuals in the European Union and the EEA. One of the lesser-understood areas of the GDPR is how it applies to cookies and other tracking technologies.
The regulation is often applied alongside the ePrivacy Directive (also known as the ‘cookie law’), which sets out more specific requirements for storing information or gaining access to information stored in users’ devices.
Other global laws – like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – also influence cookie usage, making compliance a global privacy issue.
Cookies are small pieces of data that a website asks the browser to store on the user's device and send back with every later request to that site. They let websites remember user preferences, login state and shopping carts, and they can be used to track user behavior for analytics or marketing. Cookies are often used alongside other tracking technologies such as beacons, fingerprinting, and LocalStorage, and the rules below apply to those just as much as to cookies.
Essential cookies:
These are strictly necessary for your website to function. They enable core functionalities such as secure log-in, session management, and shopping cart processes. Without them, a user would not be able to navigate or use key features of your site.
Preference cookies:
These cookies allow a website to remember choices you’ve made in the past, like your selected language, region, or layout settings. They enhance user experience by tailoring the site to your preferences.
Statistics/analytics cookies:
These help website owners understand how visitors interact with their websites. The reports are often aggregated, but the cookies themselves store a unique visitor identifier, so under the GDPR and the ePrivacy Directive consent is still needed before they are set.
Marketing/advertising cookies:
These track visitors across websites to display personalized ads. They create user profiles and are often set by third-party advertisers or platforms.
First-party cookies:
These are set by the website the user is visiting directly. They’re often used for authentication, session maintenance, and user preferences.
Third-party cookies:
These are set by domains other than the one the user is visiting. Commonly used in advertising, retargeting, and social media integrations, they raise more compliance concerns.
Non-essential cookies:
Any cookie that isn’t crucial to the website’s core functionality – such as analytics or advertising cookies – is considered non-essential and requires user consent.
Cookies are personal data under the GDPR whenever the data they store, or the data processed through them, can be used to identify an individual, directly or indirectly. Recital 30 of the GDPR names cookie identifiers and IP addresses as online identifiers that, combined with other information, can be used to profile and identify a person. A unique cookie ID is therefore personal data even when no name is attached to it.
Legitimate interest is not a valid basis for cookies that track users or process their personal data: Article 5(3) of the ePrivacy Directive requires consent for storing or reading any non-essential information on the user's device, so a tracking cookie cannot be set on legitimate interest alone.
A cookie policy must also be:
• Easily accessible (linked in the website footer, cookie banner, and privacy center)
• Regularly updated (especially when new cookies or third-party services are introduced)
Here’s what your cookie policy should contain, section by section:
Cookie Name | Type | Description |
---|---|---|
PHPSESSID | Essential | Maintains session state |
_ga | Analytics | Google Analytics cookie to track visits |
fr | Marketing | Facebook tracking cookie |
State who sets each cookie and whether it is first party or third party. A script loaded from a third party can write a cookie under your own domain, so name the provider as well as the domain; the data still flows to that provider:
_fbp – set on yoursite.com by the Facebook Pixel script (first-party domain, third-party provider)
_gid – set on yoursite.com by Google Analytics (first-party domain, third-party provider)
Explain in simple terms what each cookie does. Users should understand why the cookie exists and what benefit or function it provides.
“Used to keep you logged in while you browse our site.”
“Tracks which pages you visit so we can improve our content.”
“Used to deliver ads that are more relevant to you.”
Indicate whether the cookie is a session cookie (deleted when the browser closes) or a persistent cookie (stored for a defined period). Specify how long persistent cookies remain active.
Session cookie: expires when the user closes the browser
Persistent cookie: expires after 12 months
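The first-party/third-party and session/persistent classifications above are exactly what a cookie scanner derives from the Set-Cookie headers it observes. The following is an added example, not code from the article or from Cookie Information's product: it parses constructed Set-Cookie observations, classifies each cookie by domain (relative to the audited site), provider and lifetime, renders the policy table, and reports cookies the published policy does not list. Host names, cookie values and the observation format are assumptions; the registrable-domain helper is deliberately simplified.

```javascript
// Added example (not from the article): derive the rows of a cookie-policy
// inventory from Set-Cookie headers observed while crawling a site, and
// flag cookies that the published policy does not list.

// Constructed observations. `landsOn` is the host whose cookie jar receives the
// cookie; `setBy` is the host that issued the Set-Cookie or the script host
// that wrote document.cookie. Names, values and hosts are illustrative.
const OBSERVED = [
  { landsOn: "www.yoursite.com", setBy: "www.yoursite.com",
    header: "PHPSESSID=8f3a1c; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { landsOn: "www.yoursite.com", setBy: "www.googletagmanager.com",
    header: "_ga=GA1.1.123456; Max-Age=63072000; Path=/; Domain=yoursite.com; Secure; SameSite=Lax" },
  { landsOn: "www.yoursite.com", setBy: "connect.facebook.net",
    header: "_fbp=fb.1.1717200000.42; Max-Age=7776000; Path=/; Domain=yoursite.com" },
  { landsOn: "www.facebook.com", setBy: "www.facebook.com",
    header: "fr=0aB1cD; Expires=Sat, 31 May 2025 00:00:00 GMT; Path=/; Domain=.facebook.com; Secure; SameSite=None" },
];

// Parse one Set-Cookie header into name, value and lower-cased attributes (RFC 6265 syntax).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Registrable domain, simplified to the last two labels. A production scanner
// must consult the Public Suffix List here (co.uk, github.io, ...).
function registrableDomain(host) {
  return host.replace(/^\./, "").toLowerCase().split(".").slice(-2).join(".");
}

// Session or persistent. Max-Age wins over Expires when both are present
// (RFC 6265 section 5.3); a non-positive lifetime is a deletion, not a cookie.
function lifetime(cookie, now) {
  let ms;
  if ("max-age" in cookie.attrs) ms = Number(cookie.attrs["max-age"]) * 1000;
  else if ("expires" in cookie.attrs) ms = Date.parse(cookie.attrs.expires) - now.getTime();
  else return { kind: "session" };
  if (!(ms > 0)) return { kind: "deleted" };
  return { kind: "persistent", days: Math.round(ms / 86400000) };
}

// One policy row per observed cookie: the domain it lives on, first/third party
// relative to the audited site, the provider that set it, and its lifetime.
// A first-party cookie written by a third-party script is flagged separately.
function buildInventory(observations, siteHost, now) {
  const site = registrableDomain(siteHost);
  return observations.map(({ landsOn, setBy, header }) => {
    const c = parseSetCookie(header);
    const domain = registrableDomain(c.attrs.domain || landsOn);
    const provider = registrableDomain(setBy);
    return {
      name: c.name,
      domain,
      party: domain === site ? "first" : "third",
      provider,
      thirdPartyProvider: provider !== site,
      lifetime: lifetime(c, now),
    };
  });
}

// Cookies observed on the site but absent from the published policy table:
// each one means the policy is out of date.
function missingFromPolicy(rows, policyNames) {
  const listed = new Set(policyNames);
  return rows
    .filter((r) => r.lifetime.kind !== "deleted" && !listed.has(r.name))
    .map((r) => r.name);
}

// Render the rows in the same Markdown table shape the policy uses.
function toMarkdownTable(rows) {
  const fmt = (l) => (l.kind === "persistent" ? `${l.days} days` : l.kind);
  const lines = ["Cookie Name | Domain | Party | Provider | Lifetime |", "---|---|---|---|---|"];
  for (const r of rows) {
    lines.push(`${r.name} | ${r.domain} | ${r.party} | ${r.provider} | ${fmt(r.lifetime)} |`);
  }
  return lines.join("\n");
}

// Usage: audit the constructed observations against a policy that lists three cookies.
const ROWS = buildInventory(OBSERVED, "www.yoursite.com", new Date("2024-06-01T00:00:00Z"));
console.log(toMarkdownTable(ROWS));
console.log("not in policy:", missingFromPolicy(ROWS, ["PHPSESSID", "_ga", "fr"]));
```

In the sample, `_fbp` comes out as first party by domain but with a third-party provider, which is the case the policy must describe explicitly, and `_fbp` is also reported as missing from the policy, the signal that the policy needs updating.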
State whether any personal data collected through cookies is shared with third parties, and if so, identify them. Also, include links to those third parties’ privacy policies when possible.
“Marketing cookies may send data to Google and Facebook for ad targeting purposes. You can view their privacy policies here and here.”
Mention that non-essential cookies are placed only on the basis of the user's prior consent, as required by the GDPR and the ePrivacy Directive, and that consent means an affirmative action: pre-ticked boxes, continued browsing or scrolling do not count. Clearly explain how and when consent is obtained.
“Non-essential cookies will only be set after you have given your explicit consent via our cookie banner.”
Explain how users can withdraw or modify their consent at any time. Provide a direct link to the consent preferences or cookie settings area. This is essential for maintaining valid, revocable consent.
“You can change or withdraw your consent at any time by clicking ‘Cookie Settings’ at the bottom of any page.”
‘Cookie settings’ can be replaced with any equally clear label, or with a link to your cookie widget, depending on what you have implemented on your site.
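The two statements above ("non-essential cookies will only be set after you have given your consent" and "you can withdraw your consent at any time") are only true if the site's scripts enforce them. The following is an added example, not code from the article or from any consent management product: a minimal consent gate in which non-essential scripts load only for categories the user affirmatively chose, each decision is recorded with a timestamp and policy version for the audit log, and withdrawal expires the first-party cookies those scripts set. The script registry, cookie names and the site domain are assumptions for illustration.

```javascript
// Added example (not from the article): a minimal consent gate. Non-essential
// scripts are injected only for categories the user has affirmatively chosen,
// every decision is logged with a policy version, and withdrawal expires the
// first-party cookies those scripts set. All names and URLs are illustrative.

const CATEGORIES = ["preferences", "analytics", "marketing"]; // "essential" needs no consent
const SITE_DOMAIN = "yoursite.com"; // assumed site domain

// Registry of non-essential integrations: category, script to load, and the
// cookies each one is known to set and on which domain. Assumed values.
const REGISTRY = [
  { id: "ga4", category: "analytics",
    src: "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE",
    cookies: [{ name: "_ga", domain: "yoursite.com" }, { name: "_ga_EXAMPLE", domain: "yoursite.com" }] },
  { id: "meta-pixel", category: "marketing",
    src: "https://connect.facebook.net/en_US/fbevents.js",
    cookies: [{ name: "_fbp", domain: "yoursite.com" }, { name: "fr", domain: "facebook.com" }] },
];

// Build the consent record that is stored and logged. Only an explicit `true`
// counts: pre-ticked boxes, silence or scrolling are not consent under the GDPR.
function recordConsent(choices, policyVersion, now) {
  return {
    granted: CATEGORIES.filter((c) => choices[c] === true),
    policyVersion,
    timestamp: now.toISOString(),
  };
}

// Scripts allowed to load under a consent record. No record yet means nothing
// non-essential loads: the banner has to be answered first.
function allowedScripts(registry, consent) {
  if (!consent) return [];
  return registry.filter((s) => consent.granted.includes(s.category)).map((s) => s.src);
}

// What has to happen when consent changes from `before` to `after`: stop
// loading the revoked scripts, expire their first-party cookies, and record
// which cookies live on other domains and therefore cannot be cleared by our
// page (only that third party can delete those; we can only stop feeding them).
function withdrawalActions(registry, before, after) {
  const revoked = (before ? before.granted : []).filter((c) => !after.granted.includes(c));
  const expire = [];
  const cannotClear = [];
  for (const s of registry) {
    if (!revoked.includes(s.category)) continue;
    for (const ck of s.cookies) {
      if (ck.domain === SITE_DOMAIN) expire.push(`${ck.name}=; Max-Age=0; Path=/; Domain=${ck.domain}`);
      else cannotClear.push(`${ck.name} (${ck.domain})`);
    }
  }
  return { revoked, expire, cannotClear };
}

// Browser side: inject the allowed scripts and apply the expiries. `doc` is
// passed in so the decision logic above stays testable outside a browser.
function applyConsent(doc, registry, before, after) {
  for (const src of allowedScripts(registry, after)) {
    if (!doc.querySelector(`script[src="${src}"]`)) {
      const el = doc.createElement("script");
      el.src = src;
      el.async = true;
      doc.head.appendChild(el);
    }
  }
  for (const header of withdrawalActions(registry, before, after).expire) doc.cookie = header;
}

// Usage: the user first accepts analytics only, then withdraws everything a day later.
const first = recordConsent({ analytics: true, marketing: false }, "2024-06", new Date("2024-06-01T10:00:00Z"));
const withdrawn = recordConsent({}, "2024-06", new Date("2024-06-02T10:00:00Z"));
console.log("load after first choice:", allowedScripts(REGISTRY, first));
console.log("on withdrawal:", withdrawalActions(REGISTRY, first, withdrawn));
if (typeof document !== "undefined") applyConsent(document, REGISTRY, first, withdrawn);
```

A script that has already executed cannot be unloaded, so withdrawal in practice means expiring the cookies, not loading the script on subsequent pages, and storing the new record; the `cannotClear` list is what the policy's "how to withdraw" text should be honest about for cookies set on a third party's own domain.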
Provide details on how users can contact your organization with questions about your cookie use or privacy practices. This can be your DPO or general privacy contact.
“If you have any questions about our use of cookies or how we handle your personal data, please contact privacy@yoursite.com.”
To demonstrate accountability, include the date your cookie policy was last updated. This helps users and regulators know how current your disclosures are.
Your cookie policy is a living document. It should be updated:
• Every time new cookies are added to your site
• When existing tools or services change their behavior
• If data sharing arrangements change (e.g. switching ad networks)
• In response to new regulatory guidance (e.g. from CNIL, ICO, Datatilsynet)
Automated tools like Cookie Information’s Consent Management Platform can scan your site regularly and generate an always-accurate cookie policy, complete with consent logs for audits.