Logo Logo


The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use cookies and online tracking of visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

GDPR compliance is the new law of the digital lands - how to achieve gdpr compliance is Cookiebot's expertise

Though the Internet was invented in the 80s and cookies in the 90s, it wasn’t until 2018 that the EU achieved a uniform law across all twenty-eight member states to protect the privacy of its citizens on the world’s digital infrastructures.

Sure, there is the ePrivacy Directive of 2002 (updated in 2009), which was nationally implemented in various ways; which did give rise to the earliest cookie banners and which is still in place today.

But it wasn’t until the General Data Protection Regulation of 2018 that the EU in sweeping fashion made digital privacy protection a uniform law across the continent.

Cookies came into being in 1994 to serve as the memory of the Internet. Invented by Lou Montulli while working for Netscape, these small text files served the purpose of giving websites recall ability. Their name was coined from the concept of a “magic cookie” used to describe a data packet received and sent back by early Unix programmers.

The world hasn’t been the same since.

Today, we live in hyper-cookied times.

Websites harbor myriads of third-party cookies that allow for the harvest and combination of user data in comprehensive psychographs on each individual to be used for behavioral advertisement and targeted marketing. As the great privacy scandals of late has shown, these have also been weaponized to violate democratic elections in the US and UK.

Once, cookies were the ability of the Internet to remember. Today, they have become its ability to predict.

With the GDPR, the EU has taken up the big fight against privacy intrusive practices and laid out a roadmap to a future of balanced, respectful processing of personal information on our digital highways.

In this article, we’ll map out the topic of GDPR compliance, provide you with several GDPR checklists, discuss the requirements for GDPR cookie compliance and enlighten you on your legal and ethical responsibilities as a website owner and/or operator under the new law of the digital lands.

1. GDPR compliance – what is the GDPR?

The General Data Protection Regulation, or GDPR, is the now well-known EU law that came into effect in May 2018 with the purpose to create a uniform standard of data protection law in the European Union – and beyond.

It lays down the rules for the protection of natural persons and their right to privacy with regard to the processing and free movement of personal data.

In other words, it rules how companies and organizations are allowed to process the personal data of European citizens.

In a sense, the GDPR is the first uniform, legal step towards shaping an understanding of what data really is – and how we should think about it. Data is not just exhaust that giant ad tech companies can suck up for free, as has been the dominant practice for a decade on the Internet.

GDPR compliance means thinking about data is a new wayGDPR compliance means thinking about data in a new way.

GDPR compliance regulates the flow of EU data on the Internet.

On the contrary, the GDPR lays the foundation for a new way of thinking about the data we generate with our online behavior: it ultimately belongs to the user and it is therefore the user who must consent to any collection and processing of it.

GDPR compliance entails respecting user privacy and anonymity. Below we present you with a GDPR compliance checklist, so you can get started.

Even though it is a European law, its purpose is data protection and the protection of the right to privacy for all EU citizens, and so any website in the world who services Europeans and process their personal data is required to achieve GDPR compliance.

In total, the GDPR empowers EU citizens with eight individual rights, including the right not to have one’s personal data collected and processed without prior consent.

GDPR checklists

We realize that you can get drowned in information as a website owner looking for a consent solution, and that some simple GDPR checklists are a much easier way to get ahead on your GDPR compliance.

In the following part, we will present you with some GDPR checklists for cookie compliance on your website.

GDPR checklist on valid consent

In this GDPR compliance checklist, we give an overview of what constitutes valid consent according to the GDPR:

You find more about consent in Article 7 of the GDPR.

GDPR compliance mandates a secure storage of the consent given by a website's users.

GDPR compliance also means storing securely the consent of all users to a website.

GDPR checklist on legal requirements for websites

In this checklist, we look at what you need to have on your website in order to achieve GDPR compliance when it comes to cookies and tracking:

GDPR cookie compliance is best secured through a ready-at-hand consent and compliance solution like Cookiebot. We empower your website with all of the above requirements for GDPR compliance.

Try Cookiebot for free today.

GDPR checklist on how to handle personal data

In this GDPR checklist, we list the requirements for handling of personal data.

The data must be:

  1. processed lawfully, fairly and in a transparent manner in relation to the data subject
  2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes
  3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (also known as data minimization)
  4. accurate and, where necessary, kept up to date
  5. kept in a form which permits identification of data subjects for no longer than necessary for the purposes for which the personal data are collected
  6. processed in a manner that ensures appropriate security of the personal data

You can find more on how to handle personal data in Article 5 of the GDPR.

