The minimum to know about cookie notices and user privacy

Ever since the Cookie Law directive was introduced in the EU, there have been questions.

People complained that the directive is lax and open to interpretation. The fact that each EU country could implement it differently added to the confusion even more.

But hey, it’s gotten worse.

With the introduction of GDPR, CCPA and other country- or region-specific cookie and privacy policies, the confusion reached new heights.

Now, it’s time to start making things clear.

For the sake of keeping things simple and understandable, I will make some simplifications throughout this text.

What are cookies?

“Cookies” are pieces of information stored on a user’s device, e.g. a laptop or a smartphone.

What are privacy regulations all about?

Privacy regulations like GDPR, CCPA etc. want to make sure that people have control over what personal data they share, who gets it and what the recipients can do with it.

What do cookies have to do with privacy?

Cookies are often used by tracking tools. They use them to gather more accurate information about the site visitors. Most tracking tools cannot work without cookies, so disabling cookies will effectively stop them from working.

What are cookie notices for?

Cookie notices have 2 purposes:

1. they inform visitors about the information that the site collects about them and what it does with this information
2. they let the website use the cookies for specific purposes

What elements should a cookie notice have to comply with privacy regulations?

1. It should describe what cookies the website uses and what for.
2. It should also have 2 identically styled buttons that allow users to accept or decline all cookies.

What optional elements should a cookie notice have?

A cookie notice may optionally have checkboxes (unchecked) allowing visitors to agree to the use of specific types of cookies.

How should a cookie notice work?

According to the regulations in most countries, a cookie notice should prevent all non-required cookies from loading until visitors agree to their use. Alternatively, the notice can prevent scripts that use cookies from loading. Full Picture’s cookie notice works this way. The effect is the same.

Do all cookie notices comply with privacy regulations?

No. Only those that stop cookies from loading do.

What is the difference between opt-in and opt-out cookie loading?

Opt-in loading means that site visitors need to agree to cookies before they are loaded. Opt-out means that cookies are loaded when the page is loaded but the visitors can turn them off by declining them in the notice.
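
The script-blocking approach and opt-in loading described above, sketched as an added example; it is not code from WP Full Picture or from this article. The category names, script URLs and function names are assumptions made up for the illustration.

```javascript
// Constructed sample registry: every script on the site is tagged with a category.
const SCRIPTS = [
  { src: "/js/cart.js", category: "required" },
  { src: "https://stats.example/tracker.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
const OPTIONAL = ["statistics", "marketing"]; // categories that need consent

// Opt-in default: before the visitor decides, no optional category is granted
// (this matches unchecked checkboxes). decided=false means the notice must be shown.
function initialConsent() {
  return { decided: false, granted: new Set() };
}

// choice is "accept_all", "decline_all", or an array of ticked categories.
function applyChoice(choice) {
  let granted;
  if (choice === "accept_all") granted = OPTIONAL;
  else if (choice === "decline_all") granted = [];
  else if (Array.isArray(choice)) granted = choice.filter((c) => OPTIONAL.includes(c));
  else throw new TypeError("unknown consent choice");
  return { decided: true, granted: new Set(granted) };
}

// Fail closed: a script with a missing or unknown category is treated as
// non-required and stays blocked unless that exact category was granted.
function allowedScripts(scripts, consent) {
  return scripts
    .filter((s) => s.category === "required" || consent.granted.has(s.category))
    .map((s) => s.src);
}

// Browser side: only permitted scripts are ever added to the page, so a blocked
// tracking script never runs and never gets the chance to set a cookie.
function loadAllowed(scripts, consent, doc) {
  for (const src of allowedScripts(scripts, consent)) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
}
```

An opt-out notice would be the same code with `initialConsent()` granting every optional category, which is exactly the behaviour that loads trackers before the visitor has agreed.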

Are opt-out cookie notices GDPR compliant?

No. According to GDPR, no data can be collected until visitors agree to it. Only opt-in cookie notices are GDPR compliant.

Do I have to use a cookie notice if my site is in a country where a cookie notice is not required?

If your site visitors may come from other countries, then you should have a notice. Some cookie notices, like the one built into the WP Full Picture WordPress plugin, for example, can be hidden in specific countries (with geolocation).

Can I require users to accept cookies before they can view the site?

No.

Can I track my visitors before they agree to cookies?

Yes, but only with tracking tools that don’t gather personally identifiable information and don’t use cookies or any other methods of storing information on site visitors’ devices. WP Full Picture lets you install 2 such tools on your site – Plausible Analytics and Splitbee.

Are Google services allowed in the EU?

Yes, but not in all of them. The situation is evolving. You can’t use Google Analytics and Google Fonts in Austria and France. In the future this may also expand to other EU countries and other US-based services that collect visitors’ data and hold it on servers in the US.