Tracking Cookies and the GDPR: why not all cookies are the chocolate chip kind

by Usercentrics
Jun 25, 2021

You might have heard a thing or two about internet or browser cookies. These tracking cookies are a type of technology that you need to get to know better, especially when it comes to data privacy. Let’s start with something simple. Namely, what are cookies to begin with? And most importantly, how does the GDPR influence the different types of cookies on your browser?


Let’s start at the very beginning. Cookies are small crumbs of data that are set in a user’s web browser as soon as a user visits a website. These cookies collect information, such as the user’s IP address and other details. This is why many marketers see cookies as beneficial, and we don’t blame them.

The purpose of the cookie is to help the website keep track of your browser activity. Don’t fret: this isn’t always a bad thing. For example, many online retailers use cookies to keep track of the items in a user’s shopping cart as they explore the site. If websites didn’t set cookies, your shopping cart would reset to zero every time you clicked a new link on the site. But just like with everything in life, not all cookies are created equally. There are session cookies and first-party and third-party persistent cookies, also known as tracking cookies.

What are tracking cookies and what are they used for?

Tracking cookies are a bit different than your average session cookie mentioned above. These cookies collect specific types of information for third parties, such as search history, geographic location, purchasing trends and other bits and pieces of information. 


What’s the difference between regular session cookies and tracking cookies? The name says it all. Tracking cookies are set by websites other than the one a user is browsing. They build up a repertoire of information regarding each user, which is then traced from website to website. 

Think of this as an information string that is being pulled onto each website a user visits, and then accumulating data until the end of the browsing session. The data is then sold to third parties, other companies or websites whose main focus is creating personalized ad targeting campaigns, social media widgets and web analytics. Pretty much everywhere you go online cookies are being used: Google, Facebook, Twitter, Amazon and more, making it difficult to browse without tracking.
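The distinctions drawn above (session versus persistent, first-party versus third-party) can be read straight off the `Set-Cookie` header a browser receives. The following is an added example, not code from the original article; the host names and header values are constructed, and the two-label `site()` helper is a simplifying assumption.

```javascript
// Added example: classify cookies by lifetime and by who set them.
// Sample headers and host names below are constructed for illustration.

// Naive "site" = last two host labels. Assumption: real code should use the
// Public Suffix List, since this is wrong for suffixes such as co.uk.
function site(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Parse one Set-Cookie header value into a name plus lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), attrs: {} };
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return cookie;
}

// pageHost: the site in the address bar; responseHost: the host whose
// response carried the Set-Cookie header.
function classifyCookie(pageHost, responseHost, header) {
  const { name, attrs } = parseSetCookie(header);
  // No Max-Age or Expires means the cookie ends with the browsing session.
  const persistent = 'max-age' in attrs || 'expires' in attrs;
  const domain = (typeof attrs.domain === 'string' ? attrs.domain : responseHost)
    .replace(/^\./, '');
  return {
    name,
    lifetime: persistent ? 'persistent' : 'session',
    party: site(domain) === site(pageHost) ? 'first-party' : 'third-party',
  };
}

const samples = [
  ['shop.example', 'shop.example', 'cart=abc123; Path=/; HttpOnly'],
  ['shop.example', 'shop.example', 'prefs=dark; Max-Age=31536000; Path=/'],
  ['shop.example', 'ads.tracker.test',
    'uid=77f0; Domain=tracker.test; Max-Age=63072000; SameSite=None; Secure'],
];
const report = samples.map(([p, r, h]) => classifyCookie(p, r, h));
console.log(report);
```
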

Tracking cookies and the GDPR – the right to be informed

Things get a little more tricky when it comes to using tracking cookies and being fully compliant with the GDPR. With the latest data privacy regulations, website providers must let their visitors know when the websites are using cookies, especially third-party tracking cookies. 


Once visitors know that tracking cookies are being set, such as through a privacy policy, they have to be able to provide their consent for each data processing service that collects information. Without consent, the data collected cannot be passed on or sold, and a company can risk large fines if they pass it on to third parties, according to the most recent ruling by the ECJ.


This means: no data can be tracked without the user first acknowledging and accepting the collection of data.


While collecting information such as search history, purchase information and location doesn’t seem too bad, the reality is that the amount of information collected doesn’t stop there. 


“Device information, the time and date when a user clicked on something, the ads a user focuses on, as well as TV shows that are watched are just a small part of the information that is collected,” says Justin Brookman, privacy expert at Consumer Reports. “Consent for this must be requested.”

It is no surprise that data-driven marketing cannot be successful without valid consent, making data obtained with consent worth gold for marketers. However, not all consent is created equal. In fact, “The way in which you collect consent is just as relevant,” says Hans Skilrud, CEO of Termageddon, a privacy policy generator.


  1. Freely: consent must be voluntary.
  2. Informed: for whom, what, why and how long? Valid consent is only given when the person affected is aware of all circumstances. 
  3. Explicit: the user must actively agree to give consent. Pre-checked boxes are not enough.
  4. Granular: consent must be given for each and every data processing service.
  5. In advance: no user data can be collected prior to the opt-in. 
  6. Documented: website operators are subject to burden of proof in the event of an audit.
  7. Easy to withdraw: the user has the right to withdraw any consent given at any time.
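A minimal sketch of how a site could enforce the explicit, granular, in advance, documented and easy-to-withdraw points from this list on the client side. This is an added example, not code from the original article or from any consent management product; the service names, the `policyVersion` field and the proof-log format are hypothetical.

```javascript
// Added example: a consent store that gates each data processing service.
// Service names and the proof-log format are hypothetical.
class ConsentStore {
  constructor(services, now = () => new Date().toISOString()) {
    this.now = now;
    // Every service starts denied: nothing is pre-checked.
    this.state = new Map(services.map((s) => [s, false]));
    this.log = []; // append-only record of every decision, kept as proof
  }

  // Record an explicit decision for exactly one service.
  set(service, granted, policyVersion) {
    if (!this.state.has(service)) throw new Error(`unknown service: ${service}`);
    if (typeof granted !== 'boolean') throw new Error('decision must be explicit');
    this.state.set(service, granted);
    this.log.push({ service, granted, policyVersion, at: this.now() });
  }

  // Withdrawal is the same single call as granting, and is logged too.
  withdraw(service, policyVersion) {
    this.set(service, false, policyVersion);
  }

  allowed(service) {
    return this.state.get(service) === true;
  }

  // Run a service's loader only if consent already exists for that service.
  load(service, loader) {
    if (!this.allowed(service)) return false;
    loader();
    return true;
  }
}

function demo() {
  const fired = [];
  const store = new ConsentStore(['analytics', 'ads'], () => '2021-06-25T00:00:00Z');
  const beforeOptIn = store.load('analytics', () => fired.push('analytics'));
  store.set('analytics', true, 'v1');
  const afterOptIn = store.load('analytics', () => fired.push('analytics'));
  const adsStillBlocked = !store.load('ads', () => fired.push('ads'));
  store.withdraw('analytics', 'v1');
  const afterWithdraw = store.load('analytics', () => fired.push('analytics'));
  return { beforeOptIn, afterOptIn, adsStillBlocked, afterWithdraw, fired, log: store.log };
}
console.log(demo());
```
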


How users stay in control of their data:

When using cookies, it is important that users remain in control of their data and are aware of why it is being collected and for whom. In a study conducted by Ponemon Institute, as many as 86 percent of respondents said they are “very concerned when using Facebook and Google,” while 66 percent of respondents said they are “very concerned when shopping online or using online services.” This mirrors increasing consumer mistrust, where two-thirds of consumers (68 percent) are more concerned about the privacy and security of their personal information than they were three years ago.


“This lack of empowerment can have devastating effects on consumers’ privacy if it goes unchecked,” Ponemon researchers noted. 


That’s why it’s important for users to know why website providers set cookies, and most importantly to have a clear overview of which cookies are set. Being in control of data also means that users can revoke their consent at any time and be able to give consent only for specific data processing services. Website providers must offer consumers choice: to opt in granularly and to revoke consent at any time.

Confused with all of the regulatory changes? You don’t have to be.

According to a study conducted by Pew Research, the lack of understanding about data privacy laws among the general public is staggering: 63 percent of Americans say they understand very little or nothing at all about the laws and regulations that are currently in place to protect their data privacy. Don’t be part of that statistic. We offer plenty of webinars and articles to help you stay informed and up to date on the latest policy changes. If you have questions and want to tune in to our latest panel discussions, Tech That Talks brings key expert speakers from around the world together to discuss and answer your questions in a live setting.

With Usercentrics, your journey to full compliance doesn’t stop at the CMP. You get legal experts, dedicated support and guidance every step of the way.
