
Cookies: how to comply with GDPR/ePrivacy?

The purpose of this article is to inform professionals and help them comply with their legal obligations when using cookies on their website, in accordance with the European Data Protection Regulation (GDPR) and the European e-privacy Directive 2002/58/EC (ePrivacy).

Any organization with a website should ensure that it publishes the necessary information about the cookies its website uses. This can be done through a dedicated article in the website's Privacy Policy or in a dedicated cookie policy, and this information should be accessible via a direct link from every web page on the site. Information on the use of cookies is distinct from general terms and conditions of sale, or general terms and conditions of use, which serve other purposes and meet different legal obligations of the website owner.

What is a cookie?

A cookie is a text file automatically saved in the browser of any User when visiting a website. This text file may contain personal data and/or information relating to the browsing habits of any User visiting a website.

Why is it important to detail the use of cookies on your site according to GDPR/ePrivacy?

  1. Cookies can sometimes be used to identify an individual, making them personal data.

  2. Cookies collect and store information, and are therefore part of data processing.

What are your obligations under the GDPR/ePrivacy?

You can keep your cookie policy separate from your privacy policy, or include the mandatory cookie information in a clause of your privacy policy.

In both cases, it is important that visitors to your site are given the following information:

  • Which cookies are used

  • What personal data is collected by the cookies used

  • How long cookies last and how personal data collected by each cookie is stored

  • Who is the supplier of each cookie

  • What each cookie does

  • What happens to the data collected and processed via cookies, and whether it is shared with anyone else

  • How users can modify cookie settings or revoke their consent.

Do I need a cookie banner?

When users visit your website for the first time, they must be informed about its use of cookies: the information set out above must be made available to them, in accordance with the GDPR and ePrivacy.

To do this, a cookie banner must appear on your site, and this banner must meet the following requirements:

  • Inform users that your website uses cookies

  • Clearly indicate which action will signify the user's specific consent

  • Be sufficiently visible for all cookie information to be perceptible and understandable

  • Have a link to a cookie/privacy policy or make available to the user details of the purposes of cookies, their use and related third-party activities.

It is very common to use an external service provider to analyze cookies and document their use on a website. These providers usually offer an all-inclusive package that allows you to add a compliant banner to your site that manages the cookies used by your site and ensures that they are blocked in the event of non-consent by a user.

MERCASAFE recommends CookieFirst© for general cookie management and banner installation on your site.

Need help writing your privacy and cookies policy?

The MERCASAFE Privacy and Cookie Policy template is available in our Mercasafe Packages for your site and at prices tailored to small and medium-sized businesses.

