[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"blog-slug_blog_3_1":3,"blog-slug_blog_cookies-101_1000_1":40},{"article":4,"articles":15,"meta":33,"languages":39},{"id":5,"title":6,"excerpt":7,"locale":8,"slug":9,"authorSlug":10,"automaticTranslated":11,"publishedAt":12,"updatedAt":13,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3060,"The EU wants to kill cookie banners","The EU wants to end annoying cookie pop-ups by letting users set their consent once in their browser. If passed, websites will have to respect those choices.","en","the-eu-wants-to-kill-cookie-banners-by-moving-consent-to-your-browser","iron-brands",false,"2025-11-20T05:40:14.356Z","2025-11-20T06:13:15.812Z","blog",[4,16,26],{"id":17,"title":18,"excerpt":19,"locale":8,"slug":20,"authorSlug":10,"automaticTranslated":11,"publishedAt":21,"updatedAt":22,"ctaTitle":23,"ctaDescription":24,"doFollowLinks":11,"showIndex":25,"showCallToActions":11,"articleType":14},3019,"Google is tracking you (even when you use DuckDuckGo)","Google tracks users even on DuckDuckGo via Analytics and embeds. A new study shows how deep Google’s web tracking really goes.","google-is-tracking-you-even-when-you-use-duck-duck-go","2025-07-14T08:56:41.709Z","2025-07-14T11:26:01.386Z","If you care about privacy, you don't use Google Analytics","Ditch the tracking, keep the insights. Try Simple Analytics.",true,{"id":27,"title":28,"excerpt":29,"locale":8,"slug":30,"authorSlug":10,"automaticTranslated":11,"publishedAt":31,"updatedAt":32,"doFollowLinks":11,"showIndex":11,"showCallToActions":11,"articleType":14},3018," German court rules Meta’s tracking tech violates GDPR","German court rules Meta’s tracking tech violates GDPR, allowing lawsuits without proof of harm. 
Big risks ahead for sites using Meta pixels.","german-court-rules-meta-s-tracking-tech-violates-gdpr","2025-07-10T08:20:51.111Z","2025-07-10T12:16:26.327Z",{"pagination":34},{"page":35,"pageSize":36,"pageCount":37,"total":38},1,3,362,1084,{},{"article":41},{"contentHtml":42,"content":43,"inlineMedia":44,"id":46,"title":47,"excerpt":48,"locale":8,"slug":49,"authorSlug":50,"automaticTranslated":11,"publishedAt":51,"updatedAt":52,"doFollowLinks":11,"showIndex":25,"showCallToActions":25,"articleType":14,"languages":53},"\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">When people discuss online privacy, cookies always come up. But how do cookies work, and what rules apply?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">You might think that cookies need consent. After all, so many websites annoy you with cookie banners! But the rules are more complex than that and not all cookies are treated equally by the law. So, let’s shed some light on cookies and their legal requirements in the EU.\u003C/ContentEditable>\n\u003Col class=\"counters\">\u003Cli>\u003CNuxtLink to=\"#what-are-cookies-and-what-are-they-for\">What are cookies, and what are they for?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#how-are-cookies-regulated-in-europe\">How are cookies regulated in Europe?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-types-of-cookies-are-there\">What types of cookies are there?\u003C/NuxtLink>\u003Col>\u003Cli>\u003CNuxtLink to=\"#first-party-vs-third-party\">First-party vs. third-party\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#essential-vs-non-essential\">Essential vs. non-essential\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#unique-vs-non-unique\">Unique vs. 
