GDPR Violation by Cookies

Yes, something as simple as cookies!

Most businesses have websites that use browser tracking ‘cookies’ or capture some private information from customers/visitors. A visit by an EU citizen could bring you into the scope of the GDPR… and you would not even know until it's too late.

GDPR on Cookies

Cookies are mentioned once in the GDPR, in Recital 30:

Natural persons may be associated with online identifiers…such as internet protocol addresses, cookie identifiers or other identifiers…. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

What this essentially tells us is that cookies, where they are used to uniquely identify the device, or in combination with other data, the individual associated with or using the device, should be treated as personal data.

This position is also reinforced by Recital 26, which states that where data can reasonably be used, either alone or in conjunction with other data, to single out an individual or otherwise identify them indirectly, then it is personal data.

The use of pseudonymous identifiers (like strings of numbers or letters), which is what cookies typically contain to give them uniqueness, still makes them personal data.

So under the GDPR, any cookie or other identifier that is uniquely attributed to a device, and is therefore capable of identifying an individual or treating them as unique even without identifying them, is personal data.

This will certainly cover almost all advertising/targeting cookies, lots of web analytics cookies, and quite a few functional services like survey and chat tools that record user IDs in cookies.