
Navigating the GDPR and cookies: What you need to know for 2025

While the GDPR doesn’t explicitly mention how to use cookies, its data protection and privacy requirements do impact cookie usage. Learn how to achieve and maintain compliance with EU data privacy laws while maximizing opt-in rates and making the most of cookie technologies.
Published by Usercentrics
Apr 8, 2025

Regardless of where your business is based, General Data Protection Regulation (GDPR) cookie compliance is crucial for any website with visitors from the EU. Your approach to managing cookie consent must align with this strict regulation’s requirements to avoid fines and penalties.

Cookie compliance and data privacy compliance are legal necessities. But they also present an opportunity for you to build trust with customers, who are growing increasingly aware of their rights and have more concerns about their data privacy. 

“Consumers increasingly won’t do business with companies they don’t trust, and a cookie banner is an immediate way of showing you respect data privacy,” states Usercentrics CMO Adelina Peltea. 

This guide breaks down EU cookie consent rules in plain terms to help you achieve compliance and build trust with your audience while making the most of the tracking technology. Below, you’ll discover practical strategies for implementing cookie notices and banners that comply with the GDPR.

Art. 4(1) GDPR defines personal data as any information relating to an identified or identifiable natural person, and it expressly names online identifiers as one way a person can be identified. The unique identifiers that cookies store and send back to servers in order to recognize, profile, and segment users are exactly that kind of identifier.

Recital 30 is the only part of the regulation that explicitly mentions cookies. It clarifies that cookies and similar identifiers “may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”

The identifiers that non-essential cookies store and transmit therefore qualify as personal data under the GDPR. Companies that use them and have EU-based users are obligated to comply with its requirements.

Essential vs. non-essential cookies under the GDPR

How do you know if your cookie usage is subject to these requirements? EU law differentiates between essential and non-essential cookies. The exemption for cookies that are strictly necessary to provide a service the user has explicitly requested comes from Art. 5(3) of the ePrivacy Directive, and the GDPR governs the personal data that the remaining cookies process. In other words: those needed for your website to run versus those used for analytics and advertising.

For example, cookies that an online store uses to save items in a customer’s cart or keep them logged in to their account are essential. However, third-party cookies that the same store uses to track browser history and suggest products are non-essential and require explicit consent from each first-time visitor. 

You need to obtain fresh consent if your purposes for collecting and processing personal data change, if a user clears their browser storage (which also deletes the cookie that records their choice), or if their consent expires (often after 12 months).

You’re not required to obtain consent for the use of essential cookies, but you must explain to users what they do and why they’re necessary in your cookie policy.

Art. 7 GDPR sets out the conditions for valid consent, and Art. 4(11) defines consent as a freely given, specific, informed, and unambiguous indication of the user’s wishes given by a statement or a clear affirmative action. In practice, you must:

  • Inform users how you use cookies to process data
  • Make this information visible and easily accessible
  • State the request for consent in plain language
  • Grant access to your services regardless of whether users deny consent
  • Keep a detailed record of your consent management
  • Enable users to withdraw consent and reject cookies at any time

Although the GDPR doesn’t prescribe a mechanism for obtaining consent, the standard practice is a cookie banner or pop-up that keeps non-essential cookies blocked until the user has made a choice.

Also note that what it means to grant access to sites and services even if users deny consent is evolving. At one point, this largely meant you couldn’t bar access to a website or its functions if users did not consent to data collection and processing. 

However, “consent or pay” models are gaining traction, and data protection authorities in Europe are releasing guidelines for these models that conform to requirements of data privacy and consumer protection law.

The ePrivacy Directive (ePD, Directive 2002/58/EC) addresses the confidentiality of electronic communications and the tracking of internet users. Often called the “cookie law”, it predates the GDPR and operates alongside it: the ePD’s consent requirement for storing or reading information on a user’s device applies whether or not personal data is involved, while the consent itself must meet the GDPR’s definition. Many ePD requirements therefore overlap with the GDPR.

The ePD requires websites to obtain user consent before they store or read cookies that aren’t strictly necessary for a service the user has requested. It also requires them to enable users to withdraw their consent at any moment.

While the ePD was enacted in 2002, and the cookie consent requirement was added by its 2009 amendment (Directive 2009/136/EC), it took some time before cookie banners became a common sight online. They gained traction much more quickly after the GDPR took effect in May 2018.

Following a structured approach can help you meet EU cookie requirements. We recommend the following steps, which we’ll explain in greater detail throughout this section.  

  1. Understand what types of cookies your site uses and why, and who has access to the data
  2. Align your cookie policy with GDPR and ePrivacy requirements
  3. Use a GDPR-friendly consent management platform (CMP) to automate compliance
  4. Give your users clear, accessible choices via your cookie banner
  5. Document user consent choices in case you need to demonstrate valid consent

“For a ‘best in class’ cookie banner, you need to provide clear, granular information and user-friendly consent options to your users, which they need to be able to easily change in the future. Clear consent options build trust with users, but so does consistent branding, so pay attention to the appearance of your banner and take the time to customize it.” Eike Paulat, Director of Product at Usercentrics

1. Understand the types of cookies your website uses

Start by conducting a data privacy audit to scan your website for cookies. Understanding your cookie usage is the first step toward GDPR compliance, since consent can’t be informed if users aren’t aware of all data collection and processing purposes.

For instance, you may believe your website only uses first-party cookies. After an audit, you might discover that YouTube videos you’ve embedded place cookies to track visitor activity. Third-party cookies can also be deeply embedded and set by vendors your company doesn’t contract with directly.

Auditing tools like Usercentrics CMP’s scanner will detect cookies and other trackers in use on your website and automatically categorize and block them until consent is obtained. 

When you run your first website scan, you’ll receive a report of the cookies in use, whether you’re obtaining adequate consent, and what your compliance risk level is.
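As an added illustration of what such an audit actually looks at (example code written for this article, not Usercentrics’ scanner), the following Node.js script takes a HAR-style capture of the responses from a page load made before the visitor has made any choice, parses every Set-Cookie header, and classifies each cookie as first- or third-party, session or persistent, and needing consent or not. The site origin, the allow-list of known essential cookie names, the sample responses, and the two-label shortcut for the registrable domain are all assumptions made for the example.

```javascript
// Added example: audit Set-Cookie headers from a pre-consent page load.
// Not Usercentrics code. Site origin, essential allow-list and sample data are assumptions.

const SITE = "https://shop.example";
// Cookies the site needs to work (login session, CSRF token, cart). Assumed for the example.
const KNOWN_ESSENTIAL = new Set(["session_id", "csrf_token", "cart"]);

// Simplification: treat the last two labels as the registrable domain.
// Real audits must consult the Public Suffix List (co.uk, github.io, ...).
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header value into its name plus the attributes an audit cares about.
function parseSetCookie(value) {
  const [pair, ...attrs] = value.split(";");
  const eq = pair.indexOf("=");
  const cookie = {
    name: (eq === -1 ? pair : pair.slice(0, eq)).trim(),
    domain: null, secure: false, httpOnly: false, sameSite: null, maxAge: null, expires: null,
  };
  for (const raw of attrs) {
    const [key, ...rest] = raw.trim().split("=");
    const val = rest.join("=").trim();
    switch (key.toLowerCase()) {
      case "domain": cookie.domain = val.replace(/^\./, "").toLowerCase(); break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val; break;
      case "max-age": cookie.maxAge = Number(val); break;
      case "expires": cookie.expires = val; break;
    }
  }
  return cookie;
}

// responses: [{ url, headers: [{ name, value }] }] captured before the user made any choice.
function auditPreConsentLoad(responses) {
  const siteDomain = registrableDomain(new URL(SITE).hostname);
  const findings = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    for (const h of r.headers) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      const c = parseSetCookie(h.value);
      const setBy = registrableDomain(c.domain || host);
      const party = setBy === siteDomain ? "first-party" : "third-party";
      // Only first-party cookies on the allow-list count as essential; every other
      // cookie set before a choice was made is a finding.
      const essential = party === "first-party" && KNOWN_ESSENTIAL.has(c.name);
      findings.push({
        name: c.name, setBy, party,
        persistent: c.maxAge !== null || c.expires !== null,
        essential, needsConsent: !essential,
        secure: c.secure, httpOnly: c.httpOnly,
      });
    }
  }
  return findings;
}

// Constructed sample capture: a session cookie and an analytics cookie from the site
// itself, plus a cookie dropped by the host of an embedded video player.
const SAMPLE_RESPONSES = [
  { url: "https://shop.example/", headers: [
    { name: "Set-Cookie", value: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
    { name: "Set-Cookie", value: "_ga=GA1.2.111; Domain=.shop.example; Max-Age=63072000" },
  ] },
  { url: "https://player.videocdn.example/embed/42", headers: [
    { name: "Set-Cookie", value: "viewer_id=sample; Max-Age=31536000; SameSite=None; Secure" },
  ] },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditPreConsentLoad(SAMPLE_RESPONSES)) {
    const tag = f.needsConsent ? "CONSENT REQUIRED" : "ok";
    console.log(`${tag}  ${f.name} (${f.party}, set by ${f.setBy}${f.persistent ? ", persistent" : ""})`);
  }
}
```

Run against a real capture (for example a HAR exported from the browser’s developer tools, or one recorded with a headless browser that never clicks the banner), the third-party and persistent findings are the ones to take to your vendor list: each needs either a contract and a consent category, or removal.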

2. Align your cookie policy with GDPR and ePrivacy requirements

Once you understand what tracking cookies you use, draft a cookie policy to display on your website. This helps you inform visitors about your cookie practices and maintain transparency per EU privacy compliance requirements. Your policy should include the following details:

  • The types of cookies and other tracking technologies you use
  • What data these tracking technologies collect
  • What your business does with any data collected
  • How you protect this information
  • How long you store this information
  • Whether you share this data with third parties
  • The user’s rights under the GDPR and all other applicable data laws and how they can exercise them

You don’t have to write your cookie policy from scratch. With the Usercentrics Privacy Policy Generator, create a dynamic privacy policy that reflects your current cookie usage and complies with GDPR requirements.

3. Use a GDPR-friendly consent management platform (CMP) to automate compliance

Use a CMP to automate consent management. This software requests and collects consent from each visitor through cookie pop-ups and banners and applies their consent choices across your entire site as per GDPR requirements.

Users can also update their privacy preferences at any time or revoke their consent. The automated scanner updates the cookies and trackers in use for you as well, so users always have access to updated information, per GDPR requirements.

The CMP also keeps non-essential tags and scripts from firing until users give consent for the relevant category, preventing noncompliant cookie use and data collection for users protected by privacy laws.

If you have website visitors in various EU countries, Usercentrics CMP and its geolocation functionality will adapt and include consent management requirements according to each member state’s individual laws and interpretation of the ePrivacy Directive as well. 

For example, Spain’s cookie guidance states that you can’t block access to your website through cookie walls. It should be noted, however, that the consent or pay model has become commonly used among publishers in Spain.

4. Give your users clear, accessible choices via your cookie banner

For the cookie banner you display on your website to meet the GDPR’s requirements for informed, explicit consent, it should include the following features:

  • High visibility: Banners should be placed somewhere visitors can immediately see them, but should not prevent access to the site.
  • Granular consent options: Website visitors should have the ability to choose among specific cookie categories for their consent preferences, such as yes to analytics and no to advertising, for example.
  • Prominent buttons: The ‘accept’ and ‘reject’ options must be equally easy to see and select. Manipulative design and dark patterns are frowned upon by authorities and illegal under some laws.
  • Clear phrasing: Your request should be easy to understand even to someone unfamiliar with data privacy and protection law. Avoid ambiguous phrasing that might persuade a user to accept cookies (another form of dark pattern, or “nudging”).
  • Blank options: All default settings should either be blank or set to opt-out. There should be no pre-ticked boxes or other elements that make opt-in the default.
  • Accessible settings: Once users have selected their consent preferences, it must be simple to change them. Many sites keep a smaller banner with a link to cookie settings at the bottom of the page or use an icon accessible from around the site to re-access the cookie banner.

“The main challenges of achieving and maintaining GDPR compliance are ensuring that consent is obtained in a way that’s informed and explicit. You need to ensure a positive user experience at all points of their interactions with the cookie banner as well.”
Adelina Peltea, CMO of Usercentrics

“Records of all consent actions need to be securely stored and accessible in case of request,” underlines Peltea.

5. Document user consent choices in case you need to demonstrate valid consent

Art. 7(1) GDPR puts the burden of proof on you: where processing is based on consent, you must be able to demonstrate that the user gave it. Establish a system to record and securely store user preferences so you can do so if challenged by a user or a regulatory body. This preparation will help protect you against potential legal action and penalties and is also best practice for data security.

Organized records also make audits more efficient. If you manage a large organization with potentially thousands of visitors each day, regular audits and organized recordkeeping can prevent disruption to your operations.

Here’s what you need to record:

  • Each visitor’s cookie preferences over time, including withdrawals
  • The version of the cookie policy and banner the visitor saw, so you can show what they were informed of
  • Visitor location (for relevant regulations)
  • Device and browser in use
  • Date and time stamps for every consent action
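Pulling the consent, blocking, and record-keeping requirements above together, here is an added example (code written for this article, not Usercentrics CMP) of the core logic behind a consent gate: non-essential categories default to off, the banner is shown again when the policy version changes or a decision expires, every decision and withdrawal is appended to a timestamped log together with the context a regulator may ask for, and tags that ship inert as `<script type="text/plain" data-consent="analytics">` are activated only for categories the user opted into. The category names, the 12-month validity period, the `data-consent` attribute, and the walk-through data are assumptions.

```javascript
// Added example: minimal consent state, audit log and script gate. Not Usercentrics code.
// Category names, the 12-month expiry and the data-consent attribute are assumptions.

const NON_ESSENTIAL = ["analytics", "marketing"];
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // assumed 12-month validity

// Initial state: no decision yet, every non-essential category off (no pre-ticked boxes).
function emptyConsent() {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = false;
  return { policyVersion: null, decidedAt: null, categories, log: [] };
}

// Show the banner when there is no decision, when the cookie policy changed since the
// decision (new purposes need new consent), or when the decision has expired.
function needsPrompt(state, currentPolicyVersion, now) {
  if (state.decidedAt === null) return true;
  if (state.policyVersion !== currentPolicyVersion) return true;
  return now - state.decidedAt > CONSENT_TTL_MS;
}

// Append an entry to the log. context carries what a regulator may ask for later
// (the region whose rules were applied, the user agent); the timestamp is added here.
function logged(state, action, categories, policyVersion, now, context) {
  const entry = { action, at: new Date(now).toISOString(), policyVersion, categories: { ...categories }, ...context };
  return { policyVersion, decidedAt: now, categories, log: [...state.log, entry] };
}

// Record a granular decision. Only an explicit `true` opts a category in; anything
// else (missing, "yes", 1) stays off, so a buggy banner can't accidentally opt users in.
function recordDecision(state, choices, policyVersion, now, context) {
  const categories = {};
  for (const c of NON_ESSENTIAL) categories[c] = choices[c] === true;
  return logged(state, "decision", categories, policyVersion, now, context);
}

// Withdrawal must be as easy as giving consent: one call turns everything off and is logged.
function withdrawAll(state, now, context) {
  return logged(state, "withdraw", emptyConsent().categories, state.policyVersion, now, context);
}

function isAllowed(category, state) {
  return category === "essential" || state.categories[category] === true;
}

// Scripts are shipped as <script type="text/plain" data-consent="analytics" src="...">,
// which browsers never execute. Given the tags and the state, return the ones that may run.
function scriptsToActivate(scripts, state) {
  return scripts.filter((s) => isAllowed(s.category, state));
}

// Browser side: swap each permitted inert tag for a live copy so the browser runs it.
// A no-op outside a DOM so the module also runs under Node.
function activateInDom(state) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  for (const el of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(el.dataset.consent, state)) continue;
    const live = document.createElement("script");
    for (const a of el.attributes) if (a.name !== "type") live.setAttribute(a.name, a.value);
    live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed walk-through of one visitor's session.
function demo() {
  const ctx = { region: "DE", userAgent: "example-browser/1.0" };
  let state = emptyConsent();
  const t0 = Date.parse("2025-04-08T09:00:00Z");
  const shown = needsPrompt(state, "policy-v2", t0);                    // true: first visit
  state = recordDecision(state, { analytics: true, marketing: false }, "policy-v2", t0, ctx);
  const tags = [
    { category: "essential", src: "/app.js" },
    { category: "analytics", src: "/analytics.js" },
    { category: "marketing", src: "/ads.js" },
  ];
  const running = scriptsToActivate(tags, state).map((t) => t.src);    // ["/app.js", "/analytics.js"]
  const afterPolicyChange = needsPrompt(state, "policy-v3", t0 + 1000); // true: purposes changed
  state = withdrawAll(state, t0 + 5000, ctx);
  return { shown, running, afterPolicyChange, finalAnalytics: state.categories.analytics, logLength: state.log.length };
}
```

The two design choices worth copying are the strict `=== true` check, which makes opt-in the only way a category turns on, and the fact that the log is append-only: a withdrawal is a new entry with its own timestamp, not an edit of the original decision, so the record still shows what the user consented to and when they changed their mind.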

Use this checklist to see if your cookie use practices comply with GDPR requirements.

Before enabling cookies, your website:

  • Automatically prevents any non-essential cookies from loading
  • Uses a consent banner or pop-up, in the user’s preferred language, to request consent as the regulations that apply to that user require
  • Displays your banner in visible and easily accessible locations
  • Includes a link to a detailed cookie policy in the banner
  • Enables users to choose which non-essential cookies to accept and reject
  • Leaves tick boxes, filters, and similar settings empty by default

While enabling cookies, your website:

  • Creates a timestamped record of user consent that is updated if they change preferences
  • Maintains access to all features and services regardless of the user’s response, potentially offering a paid option if they refuse consent for data use

After enabling cookies, your website:

  • Displays an easily accessible widget enabling users to change or withdraw consent
  • Stores user consent preferences, accessible for future site visits 
  • Detects and blocks newly added non-essential cookies until consent is given

On an ongoing basis, your website:

  • Keeps the cookie policy up to date to reflect changes to the cookies and vendors in use as well as changes to the GDPR and other legal requirements
  • Regularly undergoes audits to maintain compliance

Your cookie consent banner plays a vital role in privacy compliance management. Designing an effective banner can help you deliver better user experiences and meet requirements of various data privacy laws.

What’s more, the design, placement, and content of your banner will impact cookie consent rates and your ability to leverage users’ personal data to improve marketing performance.

Here’s how a comprehensive CMP like Usercentrics CMP supports you in designing a GDPR-compliant banner and optimizing your opt-in rates:

  • Customization: Usercentrics enables you to tailor the look and functionality of your cookie banner to your brand and relevant regulatory requirements.
  • Cookie blocking: The Usercentrics CMP scans your website for non-essential cookies and prevents them from running tracking scripts before visitors select their consent preferences where required by privacy laws.
  • Geolocation support: The CMP automatically adjusts settings based on each visitor’s location to support compliance with privacy laws across the EU and the globe and improve user experience with functions like displaying preferred language.
  • Over 60 language options: Usercentrics will automatically display your banner in your visitors’ preferred language for more clarity and a better user experience. This feature also helps you meet the GDPR’s requirement for making your website policies accessible and easily understandable.
  • Inclusive features: Usercentrics CMP is certified for the Web Content Accessibility Guidelines (WCAG) 2.1 AA. This certification means that all elements of your cookie banner are designed to provide an inclusive user experience.
  • Automated updates: Our CMP automatically updates as regulations evolve to reflect changes to the GDPR and other relevant privacy laws. 
  • Actionable insights:  Get in-depth data about user interactions and consent rates to drive optimization strategy. Set up in-tool A/B tests to iterate quickly to boost opt-in rates and, in turn, increase marketing monetization. 

GDPR compliance isn’t just about meeting legal obligations and avoiding fines. Privacy laws reflect an ever-expanding integration of tech in our lives and businesses, and concerns are growing among consumers about how companies use cookies and other tracking technologies for personal data processing.

A compliance management solution like Usercentrics CMP can help you successfully align with evolving GDPR cookie requirements and foster trust with your audience.  

Usercentrics delivers an easy and reliable way to collect and manage consent for cookies and similar tracking technologies, while enabling you to gather valuable insights about your customers to optimize marketing performance.