non-unique\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#how-are-cookies-regulated\">How are cookies regulated?\u003C/NuxtLink>\u003Col>\u003Cli>\u003CNuxtLink to=\"#non-essential-cookies-require-consent\">Non-essential cookies require consent…\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#-but-essential-cookies-do-not\">… but essential cookies do not\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#extra-rules-from-the-gdpr-may-apply\">Extra rules from the GDPR may apply\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-if-i-use-cookies-for-multiple-purposes\">What if I use cookies for multiple purposes?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#consent-is-opt-in\">Consent is opt-in\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#what-about-apps\">What about apps?\u003C/NuxtLink>\u003C/li>\u003Cli>\u003CNuxtLink to=\"#are-cookies-good-for-web-analytics\">Are cookies good for web analytics?\u003C/NuxtLink>\u003C/li>\u003C/ol>\u003CCtaTwo />\u003CContentEditable  id=\"what-are-cookies-and-what-are-they-for\" parent=\"\" tag=\"h2\" :articleId=\"2424\">What are cookies, and what are they for?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Cookies are small files stored inside your browser that exchange information with the server whenever you browse a website.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">While cookies are often associated with web analytics, they are used for all sorts of different purposes. Plenty of websites use cookies for anti-fraud, web security, and automated log-ins.
The purpose of cookies matters because not all cookies are treated the same under EU law- more on that later.\u003C/ContentEditable>\n\u003CContentEditable  id=\"how-are-cookies-regulated-in-europe\" parent=\"\" tag=\"h2\" :articleId=\"2424\">How are cookies regulated in Europe?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Cookie rules are somewhat complex in the EU, so here is a short tl;dr to make it less confusing:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>If your cookies are essential for your website to function, then \u003Cstrong>you do not need consent\u003C/strong>.\u003C/li>\n\u003Cli>If your cookies are not essential, then you need \u003Cstrong>opt-in consent\u003C/strong> for using them. This typically means displaying a \u003Cstrong>cookie banner\u003C/strong>.\u003C/li>\n\u003Cli>If your cookie has a \u003Cstrong>unique identifier\u003C/strong>, then you have some duties under the GDPR. You may still be able to place those cookies without consent, if they are essential.\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Again, this blog \u003Cstrong>will refer to EU law only\u003C/strong>. Different legislations regulate cookies differently: for instance, the UK and Brazil are closely aligned with European laws, while US regulations are typically more permissive.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-types-of-cookies-are-there\" parent=\"\" tag=\"h2\" :articleId=\"2424\">What types of cookies are there?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">While all cookies function in a similar way, there are some distinctions between them, some of which matter for the law.\u003C/ContentEditable>\n\u003CContentEditable  id=\"first-party-vs-third-party\" parent=\"\" tag=\"h3\" :articleId=\"2424\">First-party vs. 
third-party\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">First-party cookies can be read only by the domain that wrote them in your browser, while third-party cookies can be read by different domains as well.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">For instance, if you visit Facebook and accept Meta’s \u003Cstrong>third-party cookies\u003C/strong>, other websites will be able to read those cookies as well. This allows Meta to “personalize your experience” (read: serve targeted advertising based on invasive profiling, both on Facebook \u003Cem>and\u003C/em> when browsing other websites that rely on Meta for placing ads).\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">On the other hand, if you accept \u003Cstrong>first-party cookies\u003C/strong> from \u003Cem>\u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"http://www.coolwebsite.com/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">www.coolwebsite.com\u003C/a>\u003C/em>, the site will be able to read them, but a different domain such as \u003Cem>\u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"http://www.awesomewebsite.com/?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">www.awesomewebsite.com\u003C/a>\u003C/em> won’t.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Third-party cookies are \u003Cstrong>highly invasive\u003C/strong>. This is why so many Internet users go out of their way to install \u003Cstrong>ad blockers\u003C/strong>, and why many browsers block third-party cookies or limit the snooping in other ways (such as the cookie jars in Mozilla Firefox).
This general backlash against cookies has been dubbed \u003Ca referrerpolicy=\"strict-origin-when-cross-origin\" href=\"https://www.eff.org/deeplinks/2019/07/adblocking-how-about-nah?utm_source=simpleanalytics.com\" target=\"_blank\" rel=\"noopener nofollow\">the biggest boycott in human history\u003C/a> and is making third-party cookies increasingly ineffective as a retargeting tool.\u003C/ContentEditable>\n\u003CContentEditable  id=\"essential-vs-non-essential\" parent=\"\" tag=\"h3\" :articleId=\"2424\">Essential vs. non-essential\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Essential cookies are cookies that an app or website needs in order to work properly. For instance, cookies that are used to prevent DoS attacks against websites are essential, while web analytics cookies are non-essential.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">This is the main distinction from a legal point of view because non-essential cookies \u003Cstrong>always require consent\u003C/strong> under EU law (more on that later). In fact, non-essential cookies are sometimes referred to as \u003Cem>optional\u003C/em> because of their generally stricter regulation under the law.\u003C/ContentEditable>\n\u003CContentEditable  id=\"unique-vs-non-unique\" parent=\"\" tag=\"h3\" :articleId=\"2424\">Unique vs. non-unique\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Finally, let’s take a look at a third and often overlooked distinction. Some cookies include a \u003Cstrong>unique identifier\u003C/strong>- that is, a string of numbers that identifies an individual user (or more exactly, their browser).
