The General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePR) affect how you as a website owner may use cookies and online tracking of visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Is your website compliant with the laws concerning personal data and privacy? What about the cookies? How can you check your website, and how can you meet the requirements? What are the risks if you don’t comply?

What are the rules and regulations for the use of internet cookies?

Internet cookies are set on users’ browsers by websites, and from there, they can track and monitor the users.

That’s why the use of cookies and similar tracking technologies is subject to rules and regulations protecting personal data and privacy.

What laws your website must obey depends on a variety of factors, such as the type and purpose of your website, what sector it belongs to, your location, and where your users come from.

On 25 May 2018, the EU enforced the most strict and encompassing regulation for data protection ever formulated. The General Data Protection Regulation (GDPR) affects all types of websites and blogs that have users from the EU.

This means that even if your website is based in, e.g., the US or Asia, the regulation applies to you if you have EU citizens amongst your users.

Next in line from the EU is the ePrivacy Directive, which is in the process of becoming an actual regulation.

See the world map of data protection laws by the law firm DLA Piper for a visual overview of protection laws defined by geography.

Checklist for compliant cookie consent (GDPR and ePrivacy)

Your website may use cookies, but you need to have your users’ consent to it first. Or, alternatively, have another lawful reason for processing data. In most cases (such as marketing and analytics cookies) however, consent is the only lawful reason that applies.

Personal data in the GDPR is any information relating to a person, directly or indirectly, including data regarding their “physical, physiological, genetic, mental, economic, cultural or social identity” (Article 4 in the law text).

Within this broad definition, cookies that track users’ location or IP address, hold contact information or invoicing details, or that process data about their habits, interests and online behaviour, are all subject to the GDPR.

If you have any such cookies in operation on your website, you need your users’ consent prior to the setting of the cookies.

For the cookie consent to be compliant, it has to meet the following GDPR and ePrivacy requirements:

See Article 7, Conditions for consent, for the original phrasing in the GDPR.

How do I get compliant cookies?

In reality, cookies in and of themselves cannot be compliant. It’s what you do with the cookies that matters, e.g. that they are paused until proper consent has been obtained for their operation, and that the data they track is sent only to adequate countries, etc.

To meet the requirements and obtain full cookie compliance on your website, you need to implement the following on your website:

You can develop and maintain these elements yourself, or you can subscribe to a consent management tool that takes care of these processes for you.
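As an added example (not code from this page or from Cookiebot), the following shows the two mechanics described above: non-essential tracking scripts stay paused until the visitor has opted in to their category, and the consent prompt is shown again once the stored consent is older than the 12-month renewal interval mentioned later on this page. It assumes, as a convention of this example only, that consent is stored as URL-encoded JSON in a first-party cookie named `cookie_consent`, that each script is tagged with a category, and that the categories are `necessary`, `preferences`, `statistics` and `marketing`; the sample script list is constructed for the example.

```javascript
// Added example (not from the page or Cookiebot): consent-gated activation of tracking scripts.
// Assumed, not from the page: consent lives in a first-party cookie "cookie_consent" holding
// URL-encoded JSON with one boolean per category and a "timestamp" in ms since the epoch.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed sample of scripts a site might embed. In the browser these would be inert
// <script type="text/plain" data-category="..."> tags that are only activated after consent.
const SAMPLE_SCRIPTS = [
  { id: "session-handler", category: "necessary", src: "/js/session.js" },
  { id: "web-analytics", category: "statistics", src: "https://analytics.example/collect.js" },
  { id: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
];

// Turn the raw cookie value into a consent object. Anything missing, malformed or not an
// explicit boolean `true` counts as "no consent"; "necessary" can never be switched off.
function parseConsent(cookieValue) {
  const consent = { necessary: true, preferences: false, statistics: false, marketing: false, timestamp: null };
  if (!cookieValue) return consent; // nothing recorded yet: only necessary scripts may run
  let record;
  try {
    record = JSON.parse(decodeURIComponent(cookieValue));
  } catch (e) {
    return consent; // corrupted or tampered cookie: fail closed and treat as no consent
  }
  if (!record || typeof record !== "object") return consent;
  for (const category of CATEGORIES) {
    if (category !== "necessary" && record[category] === true) consent[category] = true;
  }
  if (typeof record.timestamp === "number") consent.timestamp = record.timestamp;
  return consent;
}

// Keep only the scripts whose category the visitor opted in to (necessary ones always run).
function selectAllowedScripts(scripts, consent) {
  return scripts.filter((s) => s.category === "necessary" || consent[s.category] === true);
}

// The prompt is shown on the first visit and again once the stored consent is older than
// maxAgeDays (365 days, matching the yearly renewal interval the page mentions).
function needsConsentPrompt(consent, nowMs, maxAgeDays = 365) {
  if (consent.timestamp === null) return true;
  return nowMs - consent.timestamp > maxAgeDays * 24 * 60 * 60 * 1000;
}

// Browser-only part: read the consent cookie and activate the permitted inert <script> tags.
// Guarded so the pure functions above can be exercised outside a browser as well.
function activateAllowedScripts() {
  if (typeof document === "undefined") return [];
  const match = document.cookie.match(/(?:^|;\s*)cookie_consent=([^;]*)/);
  const consent = parseConsent(match ? match[1] : "");
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-category]'));
  const allowed = selectAllowedScripts(
    tags.map((t) => ({ id: t.id, category: t.dataset.category, node: t })),
    consent
  );
  for (const entry of allowed) {
    const live = document.createElement("script");
    const src = entry.node.getAttribute("src");
    if (src) live.src = src; else live.textContent = entry.node.textContent;
    entry.node.replaceWith(live); // replacing the inert tag with a live one executes it
  }
  return allowed.map((a) => a.id);
}
```

The important property is that the default is closed: an absent, malformed or non-boolean consent value never enables a non-essential category, so a broken cookie cannot silently turn tracking on.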

Cookiebot is a fully compliant consent management solution for your website featuring the following functions:

Read more about the functions on Cookiebot’s functions page.

Cookie checker: Does my website set cookies? Test my website

Many website owners themselves don’t have the complete picture of what cookies are in operation on their own website.

This is due to the nature of cookies: they can be of first or third party provenance, be temporary or permanent, and serve a vast number of different purposes.

In other words, website cookies are numerous and inconsistent, and getting an insight once and for all won’t do, as they tend to change often.

Try our website scan, if you are in doubt about the cookies on your website.

The free version audits up to five pages of your website and sends you a complete report about the cookies and known tracking technologies in use on these pages, including information about their provenance, duration and purpose.

Sign up to Cookiebot if you want a complete and regular scan of all of the pages on your site. With Cookiebot, you can easily take care of all of the aspects of your website cookies, so that their use is compliant with data protection regulations and privacy laws.

What is a compliant cookie message?

A compliant cookie message gives full transparency and disclosure about the cookies in operation on the website, without overwhelming the user (this is an actual requirement in the GDPR).

The compliant cookie message informs the user about what cookies are in operation, for what purpose, their duration and their provenance, along with the possibility to prevent them from being launched.

The compliant cookie message displays on the website upon the user’s first visit to the site, and then again, if the user has consented to cookies, upon the user’s first renewed visit once 12 months have elapsed (the GDPR only requires that consent be “regularly renewed”; the ePrivacy Directive suggests once a year).

Here is one of Cookiebot’s cookie message templates:

[Image: compliant cookie banner]

The user can opt in and out of the different categories of cookies directly in the banner. Detailed information about all of the cookies folds out directly from the banner:

[Image: Cookiebot banner displaying cookies grouped by categories]

Test your website and get a quote, or sign up to Cookiebot directly and get hassle-free cookie compliance for your website today!


The GDPR (official law text)

The ePrivacy Directive (official law text)

World map of data protection laws by DLA Piper

Lawfulness of processing (Article 6 GDPR)

Conditions for consent (Article 7 GDPR)

Make your website’s use of cookies and online tracking GDPR/ePR compliant today

Try for free