Privacy (GDPR)

Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites without accepting cookies.

On 7 March 2019, the Dutch Data Protection Authority confirmed that such way of cookies collection is unlawful.

Let's identify the exact mistakes in cookies collection and what to do to comply with relevant privacy laws.

To place and process cookies within the EU, owners of websites must comply with the rules of the General Data Protection Regulation (GDPR) and e-Privacy Directive. In 2019, the e-Privacy Regulation is expected to strengthen the rules and replace the Directive. To date, we only have the draft version of it.

Privacy laws may seem complicated. However, we believe that just four simple steps in cookies collection can ensure compliance with effective regulations.

Cookie Policy example

1. Create and Post Cookie Policy

Website owners must publicly inform their users that they collect cookies. According to the best practices, it can be done in two ways.

The first one is Cookie Policy. This is a one-, two-page document at maximum, which explains to users why the website put small text files (cookies) on their devices. The Cookie Policy must be written in a simple and transparent language.

Cookie Policy must include at least the following information:

- Details of the website controller;

- Explanation of what the cookie is and how it appears on the user's device;

- Types of cookies and why the website uses them. Usually, the purposes include technical necessity, personalization of the website for the user, the collection of traffic analytics, and advertisement tracking, but they vary from case to case. Anyway, always make sure all use cases are mentioned in the policy; and

- List of third parties (e.g., analytics or marketing service providers) that deploy cookies or other tracking technologies on the website. Purposes of third-party tracking activities must also be mentioned.

The Cookie Policy can be posted on the bottom of the website landing or in the 'Privacy’ Section. The core requirement is that the Policy must be acceptable to users. Otherwise, this document will not have legal force.

Create and Post Cookie Policy

2. Create Cookie 'Pop-Up' Window

The second element of the information obligation involves user`s immediate informing. When the user visits the website for the first time, it must show him/her a short notification about cookies.

The notification must be limited to one or two sentences. Without going into details, the website informs that it uses cookies and gives a Cookie Policy link with more information.

Another purpose of using the 'pop-up' notification is in receiving the user's consent for cookies, which is explained in the next step.

Create Cookie 'Pop-Up' Window

3. Obtain Consent

The consent from the user is a core condition to process certain types of cookies, such as advertisement or personalization cookies.

The website owners usually misunderstand the concept of consent. The study mentioned afore proves that: among the 3,237 websites, almost half of them, 1,347 websites were collecting invalid consent. An invalid consent has no legal force and thus cannot be a satisfactory ground.

To collect the consent in the right way, the website owner must follow a few tips:

- Not all cookies need consent. For example, a website can deploy cookies, which ensure its appropriate work without consent - they are necessary for the provision of services. However, the owner of the website needs user's consent for cookies that serve personalization of website or advertisement purposes.

- No 'one consent for all cookies'. As we see, there can be more than one type of 'consent-based' cookies. In such a case, the user must give separate and specific consent for each type of cookies.

- The user must be able to continue without the consent. Here is where thousands of websites fail: the website cannot bind the user to accept cookies. The consent must be 'freely given'. No cookies wall - this forces the user to accept cookies and continue. Therefore, a 'pop-up' window must have two buttons: accept and reject (use necessary only) cookies;

- Possibility to revoke the consent. Eventually, the website user must be able to cancel the consent in case he/she decides to do so. This can either be done with the UI 'on/off' feature or an option to contact the owner.

Obtain Consent

Cookies v. Paid Subscriptions: a freely given choice? Some websites, like Washington Post, give the users two options: consent to cookies and use it for free or pay for a subscription.


Does it violate 'freely-given consent' principle? While the British data protection authority reportedly believes so, the Austrian one thinks this choice complies with the data protection laws.

Conclusion? Understanding of the GDPR rules varies even within the European Union, so take it in mind when choosing the targeted audience.