This identifier allows a website to monitor an individual user because no two cookies are the same.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Common web analytics tools like Google Analytics and Adobe Analytics use identifying cookies to track people around the Internet and profile them based on their browsing habits. So, these are the kinds of cookies privacy advocates (rightly) complain about. But identifying cookies have different, less invasive uses as well: for instance, many websites use them for anti-fraud, and e-commerce platforms often use them to track the products in your cart.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Unique identifiers are relevant from a legal viewpoint because they count as personal data. So, \u003Cstrong>cookies with unique identifiers are always personal data\u003C/strong> and fall under the GDPR while cookies without unique identifiers do not.\u003C/ContentEditable>\n\u003CContentEditable  id=\"how-are-cookies-regulated\" parent=\"\" tag=\"h2\" :articleId=\"2424\">How are cookies regulated?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Cookie rules are mainly found in two legal sources: the \u003Cstrong>GDPR\u003C/strong> and the \u003Cstrong>ePrivacy Directive\u003C/strong>.
The regulation of cookies is somewhat complicated because the two laws differ in terms of criteria, terminology, and scope.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">As we anticipated in our \u003Cem>tl;dr\u003C/em>:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>Non-essential cookies always require opt-in consent.\u003C/li>\n\u003Cli>Essential cookies do not require consent at all.\u003C/li>\n\u003Cli>Some cookies come with other requirements under the GDPR- whether they are essential or not.\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Let’s break these rules down bit by bit.\u003C/ContentEditable>\n\u003CContentEditable  id=\"non-essential-cookies-require-consent\" parent=\"\" tag=\"h3\" :articleId=\"2424\">Non-essential cookies require consent…\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">The ePrivacy Directive (more exactly, Article 5(3)) requires consent to access data stored on a user’s terminal equipment. This means that cookies can only be used with consent, but there are carve-outs, as we will see.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">The Article also applies to \u003Cstrong>technologies other than cookies\u003C/strong> because it is worded very broadly. For instance, built-in trackers in mobile apps also require consent, as do advertising identifiers for mobile devices such as Google’s AAID or Apple’s IDFA.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">This mandatory consent rule is stricter than those found in the GDPR.
The notion that the GDPR is all about consent is misleading, as there are absolutely legitimate ways to collect data without consent (\u003CNuxtLink to=\"/blog\"  >as we explained here\u003C/NuxtLink>).\u003C/ContentEditable>\n\u003CContentEditable  id=\"-but-essential-cookies-do-not\" parent=\"\" tag=\"h3\" :articleId=\"2424\">… but essential cookies do not\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">The Directive includes a carve-out for data which are \u003Cem>“strictly necessary to provide an information society service”\u003C/em> at the user’s request.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">This carve-out is interpreted quite broadly by regulators and covers all the data which websites and apps need in order to function. This is why \u003Cstrong>essential cookies do not require consent\u003C/strong>, as we anticipated.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">For instance, let’s say you visit an ecommerce website and change the language to Spanish. Your language preference is probably stored through a cookie. This is an essential cookie: if you are to browse the website, then the website \u003Cem>needs\u003C/em> to display its content in a language that you can understand. So, the website does not need your consent in order to place that.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">But if the same website wants to use Google Analytics cookies, it needs your consent. This is because web analytics and retargeting are extra things that the website wants but does not \u003Cem>need\u003C/em> to do.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">(On a side note, the ePrivacy Directive includes a second carve-out for data which are strictly necessary to make communication possible.
