Knowledge base article

Cookies under the GDPR & ePrivacy, and how to be compliant

7 minutes reading time

Are you tired of constantly seeing cookie banners pop up on every website you visit? Are you wondering whether you need one on your own website? Let’s find out why cookie banners matter. In this article, I will explain what you need to take into account when dealing with the Cookie Law, the GDPR, and cookies on your website.

What is a browser cookie?

A browser cookie is a small piece of data that is stored in your web browser. Technically, a cookie is an unencrypted string of at most 4 kB that can be given an expiration date. It is actually quite old technology, about 20 years old. When you visit a website, the website may send a cookie to your browser, which then stores it on your computer. The next time you visit the same website, your browser sends the cookie back, allowing the website to remember your previous activity.

Cookies are commonly used to personalize your browsing experience, track your activity on a website, and save your login credentials so you don’t have to enter them every time you visit a website. However, they can also be used for more nefarious purposes, such as tracking your online activity and collecting personal information without your knowledge or consent. Because of this, many browsers offer the ability to block or delete cookies.

Which types of cookies are there?

As you can see, cookies have many different functions, and so there are also different types of cookies. Cookies can be categorized by how long they last, who places them, and their function.

Session cookies

These cookies are temporary cookies that are stored in the user’s browser while they are visiting a website. They are deleted when the user closes their browser or after a certain period of time has elapsed. Session cookies are used to store information that is needed while the user is using the website, such as items in a shopping cart.

Persistent cookies

These are stored on the user’s device for a set period of time, even after the user has closed their browser. Persistent cookies are often used to store user preferences or to track a user’s activity across multiple visits to a website.

First-party cookies

These cookies are set by the website that the user is visiting and are only accessible by that website. First-party cookies are typically used to store user preferences or to track the user’s activity on the website. They are increasingly used as a replacement for third-party cookies.

Third-party cookies

These notorious cookies are set by a domain other than the website that the user is visiting. Third-party cookies are often used for tracking and advertising purposes. Now, the use of these cookies has been banned. Even Google Chrome will deprecate them in the near future.

Secure cookies

Cookies with the Secure attribute are only sent by the browser over an encrypted (HTTPS) connection, so they are never exposed in plaintext on the network. They are used for sensitive values such as login session identifiers or financial data.

HTTP-only cookies

Cookies with the HttpOnly attribute are sent to the server as usual but cannot be read by client-side scripts such as JavaScript (they do not appear in document.cookie). HttpOnly is often used for security purposes: it limits the damage of a cross-site scripting (XSS) attack, because an injected script cannot steal the cookie.
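The cookie types described above can be read directly off a response’s Set-Cookie header. The following is an added example (not code from the original article) that parses one Set-Cookie value and labels it by that taxonomy: session vs. persistent, first- vs. third-party, Secure, HttpOnly, and whether it fits the 4 kB limit. The hostnames, cookie names and the two-label “site” heuristic are constructed assumptions.

```python
from dataclasses import dataclass

MAX_COOKIE_BYTES = 4096  # the roughly 4 kB per-cookie limit mentioned above


@dataclass
class CookieInfo:
    name: str
    persistent: bool   # Expires/Max-Age present: survives closing the browser
    third_party: bool  # set for a site other than the one being visited
    secure: bool       # Secure attribute: only sent over HTTPS
    http_only: bool    # HttpOnly attribute: hidden from document.cookie
    size_ok: bool      # name=value pair fits within MAX_COOKIE_BYTES


def registrable_site(host: str) -> str:
    """Crude 'site' heuristic: the last two DNS labels. A real implementation
    would consult the Public Suffix List (assumption made for brevity)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def classify(set_cookie: str, visited_host: str, setting_host: str) -> CookieInfo:
    """Parse one Set-Cookie header value. visited_host is the site in the address
    bar; setting_host is the host that returned the header (differs for a pixel)."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    # A Domain attribute widens the cookie's scope; otherwise it is host-only.
    cookie_host = attrs.get("domain", setting_host).lstrip(".")
    return CookieInfo(
        name=name.strip(),
        # Max-Age=0 (or no Expires/Max-Age at all) means a session cookie
        persistent="expires" in attrs or attrs.get("max-age", "0") != "0",
        third_party=registrable_site(cookie_host) != registrable_site(visited_host),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        size_ok=len(parts[0].encode("utf-8")) <= MAX_COOKIE_BYTES,
    )


if __name__ == "__main__":
    # Constructed sample: shop.example.com embeds a pixel from ads.tracker-example.net
    samples = [
        ("sessionid=abc123; Path=/; Secure; HttpOnly", "shop.example.com", "shop.example.com"),
        ("lang=nl; Max-Age=31536000; Path=/", "shop.example.com", "shop.example.com"),
        ("uid=xyz; Domain=.tracker-example.net; Expires=Wed, 01 Jan 2031 00:00:00 GMT",
         "shop.example.com", "ads.tracker-example.net"),
    ]
    for header, visited, setter in samples:
        print(classify(header, visited, setter))
```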

I hope that cleared up some of the confusion around the different cookie types. Now you might be wondering: if cookies have been around for so long, why do we suddenly need cookie banners? You guessed it: privacy laws.

What is the Cookie law (ePrivacy directive)?

Contrary to what many people believe, cookie compliance requirements do not originate from the GDPR. Well before the GDPR, a directive called the ePrivacy Directive 2002/58/EC (also called “the cookie law”) was created to protect electronic privacy, including the use of email marketing and cookies. Rather than being repealed by the GDPR, the ePrivacy Directive complements it.

If you use cookies, Cookie Law compliance should be considered before GDPR compliance. In legal jargon, the Cookie Law takes precedence over the GDPR because it is a “lex specialis”: a more specific rule that prevails over the general one.

A cookie banner law protects the privacy rights of consumers by requiring their consent before companies collect, store, and use their personal information. As you probably know, website users must explicitly consent to cookies being used on the websites they visit. If you do not comply with this, you might get into trouble.

What happens if you don’t comply with the Cookie Law?

The EU cookie legislation sets no specific penalties because it is a directive rather than a law in itself: each member state has to transpose it into national law and define the penalties. As a result, the penalties you may receive if you do not comply vary from member state to member state.

Typically, local regulators will take one of the following actions if you aren’t in compliance:

  • Request additional information: Your local regulator may ask for additional information before deciding on further steps
  • Request for changes: Your local regulator may request that you make changes to your site if they determine it is not compliant
  • Enforcement: The local regulator will give you specific actions to complete within a set period
  • Fines: Guidelines for what qualifies for a fine vary from country to country, as do the maximum fine amounts

Plenty of reasons to consult your lawyer. But don’t worry. Just make sure you comply with the guidelines of the Cookie Law and you will be fine.

How do you comply with the Cookie Law?

The next question, of course, is how to do that. Again, you should always consult legal counsel, but in general the Cookie Consent Law and the GDPR require websites to meet the following requirements:

  • Cookies should only be used with the consent of website users
  • You should provide clear and comprehensive information about the purposes for collecting and processing personal data, what information each cookie tracks, and why
  • Provide an easy option for users to withdraw their cookie consent at any time. Withdrawing consent should be as easy for users as giving it was
  • Provide website services to users even if they opt out of certain cookies
  • The Cookie Consent received from website visitors should be documented and stored
  • To ensure compliance with EU cookie laws, it is also recommended to include links to legal documents such as the Privacy Policy or Cookie Policy, where website users can find detailed information about cookie usage and personal data management

As you can see, there are quite a few factors to take into consideration. Let’s look at some of the specifics, starting with the cookie policy.

What are cookie policies and what are they used for?

A cookie policy informs website and application visitors how your company tracks data and protects their privacy online. Cookie policies are commonly used to inform users about cookie usage for the following purposes:

  • Retargeting ads to social media visitors
  • Keeping track of items in a digital shopping cart
  • Using web analytics to track user interaction
  • The ability to save customer language preferences

These are practical applications of a cookie policy and so might differ per company. However, there are a few conditions that every cookie policy must meet. It must:

  • Indicate which cookies are installed (first-party, third-party, etc.)
  • Indicate which third parties install, manage, and access cookies through your website/app, along with links to their respective policies
  • Give a detailed explanation of the purposes for which cookies are used
  • Be available in all languages in which the service is provided

Besides a cookie policy, your website also needs a cookie banner when you serve residents of the EU.

What is a cookie banner and what are its requirements?

Websites display cookie banners informing users that cookies are being used. There is usually information about what types of cookies are used on the website and how they are used.

You should also provide a link to the website’s privacy policy, which gives more detailed information about cookies. Users can choose whether to accept or decline cookies, or customize their cookie preferences. The cookie banner must:

  • Inform users that cookies are used
  • Give users the option to opt out
  • Make clear which action constitutes consent
  • Be sufficiently conspicuous to be noticed
  • Let the user access a cookie policy or information about the cookies’ purposes, usage, and related third-party activities

It is important to remember that the requirements listed above are the minimum. Cookie banner content requirements may differ from country to country, depending on the views of the respective data protection authority (DPA).

The takeaway

Well, that was a lot of information. If you made it this far, great! The most important takeaway from this article is that you need to be careful with the use of cookies and cookie banners on your website. If not, you might be violating regulations and ignoring your users’ wishes. You probably came to this article because you want to avoid those situations.

Luckily there are out-of-the-box solutions for the use of cookies on your site. Think of Cookiescript or Cookieyes. These make it very easy for you to implement a cookie banner and policy on your site.

Hopefully, you learned something, and see you at the next one!

By Freek Kampen

Data & Analytics specialist and co-owner of New North Digital. With a background in online advertising, I solve tracking and data issues for entrepreneurs and agencies. Feel free to get in touch!
