How the GDPR affects cookie policies

Cookies are mentioned only once in the GDPR (General Data Protection Regulation), but the repercussions are significant for any organisation that uses them to track users’ browsing activity. Recital 30 of the GDPR states:

Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […].

This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

In short: when a cookie can be used to identify an individual via their device, the data it holds is personal data.

This supports Recital 26, which states that any data that can be used to identify an individual either directly or indirectly (whether on its own or in conjunction with other information) is personal data.

What it means

Not all cookies are used in a way that could identify users, but the majority are and will be subject to the GDPR. This includes cookies for analytics, advertising and functional services, such as survey and chat tools.

To become compliant, organisations will need to either stop setting the cookies in question or find a lawful ground for processing the data they carry.

Most organisations rely on consent (either implied or opt-out), but the GDPR’s strengthened requirements mean it’s much harder to obtain legal consent.

The consequences were discussed at the 2016 Data Protection Compliance Conference, and the findings were summarised by Cookie Law:

  • Implied consent is no longer sufficient. Consent must be given through a clear affirmative action, such as clicking an opt-in box or choosing settings or preferences on a settings menu. Simply visiting a site doesn’t count as consent.
  • ‘By using this site, you accept cookies’ messages are also not sufficient for the same reasons. If there is no genuine and free choice, then there is no valid consent. You must make it possible both to accept and to reject cookies. This means:
    • It must be as easy to withdraw consent as it is to give it. Telling people to block cookies in their browser if they don’t consent is not enough, because that forces them to accept the cookies first.
  • Sites will need to provide an opt-out option. Even after getting valid consent, sites must give people the option to change their mind. If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
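The list above is a specification for how a consent mechanism has to behave: nothing non-essential is stored until the visitor acts, merely loading the page changes nothing, and withdrawal is as easy as granting. The following is an added example of such a gate, written for this page and not code from the original post or from Cookie Law. The purpose names, the shape of the consent record and the sample cookie list are assumptions made for the example; strictly necessary cookies (session, CSRF, load balancing) are treated as exempt from consent, everything else is default-deny.

```javascript
// Added example: a consent gate for non-essential cookies.
// Assumed purpose names; "necessary" is exempt, everything else needs opt-in.
const STRICTLY_NECESSARY = "necessary";
const CONSENT_PURPOSES = ["analytics", "advertising", "functional"];

// A fresh record: the visitor has not taken any action yet.
// `decided: false` is what makes "just visiting" count for nothing.
function emptyRecord() {
  return { decided: false, granted: new Set(), updatedAt: null };
}

// Called only from an explicit UI action (opt-in box, settings menu).
// Unknown purposes are rejected rather than silently granted.
function recordChoice(granted, now = Date.now()) {
  const next = { decided: true, granted: new Set(), updatedAt: now };
  for (const p of granted) {
    if (!CONSENT_PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
    next.granted.add(p);
  }
  return next;
}

// Withdrawing one purpose: one call, no conditions, same cost as granting.
function withdraw(record, purpose, now = Date.now()) {
  const next = { decided: true, granted: new Set(record.granted), updatedAt: now };
  next.granted.delete(purpose);
  return next;
}

// Withdrawing everything at once.
function withdrawAll(now = Date.now()) {
  return { decided: true, granted: new Set(), updatedAt: now };
}

// The gate itself: may a cookie for this purpose be stored right now?
function mayStore(record, purpose) {
  if (purpose === STRICTLY_NECESSARY) return true; // exempt
  if (!record.decided) return false;               // no action yet: deny
  return record.granted.has(purpose);
}

// Split the cookies a page wants to set into those it may set and those it
// must suppress (or, after a withdrawal, delete).
function filterCookies(record, cookies) {
  const allowed = [];
  const blocked = [];
  for (const c of cookies) {
    (mayStore(record, c.purpose) ? allowed : blocked).push(c.name);
  }
  return { allowed, blocked };
}

// Constructed sample input: the cookies a typical marketing page tries to set.
const PAGE_COOKIES = [
  { name: "sessionid", purpose: "necessary" },
  { name: "_ga", purpose: "analytics" },
  { name: "ads_uid", purpose: "advertising" },
  { name: "chat_widget", purpose: "functional" },
];

// Walk through first visit, opt-in, partial withdrawal and full withdrawal.
function demo() {
  let r = emptyRecord();
  const firstVisit = filterCookies(r, PAGE_COOKIES);    // only sessionid
  r = recordChoice(["analytics", "functional"]);
  const afterOptIn = filterCookies(r, PAGE_COOKIES);    // + _ga, chat_widget
  r = withdraw(r, "functional");
  const afterWithdraw = filterCookies(r, PAGE_COOKIES); // chat_widget blocked again
  r = withdrawAll();
  const afterWithdrawAll = filterCookies(r, PAGE_COOKIES); // back to sessionid only
  return { firstVisit, afterOptIn, afterWithdraw, afterWithdrawAll };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of `blocked` is that it is also the deletion list: after a withdrawal the cookies already on the device for that purpose have to be expired, not merely left unset on the next page load.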

Achieving compliance

Soft opt-in consent is probably the best consent model, according to Cookie Law. This means “giving an opportunity to act before cookies are set on a first visit to a site. If there is then a fair notice, continuing to browse can in most circumstances be valid consent via affirmative action”.

Note that this sits uneasily with the requirement for a clear affirmative action set out above: the EDPB’s 2020 guidelines on consent state that scrolling or swiping through a page does not satisfy that requirement, so treating continued browsing as consent is a risky reading.

Organisations are flouting their requirements

Although most organisations have adopted a soft opt-in consent model, many others have not. They have instead set up a ‘cookie wall’, which blocks access to the site until the user consents to its tracking activities.

Users still have a choice – of sorts. They can either agree to the site’s terms or go elsewhere.

However, according to the Dutch Data Protection Authority, this isn’t a valid choice in terms of GDPR compliance.

In guidance published in March 2019, the Dutch DPA stressed that consent must be given freely and voluntarily, and that isn’t possible if users are denied access by rejecting the site’s cookie policy.

It added that cookies needed for the “proper functioning of the website” or for a “general analysis of the visit on that site” do not require consent, so a site may set those without asking.

The regulator released the guidance after it received “dozens” of complaints from visitors who were turned away from sites after declining the cookie policy.

In response, the Dutch DPA has sent letters warning the organisations in question to amend their cookie policies, and has said it will be monitoring the use of cookies more closely in the future.

Are you sure your policies are GDPR-compliant?

The cookie wall issue is an example of how hard it can be to interpret the GDPR’s requirements. Their complexity will inevitably have organisations looking for compliance shortcuts, but if you’re not careful, you could get caught out.

You can make sure you don’t fall into that trap with the help of our GDPR Starter Bundle. The Bundle provides all the resources and tools you need to ensure your organisation’s compliance with the GDPR.

A version of this blog was originally published on 15 September 2017.