This carve-out doesn’t typically apply to cookies but is still worth mentioning.)\u003C/ContentEditable>\n\u003CContentEditable  id=\"extra-rules-from-the-gdpr-may-apply\" parent=\"\" tag=\"h3\" :articleId=\"2424\">Extra rules from the GDPR may apply\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">The GDPR and the ePrivacy Directive do not have the same scope: the GDPR applies to personal data, while the ePrivacy Directive (and Article 5 specifically) applies to all communication data whether they are personal data or not. This makes things a little complicated because some cookies fall under both the ePrivacy Directive \u003Cem>and\u003C/em> the GDPR, while others only fall under the ePrivacy Directive.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Explaining it all in detail would make this blog too long, but in a nutshell:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>The cookies that fall under the GDPR are, again, the ones that contain a \u003Cstrong>unique identifier\u003C/strong>.\u003C/li>\n\u003Cli>If the GDPR applies, \u003Cstrong>some general rules also apply\u003C/strong> (for instance, \u003CNuxtLink to=\"/blog/gdpr-101-legal-bases\"  >legal bases\u003C/NuxtLink>, duties of information, the right to access data, and so on).\u003C/li>\n\u003Cli>\u003Cstrong>Just because the GDPR applies does not mean that you need consent!\u003C/strong> Cookies with unique IDs can still be used without consent \u003Cem>if they are essential\u003C/em>.
In the example above, the unique cookies used by e-commerce websites to track the items in your cart are essential cookies and are exempt from the consent requirement.\u003C/li>\n\u003C/ul>\n\u003CContentEditable  id=\"what-if-i-use-cookies-for-multiple-purposes\" parent=\"\" tag=\"h3\" :articleId=\"2424\">What if I use cookies for multiple purposes?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Sometimes cookies are used for multiple purposes. For instance, you may use the same cookie for both anti-fraud \u003Cem>and\u003C/em> web analytics.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">You can see why multiple-purpose cookies are problematic. Non-essential cookies require consent while essential cookies don&#39;t. What about cookies that fulfill both essential \u003Cem>and\u003C/em> non-essential purposes?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Thankfully, the European Data Protection Board chimed in on this a while ago: as long as \u003Cem>any individual purpose\u003C/em> is not essential, the cookie requires consent. This important clarification closes dangerous loopholes that would otherwise allow for non-consensual tracking.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">The practical takeaway is to \u003Cstrong>avoid using the same cookies for essential and non-essential purposes\u003C/strong>. This allows you to respect user choice and still be able to write all the essential cookies that make your website work.\u003C/ContentEditable>\n\u003CContentEditable  id=\"consent-is-opt-in\" parent=\"\" tag=\"h3\" :articleId=\"2424\">Consent is opt-in\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Consent is a complex subject.
We can only scratch the surface here, but it is worth pointing out that only \u003Cstrong>active, opt-in consent\u003C/strong> is valid. There is no such thing as an implicit or opt-out consent under the GDPR!\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">The rule of opt-in consent has important consequences for web analytics:\u003C/ContentEditable>\n\u003Cul>\n\u003Cli>Your cookie banner must use affirmative wording such as \u003Cem>“I accept cookies”\u003C/em> or \u003Cem>“I consent to the use of cookies”\u003C/em>. Avoid ambiguous language like \u003Cem>acknowledging\u003C/em> cookie use.\u003C/li>\n\u003Cli>Your website should not write non-essential cookies until the user makes a choice. Ignoring the cookie banner and scrolling on is not a choice, and the same goes for clicking a “close/X/dismiss” button.\u003C/li>\n\u003C/ul>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">There is \u003Cem>a lot\u003C/em> more to say about consent and cookies, especially with regards to web analytics, and we may soon come back to the topic.\u003C/ContentEditable>\n\u003CContentEditable  id=\"what-about-apps\" parent=\"\" tag=\"h2\" :articleId=\"2424\">What about apps?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">App tracking is different from cookie-based tracking in that trackers are typically built into the app directly. But, Article 5 of the ePrivacy Directive is very broadly worded and the trackers commonly found in apps fall within its scope.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Long story short, the rule is the same: \u003Cstrong>if the tracking is not strictly necessary, then it requires consent\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">But this requirement is \u003Cstrong>largely ignored\u003C/strong>. 
