
GDPR and Cookies

While the EU does not have strict regulations for cookies, the GDPR does mention the small data files that browsers download to the user’s computer, containing various information such as user IDs, browsing statistics, session info, authentication, etc.


If you’ve spent a fair bit of time online, undoubtedly, you’ve run into the extremely common pop-up requiring your consent to the usage of cookies. This is related to the EU Cookie Law, which aims to regulate the usage of non-essential cookies, like analytics and behavior statistics (as opposed to essential cookies – used for security, shopping carts and other session information).

Cookies are mentioned only once in the GDPR:

“Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers” … “This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

The reasoning is that cookies can contain data that can be used in combination with other data to identify a person, which means that they are personal data under the GDPR.

The fact that cookies are considered personal data has a few implications:

  • They need to be optional – so far, cookies have been a must: the user is not offered a choice, and consent is simply assumed to be given by browsing the website. This will have to change with the GDPR, as consent now needs to be a choice;
  • Not only that, it has to be a clear choice – meaning that consent cannot be implied by having the consent form ticked by default. It needs to be explicitly stated and affirmed by the user;
  • Withdrawing consent for cookies – going along the same line of thought, users must be allowed to withdraw their consent to cookies as well as to “be forgotten”, meaning all cookies with their personal data should be erased.


An important note is that the user must be informed of the necessity of essential cookies (as an integral part of websites) and of their choice to opt out of non-essential cookies, which are not mandatory for the website to function properly.

The most elegant and efficient solutions to the problem of cookie consent under GDPR are yet to be tested out and discovered, but preparing adequately by implementing the required functionalities in your website in some way is definitely the right way to go. GDPR compliance doesn’t have to be complicated – start now with GDPRQ!


Website last modified: 2019.03.08