Cookie Policy
Introduction
The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD) affect how website owners may use cookies and other online trackers for site visitors from the EU. Under the GDPR, your website is required to enable EU residents to provide or decline consent for personal data processing, meaning at a website level they must be able to control the activation of cookies and trackers that collect their personal data.
This is the crux of GDPR cookie compliance — and the future of our digital markets and infrastructure.
We explain the most important things to know when dealing with the EU’s GDPR, GDPR cookies, and data privacy compliance on your website. We’ll also show you how Cookiebot Consent Management Platform (CMP) by Usercentrics handles these requirements for you.
General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is a European regulation that governs the collection and processing of personal data from individuals in the EU.
Under the GDPR, it is the legal responsibility of website owners and operators to make sure that personal data is collected and processed lawfully. A website belonging to a company located outside the EU is required to comply with the GDPR if it collects data from visitors, customers, or users inside the EU.
Even though cookies are mentioned only once in the GDPR, cookie consent is nonetheless a cornerstone of compliance for websites with EU users. This is because one of the most common ways for personal data to be collected and shared online is through the use of various website cookies. The GDPR sets out specific rules for the use of cookies.
Consent is a commonly used legal basis for data processing under the GDPR, including cookie use. It gives users control over access to their data. When consent is obtained with a tool like a consent management platform, it enables clear documentation and secure storage of consent preferences, which can be provided to data protection authorities.
The GDPR requires website owners to provide information about data processing — including via cookie use — and users’ rights. A website may only collect personal data from users after they have given their explicit consent for specifically stated data processing purposes (and potentially for specific data processing services).
Websites must comply with the following GDPR cookie requirements:
- Prior and explicit consent must be obtained before any activation of cookies (apart from whitelisted, necessary cookies) if consent is the chosen legal basis.
- Users must be able to provide granular consent, i.e. users must be able to activate some cookies rather than others and not be forced to consent to either all or none.
- Consent must be freely given, i.e. it must not be coerced or obtained through manipulation.
- Consents must be as easily withdrawn or changed as they are given.
- Consents must be securely stored as legal documentation.
- Consent must be renewed at least every 12 months. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance.
Typically, GDPR cookie compliance is achieved on websites through the use of cookie banners and clear cookie policy texts. These banners provide users with information about data processing. When users visit a site, the banner lets them accept specific cookies for activation while rejecting others if they so choose.