Most of the app industry uses third-party software development kits (SDKs) which are packed with trackers. These kits collect data to the benefit of the kit’s developer and frequently ignore or circumvent consent rules. The end result is \u003Cstrong>illegal tracking on a planetary scale\u003C/strong>.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">To make things worse, you have less control over your apps than you do over the websites you visit, because you can’t install an ad blocker or check and delete trackers the way you would manage cookies from your browser. This is why every company under the sun is trying to force a crappy app on you.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">\u003Cem>Tl;dr: apps follow the same rules as cookies but companies play dumb.\u003C/em>\u003C/ContentEditable>\n\u003CContentEditable  id=\"are-cookies-good-for-web-analytics\" parent=\"\" tag=\"h2\" :articleId=\"2424\">Are cookies good for web analytics?\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">It depends. Cookie-based analytics services such as Google Analytics and Adobe Analytics can collect fine-grained data, but that data comes at the cost of user privacy. This is an ethical issue and it can become a practical issue in jurisdictions with \u003Cstrong>strict consent requirements\u003C/strong> such as the EU, because cookie banners lead to \u003Cstrong>high opt-out rates\u003C/strong> and inaccurate analytics.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">Simple Analytics can solve the problem. We build our service to provide you with all the insight you need without using cookies and without collecting personal data.
Simple Analytics is a great, privacy-focused alternative to Google Analytics as well as a perfect complement to it- as a means to mitigate the \u003Cstrong>loss of data\u003C/strong> from cookie banners.\u003C/ContentEditable>\n\u003CContentEditable  parent=\"\" tag=\"p\" :articleId=\"2424\">If you are curious, feel free to give us a try!\u003C/ContentEditable>\n","When people discuss online privacy, cookies always come up. But how do cookies work, and what rules apply?\n\nYou might think that cookies need consent. After all, so many websites annoy you with cookie banners! But the rules are more complex than that and not all cookies are treated equally by the law. So, let’s shed some light on cookies and their legal requirements in the EU.\n\n## What are cookies, and what are they for?\nCookies are small files stored inside your browser that exchange information with the server whenever you browse a website.\n\nWhile cookies are often associated with web analytics, they are used for all sorts of different purposes. Plenty of websites use cookies for anti-fraud, web security, and automated log-ins. The purpose of cookies matters because not all cookies are treated the same under EU law- more on that later.\n\n## How are cookies regulated in Europe?\nCookie rules are somewhat complex in the EU, so here is a short tl;dr to make it less confusing:\n\n- If your cookies are essential for your website to function, then **you do not need consent**.\n- If your cookies are not essential, then you need **opt-in consent** for using them. This typically means displaying a **cookie banner**.\n- If your cookie has a **unique identifier**, then you have some duties under the GDPR. You may still be able to place those cookies without consent, if they are essential.\n\nAgain, this blog **will refer to EU law only**.
Different legislations regulate cookies differently: for instance, the UK and Brazil are closely aligned with European laws, while US regulations are typically more permissive.\n\n## What types of cookies are there?\n\nWhile all cookies function in a similar way, there are some distinctions between them, some of which matter for the law.\n\n### First-party vs. third-party\nFirst-party cookies can be read only by the domain that wrote them in your browser, while third-party cookies can be read by different domains as well.\n\nFor instance, if you visit Facebook and accept Meta’s **third-party cookies**, other websites will be able to read those cookies as well. This allows Meta to “personalize your experience” (read: serve targeted advertising based on invasive profiling, both on Facebook _and_ when browsing other websites that rely on Meta for placing ads).\n\nOn the other hand, if you accept **first-party cookies** from _www.coolwebsite.com_, the site will be able to read them, but a different domain such as _www.awesomewebsite.com_ won’t.\n\nThird-party cookies are **highly invasive**. This is why so many Internet users go out of their way to install **ad blockers**, and why many browsers block third-party cookies or limit the snooping in other ways (such as the cookie jars in Mozilla Firefox). This general backlash against cookies has been dubbed [the biggest boycott in human history](https://www.eff.org/deeplinks/2019/07/adblocking-how-about-nah) and is making third-party cookies increasingly ineffective as a retargeting tool.\n\n### Essential vs. non-essential\n\nEssential cookies are cookies that an app or website needs in order to work properly. For instance, cookies that are used to prevent DoS attacks against websites are essential, while web analytics cookies are non-essential.\n\nThis is the main distinction from a legal point of view because non-essential cookies **always require consent** under EU law (more on that later).
