GDPR Cookie Consent: The Ultimate Guide


To achieve ePrivacy Directive and GDPR compliance, you must obtain cookie consent before placing cookies in your visitors’ devices. 

The ePrivacy Directive is responsible for the current framework that guides website owners on how to use cookies in a compliant way. 

On the other hand, although the General Data Protection Regulation dedicates minimal focus on cookies, it introduced changes to the ePrivacy Directive’s standards for the handling of personal data of identifiable natural persons. 

Consequently, GDPR provides extra protections for users when you place cookies in their devices to gather and process the kinds of personal information that fall under the scope of the EU’s pioneer data privacy law, the GDPR. 

This guide is focused on helping you gather valid GDPR cookie consent from your website visitors and avoid possible GDPR fines for non-compliance. Here are the topics covered in this ultimate guide; 

  • What are cookies? 
  • What is cookie consent? 
  • Why do I need to obtain GDPR cookie consent?
  • ePrivacy Directive and cookies
  • GDPR and Cookies 
  • How do I obtain Valid GDPR cookie consent?
  • What are GDPR cookie notice requirements? 
  • What are the possible penalties of GDPR cookie consent violations?
  • What should I include in my GDPR cookie Consent banner? 
  • How does Secure Privacy help with GDPR cookie consent? 

What are Cookies? 

Usually, when you visit a website, small files containing data are stored in your device via the browser. 

Cookies are important because they can hold different kinds of data that is vital for the desired functionality of your website. 

The kinds of data that they hold include; 

  • How a visitor accessed your website
  • The location of the user
  • The visitor’s language preferences
  • Users’ online activity for relevant ad targeting and better user experiences

What are the Different Types of Cookies? 

In general, cookies are classified based on three crucial principles; 

  • Purpose

Strictly necessary cookies – also known as essential cookies, this category of cookies is important since it facilitates your browsing of a website and making use of its features such as accessing the safe sections of the page.

 For example, the cookies that make it possible for e-commerce stores to keep items in your cart while shopping online fall under this subcategory.

Although both the GDPR and the ePrivacy Directive do not require websites to seek consent for strictly necessary cookies, what they do and their importance should be made clear to users.  

Preference Cookies – The cookies under this subcategory make it possible for a website to recall the choices you have made previously, such as language preference, the region for which you would like to receive reports, or your login details to allow you to sign in automatically. Preference cookies are also referred to as functionality cookies.

Statistics cookies – These cookies gather information about your activities on a website such as the kind of pages you accessed and the kind of links you clicked on. 

A key aspect to take into consideration in this context is the fact that this data cannot be used to identify you. This is because the information is aggregated, which simply means it is anonymized. 

For this reason, statistics cookies are focused on enhancing website functions. In the event that these cookies are from third-party analytics service providers, the objective of their use remains the same so long as the information they collect is used exclusively by the website owner. 

Marketing Cookies – Lastly, promotional cookies capture your online activity to assist advertisers in delivering more relevant advertising or to limit the number of times you see an ad. 

Marketing cookies can share personal data with third-parties or adtech agencies for the purpose of digital marketing.

 It is essential to know that this type of cookies are persistent and are predominantly of third-party provenance.  

  • Duration 

Session Cookies –  temporary cookies that expire the moment you close the browser. 

Persistent cookies – refers to the cookies that are stored in your device until you either delete them or your browser erases them depending on their date of expiration. 

Essentially, all persistent cookies have an expiry date written into their code, although this duration may vary. 

  • Provenance 

First-party cookies – Primarily, these cookies are stored on your device or computer directly by the website you access. 

Third-party cookies – refer to cookies placed in your gadget by a third-party such as an advertiser or an analytic system. In most cases, they are not stored in your devices by the website you are visiting. 

Nonetheless, it is essential to note that some cookies may not fit neatly into these categories while others may qualify for multiple categories.

The ePrivacy Directive and Cookie Consent 

The EU ePrivacy Directive was adopted in 2002 and amended in 2009. 

This data privacy directive is referred to as the EU Cookie Law since its most notable impact was the introduction of cookie consent banners after its implementation. 

On the one hand, the ePrivacy Directive reinforces the General Data Protection Regulation. 

However, in some cases, it overrides the GDPR and focuses on crucial aspects of the privacy of electronic communications and the tracking of internet users in a broader scope. 

What is Cookie Consent? 

When your website visitor allows you to store cookies in their browser to collect specific information about them, this action is referred to as providing cookie consent. 

Both the GDPR and ePrivacy regulation emphasize that you need to obtain valid cookie consent to process the different types of personal information you collect with the help of cookies legitimately. 

Why Do I Need to Obtain GDPR Cookie Consent? 

As we have already seen, cookies gather user information in a variety of ways. 