4. Be Careful with Sensitive Data

A less covered, but nonetheless important issue is the collection of political opinions, religious or philosophical beliefs, racial, ethnic origin, other discriminative characteristics, biometric data or children data, also known as ‘sensitive data’. Sensitive data has a restricted collection regime, which can cause difficulties with cookies collection.

If the website has 'consent-based' cookies that are connected with sensitive data (for example, advertisement-tracking cookies), the controller must obtain 'explicit' consent.

This can turn out to be a not easy task. The term 'explicit' implies the written statement, e-mail, or e-signature from the user as proof of consent. There is no general solution for cookies and sensitive data. Each way must be weighed in terms of efficiency, costs and benefits, and compliance with legal obligations.

Be Careful with Sensitive Data


Cookies are a very powerful tool in the era of the digital economy. European lawmakers, for their part, make businesses use this tool responsibly.

If you would like to receive support or advise with cookies and privacy — Legal Nodes will be happy to provide assistance. You can book a free consultation here as a good starting point. 

Hope you found this article useful! Let us know at


Disclaimer: the information in this article is provided for informational purposes only. You should not construe any such information as legal, tax, investment, trading, financial, or other advice.

Vlad Nekrutenko

Privacy Lawyer at Legal Nodes

Leave your email address to receive a free Cookie Policy template:

By submitting your email address, you agree to receive personalized emails and promotional materials from us.

You can revoke your consent at any time by contacting us via our email.

Legal Nodes Blog

For Startups
Ultimate guide to connecting Virtual Data Protection Officer

Connecting Virtual DPO can greatly reduce start-up’s data protection costs. This article explains who the Data Protection Officer is, why you should consider outsourcing DPO services, and how to pick one that matches the needs of your business....

Legal Nodes Team
Privacy (GDPR)
Cookie Policy: How to Track Website Users Lawfully

The recent study of the Nederlandse Omroep Stichting (the ‘NOS’), a Dutch news media, showed that more than 1,300 Dutch websites violate the privacy of their users. The violation found by the NOS is simple - the users cannot use the websites wit...

Legal Nodes Team
For Startups
Why Your Startup Needs a Founders' Agreement + Template 2021

Founders Agreement – the key step to set clear intentions for you and your partners and to avoid misunderstandings in the future. In a new post on the Legal Nodes blog, we explain what a Founders Agreement is, reasons for your startup to prepare...

Legal Nodes Team
For Startups
Terms of Use that your users will actually read

In this article Legal Nodes Team talks about Terms of Use, how to write them effectively and why you need them in the first place. You could find a FREE template at the end of this article....

Legal Nodes Team
Privacy (GDPR)
How Can You Leverage a Privacy Kit More Effectively?

In this article, Punit Bhatia, a leading privacy expert, shares how small businesses can become privacy compliant by using Privacy Kits in an effective and why just branding the documents and templates in name of your company is not a good idea....

Punit Bhatia
Legal Nodes Updates
Legal Nodes in 2020: A Year in Review

Despite the fact that for many 2020 will be strongly associated with the coronavirus pandemic and lockdown measures, it would be a mistake to forget all the good things that happened this year. Especially when the festive season approaches, and ...

Legal Nodes Team
Privacy (GDPR)
Internet data mining. Is it legal in the EU?

Data mining is the process of collecting and analyzing human-readable data for own purposes. More and more businesses are built on that concept, scientists and medics also use automatically combined data from different sources to spawn predictio...

Ewa Wojnarska-Krajewska
Privacy (GDPR)
11 simple (but complete) steps towards the GDPR compliance in 2020

The GDPR can be a wake-up call to sort out your processes, procedures and technology and thereby run a more successful organisation. Data is now more essential than ever, regardless of your activities or market sector. Not only will efficiencies...

Thomas Hayes
Contract Work
Force Majeure Clauses and the Effect of Coronavirus on Businesses

The coronavirus pandemic has made force majeure clauses one of the hottest legal topics worldwide. To help businesses navigate this issue, we asked Tom Bohills, an English qualified lawyer and the Founder of Chronos Law, to explain the backgrou...

Tom Bohills