What is a GDPR cookie policy? Guide to cookie compliance and GDPR cookies

Cookies are powerful tools for improving user experience, tracking engagement, and enabling analytics – but they also come with strict legal responsibilities. Under the General Data Protection Regulation (GDPR), websites must not only control how cookies are used but also clearly explain this through a dedicated cookie policy. This article offers a comprehensive guide to what a GDPR-compliant cookie policy should include and how to achieve full cookie compliance on your website.

Introduction to GDPR and cookies

The GDPR is a data protection regulation that came into force in May 2018, aiming to protect the privacy of individuals in the European Union. One of the lesser-understood areas of the GDPR is how it applies to cookies and other tracking technologies.

The regulation is often applied alongside the ePrivacy Directive (also known as the ‘cookie law’), which sets out more specific requirements for storing information or gaining access to information stored in users’ devices.

Other global laws – like the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) – also influence cookie usage, making compliance a global privacy issue.

What are cookies?

Cookies are small pieces of data (a name/value pair plus attributes such as domain, path and expiry) that a website asks the browser to store and send back on later requests. They let websites remember user preferences, login sessions and shopping carts, and can be used to track user behavior for analytics or marketing. Cookies are often used alongside other tracking technologies such as beacons, fingerprinting, and LocalStorage.

Essential cookies:
These are strictly necessary for your website to function. They enable core functionalities such as secure log-in, session management, and shopping cart processes. Without them, a user would not be able to navigate or use key features of your site.

Preference cookies:
These cookies allow a website to remember choices you’ve made in the past, like your selected language, region, or layout settings. They enhance user experience by tailoring the site to your preferences. 

Statistics/analytics cookies: 
These help website owners understand how visitors interact with their websites. The data is often aggregated, but analytics cookies are not strictly necessary for the service, so consent is still required before they are set. (A few national regulators, such as the CNIL in France, allow a narrow exemption for first-party audience measurement under strict conditions; check the guidance that applies to you.)

Marketing/advertising cookies:
These track visitors across websites to display personalized ads. They create user profiles and are often set by third-party advertisers or platforms.

First-party cookies:
These are set by the website the user is visiting directly. They’re often used for authentication, session maintenance, and user preferences.

Third-party cookies:
These are set by domains other than the one the user is visiting. Commonly used in advertising, retargeting, and social media integrations, they raise more compliance concerns.

Non-essential cookies:
Any cookie that isn’t crucial to the website’s core functionality – such as analytics or advertising cookies – is considered non-essential and requires user consent. 

When and why cookies are considered personal data

Cookies are considered personal data under the GDPR when the data they store or give access to can be used to identify an individual, directly or indirectly. Recital 30 of the GDPR names cookie identifiers, alongside IP addresses and other online identifiers, as data that may be combined with other information to identify a natural person. A unique visitor ID in an analytics cookie, an advertising ID used for retargeting, or a session token tied to a logged-in account all fall into this category.

Even if a single data point doesn’t identify someone, when combined with other data, it can constitute personal data under the GDPR. As a result, most cookies – especially third-party or analytics cookies – fall under the scope of personal data processing.

The legal basis for cookie use under GDPR

The main legal basis for using cookies that process personal data is explicit consent. Users must take an affirmative action (like clicking ‘Accept’) after being properly informed; pre-ticked boxes, continued scrolling, or simply closing the banner do not count as consent. Under GDPR, valid consent must be:
  • Freely given: Users should not be coerced or manipulated into accepting cookies.
  • Specific and granular: Consent must be given for each cookie category (e.g., analytics, marketing).
  • Informed: Users need clear, accessible information about what they’re consenting to.
  • Unambiguous: A clear affirmative action must be taken (e.g., clicking “Accept”).
  • Reversible: Users must be able to withdraw consent at any time as easily as they gave it.


Legitimate interest is not an available basis for storing or reading non-essential cookies: the ePrivacy rules require consent for that step, whatever legal basis is later relied on for processing the data the cookies collect.

Cookie compliance under GDPR and ePrivacy

Cookie compliance is shaped by both the GDPR and the ePrivacy Directive. 
Here’s how they work together:
  • The ePrivacy Directive (also known as the “cookie law”) regulates the storage of and access to information on users’ devices, including cookies.
  • The GDPR governs how personal data collected through those cookies is processed and protected. 
Together, they require websites to:
  • Obtain prior consent before placing non-essential cookies
  • Provide transparent information about cookie purposes and third-party data sharing
  • Enable users to withdraw consent at any time
  • Store proof of consent and demonstrate compliance if audited

Placing cookies and other tracking technologies

Tracking technologies like cookies, fingerprinting, LocalStorage, and RFID tags can only be used after valid consent has been obtained – except for those strictly necessary for the service.
  • LocalStorage & SessionStorage: Similar to cookies, but not automatically sent with every request.
  • Fingerprinting: Collects attributes like browser type, time zone, and language to uniquely identify users without using cookies.
  • RFID tags: Used in physical tracking but subject to the same principles when tied to online services.

Blocking these technologies until consent is given is essential for GDPR cookie compliance.
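The requirements above (prior consent before non-essential cookies, proof of consent, withdrawal as easy as acceptance, and blocking trackers until consent) translate into a small amount of front-end logic. The following is an added example written for this article, not code from the original page or from any consent-management product. It assumes the tracking scripts are shipped as `<script type="text/plain" data-consent="statistics">` so the browser never executes them until they are swapped for a live script element; the category names, the `data-consent` attribute, and the sample page scripts are this example's own conventions.

```javascript
// Consent-gated loading of tracking scripts. Added example, not code from the
// original article. Scripts that would set non-essential cookies ship as
// <script type="text/plain" data-consent="statistics"> so the browser never runs
// them; they are activated only for categories the visitor has accepted. The
// category names and the data-consent attribute are this example's own conventions.
"use strict";

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

function randomId() {
  const c = globalThis.crypto;
  if (c && typeof c.randomUUID === "function") return c.randomUUID();
  return Math.random().toString(36).slice(2); // fallback for older runtimes
}

// Build the record to store as proof of consent: what was accepted, when, and
// under which policy version. "necessary" is always true because strictly
// necessary cookies need no consent; every other category defaults to refused.
function buildConsentRecord(choices, policyVersion, now = new Date()) {
  const record = { id: randomId(), policyVersion, timestamp: now.toISOString(), choices: {} };
  for (const cat of CATEGORIES) {
    record.choices[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  return record;
}

// May a script in this category run? Unknown categories fail closed.
function isAllowed(record, category) {
  return CATEGORIES.includes(category) && record.choices[category] === true;
}

// From the blocked scripts on a page ({ src, category }), return the sources
// that may be activated under the given record.
function scriptsToActivate(blockedScripts, record) {
  return blockedScripts.filter((s) => isAllowed(record, s.category)).map((s) => s.src);
}

// Withdrawal must be as easy as consent: flip the category off, re-stamp the
// record, and return Set-Cookie strings that expire the cookies that category
// has already set. A cookie is identified by name + domain + path, so those
// must match the original. A running script cannot be unloaded; expiring its
// cookies (and reloading the page) is the practical way to honour withdrawal.
function withdraw(record, category, cookiesForCategory, now = new Date()) {
  if (category === "necessary") throw new Error("strictly necessary cookies are not consent-based");
  const updated = {
    ...record,
    timestamp: now.toISOString(),
    choices: { ...record.choices, [category]: false },
  };
  const expiries = cookiesForCategory.map(
    (c) => `${c.name}=; Max-Age=0; Path=${c.path || "/"}; Domain=${c.domain}`
  );
  return { record: updated, expiries };
}

// Browser wiring: swap each allowed <script type="text/plain" data-consent="...">
// for a real script element, which makes the browser execute it. Returns the
// number of scripts activated, or 0 outside a browser (no document object).
function activateDom(record, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(record, el.dataset.consent)) continue;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample: a page with one essential script and two trackers.
const PAGE_SCRIPTS = [
  { src: "/static/login.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

const consent = buildConsentRecord({ statistics: true }, "2025-01");
console.log("activate:", scriptsToActivate(PAGE_SCRIPTS, consent));
const withdrawal = withdraw(consent, "statistics", [{ name: "_ga", domain: ".yoursite.com" }]);
console.log("after withdrawal:", withdrawal.record.choices, withdrawal.expiries);
```

The consent record is what you keep as proof of consent (store it server-side or in a first-party cookie keyed by its id); the policy version lets you re-prompt when the policy changes, and failing closed on unknown categories means a misconfigured script never runs by accident.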

What should be in a GDPR-compliant cookie policy?

A GDPR-compliant cookie policy is not just a legal formality—it’s a vital part of your website’s transparency and data privacy strategy. The goal of the policy is to clearly inform users about how cookies and similar tracking technologies are used, what data is collected, why, and how users can control it. To meet the expectations of regulators and privacy-conscious users, your cookie policy must be:

  • Easily accessible (linked in the website footer, cookie banner, and privacy center)
  • Written in clear, user-friendly language (no legalese)
  • Regularly updated (especially when new cookies or third-party services are introduced)

Here’s what your cookie policy should contain, section by section:

1. List of all cookies in use

Provide a categorized list of all cookies and similar tracking technologies set by your website. The most common categories include:
  • Strictly necessary (essential)
  • Preference (functionality)
  • Statistics (analytics)
  • Marketing (advertising/retargeting)

2. Cookie name and provider

Clearly identify each cookie by name and who sets it. This helps users recognize whether the cookie is first-party – set by your domain – or third-party – set by an external service like Google, Meta, Hotjar, etc..
example

_fbp – Set by Facebook/Meta (third party)
_gid – Set on yoursite.com by the Google Analytics script (first party by domain, provided by Google)

3. Purpose of each cookie

Explain in simple terms what each cookie does. Users should understand why the cookie exists and what benefit or function it provides.

example

“Used to keep you logged in while you browse our site.”
“Tracks which pages you visit so we can improve our content.”
“Used to deliver ads that are more relevant to you.”

4. Cookie duration (expiration time)

Indicate whether the cookie is a session cookie (deleted when the browser closes) or a persistent cookie (stored for a defined period). Specify how long persistent cookies remain active.

example

Session cookie: expires when the user closes the browser
Persistent cookie: expires after 12 months
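Sections 1, 2 and 4 above (the cookie list, name and provider, and duration) are easiest to keep accurate if the inventory is generated from what the browser actually receives rather than written by hand. The following is an added example for this article, not code from the original page: it parses captured Set-Cookie headers, decides first versus third party from the cookie's domain, and reports session versus persistent with the lifetime in days. The sample captures are constructed, and the first-party test compares only the last two DNS labels, a simplification; a real audit should use the Public Suffix List so that domains such as co.uk are handled correctly.

```javascript
// Build a cookie inventory (name, provider domain, first/third party, session vs
// persistent, lifetime) from Set-Cookie headers captured while loading a page.
// Added example, not code from the original article; the captures below are
// constructed. First-party detection compares the last two DNS labels, a
// simplification: a real audit should use the Public Suffix List (e.g. co.uk).
"use strict";

// Parse one Set-Cookie header. The cookie's domain defaults to the host that
// sent the header when no Domain attribute is present (RFC 6265 section 5.3).
function parseSetCookie(header, sendingHost) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    domain: sendingHost.toLowerCase(),
    maxAge: null, expires: null, secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of parts.slice(1)) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    if (key === "domain") cookie.domain = val.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAge = Number(val);
    else if (key === "expires") cookie.expires = new Date(val);
    else if (key === "secure") cookie.secure = true;
    else if (key === "httponly") cookie.httpOnly = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Simplified registrable domain: last two labels only.
function registrableDomain(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Lifetime in whole days, or null for a session cookie. Max-Age takes
// precedence over Expires when both are present (RFC 6265 section 5.3).
function lifetimeDays(cookie, now) {
  if (cookie.maxAge !== null && !Number.isNaN(cookie.maxAge)) {
    return Math.round(cookie.maxAge / 86400);
  }
  if (cookie.expires && !Number.isNaN(cookie.expires.getTime())) {
    return Math.round((cookie.expires.getTime() - now.getTime()) / 86400000);
  }
  return null;
}

// captures: [{ host, header }] as seen by a proxy; pageHost: the site visited.
function inventory(captures, pageHost, now) {
  return captures.map(({ host, header }) => {
    const c = parseSetCookie(header, host);
    const days = lifetimeDays(c, now);
    return {
      name: c.name,
      domain: c.domain,
      party: registrableDomain(c.domain) === registrableDomain(pageHost) ? "first" : "third",
      type: days === null ? "session" : "persistent",
      durationDays: days,
      // Not required in the policy text, but worth recording during an audit.
      secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite,
    };
  });
}

// One line per cookie, phrased the way a policy table states it.
function describe(row) {
  const life = row.type === "session"
    ? "expires when the browser closes"
    : `expires after ${row.durationDays} days`;
  return `${row.name} (${row.party} party, ${row.domain}): ${life}`;
}

// Constructed sample: responses captured while loading https://www.yoursite.com/.
const SAMPLE_CAPTURES = [
  { host: "www.yoursite.com", header: "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax" },
  { host: "www.yoursite.com", header: "lang=en; Path=/; Max-Age=31536000" },
  { host: "www.yoursite.com", header: "_ga=GA1.2.1234.5678; Domain=.yoursite.com; Path=/; Expires=Fri, 30 Jan 2026 12:00:00 GMT" },
  { host: "www.facebook.com", header: "_fbp=fb.1.1700000000000.1234; Domain=.facebook.com; Path=/; Max-Age=7776000; Secure; SameSite=None" },
];
const AUDIT_TIME = new Date("2025-01-30T12:00:00Z");

for (const row of inventory(SAMPLE_CAPTURES, "www.yoursite.com", AUDIT_TIME)) {
  console.log(describe(row));
}
```

Run this against headers captured from a real crawl of your site (with consent granted for every category, so that all trackers fire) and compare the result with the table in your policy: any cookie that appears in the capture but not in the policy is a disclosure gap, and any persistent cookie whose lifetime differs from the policy is a stale entry.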

5. Data sharing and third parties

State whether any personal data collected through cookies is shared with third parties, and if so, identify them. Also, include links to those third parties’ privacy policies when possible.

6. Legal basis and consent information

Mention that the placement of non-essential cookies is based on explicit user consent as required by the GDPR and the ePrivacy Directive. Clearly explain how and when consent is obtained.

example

“Non-essential cookies will only be set after you have given your explicit consent via our cookie banner.”

7. Instructions for withdrawing or changing consent

Explain how users can withdraw or modify their consent at any time. Provide a direct link to the consent preferences or cookie settings area. This is essential for maintaining valid, revocable consent.

example

“You can change or withdraw your consent at any time by clicking ‘Cookie Settings’ at the bottom of any page.”

‘Cookie settings’ can be replaced with whatever label your consent widget uses, as long as it is clear to users where to go to change their choices.

8. Contact information

Provide details on how users can contact your organization with questions about your cookie use or privacy practices. This can be your DPO or general privacy contact.

example

“If you have any questions about our use of cookies or how we handle your personal data, please contact privacy@yoursite.com.”

9. Date of last update

To demonstrate accountability, include the date your cookie policy was last updated. This helps users and regulators know how current your disclosures are.

10. Optional: Consent history or records access

If your consent management tool records each visitor’s consent choices (the proof of consent described earlier in this article), say so here and explain how a visitor can view their own consent record or request a copy of it.

Keeping your cookie policy up to date

Your cookie policy is a living document. It should be updated:

• Every time new cookies are added to your site
• When existing tools or services change their behavior
• If data sharing arrangements change (e.g. switching ad networks)
• In response to new regulatory guidance (e.g. from CNIL, ICO, Datatilsynet)