In fact, non-essential cookies are sometimes referred to as _optional_ because of their generally stricter regulation under the law.\n\n### Unique vs. non-unique\n\nFinally, let’s take a look at a third and often overlooked distinction. Some cookies include a **unique identifier**- that is, a string of numbers that identifies an individual user (or more exactly, their browser). This identifier allows a website to monitor an individual user because no two cookies are the same.\n\nCommon web analytics tools like Google Analytics and Adobe Analytics use identifying cookies to track people around the Internet and profile them based on their browsing habits. So, these are the kinds of cookies privacy advocates (rightly) complain about. But identifying cookies have different, less invasive uses as well: for instance, many websites use them for anti-fraud, and e-commerce platforms often use them to track the products in your cart.\n\nUnique identifiers are relevant from a legal viewpoint because they count as personal data. So, **cookies with unique identifiers are always personal data** and fall under the GDPR while cookies without unique identifiers do not.\n\n## How are cookies regulated?\nCookie rules are mainly found in two legal sources: the **GDPR** and the **ePrivacy Directive**. The regulation of cookies is somewhat complicated because the two laws differ in terms of criteria, terminology, and scope.\n\nAs we anticipated in our _tl;dr_:\n- Non-essential cookies always require opt-in consent.\n- Essential cookies do not require consent at all.\n- Some cookies come with other requirements under the GDPR- whether they are essential or not.\n\nLet’s break these rules down bit by bit.\n\n### Non-essential cookies require consent…\nThe ePrivacy Directive (more exactly, Article 5(3)) requires consent to access data stored on a user’s terminal equipment.
This means that cookies can only be used with consent, but there are carve-outs, as we will see.\n\nThe Article also applies to **technologies other than cookies** because it is worded very broadly. For instance, built-in trackers in mobile apps also require consent, as do advertising identifiers for mobile devices such as Google’s AAID or Apple’s IDFA.\n\nThis mandatory consent rule is stricter than those found in the GDPR. The notion that the GDPR is all about consent is misleading, as there are absolutely legitimate ways to collect data without consent ([as we explained here](https://www.simpleanalytics.com/blog)).\n\n### … but essential cookies do not\nThe Directive includes a carve-out for data which are _“strictly necessary to provide an information society service”_ at the user’s request.\n\nThis carve-out is interpreted quite broadly by regulators and covers all the data which websites and apps need in order to function. This is why **essential cookies do not require consent**, as we anticipated.\n\nFor instance, let’s say you visit an ecommerce website and change the language to Spanish. Your language preference is probably stored through a cookie. This is an essential cookie: if you are to browse the website, then the website _needs_ to display its content in a language that you can understand. So, the website does not need your consent in order to place that.\n\nBut if the same website wants to use Google Analytics cookies, it needs your consent. This is because web analytics and retargeting are extra things that the website wants but does not _need_ to do.\n\n(On a side note, the ePrivacy Directive includes a second carve-out for data which are strictly necessary to make communication possible.
