What Does GDPR Say About Cookies?

Cookies, IP addresses, and similar online identifiers are addressed explicitly in Recital 30 of the General Data Protection Regulation (GDPR), which states: “Natural persons may be associated with online identifiers [...] such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.” This classification underscores that cookies, when used to identify individuals—either directly or indirectly—constitute personal data (GDPR Recital 30).

Key findings from legal and regulatory analysis include:

• Cookies as Personal Data: The GDPR recognizes cookies as personal data when they can identify a user, even in combination with other data.
• Consent Requirement: Article 6 and Recital 32 require valid consent prior to the deployment of non-essential cookies. Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes or inactivity do not constitute consent (EDPB Guidelines 05/2020).
• Transparency: Websites must clearly inform users about the types and purposes of cookies before obtaining consent. This includes:
  • The identity of the data controller
  • The exact purposes for which cookies are used
  • Third parties involved
• Right to Withdraw Consent: Users must be able to withdraw consent as easily as it was given (GDPR Article 7(3)).
• Accountability: Organizations must be able to demonstrate that valid consent has been obtained for all non-essential cookies.

Empirical studies indicate significant compliance gaps among websites, with many failing to implement mechanisms for granular consent, or defaulting to non-compliant opt-out models (Degeling et al., 2019). Regulatory actions have reinforced the necessity for explicit opt-in mechanisms, particularly for tracking and advertising cookies.

In summary, under GDPR, cookies that can identify an individual are personal data; therefore, their use is tightly regulated through requirements for informed, explicit consent and transparency. Failure to comply can result in substantial penalties, as demonstrated by recent enforcement actions in the EU.