Are Cookies Personal Data?

Scan Your Site For Cookies
Are-Cookies-Personal-Data

Internet cookies can identify or single out individuals and are considered personal data under laws like the General Data Privacy Regulation (GDPR), the ePrivacy Directive (EU Cookie Law), and the California Consumer Privacy Act (CCPA).

If your website falls under the jurisdiction of any privacy laws, you must apply the guidelines to use cookies, or else your business might pay the price.

Below, learn why cookies qualify as personal data under these laws and how compliance solutions like our Cookie Consent Manager can help you use cookies legally.

Table of Contents
  1. Cookies and Personal Data Explained
  2. Legal Classification of Cookies
  3. Examples of Cookies That Don’t Process Personal Data
  4. Examples of Cookies That Do Process Personal Data
  5. Summary

Cookies and Personal Data Explained

Cookies qualify as personal data as defined by data privacy laws like the:

  • General Data Protection Regulation (GDPR)
  • ePrivacy Directive (EU Cookie Law)
  • California Consumer Privacy Act (CCPA)
  • Colorado Privacy Act (CPA)
  • Connecticut Personal Data Privacy Ac (CTDPA)
  • Virginia Consumer Data Privacy Act (VCDPA)
  • Utah Consumer Privacy Act (UCPA)

If you fall under the jurisdiction of any privacy laws, you must follow their guidelines to use cookies legally.

For example, most of these laws give individuals the right to opt out of having their data sold or shared with third parties or used for targeted advertising, including data collected through internet cookies.

To help clarify this matter, let’s briefly define internet cookies and personal data.

What Are Cookies?

Most websites leave small text files capable of storing a wide range of information on users’ browsers called internet cookies.

When a user visits your website, it stores cookies on their browser, most of which contain a unique identifier or a cookie ID.

A cookie ID is a string of characters websites associate with the browser the cookie is stored on — when a user revisits your site, it recognizes their cookie ID from the previous visit and retrieves and auto-fills their preferences.

But cookie IDs contain information about your website users that meet the legal definition of personal data according to laws like the GDPR, the EU Cookie Law, the CCPA, and more.

What Is Personal Data?

While the legal definition varies slightly between different privacy laws, personal data is any information about a user that could directly or indirectly link back to an individual or household.

It includes details like:

  • Names
  • Location information
  • Identification numbers
  • IP addresses
  • Home addresses
  • Other sensitive information

Most cookies legally qualify as personal data because you can use cookie IDs to identify an individual through their devices.

If we’re being very technical, it’s the cookie ID that legally qualifies as personal information.

For example, the GDPR classifies what online identifiers it considers personal data in Recital 30, which states:

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

Sources online say that cookies are personal data under data privacy laws because of how we talk about cookies colloquially as a culture versus how specific the phrasing must be when written into law.

Because all non-essential cookies have a unique ID anyway, it makes sense to use the phrase most people are familiar with, which is just plain old ‘cookies’… Is anyone else getting hungry?

Examples of Cookies That Don’t Process Personal Data

While most types of internet cookies collect and process personal data, some cookies don’t.

Essential cookies help websites function properly without processing information — other cookies process anonymous data that can’t directly or indirectly identify an individual.

However, be extra careful when categorizing cookies this way.

The GDPR, for example, defines personal data very broadly, and GDPR-compliant cookie anonymization is a high threshold.

Examples of Cookies That Do Process Personal Data

To simplify your data privacy compliance efforts, assume that any non-essential cookies your site uses fall under the legal definition of personal data.

Common cookies that track personal data include:

  • Statistics cookies
  • Marketing cookies
  • Third-party or tracking cookies
  • Secure cookies
  • HTTP-only cookies
  • Flash cookies
  • Zombie cookies

To determine what cookies your website uses, scan your site below:

Summary

Almost every website uses cookies, and non-essential cookies contain unique identifiers that qualify as personal data under major global privacy laws, including the EU Cookie Law, GDPR, and the CCPA.

If your website falls under the jurisdiction of those laws, you must follow specific guidelines to use cookies legally, and a do-it-yourself approach to cookie compliance is not recommended.

To ensure your website or app complies with all relevant laws and regulations, check out our cookie compliance tools:

Our tools are backed by our legal team and data privacy experts and are configurable to comply with cookie consent regulations in nearly 80 regions worldwide.

Ali Talip Pınarbaşı, CIPP/E, & LLM
More about the author

Written by Ali Talip Pınarbaşı, CIPP/E, & LLM

Ali is a London-based Data Privacy Law Consultant with a Master of Laws Degree in EU Privacy law at King's College London. He has three years of experience in advising businesses on how to comply data protection laws. More about the author

Related Articles

Explore more resources

Enter Your Website URL

In order to help you create a cookie solution that is GDPR and Cookie Law compliant, we must first scan your website for cookies.