On the other hand, the GDPR defines personal data as any information that can be linked to an individual directly, indirectly, or by reference to a unique identifier such as an IP address. 

Therefore, the EU’s pioneer cookie law outlines legal bases for the collection and processing of personal information. The first and most important legal base for processing personal information under the GDPR is consent. 

This is why you need to obtain valid GDPR cookie consent on your website to guarantee compliance. 

ePrivacy and Cookies, What does it Say?

Adopted in 2002, and repealed in 2009, the ePrivacy Directive, established the framework for governing the use of cookies by website owners. 

This is why it is commonly called the EU’s Cookie Law because it introduced cookie consent banners or pop-ups after its adoption. 

Today, it supports, and in some cases, overrules the GDPR when it comes to managing specific issues about the privacy of electronic communication and the tracking of EU residents on the internet. 

To use cookies in an ePrivacy compliant way, you should; 

  • Obtain user consent before you place any cookies on your visitor’s device except in the case of strictly necessary cookies
  • Offer accurate and clear information about the data each cookie captures and its purpose in plain language before seeking consent
  • Maintain logs of the consent obtained from users 
  • Permit users to access your service regardless of whether they opt-out of the use of specific types of cookies
  • Simplify how users withdraw their consent as it was for them to grant their consent, to begin with

GDPR and Cookies, What does it Say? 

The intersection between GDPR and cookies is best explained by the EU data protection law’s rules for collecting and processing personal information. 

Since you can use cookies to identify a person, GDPR compliance requirements require you to meet the six principles of processing personal information, which are; 

  • You must process personal information in a legal, fair, and open way
  • You must collect and process personal data only for specific and legitimate purposes 
  • You must minimize the collection of personal data to only what is necessary for your stated purposes 
  • You must ensure that the personal information you collect is accurate and ensure you have timely measures to rectify inaccurate data
  • You should store user information for as long as it is necessary to satisfy your stated purpose only
  • You need to implement relevant security measures to prevent data breaches when processing the information you collect from your users. 

How do I Obtain Valid GDPR Cookie Consent? 

Taking the legal bases for processing personal data into account, the GDPR outlines specific obligations you need to satisfy to be considered compliant with these requirements. 

Generally; 

  • You need to know the cookies you have on your website and the cookie category they belong to
  • You must explain how you use cookies in your cookie notice for GDPR 
  • You must inform users about the existence of your GDPR cookie notice 
  • You must make it possible for users to provide clear and explicit consent for you to place cookies in their browsers
  • You must ensure that you only store non-essential cookies after a user has agreed to the deployment of those cookies
  • You must allow users to change their cookie preferences at any time, or withdraw their consent easily.
  • You must respect your users’ preferences and consents 
  • You must keep retrievable logs of the consent and preferences of your users

It is important to note that your ability to achieve GDPR cookie compliance is dependent on your cookie notice, cookie consent banner, and cookie consent management strategy

When is Cookie Consent Considered GDPR-Compliant? 

According to the latest EDPB guidelines on cookies, valid GDPR cookie consent is obtained from the user only when it is; 

  • Informed
  • Unambiguous 
  • Freely given
  • Specific
  • Easily withdrawn

To learn more about the specific elements of GDPR-compliant cookie consent, read our blog on the latest EDPB Cookie Consent Guidelines

What are GDPR Cookie Notice Requirements? 

A cookie policy, which is also referred to as a cookie notice explains the cookies on your website and their purpose. 

Therefore, cookie notice for GDPR compliance must; 

  • Explain to users the type of cookies you use on your website
  • Provide the categories under which each cookie on your website falls
  • Outline the purpose of each cookie
  • Reveal any other types of tracking technologies you use such as pixel tags, google analytics, and web beacons, etc.
  • Inform users about how to manage their preferences

You need to be aware that your GDPR cookie notice supports your privacy policy, but does not replace it. 

Learn more about how you can make your website privacy policy GDPR compliant here.

What are the Penalties of Violating GDPR Cookie Consent Requirements?

Failure to comply with GDPR cookie consent obligations can expose your company to several risks. The main risks are; 

  • Being fined in line with GDPR penalties for non-compliance 
  • Suffering damage to your company reputation regarding your company’s respect for the privacy of data subjects
  • Denial of access to your company data
  • Significant loss of trust in your business by your consumers 

Are there GDPR Cookie Consent Plugins I can Use to Avoid GDPR Fines? 

Your cookie consent compliance efforts can be streamlined and easy to manage with the help of a Consent Management Platform (CMP) software solution. 

A CMP such as Secure Privacy comes with a cookie consent banner that allows you to gather and keep data subject consents for your cookies in line with the ePrivacy Directive and GDPR compliance requirements. 

