
Cookies & GDPR Checklist: Do’s & Don’ts

Since 25 May 2018, website operators have been asking themselves whether cookies fall under the GDPR (DSGVO in German) at all, or only under the forthcoming ePrivacy Regulation. What is the actual legal basis, and which of the myths surrounding cookies are true and which are false?
by Usercentrics
Jul 30, 2019

We clarify all unanswered questions and clear up the myths and rumors surrounding cookies and GDPR.

“Cookies are not personal data, which is why GDPR does not apply.”

This statement is not entirely correct. The GDPR regulates the processing of personal data. Data is personal if it can be used to identify a person. According to Recital 30 of the GDPR, identification is also possible via online identifiers such as IP addresses or cookie identifiers. Whether the GDPR applies therefore depends on the type of cookie involved and on whether it enables the processing of personal data.

Thus, the assumption that cookies will only be regulated under the future ePrivacy Regulation is also wrong. This misunderstanding probably stems from the fact that the ePrivacy Regulation is intended to replace the ePrivacy Directive of 2002 and the Cookie Directive of 2009. However, the forthcoming ePrivacy Regulation will cover the processing of electronic communications data even where there is no personal reference. Read more about ePrivacy below.

As a rule, cookies collect personal data regardless of their intended use, which makes informing users more important than ever. The website operator is therefore obliged to inform users of the website about the collection and processing of their personal data. The duty to provide information covers not only exactly which data are collected, but also how they are processed, for what purpose and on what legal basis. Furthermore, the website operator must state how long the data is kept and how the user can object to the processing of the data.

Since most cookies may only be loaded with the prior consent of the user, a cookie banner should not only provide information but also obtain the explicit consent of the user.

Not everyone who implements a cookie banner on their website is automatically GDPR-compliant and within the legal framework, because the banner must meet certain requirements. The GDPR defines 7 criteria that consent must satisfy in order to be valid within the meaning of the regulation. The website operator must therefore obtain the user’s consent via its cookie banner in accordance with these criteria in order to be on the “safe side”.

We explain which criteria these are in our article “7 Criteria for a GDPR-compliant Consent”.

“The ePrivacy Regulation will not affect the use of cookies.”

The ePrivacy Regulation, which is expected to come into effect in 2020, contains additional new provisions for the use of cookies. Cookies that are used only for the technical operation of a website do not require the user’s consent. Cookies used for tracking or advertising purposes, however, still require the explicit, active and voluntary prior consent of the user. The ePrivacy Regulation is intended to counteract and eliminate tracking walls. Accordingly, all websites must remain accessible even if the user has not consented to the use of cookies.

Checklist – Do’s at a glance

As you can see, the myths and assumptions about cookies listed above are only partly correct and are mostly taken out of context. This leads to a lot of confusion for website operators.

Website operators should note the following points in order to use cookies in a GDPR-compliant way:

Duty to provide information

Cookie banners or pop-ups should indicate the use of cookies on each web page. Furthermore, users must be informed if their data are used to create profiles within the meaning of Art. 21 GDPR and/or if their data can also be transferred to third parties in different countries. This is particularly the case if the providers behind the cookie technologies are based in the USA, for example.

The cookie banner must ensure that the user can give consent in advance, voluntarily, explicitly, on an informed basis and granularly for each web technology (or bundled per area of use). Furthermore, there must be a straightforward and simple way to object to the processing of personal data.

Loading cookies

Cookies may not process or collect any data without a legal basis. There must therefore be a technical link between the cookie banner and the web technology, ensuring that cookies are not loaded until the user has given consent. If the user refuses processing, it must be ensured that no cookies are set.

Legally compliant documentation

In the event of a review by the data protection authority, the website operator must comply with its documentation obligation and be able to demonstrate the users’ consent. To ensure that all data is available during the check, various data points should be documented, such as timestamps, user agents and the version of the consent texts. The conditions under which consent was given also matter: how large was the “Accept” button compared with the “Reject” button, and was the choice genuinely voluntary, i.e. could the user still use the site without any disadvantage after rejecting cookies?

According to the GDPR, objecting must be as simple as opting in. This means that external links to a third-party page for opt-out are not sufficient. In addition, it must be ensured that no further data is collected or forwarded from the moment of the objection, i.e. the opt-out must also be technically linked to the cookie and, ideally, documented.
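The three technical requirements above (load web technologies only after consent, keep an audit record of each decision, and make the opt-out technically effective) can be tied together in a small consent manager. The following is an added illustration written for this article, not Usercentrics' product or any real consent platform's API; the service names, URLs, cookie names and the consent text version are constructed assumptions, and the browser is replaced by in-memory stand-ins so the logic runs under Node.

```javascript
// Added example: consent-gated loading with an audit trail and a technically
// linked opt-out. Not Usercentrics code; all names and values are constructed.

const CONSENT_TEXT_VERSION = "2019-07-v1"; // assumption: version of the banner text shown

// Each web technology declares its consent category and the cookies it sets,
// so an objection can remove exactly what that technology stored (constructed).
const SERVICES = [
  { id: "analytics-tool", category: "statistics", cookies: ["_ana_id"],
    src: "https://analytics.example/tag.js" },
  { id: "ad-network", category: "marketing", cookies: ["_ad_uid"],
    src: "https://ads.example/pixel.js" },
];

class ConsentManager {
  // loader and cookieJar are injected; in a real page they would wrap
  // document.createElement("script") and document.cookie.
  constructor({ loader, cookieJar, now = () => new Date(), userAgent = "unknown" }) {
    this.loader = loader;
    this.cookieJar = cookieJar;
    this.now = now;
    this.userAgent = userAgent;
    this.choices = {};       // category -> true/false; no entry means undecided
    this.loaded = new Set(); // ids of services already injected into the page
    this.records = [];       // audit trail, one entry per user decision
  }

  // Technically necessary cookies need no consent; anything else needs an
  // explicit opt-in. "Undecided" counts as "no".
  isAllowed(category) {
    return category === "essential" || this.choices[category] === true;
  }

  // The data points the text recommends keeping for a later audit.
  record(action, category) {
    this.records.push({
      action, category,
      timestamp: this.now().toISOString(),
      userAgent: this.userAgent,
      consentTextVersion: CONSENT_TEXT_VERSION,
    });
  }

  // One call per category, so the banner can offer granular choices. Opt-in
  // and opt-out use the same path: objecting is as simple as consenting.
  decide(category, granted) {
    this.choices[category] = granted;
    this.record(granted ? "opt-in" : "opt-out", category);
    if (granted) this.applyLoading(); else this.revoke(category);
  }

  // Load every not-yet-loaded service whose category is allowed; before any
  // decision only essential services would load.
  applyLoading() {
    for (const svc of SERVICES) {
      if (!this.loaded.has(svc.id) && this.isAllowed(svc.category)) {
        this.loader.load(svc.src);
        this.loaded.add(svc.id);
      }
    }
  }

  // Technically linked objection: delete the category's cookies and mark its
  // services as not loaded so they stay blocked. A script that already ran
  // cannot be undone here; a real site would persist the choice and reload.
  revoke(category) {
    for (const svc of SERVICES) {
      if (svc.category !== category) continue;
      for (const name of svc.cookies) this.cookieJar.remove(name);
      this.loaded.delete(svc.id);
    }
  }
}

// In-memory stand-ins for the browser so the example runs outside a page.
class MemoryLoader {
  constructor() { this.loaded = []; }
  load(src) { this.loaded.push(src); }
}
class MemoryCookieJar {
  constructor(initial) { this.store = { ...initial }; }
  remove(name) { delete this.store[name]; }
  names() { return Object.keys(this.store); }
}

// One page view: undecided, granular opt-in, rejection, later withdrawal.
function runScenario() {
  const loader = new MemoryLoader();
  // Constructed start state: a session cookie plus two left over from earlier visits.
  const jar = new MemoryCookieJar({ session: "s1", _ana_id: "a1", _ad_uid: "u1" });
  const cm = new ConsentManager({
    loader, cookieJar: jar,
    now: () => new Date("2019-07-30T10:00:00Z"), userAgent: "ExampleBrowser/1.0",
  });
  cm.applyLoading();                         // banner shown, nothing decided yet
  const loadedBeforeConsent = loader.loaded.length;
  cm.decide("statistics", true);             // user accepts statistics only
  cm.decide("marketing", false);             // rejects marketing: _ad_uid removed
  const cookiesAfterChoice = jar.names();
  cm.decide("statistics", false);            // later withdrawal: _ana_id removed too
  return {
    loadedBeforeConsent, loaded: [...loader.loaded], cookiesAfterChoice,
    cookiesAfterWithdrawal: jar.names(), records: cm.records,
  };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The point of injecting the loader and cookie jar is that the gating decision lives in one place that both the banner and every third-party tag go through; nothing on the page references a tag's script URL directly, so a tag cannot be loaded by accident before a decision is recorded.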


Usercentrics GmbH does not provide legal advice. The content of this article is not legally binding. The article represents the opinion of Usercentrics.
