Cookies are an important tool that can give businesses a great deal of insight into their users’ online activity. Despite their importance, the regulations governing cookies are split between the GDPR and the ePrivacy Directive.

Cookies are small text files that websites place on your device as you are browsing. They are processed and stored by your web browser. In and of themselves, cookies are harmless and serve crucial functions for websites. Cookies can also generally be easily viewed and deleted.

However, cookies can store a wealth of data, enough to potentially identify you without your consent. Cookies are the primary tool that advertisers use to track your online activity so that they can target you with highly specific ads. Given the amount of data that cookies can contain, they can be considered personal data in certain circumstances and, therefore, subject to the GDPR.

Before analyzing what the GDPR and the ePrivacy Directive have to say about cookies, it is essential to have a basic understanding of the different types of cookies.

• by their duration: session vs persistent cookies
• by their provenance: first-party vs third-party cookies
• by their purpose:
  • strictly necessary
  • to save user preferences
  • for marketing purposes ("tracking cookies")
  • for statistics / performance tracking

When people complain about the privacy risks presented by cookies, they are generally speaking about third-party, persistent, marketing cookies. These cookies can contain significant amounts of information about your online activity, preferences, and location. The chain of responsibility (who can access a cookies’ data) for a third-party cookie can get complicated as well, only heightening their potential for abuse. Perhaps because of this, the use of third-party cookies has been in decline since the passage of the GDPR