The GDPR is a EU regulation that represents the most significant initiative on data protection in 20 years. The purpose is to protect “natural persons with regard to the processing of personal data and on the free movement of such data”, e.g. the website user. Cookies are mentioned once in the 88 pages long regulation. However, those few lines have a significant impact on the compliance of cookies: (30): “Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” In other words: when cookies can identify an individual, it is considered personal data.
GDPR and cookies