by M2Ys4U 2062 days ago
Cookies aren't regulated by the GDPR[0] but instead by the ePrivacy Directive.[1]

Article 5(3) of that directive states that

"Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user."

In other words, unless the cookies are strictly necessary for providing you with the service, then you must provide users with information about what the cookies are used for, and you must offer an opt-out.

(It's also worth pointing out the generality of this Directive: it doesn't only apply to cookies, but also to things like localStorage.)

The ePrivacy Directive is, as its name suggests, a Directive which is addressed to member states of the European Union, which have all written it into domestic law.

In the UK, for example, it was implemented as PECR[2].

[0] The ePrivacy Directive does reference the old legislation that the GDPR replaces, so you should consider the reference in the ePD to Directive 95/46/EC as a reference to the GDPR. This means the standard of "consent" is the GDPR's standard now.

[1] https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A...

[2] https://ico.org.uk/for-organisations/guide-to-pecr/what-are-...