GDPR checklist for legal bases of data processing

Another useful GDPR requirements’ checklist is one that presents you with the legal bases for data processing.

For most websites, it is the legal basis of consent that is relevant, but it might be useful for you to know what other bases exist for data processing in the European Union.

In this GDPR checklist, you find the legal bases for processing of data as required by the GDPR:

When processing personal data of EU citizens, one of the above legal bases must be presented. If this is not possible, you are not allowed to process personal data.

You find more on the legal bases for data processing in Article 6 of the GDPR.

2. GDPR compliance - what are the rules for cookies?

If your website processes any information of EU citizens, you must obtain the consent of your users prior to the activation and setting of such cookies, the GDPR rules.

This is the very crux of what the GDPR dictates on the use of cookies for companies, organizations and websites in general.

Reminder - what are "cookies"?

Cookies are text files that are set on a user’s browser by websites with the intention to track and monitor their behavior.

That’s why the use of cookies and similar tracking technologies are subject to the rules and regulations protecting personal data and privacy stipulated by the GDPR.

GDPR compliance means asking users for explicit consent before handling sensitive personal information

GDPR compliance for websites means obtaining consent before any cookie activation.

Many website owners themselves don’t have the complete picture of what cookies are in operation on their website. This is due to the nature of cookies – they can be of first- or third-party provenance, be temporary or permanent, and serve a vast number of different purposes.

In other words, website cookies are numerous and inconsistent, and getting an insight once and for all won’t do, as they tend to change often.

So, what are "compliant cookies"?

Well, in reality, cookies in and of themselves cannot be compliant. It’s what you do with the cookie that matters. Cookie compliance according to the GDPR really has nothing to do the technology of the cookies themselves. Cookies are not illegal by their own nature.

No, GDPR cookie compliance has all to do with what you do with cookies – how you use them and for what purpose.

For your website to achieve GDPR cookie compliance, it must abide by the specific rules that the regulation has set down for the use of cookies and similar tracking technology. Even though the word cookie is only mentioned once in the official GDPR law text, it does specify very clearly how a website has to handle user data and the personal information of their visitors.

The core of GDPR cookie compliance for websites can be summed up in this mantra:

You must obtain and store securely the freely given consent of your users before any processing of their data can take place on your website.

Website tracking, such as analytics programs and marketing schemes, need to abide by the GDPR requirements – such as not having pre-ticked marketing cookies as a default.

3. GDPR compliance - two types of data, two types of consent

The GDPR lays out two types of consent. These two types correspond to the two types of data, personal and sensitive.

What is "personal data"?

Personal data is any information relating to a person, directly or indirectly, including data regarding their “physical, physiological, genetic, mental, economic, cultural or social identity”, as the GDPR reads in its article four. 

In short, any data that can identify you as a person.

Within this broad definition, cookies that track user locations or IP addresses, collect and hold contact information or invoicing details, or which process data about user habits, interest and online behavior, are all subject to the mighty rule of the GDPR.

What is "sensitive data"?

But the GDPR also categorizes a second, more serious group of data and sets down even stricter rules for the processing of these. It’s called sensitive data. This is data about religious convictions, sexual orientation, political opinions and the likes.

Sensitive data require explicit consent.

What is "explicit consent"?

Explicit consent is mandatory for a website to obtain from a user, if that website processes sensitive data. This type of consent is affirmative, i.e. a user has to actively opt-in by clicking or swiping yes to the activation of, say, the cookies that process this information.

What is "active consent"?

Active consent is required for all other personal information. It’s the most widely seen type of consent on the web today, typically in the form of a cookie consent banner (as you can see below), which manages the consent of a website’s users and blocks all non-necessary cookies until that consent is obtained.

However, this type of consent is also known as implied consent or the soft opt-in, because it is not strictly affirmative, e.g. continued scrolling on a website will often constitute consent from a user and will activate preference and statistics cookies.

Marketing cookies must always be un-ticked as default, i.e. not turned on by implied consent. If a user does not activate marketing cookies by affirmatively ticking the box, continued scrolling a site should not constitute the activation of marketing cookies, according the GDPR.

ICO and CNIL has updated their guidelines for even stricter cookie compliance in Britain and France!

4. GDPR compliance - consent manager and compliance bot

So, if you have a website, by now you’re probably convinced that you need to achieve GDPR compliance.

