Go to content
How does GDPR affect cookie usage?

Also see: Studio 24’s practical guide to GDPR

Cookies are used to track users. Where possible, we advise limiting the use of cookies and the length of time they exist for.

However, they are necessary for a wide range of services on websites, for example:

  • Shopping cart – session cookie to remember user’s cart
  • Multi-page form – session cookie to remember data from page-to-page
  • Form security – sessions to store temporary data to stop cross-site request forgery (CSRF) attacks

We believe the above examples constitute “legitimate interest” lawful basis for GDPR.

We recommend running all sites using cookies over HTTPS (in fact, just use HTTPS on all your websites).

The upcoming ePrivacy regulation (see below) states the responsibility for blocking first or third-party cookies should move to web browsers and that cookie banners are ineffective and unnecessary. We agree with this.

We recommend having a clear privacy statement and you do all you can to minimise user tracking via cookies.

Please note, this means third-party cookies too. For example, using social network sharing tools can be convenient but they often come with a lot of unnecessary tracking. Make sure you know what third party services track your users!

Analytics cookies

The big question is how analytics cookies, such as Google Analytics, are affected by GDPR.

Technically any identifiable personal data needs to gain permission from the user. However, it is not technically feasible to ask for permission first then set Google Analytics cookies (since you lose around 80% of your traffic data). Due to this, we’ve seen a proliferation of cookie banners on the web, which users mostly ignore.

The upcoming ePrivacy regulation (see below) states the responsibility for blocking first or third-party cookies should move to web browsers and that cookie banners are ineffective and redundant. We agree with this.

Analytics tools set third-party cookies, which users are going to be more and more likely to block in the future. Other tools, such as Matomo, offer options to track analytics data on your own domain which mean they use first-party cookies and are less likely to be blocked.

However, Google Analytics does not respect Do Not Track settings in browsers which allow users to opt-out of tracking. We recommend adding JavaScript to block Google Analytics if they have Do Not Track set, see the guide here. 

You also need to ensure you are not sending any personal information in page URLs:

  • Review page URLs, titles and other data dimensions and make sure that no other personally identifiable information is being collected. An example of this could be capturing a page URL containing: “email=querystring” parameter.
  • Make sure that you are not tracking the data users enter into forms on your website as this will be collected by GA
  • Filters do not apply enough cover for being compliant, the data collected will still be processed by GA, this must be addressed at code level.

By default, the only information (aside from any other set up you have) GA really stores is IP address, this is used for geolocation. This is relatively simple to adjust so you are not storing a user’s full IP address.

There is an ‘anonymization’ feature in GA, this can be added at code level OR if you are using Tag Manager you can edit your GA settings variable like this:

  1. Go to your Google Analytics settings variable in Google Tag Manager,
  2. Click on ‘more settings’
  3. Choose fields to set, then add a new field named ‘anonymizeIp’ set value to ‘true’

Alternatively, you can edit this at code level, see more on how to do this. The impact of this is your geographic reporting will be slightly affected, and accuracy slightly reduced.

ePrivacy regulation and a better future for cookie consent

The EU is also revamping ePrivacy legislation, which was due to come into force on 25th May but is at present still in discussion with EU governments. That’s a shame since it included guidelines to simplify the use of cookies on websites.

The ePrivacy guidelines recognise the current cookie consent popups do not work. They recommend focus shifts to web browsers and device manufacturers, who need to make privacy and cookie options clearer to users allowing them to easily opt out of things like third-party tracking.

If and when the ePrivacy law is approved, there will no longer be a requirement for cookie consent banners for common use cases. The current ePrivacy draft law includes:

  • “storing of cookies for the duration of a single established session on a website to keep track of the end-users input when filling in online forms over several pages”
  • “measuring web traffic to a website”

You would still have to gain explicit user consent for any potentially intrusive user tracking, then you do need to gain consent. For example, if you’re a social network tracking users across the web.

See more on Heather Burn’s excellent blog on ePrivacy and the cookie law.