Yes. When cookies can be used to identify or single out an individual, they are treated as personal data under laws such as the General Data Protection Regulation (GDPR), the ePrivacy Directive (EU Cookie Law), and the California Consumer Privacy Act (CCPA).
Cookies and Personal Data Explained
To help you understand why this is the case, let’s briefly define internet cookies and the legal definition of personal data in the following sections.
What Are Cookies?
Internet cookies are small text files that your website places in your users' browsers; they can store a wide range of information.
When a user visits your website, it stores cookies in their browser, and most of those cookies contain a unique identifier, or cookie ID.
A cookie ID is a string of characters that a website associates with the browser the cookie is stored in. When the user returns, the site recognizes the cookie ID from the previous visit, looks up the record tied to it, and restores the user's preferences.
For example, your website might place a cookie in a user's browser containing the username they last used to log in (or an identifier tied to that account), so it can conveniently pre-fill the username the next time they visit.
But a cookie ID singles out one browser, and through it usually one person, so it meets the legal definition of personal data under laws like the GDPR, the EU Cookie Law, and the CCPA.
Keep this in mind because it becomes pretty important later on in this article.
What Is Personal Data?
Personal data, or personal information, is any information about a website user that could directly or indirectly be linked back to an individual. But there are some variations in the definition of personal data between the GDPR, the EU Cookie Law, and the CCPA.
The EU Cookie Law and the GDPR work in tandem: the EU Cookie Law borrows the GDPR's definition, which treats as personal data any information relating to an identifiable person, whether directly or indirectly, including details like
- Location information
- Identification numbers
- IP addresses
- Home addresses
- Other sensitive information
The EU GDPR defines “personal data” broadly and if a piece of information can be combined with other information to directly or indirectly identify or even single out an individual, it is considered personal data.
Furthermore, even when an individual is not specifically named, the ability to single them out is enough to make it “personal data”.
The CCPA uses the term "personal information" and defines it as information that identifies, relates to, or could reasonably be linked to a person or their household, excluding publicly available information such as government records, professional licenses, or social media posts.
Because you can use cookie IDs to identify an individual through their devices, most cookies likely qualify as personal data under the EU Cookie Law, the GDPR, and the CCPA.
Legal Classification of Cookies
Stay with us on this one: cookies themselves aren’t legally classified as personal data under the GDPR; it’s actually the cookie ID that qualifies as personal information.
The GDPR explains why cookie identifiers count as personal data in Recital 30, which states:
Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.
You’ll still find sources online saying that cookies are personal data under the GDPR and CCPA — we’ve even done it ourselves on this very page. But what we are really referring to is the identifiers within the cookies.
It all boils down to how we talk about cookies colloquially as a culture versus how specific the phrasing must be when written into law.
But because most non-essential cookies carry a unique ID anyway, it makes sense to use the phrase most people are familiar with, which is just plain old ‘cookies’.
Is anyone else getting hungry?
Examples of Cookies That Don’t Process Personal Data
While most types of internet cookies collect and process personal data and are subject to the GDPR, there are some cookies that don’t process personal data.
If a cookie doesn’t process data that can be directly or indirectly used to identify or single out an individual, it may escape the GDPR rules.
For instance, if a cookie only holds anonymous information, it will not fall under the GDPR rules. Take load balancing cookies: one whose value is nothing more than the label of the backend server a request should be routed to is shared by every user sent to that server, singles out nobody, and may therefore be outside the scope of the GDPR.
In any case, you need to be extra careful when it comes to categorizing cookies this way — the GDPR defines personal data very broadly and GDPR-compliant cookie anonymization is a high threshold.
Examples of Cookies That DO Process Personal Data
To make your data privacy law compliance efforts easier, you should assume that any non-essential cookies that your website or app uses fall under the legal definition of personal data.
Common cookies tracking personal data include:
- Statistics cookies
- Marketing cookies
- Third-party or tracking cookies
- Secure cookies and HTTP-only cookies. Note that `Secure` and `HttpOnly` are cookie attributes, not purposes: they only restrict how the cookie travels (HTTPS only) and who can read it (not page scripts). A cookie carrying these flags usually holds a session or login identifier, which is itself a personal-data identifier, but the flags alone tell you nothing about the contents.
- Flash cookies (Local Shared Objects, a legacy mechanism now that Flash Player has been discontinued)
- Zombie cookies
Our tools were built by our team of legal and data privacy experts and abide by laws like the EU Cookie Law, the GDPR, the CCPA, and more.