This carve-out doesn’t typically apply to cookies but is still worth mentioning.)\n\n### Extra rules from the GDPR may apply\nThe GDPR and the ePrivacy Directive do not have the same scope: the GDPR applies to personal data, while the ePrivacy Directive (and Article 5 specifically) applies to all communication data whether they are personal data or not. This makes things a little complicated because some cookies fall under both the ePrivacy Directive _and_ the GDPR, while others only fall under the ePrivacy Directive.\n\nExplaining it all in detail would make this blog too long, but in a nutshell:\n- The cookies that fall under the GDPR are, again, the ones that contain a **unique identifier**.\n- If the GDPR applies, **some general rules also apply** (for instance, [legal bases](https://www.simpleanalytics.com/blog/gdpr-101-legal-bases), duties of information, the right to access data, and so on).\n- **Just because the GDPR applies does not mean that you need consent!** Cookies with unique IDs can still be used without consent _if they are essential_. In the example above, the unique cookies used by e-commerce websites to track the items in your cart are essential cookies and are exempt from the consent requirement.\n\n### What if I use cookies for multiple purposes?\nSometimes cookies are used for multiple purposes. For instance, you may use the same cookie for both anti-fraud _and_ web analytics.\n\nYou can see why multiple-purpose cookies are problematic. Non-essential cookies require consent while essential cookies don't. What about cookies that fulfill both essential _and_ non-essential purposes?\n\nThankfully, the European Data Protection Board chimed in on this a while ago: as long as _any individual purpose_ is not essential, the cookie requires consent.
This important clarification closes dangerous loopholes that would otherwise allow for non-consensual tracking.\n\nThe practical takeaway is to **avoid using the same cookies for essential and non-essential purposes**. This allows you to respect user choice and still be able to write all the essential cookies that make your website work.\n\n### Consent is opt-in\nConsent is a complex subject. We can only scratch the surface here, but it is worth pointing out that only **active, opt-in consent** is valid. There is no such thing as an implicit or opt-out consent under the GDPR!\n\nThe rule of opt-in consent has important consequences for web analytics:\n- Your cookie banner must use affirmative wording such as _“I accept cookies”_ or _“I consent to the use of cookies”_. Avoid ambiguous language like _acknowledging_ cookie use.\n- Your website should not write non-essential cookies until the user makes a choice. Ignoring the cookie banner and scrolling on is not a choice, and the same goes for clicking a “close/X/dismiss” button.\n\nThere is _a lot_ more to say about consent and cookies, especially with regards to web analytics, and we may soon come back to the topic.\n\n## What about apps?\nApp tracking is different from cookie-based tracking in that trackers are typically built into the app directly. But, Article 5 of the ePrivacy Directive is very broadly worded and the trackers commonly found in apps fall within its scope.\n\nLong story short, the rule is the same: **if the tracking is not strictly necessary, then it requires consent**.\n\nBut this requirement is **largely ignored**. Most of the app industry uses third-party software development kits (SDKs) which are packed with trackers. These kits collect data to the benefit of the kit’s developer and frequently ignore or circumvent consent rules.
The end result is **illegal tracking on a planetary scale**.\n\nTo make things worse, you have less control over your apps than you do over the websites you visit, because you can’t install an ad blocker or check and delete trackers the way you would manage cookies from your browser. This is why every company under the sun is trying to force a crappy app on you.\n\n_Tl;dr: apps follow the same rules as cookies but companies play dumb._\n\n## Are cookies good for web analytics?\nIt depends. Cookie-based analytics services such as Google Analytics and Adobe Analytics can collect fine-grained data, but that data comes at the cost of user privacy. This is an ethical issue and it can become a practical issue in jurisdictions with **strict consent requirements** such as the EU, because cookie banners lead to **high opt-out rates** and inaccurate analytics.\n\nSimple Analytics can solve the problem. We build our service to provide you with all the insight you need without using cookies and without collecting personal data. Simple Analytics is a great, privacy-focused alternative to Google Analytics as well as a perfect complement to it- as a means to mitigate the **loss of data** from cookie banners.\n\nIf you are curious, feel free to give us a try!\n",{"data":45},null,2424,"Cookies 101","How do cookies work, and when do they need consent?","cookies-101","carlo-cilento","2024-04-09T10:24:22.765Z","2025-04-02T13:35:42.525Z",{"en":54,"de":55,"fr":57,"it":59,"es":61,"nl":63},{"slug":49},{"slug":56},"kekse-101",{"slug":58},"cookies-101-fr",{"slug":60},"biscotti-101",{"slug":62},"galletas-101",{"slug":64},"cookies-101-nl"]