Cookiebot is the leading GDPR compliant consent management solution in the world. Our scanning technology finds all cookies and similar tracking on your website, then it automatically blocks it until your users have given their consent.

Cookiebot features the following functions:

  1. Monthly website scan with complete cookie and tracking detection.
  2. Cookie report with full disclosure of all cookies and tracking that can be used as a GDPR compliant cookie policy.
  3. Automatically updated cookie declaration for your website’s privacy policy.
  4. Customizable cookie consent banner displaying all cookies grouped in four comprehensive categories that the user can opt in and out of directly in the banner.
  5. Secure storage of all given consents.
  6. Annual renewal of consent upon the user’s first revisit to the website.
  7. Enabled withdrawal (or change of consent state) for users directly in the cookie declaration.

Cookiebot is simple and fast to use, implemented from the cloud into your website’s source code. We enable one hundred percent GDPR compliance when it comes to cookies and tracking. Try our consent and compliance bot for free today.

Try our consent and compliance bot for free today.

What is a GDPR compliant cookie message?

A GDPR compliant cookie message gives full transparency and disclosure about the cookies in operation on the website, without overwhelming the user (an actual requirement in the GDPR).

A compliant consent banner informs the user about what cookies are in operation, for what purpose, their duration and their provenance, along with the possibility to prevent them from being launched.

Find out what to write in your cookie consent banner.

The cookie compliance message displays on the website upon the user’s first visit to the site, and then again, if the user has consented to cookies, upon the user’s first renewed visit once every 12 months.

GDPR an ePR compliant cookie consent banner

A GDPR compliant Cookiebot consent banner seen on the web.

Your users can opt in and out of the different categories of cookies directly in the banner. Detailed information about all of the cookies folds out directly from the banner.

GDPR compliant cookie consent banner unfolded for more details

A GDPR compliant Cookiebot consent banner with unfolded details.

Cookiebot empowers your users with real consent and enables total GDPR compliance for you and your domains.

5. GDPR compliance – what are the consequences of non-compliance?

The consequences of not being GDPR compliant… well, they can be grave. And not only for your users and their privacy, which might well be infringed and violated by third parties and their data harvesters, but for you and your website or company as well.

The GDPR has a pretty hefty enforcement power – with fines of up to 4% of a company’s annual global turnover or €20 million – whichever is highest.

GDPR fines

Whichever is highest is crucial provision in the GDPR, because this can in fact turn out to be quite a lot!

The British data protection agency ICO has issued an intention to fine British Airways a whopping €204 million, likely for a breach of Article 32 of the GDPR concerning “security of processing”, for an incident involving the hack and harvesting of half a million passengers’ personal data.

In a similar incident, it has issued an intention to fine Marriott International, the hotel chain, €110 million for an incident involving the exposure of a variety of personal data up to 339 million guests worldwide.

Check out all the GDPR fines issued so far on Privacy Affairs.

GDPR compliance means protecting the privacy and autonomy of website users.

The GDPR protects the anonymity of EU citizens - violations are being heavily fined.

The French data protection authority CNIL fined Google €50 million in January 2019 for violations of Article 5 (lack of transparency), Article 13/14 (insufficient information) and Article 6 (lack of legal basis).

On smaller scale, the Danish data protection authority Datatilsynet fined the Danish furniture company IDdesign €200.000 for the processing of personal data for a longer period than necessary for the purposes for which they were processed.

The latter example is perhaps a more relatable story for smaller, independent website owners the world over – violations of the GDPR aren’t always premeditated, simple laziness and negligence can land you in deep trouble.

Try our consent and compliance bot for free today.


With the GDPR, the EU and the world reached a new threshold for privacy protection.

GDPR compliance for a website means rethinking what data is – respecting users and their private lives, asking for their consent to use any details of them and their lives before collection and processing takes place.

Using a consent solution like Cookiebot is the balanced way of respecting your users’ private, anonymous lives, while not breaking your statistics and online marketing revenue.

GDPR compliance does not mean the end of your online business model – try for yourself and see for free today.


The GDPR (official law text)

The ePrivacy Directive (official law text)

ICO has updated their guidelines on what constitutes valid consent in the UK

CNIL has updated their guidelines on what constitutes valid consent in France

GDPR enforcement tracker

World map of data protection laws by DLA Piper

Lawfulness of processing (Article 6 GDPR)

Conditions for consent (Article 7 GDPR)

Make your website’s use of cookies and online tracking compliant today

Try for free