The security of data: The GDPR, cookies & the user

By Taima Brown 

Why is it a struggle for us to give out personal information? 
The root of our behaviour is our belief in privacy and anonymity. Strangely, this awareness changes in the digital sphere. The average internet user shares personal data from the moment the browser is opened until it is closed, and during every website visit. Still, many users willingly ignore the options they are given for deciding what type of data is shared.

In 2018, the European Union published a guideline [1], the General Data Protection Regulation (GDPR), which not only explains how European citizens’ data needs to be handled in cyberspace but also how data is collected and (possibly) shared with third parties. The regulation is complemented by the ePrivacy Directive (EPD) [2], which further explains “cookies”. The familiar pop-up window that appears when opening a website describes this shared information and the cookies. Many Europeans, though, are unaware of how the window relates to the government guidelines. Only by looking further into the guidelines does it become clear that the GDPR and the EPD together build a web in which the user’s data rights are described. But what exactly does this entail?


The GDPR is an EU-wide guideline that outlines how Europeans’ personal data and its movement must be handled [3]. It includes the user’s right to give consent to data processing and also gives the option of withdrawing that consent at any time [1]. The option of consent needs to be explained in simple words [1]. The GDPR states, though, that this simplicity of information is only expected to be found in the “context” of a written statement, leaving open which types of context are meant. This ambiguity demonstrates that possibilities to process personal data “(il)legally” while “respecting” the GDPR remain. The document also codifies that EU-related data must be secured according to the GDPR; otherwise organisations face heavy fines. Still, exceptions exist which enable data processing, for instance in the case of “protecting” the interests of the user [3]. These loopholes undermine the full transparency of data processing.

The EPD and its 2009 extension are complementary documents to the GDPR, addressing issues in data processing, privacy rights and consent-related rights. In contrast to the GDPR, the EPD states that giving consent should be possible by simply ticking a box [4]. The user gives or dismisses consent with a single click, a function that is (or should be) thoroughly described in the pop-up window, which additionally includes the cookie specifics. The 2009 directive adds that consent should be expressible through browser settings or other applications, and that unauthorised storage, processing or disclosure of users’ data is prohibited [5]. Any data breaches that occur must be made known to the user [6].

Where do cookies come into play?

The so-called cookies are text blocks that send information regarding the user’s internet activity back to the website. Multiple types of cookies exist: session cookies vanish after the user finishes his browser actions [2], while persistent cookies remain (often longer than 12 months) on the hard drive [7] and track users (for targeted advertising) [8]. A further distinction exists between first-party cookies, which are set on the personal device by the website itself, and third-party cookies, which are placed by advertisers [2] to personalise content or for demographic tracking purposes [9]. These cookies are often used to nudge users’ internet behaviour towards services such as specific products. It is unclear, though, what companies do with the data besides marketing- and business-related matters. Some cookies are also necessary for websites: strictly necessary cookies are needed to access secure areas of a website, for instance the shopping basket [2], and preference and statistic cookies are used to simplify and improve the website experience. Marketing cookies are, again, a type of persistent cookie (and third-party cookie), often set for business-related purposes [2].
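The distinctions above (session versus persistent, first-party versus third-party) can be checked mechanically from the `Set-Cookie` headers a site sends, which is how a privacy audit verifies that a cookie banner describes what is actually set. The following Python script is an added example written for this article, not code from the article or from any of its sources. It classifies each observed cookie by lifetime (no `Max-Age`/`Expires` means a session cookie; `Max-Age` takes precedence over `Expires` as RFC 6265 specifies) and by party (the cookie’s `Domain`, or the host that sent it, compared with the page’s domain), and flags persistent cookies that outlive the 12-month span mentioned above. The hostnames, header values, the fixed clock and the two-label domain heuristic are all constructed assumptions; a real audit tool would use the Public Suffix List to determine the registrable domain.

```python
"""Classify observed Set-Cookie headers by lifetime and party.
Added example for the article; all sample data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Fixed reference clock so the example is deterministic offline (assumption).
NOW = datetime(2021, 1, 1, tzinfo=timezone.utc)
ONE_YEAR = timedelta(days=365)


def registrable_domain(host: str) -> str:
    """Crude eTLD+1 approximation: keep the last two labels.
    Assumption: a real tool would consult the Public Suffix List (e.g. co.uk)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


@dataclass
class CookieReport:
    name: str
    party: str                 # "first-party" or "third-party"
    lifetime: str              # "session" or "persistent"
    expires_in_days: int | None
    longer_than_12_months: bool


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split 'name=value; Attr=val; Flag' into the cookie name and its attributes
    (attribute names lower-cased; valueless flags map to None)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            attrs[key.strip().lower()] = value.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def classify(page_host: str, setting_host: str, header: str) -> CookieReport:
    name, attrs = parse_set_cookie(header)
    # Party: an explicit Domain attribute wins; otherwise the host that sent the header.
    cookie_domain = (attrs.get("domain") or setting_host).lstrip(".")
    same_site = registrable_domain(cookie_domain) == registrable_domain(page_host)
    party = "first-party" if same_site else "third-party"
    # Lifetime: Max-Age takes precedence over Expires (RFC 6265); neither => session.
    expiry = None
    if attrs.get("max-age") is not None:
        expiry = NOW + timedelta(seconds=int(attrs["max-age"]))
    elif attrs.get("expires") is not None:
        expiry = parsedate_to_datetime(attrs["expires"])
    if expiry is None:
        return CookieReport(name, party, "session", None, False)
    remaining = expiry - NOW
    return CookieReport(name, party, "persistent", remaining.days, remaining > ONE_YEAR)


def audit(page_host: str, observed: list[tuple[str, str]]) -> list[CookieReport]:
    """observed: (host that sent the header, raw Set-Cookie value) pairs."""
    return [classify(page_host, host, header) for host, header in observed]


# Constructed sample: one page, three cookies from two hosts.
PAGE_HOST = "shop.example.com"
OBSERVED = [
    ("shop.example.com", "sessionid=abc123; Path=/; Secure; HttpOnly"),
    ("shop.example.com", "prefs=lang%3Den; Max-Age=2592000; Path=/"),
    ("ads.tracker-example.net",
     "uid=42; Expires=Thu, 01 Jan 2026 00:00:00 GMT; Domain=.tracker-example.net"),
]

if __name__ == "__main__":
    for report in audit(PAGE_HOST, OBSERVED):
        print(report)
```

Run against a real site, the report for each cookie can be compared line by line with the categories the consent banner claims (strictly necessary, preference, statistics, marketing); a “session” first-party cookie that is really a five-year third-party tracker is exactly the mismatch such a check is meant to surface.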

The relations between the GDPR, EPD and cookies

Together, the GDPR and EPD build a web, a symbiotic construct, in which internet cookies play a pivotal role in obtaining the user’s consent to process their personal data. By referring to one another and picking up each other’s content, the GDPR and EPD benefit from each other’s perspective on data processing. The documents showcase the complexity of data exchange in cyberspace by highlighting the standpoints of both the user and the (website) providers. Cookies are therefore tools for the documents’ implementation and allow users to share data as they desire.

In comparison to the EPD, the GDPR thoroughly describes the terms of the personal data transaction (by giving consent). It defines the legal framework, but does not specifically define how this framework is implemented and what it should look like in cyberspace. The EPD gives additional assistance in cyberspace, dives deeper into the GDPR content and describes how consent-giving, by accepting or dismissing cookies, should be realised. For users who search for information on cookies, the EPD is therefore the appropriate document.


Users do, and will have to, act on their personal rights. The GDPR and the EPD describe how every user can use the law to regulate their own online data. Still, many internet users do not read the cookie statements thoroughly. As a result, user behaviour should be pushed towards a more responsible, more aware handling of data. It should not be a struggle to apply one’s rights in cyberspace. Appropriate publicity on personal data rights should be encouraged to raise awareness and push users to adjust their cookies so that they keep control over what kind of data they share with websites. It is questionable, though, whether businesses (and governments) are actually interested in this scenario, as the value of data, and of utilising this knowledge, is well known. In the end, every single one of us should know what the presented cookies are made of before we accept and eat them.


[1] GDPR.EU. (n. d.). General Data Protection Regulation (GDPR). Retrieved from 
[2] Koch, R. (n. d.). Cookies, the GDPR, and the ePrivacy Directive. Retrieved from
[3] Intersoft Consulting. (n. d.). General Data Protections Regulation: GDPR. Retrieved from
[4] European Parliament, Council of the European Union. (2002). Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). Retrieved from
[5] European Parliament, Council of the European Union. (2009). Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws. Retrieved from
[6] Green, A. (2020). Understanding the Relationship Between the GDPR and ePrivacy Directive. Retrieved from
[7] Lin, D., & Loui, M. C. (1998). Taking the Byte Out of Cookies: Privacy, Consent, and the Web. Computers and Society, 28(2), 39-51. doi:
[8] Dabrowski, A., Merzdovnik, G., Ullrich, J., Sendera, G., & Weippl, E. (2019). Measuring Cookies and Web Privacy in a Post-GDPR World. Passive and Active Measurement, 258-270. doi:
[9] Palmer, D. E. (2005). Pop-Ups, Cookies, and Spam: Toward a Deeper Analysis of the Ethical Significance of Internet Marketing Practices. Journal of Business Ethics, 58, 271-280. doi: 10.1007/s10551-005-1421-8 
