GDPR and Cookies

GDPR does not care about cookies that much.

But it's more important than you think.

Basically every website uses cookies. Many are essential for basic website functionality, but a lot of them serve analytical and marketing purposes.

GDPR does not care about cookies too much, but the few sentences in the regulation mean a lot to you as a website owner.

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Most of the third-party plugins you may use, such as the Facebook or Instagram widgets, Google Analytics and other tracking solutions, use cookies to uniquely identify the user. Unique identification is performed by generating a Unique ID, which is then stored on the user's device.

Should the Unique ID stored in a cookie be treated as personal data?

Probably yes.

Since it can be used for precise identification of a particular person, then yes. And it's true that by using the Unique ID in combination with an IP address you can supposedly identify the particular person.

What does it mean?

That's simple. If you want to store and use the personal data of your website's visitors, you first need their valid opt-in consent. The usual cookie consent widgets found on thousands of websites do not comply with GDPR, because they don't use the required opt-in consent and do not offer the user a real choice. According to GDPR, the user must have a clear ability to choose whether to allow you to store his personal data or not. If he refuses, you as the website owner should not deny him use of the website. That's why the usual cookie consent widgets are out of play.

So what do I have to do?

  1. First, you need to obtain valid consent from your users. Before obtaining consent, you're not allowed to store any cookies containing personal data.
  2. Moreover, all consents should be stored somewhere you can access them and provide them to the user and/or authorities, with clear identification of when and who (Unique ID) provided the consent.
  3. Finally, you should be able to provide users with opt-out functionality so they can change their mind and withdraw their consent.
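
The three steps above can be sketched as an append-only consent ledger plus a filter that decides which cookies may be set. This is an added example, not code from this page or from any product; the names `ConsentLedger`, `filterCookies` and the purpose tags are hypothetical, and treating cookies tagged `essential` as needing no consent is an assumption of the example.

```javascript
// Added example: ConsentLedger, filterCookies and the purpose tags are hypothetical.
const ESSENTIAL = 'essential'; // assumption: cookies tagged this way need no consent
class ConsentLedger {
  constructor() {
    this.events = []; // append-only: a withdrawal is a new event, nothing is overwritten
  }

  // Step 2: store who (Unique ID) agreed to which purposes, and when.
  record(uniqueId, purposes, when = new Date()) {
    const event = Object.freeze({
      uniqueId,
      purposes: Object.freeze([...purposes]),
      at: when.toISOString(),
    });
    this.events.push(event);
    return event;
  }

  // Step 3: opt-out is recorded as a decision with no purposes.
  withdraw(uniqueId, when = new Date()) {
    return this.record(uniqueId, [], when);
  }

  // The latest decision wins; no decision at all means no consent (opt-in).
  current(uniqueId) {
    for (let i = this.events.length - 1; i >= 0; i--) {
      if (this.events[i].uniqueId === uniqueId) return this.events[i].purposes;
    }
    return [];
  }

  // Full trail for one visitor, to hand to the user or an authority.
  history(uniqueId) {
    return this.events.filter((e) => e.uniqueId === uniqueId);
  }
}

// Step 1: return only the cookies that may be set for this visitor right now.
function filterCookies(ledger, uniqueId, cookies) {
  const granted = uniqueId ? ledger.current(uniqueId) : [];
  const allowed = new Set([ESSENTIAL, ...granted]);
  return cookies.filter((c) => allowed.has(c.purpose));
}
// Constructed sample cookies, each tagged with the purpose it serves.
const sampleCookies = [
  { name: 'session', purpose: 'essential' },
  { name: 'analytics_id', purpose: 'analytics' },
  { name: 'ad_id', purpose: 'marketing' },
];
```

Because a withdrawal is appended rather than overwriting the earlier record, the ledger can still show when consent was given and when it was taken back.
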
All of these functionalities are provided by!
