Basics · 11 min read

What Is GDPR?

Understand the EU General Data Protection Regulation (GDPR): scope, principles, and what it means for websites that use cookies and trackers.

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679, applied since 25 May 2018) is the EU data protection law that sets rules for how personal data is collected, used, and protected. It applies to organisations that process the personal data of people in the EU and EEA, regardless of where the organisation itself is established.

Core Principles

  • Lawfulness, fairness, and transparency

  • Purpose limitation

  • Data minimization

  • Accuracy

  • Storage limitation

  • Integrity and confidentiality (security)

  • Accountability

For websites, GDPR often works alongside ePrivacy rules, which require consent for non-essential cookies. A Consent Management Platform like CookieBeam helps you present clear choices and record consent to support compliance.

Who Does GDPR Apply To?

GDPR's territorial scope is defined in Article 3 and is deliberately broad. It applies in two main scenarios. First, it covers any organisation established in the EU or EEA, regardless of where the actual data processing takes place — so an Irish company that processes data on servers in the United States is still fully subject to GDPR.

Second, and more significantly for global businesses, GDPR applies to organisations outside the EU that either (a) offer goods or services to people in the EU — even free services — or (b) monitor the behaviour of people in the EU. This extraterritorial reach means that a US-based SaaS company with European subscribers, an Australian e-commerce store shipping products to Germany, or a Canadian mobile app with French users all fall within GDPR's scope.

The monitoring angle is particularly important for website operators. Recital 24 explains that 'monitoring' covers tracking individuals on the internet, in particular to profile them or to analyse or predict their preferences and behaviour, which is exactly what analytics and advertising cookies do. In practice, almost any commercially operated website that drops such cookies on EU visitors' devices falls within Article 3(2)(b), even with no physical presence in Europe and no marketing directed at EU consumers. The EDPB's Guidelines 3/2018 on territorial scope add one nuance: not every collection of data about EU visitors is automatically 'monitoring'; what matters is whether the purpose includes behavioural analysis or profiling. A site that merely happens to receive EU traffic and sets only strictly necessary cookies is on different footing from one running advertising pixels. If your analytics dashboard shows visitors from EU member states, assume GDPR applies and check exactly what you are setting on their devices.

The Six Lawful Bases for Processing Personal Data

GDPR requires that every act of personal data processing has a documented lawful basis under Article 6. There are six options:

  1. Consent — The individual has given clear, affirmative consent for a specific purpose.
  2. Contract — Processing is necessary to perform a contract with the individual, or to take pre-contractual steps at their request.
  3. Legal Obligation — Processing is required to comply with a legal duty under EU or member-state law.
  4. Vital Interests — Processing is necessary to protect someone's life.
  5. Public Task — Processing is necessary to carry out an official function or task in the public interest.
  6. Legitimate Interests — Processing is necessary for the genuine legitimate interests of the controller or a third party, provided those interests are not overridden by the individual's rights and freedoms.

For cookies specifically, non-essential cookies almost always require Consent as the lawful basis. This follows from the ePrivacy Directive rather than from GDPR alone: Article 5(3) of the ePrivacy Directive requires consent for storing or reading information on a user's device unless the cookie is strictly necessary, and that requirement applies whatever Article 6 basis you might otherwise pick for the downstream processing. The EDPB's Opinion 5/2019 on the interplay between the two laws confirms that another Article 6 basis cannot substitute for that consent, and regulators have consistently rejected Legitimate Interests for advertising cookies and cross-site tracking because the processing is not necessary and the intrusion on privacy is too high. Contract and Legal Obligation are inapplicable in most cookie scenarios.

The important exception is strictly necessary cookies, meaning those required to deliver a service the user has explicitly requested: session identifiers, authentication tokens, shopping-cart cookies, load-balancing cookies, and the cookie that records the user's own consent choice. These are exempt from the consent requirement under Article 5(3) of the ePrivacy Directive and do not need a banner or user action. Two caveats apply. The exemption is judged by what the user asked for, not by what the operator finds convenient, so an analytics cookie does not become 'necessary' because the business depends on it. And exempt cookies should still be listed in your cookie notice, since GDPR transparency obligations apply to any personal data they carry.

GDPR Lawful Bases at a Glance

  • Consent

    When it applies: the user gives clear, affirmative agreement to a specific processing purpose.
    Non-essential cookies? Yes. This is the primary and most common basis for analytics, marketing and personalisation cookies.

  • Contract

    When it applies: processing is necessary to deliver a service the user has contracted for.
    Non-essential cookies? No. Contract can be the GDPR basis for the data in strictly necessary session, cart or authentication cookies, but those are consent-exempt under ePrivacy in any case.

  • Legal Obligation

    When it applies: processing is required to comply with a legal duty.
    Non-essential cookies? No. No ordinary cookie use case is mandated by law.

  • Vital Interests

    When it applies: processing is necessary to protect someone's life (emergency situations).
    Non-essential cookies? No. Not applicable to any standard cookie or tracking scenario.

  • Public Task

    When it applies: processing is necessary for an official public-authority function.
    Non-essential cookies? No. Applies only to government and public bodies in specific contexts, and even they need consent for non-essential cookies.

  • Legitimate Interests

    When it applies: a genuine business need, balanced against user rights via a Legitimate Interests Assessment (LIA).
    Non-essential cookies? Only in narrow, contested cases; never for advertising or cross-site tracking, and never as a substitute for the consent that ePrivacy requires (EDPB guidance).

Consent Under GDPR: What Makes It Valid

Not all consent is equal under GDPR. Article 4(11) defines consent as freely given, specific, informed and unambiguous; Article 7 adds the right to withdraw it; and Recital 32 together with the EDPB's Guidelines 05/2020 on consent fill in the detail. Together they give five criteria that consent must satisfy to be legally valid:

  • Freely given — The user must have a genuine choice. Consent is not free if there is a penalty for refusing, if access to the service is conditioned on accepting all cookies, or if consent is bundled with acceptance of terms and conditions.
  • Specific — Consent must be obtained purpose by purpose. A single blanket 'I agree to cookies' checkbox is insufficient; users must be able to consent separately to analytics, marketing, and personalisation categories.
  • Informed — Users must receive a clear explanation of what each cookie category does, who receives the data, and how long it is retained, before they make a choice.
  • Unambiguous — Consent requires a clear affirmative action. Pre-ticked boxes, silence, inactivity, or continued browsing do not constitute valid consent. The CJEU ruled definitively on this in the Planet49 judgment (Case C-673/17, 1 October 2019), confirming that a pre-ticked checkbox the user must untick to refuse is not valid consent.
  • Revocable — Users must be able to withdraw consent at any time, and withdrawing must be as easy as giving consent in the first place. A preference centre, floating icon, or footer link accessible on every page satisfies this requirement.

Failure on any single criterion renders the consent invalid — meaning any cookies set under that consent are processed without a lawful basis, exposing the organisation to enforcement action.

Cookie Walls Are Non-Compliant Under GDPR

A cookie wall is a mechanism that blocks access to a website or service unless the user accepts all non-essential cookies. Consent must be freely given (Article 4(11)), and Article 7(4) directs that 'utmost account' be taken of whether access to a service is made conditional on consent to processing the service does not actually need. The EDPB's Guidelines 05/2020 on consent apply this directly to cookie walls: access to services and functionalities must not be made conditional on the user consenting to the storing of, or access to, information on their device. When users have no real alternative but to accept cookies, their consent is coerced, not free.

Several Data Protection Authorities have taken a position against cookie walls. The Dutch DPA (Autoriteit Persoonsgegevens) has stated that websites using cookie walls do not comply, and the French CNIL and the Belgian DPA have criticised or acted against consent designs that leave users no genuine choice. If you are currently using a cookie wall, replace it with a compliant banner that lets users reach the content regardless of their cookie choices.

GDPR and Cookies: Practical Website Requirements

Understanding GDPR in theory is one thing; translating it into concrete website obligations is another. Here is what GDPR compliance means in practice for a typical website operator:

  • Consent before cookies fire — No non-essential script or cookie may be set until the user has provided affirmative consent. This includes analytics tags, advertising pixels, and third-party chat widgets.
  • Equally prominent Reject option — The 'Reject' or 'Decline' button must receive the same visual prominence as the 'Accept' button. Hiding the reject path in a sub-menu while displaying a large 'Accept All' button is a dark pattern that regulators have fined.
  • Consent audit log — Article 7(1) makes you responsible for demonstrating that consent was given. Record what the user consented to, when, under which version of your privacy policy and banner text, and enough context (for example, the site and a consent identifier) to tie the record to the user's later requests. Keep the log minimal: it is personal data in its own right, so store a pseudonymous consent ID rather than everything you could capture about the device. The log must be retrievable if a DPA or the user challenges your compliance.
  • Preference centre — Users must be able to revisit and change their consent choices at any time through an accessible interface — not just at the moment they first land on your site.
  • Data Processing Agreements (DPAs) and controller arrangements — Work out each vendor's role before you sign anything. A tag manager or analytics vendor that processes data only on your instructions is a processor, and Article 28 requires a contract (a DPA) with each one. Advertising vendors such as Meta Pixel typically use the data for their own purposes, which makes them independent or joint controllers rather than processors; the CJEU's Fashion ID judgment (C-40/17) held a website operator jointly responsible with Facebook for data collected by an embedded plug-in, and Article 26 then requires a joint-controller arrangement instead of a DPA. Vendors outside the EEA also trigger the Chapter V transfer rules, so document the transfer mechanism (adequacy decision, Data Privacy Framework certification, or Standard Contractual Clauses) for each one.

It is also important to understand the relationship between GDPR and the ePrivacy Directive (commonly called the Cookie Law). The ePrivacy Directive specifies when consent is required for cookies; GDPR sets the standard that consent must meet. The two laws work in tandem — ePrivacy consent obligations are only satisfied if the consent collected meets the GDPR quality bar.

GDPR Cookie Compliance Checklist

  • Cookie banner displayed before non-essential scripts fire

    No non-essential cookie or tracking script is executed until affirmative consent has been received from the user.

  • Equal-prominence Reject/Decline option

    The reject path is not buried in fine print or a secondary menu — it carries the same visual weight as the Accept All button.

  • No pre-ticked category boxes

    All non-essential cookie categories (analytics, marketing, personalisation) must default to off; users opt in, not out.

  • Consent recorded with timestamp and policy version

    An audit log captures what was consented to, when, and under which version of the Privacy Policy, retrievable on demand.

  • Preference centre accessible at any time

    Users can revisit and change their choices via a floating icon, footer link, or account settings — not only on first visit.

  • Data Processing Agreements or controller arrangements with all vendors

    Each third party that receives personal data collected on your site (Google, Meta, HubSpot and any other) has been classified as processor, independent controller or joint controller; Article 28 DPAs are signed with the processors, Article 26 arrangements are in place with joint controllers, and a transfer mechanism is documented for any vendor outside the EEA.

  • Privacy Policy updated with cookie disclosures

    The policy lists all cookie categories, their purposes, retention periods, and the third-party recipients of the data.
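The consent-gated loading and audit-log requirements above (the Practical Website Requirements list and this checklist) in working form, as an added example that is not CookieBeam's code or its SDK. The policy version, the tag list and the vendor URLs are made up for illustration; the loader is injected so the same logic runs in Node for a test and in a browser with browserScriptLoader.

```javascript
// Consent-gated tag loading with an append-only consent log.
// Added example, not CookieBeam code. POLICY_VERSION, TAGS and the URLs below
// are assumptions made up for illustration.

const POLICY_VERSION = "2024-05-01"; // assumed privacy-policy version
const CATEGORIES = ["analytics", "marketing", "personalisation"]; // non-essential only

// Hypothetical third-party tags, each gated by one consent category.
// Strictly necessary cookies (session, auth, cart) are not in this list:
// they need no consent and are set by the application itself.
const TAGS = [
  { id: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" },
  { id: "ads-pixel", category: "marketing", src: "https://ads.example/pixel.js" },
  { id: "recs-widget", category: "personalisation", src: "https://recs.example/w.js" },
];

// Every non-essential category starts off: users opt in, never out.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Build an audit record from an explicit per-category decision. A missing or
// non-boolean category is rejected rather than defaulted, so a banner bug
// cannot silently become "accept all"; unknown keys are rejected too.
function buildConsentRecord(choices, { now = () => new Date(), userAgent = "" } = {}) {
  const keys = Object.keys(choices);
  const complete = keys.length === CATEGORIES.length &&
    CATEGORIES.every((c) => typeof choices[c] === "boolean");
  if (!complete) {
    throw new Error("consent must be an explicit true/false for each category");
  }
  return {
    timestamp: now().toISOString(),
    policyVersion: POLICY_VERSION,
    userAgent, // keep context minimal: the log is personal data too
    choices: { ...choices },
  };
}

// Append-only log: records are never edited, and the newest one governs.
function appendRecord(log, record) {
  return [...log, { seq: log.length + 1, ...record }];
}

function currentChoices(log) {
  return log.length ? log[log.length - 1].choices : defaultChoices();
}

// Withdrawal is one call, as easy as accepting: a new record with everything off.
function withdrawAll(log, opts) {
  return appendRecord(log, buildConsentRecord(defaultChoices(), opts));
}

// Load only the tags whose category is on. `loader` is injected so this runs
// in Node for the test and in a browser with browserScriptLoader.
function loadPermittedTags(log, loader) {
  const choices = currentChoices(log);
  const loaded = [];
  for (const tag of TAGS) {
    if (choices[tag.category] === true) {
      loader(tag);
      loaded.push(tag.id);
    }
  }
  return loaded;
}

// Browser-side loader: the <script> element is created only here, after the
// consent check, so no vendor code runs before an affirmative choice.
function browserScriptLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  s.async = true;
  document.head.appendChild(s);
}

// Demo on constructed input: first visit loads nothing, opting in to analytics
// only loads the analytics tag, withdrawal loads nothing again.
function demo() {
  const fixedNow = () => new Date("2024-06-01T12:00:00Z");
  const stubLoader = () => {};
  let log = [];
  const beforeConsent = loadPermittedTags(log, stubLoader);
  log = appendRecord(log, buildConsentRecord(
    { analytics: true, marketing: false, personalisation: false },
    { now: fixedNow, userAgent: "constructed-ua/1.0" },
  ));
  const afterConsent = loadPermittedTags(log, stubLoader);
  log = withdrawAll(log, { now: fixedNow });
  const afterWithdraw = loadPermittedTags(log, stubLoader);
  return { beforeConsent, afterConsent, afterWithdraw, log };
}
```

The design choice worth noting is that nothing in the page ever references a vendor script URL except through loadPermittedTags, so a consent state of "no record yet" and "withdrawn" behave identically (nothing loads), and the only way a tag can run is through an explicit true in the newest record. In a real deployment the log would be persisted server-side keyed by a consent ID stored in a strictly necessary cookie, and the same record would feed the preference centre.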

Frequently Asked Questions

Does GDPR apply if my company is based outside the EU?

Yes. GDPR's extraterritorial reach under Article 3(2) applies to any organisation that offers goods or services to people in the EU/EEA, including free services, or that monitors their behaviour. The test is where the individual is, not their citizenship or residence. Placing analytics or advertising cookies on EU visitors' devices qualifies as monitoring. Your company's location is irrelevant: US, Australian, Canadian, and other non-EU businesses with EU customers or EU website visitors must comply, and those without an EU establishment generally also need to designate a representative in the EU under Article 27. Ignoring GDPR because your servers are outside Europe is not a valid defence and has not protected organisations from DPA enforcement action.

What are the GDPR fines?

GDPR provides for two tiers of fines. Tier 1 violations (less severe breaches, such as inadequate record-keeping) carry fines of up to €10 million or 2% of global annual turnover, whichever is higher. Tier 2 violations — which include consent failures, unlawful processing, and breaches of core principles — carry fines of up to €20 million or 4% of global annual turnover, whichever is higher. In practice, fines range from €1,000 for small operators to over €1 billion for large technology companies. The amount depends on the severity and duration of the violation, cooperation with the DPA, steps taken to mitigate harm, and any prior violations.

Is implied consent (e.g. continuing to browse) valid under GDPR?

No. Recital 32 of GDPR rules out silence, pre-ticked boxes and inactivity, and the EDPB's Guidelines 05/2020 on consent state that scrolling or swiping through a page does not amount to a clear affirmative action. The Court of Justice of the EU confirmed the underlying point in the Planet49 judgment (C-673/17, October 2019): a pre-ticked box that the user must untick to refuse is not valid consent. Consent requires a deliberate positive step, for example clicking an 'Accept' button or ticking an unchecked box, and that step must be specific to the processing purpose in question. 'Browsewrap' consent, where terms are embedded in the page with a note that continued use implies agreement, does not satisfy the unambiguous standard.

How long must I keep consent records?

GDPR does not specify a fixed statutory retention period for consent logs. The accountability principle in Article 5(2) and the duty to demonstrate consent in Article 7(1) mean you must retain records for as long as the consent is relied on and for as long as it could plausibly be challenged. A common rule of thumb is the duration of the user relationship plus three years, but limitation periods vary by member state, so confirm the period with counsel for the jurisdictions you operate in. Storage limitation applies to the log itself, so do not keep it indefinitely, and keep its contents minimal. CookieBeam's consent audit logs are retained for 24 months by default and are configurable in your dashboard settings, with exportable records in CSV or JSON format for DPA submissions.