What are the Requirements for GDPR Compliant Cookie Banners? 

For your cookie banner to be considered compliant with the General Data Protection Regulation, it must give your data subjects; 

  • A choice to accept or reject the placement of non-essential cookies
  • Clear information about the cookies you have on your website, including information about the necessary cookies and their purpose
  • a link to your privacy notice
  • information about your cookie providers such as Google Analytics, WordPress, Hubspot 
  • The expiry date of your cookies 
  • Information about third parties who may have access to the information you collect

It is important to note that the CJEU’s ruling in the Planet49 case also directed that; 

  • You must avoid using pre-checked buttons or boxes
  • Avoid using scrolling as a justification for obtaining valid GDPR cookie consent. 

Learn more about the key takeaways from the  CJEU’s ruling in the Planet49 case for businesses in our blog

Does Secure Privacy have a WordPress GDPR Cookie Consent Plugin?

Yes, it does. The key features of Secure Privacy’s WordPress plugin include;  

  • Universal Preference Center– Give your users full control over cookies stored on their computer, including the ability for users to revoke their consent.
  • Cross-Domain Consent when you want to collect user’s consent across multiple domains using a single cookie banner.
  • Fully customizable – upload your own logo, colors, fonts
  • Fully editable – change all text
  • Geo-location – if enabled, the Cookie Consent Banner will only be shown to visitors from the European Union or selected countries (ie. Canada, United States, Brazil, etc.)
  • Simple, beautiful & intuitive user interface
  • Set the position of the Cookie Consent Banner: at the top or bottom of your pages
  • Flexible – decide which scripts will be loaded by default or only when the user gives consent
  • Includes both ‘Accept’ and ‘Reject’ buttons
  • Consent expiration settings
  • Privacy policy generator – Generate a privacy policy on your website to be compliant with GDPR, CCPA & LGPD
  • Includes link to Privacy Policy page
  • Choose from two unique layouts
  • Mobile responsive design
  • SEO friendly
  • Available in 70+ languages
  • Cookie Declaration allows you to manually declare the exact type of cookies that your site uses, including the cookie name, provider, purpose, and expiration
  • Consent Log – gives you the ability to store user consent information in the event that you need to prove that consent was given.

Apart from WordPress, Secure Privacy also offers Google Analytics GDPR cookie consent plugin, Hubspot GDPR cookie consent plugin, as well as other cookie providers that you may have on your website? 

Does Secure Privacy work with Google Consent Mode? 

Yes, it does. 

Google Consent Mode is a new API for publishers and advertisers that you implement in your Consent Management Platform to gather valuable insights from the personal information you collect from users when using solutions such as Google Analytics and Google Ads, in a GDPR compliant way.

The Google Consent Mode API  is to bridge the gap between the adtech industry and data protection laws. 

Secure Privacy’s cookie consent banner integrates with Google Consent Mode by informing the API whether your data subject opted-in or opted-out of the use of cookies directly. 

If the user opted-out of the use of cookies from Google products such as Gtag and Google Analytics in your Secure Privacy CMP, Google uses pings instead of cookies for tracking users in line with GDPR cookie consent requirements

Read our blog to find out more about Google Consent Mode and how to achieve GDPR Cookie Consent compliance

How Can I Meet GDPR Cookie Consent Compliance Requirements with Secure Privacy? 

Secure Privacy’s GDPR compliance solution is packed with enterprise-level features such as; 

  • Advanced  ongoing website scanning with our unique GDPR cookie scanner that helps you detect all cookies and trackers on your website, and blocks the deployment of third-party cookies until consent is given 
  • Cross-domain consent to help you manage your data subject’s cookie consent preferences in a single step across multiple domains
  • Highly customizable and stylish GDPR cookie consent banners that allow your users to opt-in, or withdraw their cookie consent easily, as well as manage their preferences
  • A privacy policy generator that allows you to develop a customized cookie notice for your company automatically.
  • Logs and consents tracking in real-time to ensure you keep retrievable records of your data subjects’ consent status if requested by Data Protection Authorities (DPAs) 
  • Multiple language support with 70+ languages, which allows you to customize your cookie consent banner in the language of your target users
  • Future-proof cookie consent compliance solution that supports California’s CCPA, Brazil’s  LGPD alongside other upcoming data privacy regulations globally. 

If you would like to receive additional information about Secure Privacy and GDPR Cookie Consent compliance or to have our data protection expert carry out a quick ‘check-up’ of your website, cookie consent banner, or your cookie policy, book a call today.

Alternatively, you can sign up for your free trial of our complete GDPR compliance solution here. 

Additional Resources:

Discover how to make your website compliant with GDPR with our detailed compliance guide

Download your FREE GDPR e-book and have it delivered directly to your inbox