Is a Cookie Policy Required Under GDPR?

Yes, under the General Data Protection Regulation (GDPR), a cookie policy is required if your website uses cookies that collect personal data or track user behavior. This applies even if your business is located outside the EU, as long as you target or monitor users within the EU or EEA.

A cookie policy is a document that informs users about the types of cookies your website uses, why they are used, how long they remain active, and how users can manage or withdraw their consent. It is typically part of your broader privacy documentation, either as a standalone policy or included within your privacy policy.

Under GDPR and the ePrivacy Directive (2002/58/EC, also known as the “Cookie Law”), transparency and informed consent are essential. A clear and accessible cookie policy helps you:

• Comply with legal obligations by informing users about data collection.
• Gain valid consent for non-essential cookies (e.g., for tracking or marketing).
• Build trust by demonstrating a commitment to user privacy.

To comply with GDPR and ePrivacy requirements, your cookie policy should clearly state:

• What cookies are and why they are used.
• Which types of cookies your website sets (e.g., necessary, analytics, marketing).
• A list of cookies used, including their names, purpose, and expiration.
• Information about third-party cookies.
• How users can manage or revoke consent (e.g., via a cookie banner or settings panel).
• Links to your privacy policy and any relevant tools.

The legal basis for using cookies that are not strictly necessary is explicit consent under:

This means users must take an affirmative action — such as clicking “Accept” — before you can store or access non-essential cookies on their device.

Conclusion

If your website uses any non-essential cookies, a cookie policy is not only recommended — it is required by law. Make sure your policy is up to date, accessible, and consistent with your consent management practices.

By combining a transparent cookie policy with a compliant cookie banner, you ensure your site meets GDPR and ePrivacy requirements and respects user privacy.