Got Cookies? Here’s a Recipe for GDPR Website Compliance


News on the internet travels as fast as light. Therefore, I wouldn’t be surprised if you have already heard about General Data Protection Regulation (GDPR) before–the latest law affecting worldwide internet privacy.

The widespread coverage on GDPR is relevant, since every company that comes in contact with someone located in the EU can potentially be fined for infringement.

Here’s a guide on what you really need to know about how GDPR will affect your website’s cookie policy. It may be the difference in smooth sailing or paying a huge fine.

For starters, it helps to cover cookies (internet cookies of course), GDPR regulations and the steps required to make sure your website is compliant.

What are cookies and what are they used for?

Some websites store information files in your browser called cookies. They are added to your browser when you visit the website (or perform a specific action in the website) and remain there until you erase them or they expire.

The main purpose of cookies is so that the website can “remember” a visitor and provide a better experience in following visits.

Financial and service companies can use cookies to serve custom user interfaces (i.e. “Welcome back, John”), auto-fill login credentials, recommend products and services based on the user´s on-site activity, and retaining customer address and payment information. Even Google Analytics uses cookies to track users who visit your website.

Cookies are also used for advertising purposes. They enable advertisers to potentially use targeting methods based on website activity and allow them to deploy retargeting ads. Ever browse a specific product on Amazon and then see ads of that exact same product all over the place? Those are advertisers using cookies to show you ads.

Cookies exist in almost all modern websites. Using cookies is totally legal and acceptable and has no “dark” purpose. Your website is probably using them, and there is no reason to discontinue their usage.

What is the GDPR?

The General Data Protection Regulation is a European regulation that came into force on May 25, 2018. The aim of GDPR is to put individuals back in control of their personal data and make EU citizens aware of the kind of data held by institutions. GDPR could be a deathblow to the misuse of online data.

For businesses, GDPR creates a set of problems that must be addressed immediately. You will need to ask permission more often and explain exactly how you use data. Also, you will need to be more transparent as to how you share user data with third-party providers.

GDPR is not a knee-jerk reaction to recent data breaches or specific threats. It has been thoroughly discussed over three years with several institutions and it is not the first time EU lawmakers are regulating the use of visitors’ data. However, GDPR is the strongest regulation of its kind up to date.

Does GDPR affect my business even if I am not based in the EU?

GDPR may affect any website that tracks users’ browsing activities, regardless of where the website behind the business is located.

Having mentioned this, there are, of course, certain subtleties depending on the relationship of your business with EU based customers.

If your company has direct business with clients based in the EU or it is advertising to users located in the EU then it must fully comply with GDPR.

However, if your business does not serve clients in the EU and your website is specifically created for the US market then you do not have to worry about GDPR. But, if your website has references to EU users and customers then GDPR will apply.

What are the risks of being non-compliant?

Failure to comply can result in major fines. The fines will range from 20 million Euros, or up to 4% of global annual turnover — whichever is greater.

Hilton Was Fined $700,000 for a Data Breach. But under GDPR, it would be $420 million. This comparison is a great example of how GDPR completely changes the game in terms of fines.

Currently, not even regulators are ready to enforce the law. They are figuring out how to oversee so many websites. Therefore, we recommend taking advantage of this time buffer to get your GDPR compliance ready. The full wrath of regulators will be felt soon. If you are still not complaint read on.

How does GDPR affect cookie policies?

This law goes well beyond the regulation of how cookies are used. But to comply with the full scope of the law cookies are an essential element you need to consider. The repercussions for any organization that uses cookies to track users’ browsing activity can be significant.

Some of the main cookie policies affected by GDPR include user consent and affirmation:

  • Consent must be given affirmatively by users visiting your website by clicking an opt-in box or choosing settings or preferences on a settings menu. Consent can no longer be implied.
  • You must make it possible to both accept and reject cookies on your website. If a user accepts cookies they need to have an opt-out option if they change their mind.
  • Users who do not give cookie consent should have access to the same functions of the website.
  • If you ask for consent through opt-in boxes in a settings menu, users must always be able to return to that menu to adjust their preferences.
  • Every 12 months, the consent should be renewed upon the user’s first visit to the site.

We review the more technical aspects of compliance in the next section.

How to ensure your website is GDPR compliant

There are a few basic steps every company should take as soon as possible to make sure they are fully compliant to GDPR.

Let’s say you are a New York based finance firm that seeks to attract leads in Germany with a white paper. What would you need?

  • A cookie consent affirmation pop-up that explicitly states what cookies are used by the website. This also means that you should not be tracking users on your website with Google Analytics until they give you specific permission to do so.
  • A checkbox (without a pre-checked X in it) that confirms the user agrees to be contacted. If you are sharing their contact info with third parties you will need to add an additional checkbox.
  • Explain in the form what you will be doing with the email address and any additional data you collect.
  • The consent form must explain exactly how users’ data is going to be used.
  • In case there is a data breach in your company you need to be ready to inform regulators within 72 hours.
  • Review and identify all the personal customer information that you and your third-party partners collect and store on your website and distribute. For example, what information are you collecting and are you and your third-party partners asking permission to collect this information?


Pro tips: You can check whether cookies are enabled or disabled on your website here. You can check what cookies are installed in your browser here and which cookies does a specific site use here. You may remove your cookies anytime by erasing your browsing history.


Interested in discussing how we can help your website become GDPR compliant? Let’s talk.