Announcing Agent Commander - The First Integrated solution from Veeam + Securiti.ai enabling the scaling of safe AI agents

View
Contact Us See a demo

The Ultimate Guide to Cookie Laws & Regulations

Download: Consent Report Q2 2024
EU COOKIE LAW banner
Published July 12, 2021 / Updated January 8, 2024
Contributors

Anas Baig

Product Marketing Manager at Securiti

Maria Khan

Data Privacy Legal Manager at Securiti

FIP, CIPT, CIPM, CIPP/E

Listen to the content

On every website you ever visit, you probably have had to accept or decline certain cookies via a cookie notice or banner. Some of those cookies are there to track your browsing activities and can be traced back to your browser. They are also storing your data which can be seen as a threat if not secured properly. Global privacy regulations are coming up with rules for organizations to abide by when collecting personal data via cookies and processing these cookies for various purposes.

The GDPR focuses on organizations collecting freely given consent from their customers before they store or process any of their personal data, which includes dropping cookies on their website. Websites and apps that are used by visitors from the EU must implement a consent banner that complies with GDPR, and it has to have several pieces in place.

Under the GDPR, customers need to be fully informed about the types of cookies that are being stored and why they are being stored before the consumer can give them consent. Under the GDPR, consent needs to be:

  1. Freely-given
  2. Specific
  3. Informed
  4. Unambiguous

The GDPR requires organizations to have the following included in their cookie policy:

  • What information is collected
  • What you do with consumer information
  • How you protect consumer information
  • If you disclose any information to third parties
  • How you store consumer information
  • How users may access, migrate, request rectification, restriction or deletion of information

The GDPR and e-Privacy Directive both aim to ensure an appropriate level of confidentiality and security of European Union Residents' data.

The e-Privacy Directive provides a guideline on cookies which is why it was originally known as the “cookie law”. This is not the case with the GDPR as it does not explicitly state any guidelines or requirements based on cookies. The e-Privacy Directive requires organizations to provide comprehensive and easily understandable information with regards to the processing of cookies. These organizations must acquire the informed consent of users before tracking them with cookies. Although the GDPR does not mention cookies specifically, it classifies cookies as an “online identifier,” meaning that it may be considered personal data under certain circumstances.

Read more about EU Cookie Laws

Impact of the EU Guidelines on the U.S.

The E-Privacy Directive does not have a clear extraterritorial scope, which means that if a company does not have any physical presence or operation in the EU, they do not need to comply with the cookie guidelines.

On the other hand, the GDPR has clear extraterritorial scope. It covers the processing of personal data within the EU as well as outside the EU if the organization is offering goods and services to EU data subjects. If an organization's website targets EU consumers in accepting e-commerce payments in Euros as an alternative to U.S. dollars, or if the site's use of cookies amounts to intentionally "monitoring" the behavior of visitors who are in the EU, the GDPR likely applies to the organization.

PII and Cookies

PII (Personally Identifiable Information):

Under Article 9 of the GDPR, sensitive data is defined as the following:

  • personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs;
  • trade-union membership;
  • genetic data, biometric data processed solely to identify a human being;
  • health-related data;
  • data concerning a person’s sex life or sensitive data.

Cookie/online identifiers:

Although the GDPR does not talk about cookies specifically, it does mention “online identifiers under Article 4, recital 30 of the GDPR. The article states:

“Natural persons may be associated with online identifiers provided by their devices, applications, tools, and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.” 

Penalties Due to Non-Compliance

The EU cookie legislation depends on the government to set specific penalties for noncompliance. Here are some of the penalties an organization can face due to non-compliance:

  1. Regulators can request organizations for information that is stored in the website. This may include:
    1. Types of cookies your site uses
    2. Links to the cookie information section
    3. Identifiers of compliance
  2. Regulators can ask organizations to make changes to help them be more compliant with the EU guidelines. This can be requested or even enforced to be done in a set amount of time.
  3. Depending on the country, the organization can face a monetary fine based on the severity of non-compliance.

Schedule Your
Personal Demo

Learn how you can leverage Securiti’s Data Command Center to address data security, privacy, governance, and compliance.

See a demo
Schedule your demo today

Compliance Checklist

There are several ways in which an organization can simplify their compliance practices. Here are a few steps that can be taken in order to make this process easier.

Improve Privacy Policy

The first step towards staying compliant with cookie laws is to understand your privacy policy and revamp it based on guidelines and regulations. The GDPR contains stringent regulations regarding an organization’s privacy policy, how it must be written, what it must contain, and how it must be accessed.

Audit Databases

Organizations will need to audit their databases for opt-in consent. The GDPR is an Opt-In consent regime and it is paramount to obtain explicit consent from an individual before processing their data.

Create an Opt-In Process

For any new contact details, organizations need to ensure a process to gather the required level of opt-in for each new entry. GDPR stipulates that consent from consumers must now be gathered by them actively opting-in, rather than them having to opt-out.

Review Third Party Access

Third-party access can be one of the major threats to compliance because your organization may get penalized for someone else’s negligence. It is important to review what third parties you share data with, how they use it, and what their GDPR policies are.

Streamline DSR Fulfilment

GDPR regulations require organizations to respond to a consumer’s "request for information" within one month at the latest.

How Securiti Can Help?

Organizations are required under law to protect a consumer's data and obtain consent before collecting or storing any of this data. Securiti's PrivacyOps approach enables organizations to fulfill cookie requirements with the help of robotic automation and artificial intelligence. Here is how it can help:

  1. Automatic Scanning:
    In order to manage cookies in an effective manner, the first step is to keep track of all your cookies. Securiti helps track and classify cookies on your digital properties (i.e desktop, mobile websites) through automatic scanning.
  2. Customizable Cookie Banners:
    Securiti offers a cookie banner to capture freely given consent from the consumer. These banners can then be customized to your company’s branding guidelines.
  3. Consent Revocations:
    Under European law, consumers have the right to revoke their consent at any time. Securiti offers a preference center that simplifies the process of revoking consent and honoring the revocation.
  4. Demonstrate Compliance:
    Securiti maintains comprehensive records of consent for compliance reporting and audit trail.

Conclusion

Consumers' data being tracked by third-party entities via cookies can be deemed a privacy threat. Privacy regulations are in place to ensure that this data is handled in a safe and ethical manner, meaning nothing can be processed without the consumer's freely given consent. This will, in turn, protect the consumer's privacy and give organizations a reason to adopt a first-party approach when trying to obtain consumers' data.

Data is growing at an exponential rate, and keeping track of all this data is becoming a virtually impossible task with each passing day.  Automation is necessary, now more than ever, for any organization that is hoping to comply with privacy regulations in a scalable way.

To learn more about how Securiti can help, request a demo.

Frequently Asked Questions

Cookie compliance rules are primarily outlined in the ePrivacy Directive and the GDPR. They require websites to obtain informed consent for placing non-essential cookies and provide users with clear information about the types of cookies used.

The cookie law in the EU primarily refers to the ePrivacy Directive, which governs the use of cookies and similar technologies. It requires websites to obtain users' informed consent for non-essential cookies and protect users' privacy.

GDPR stipulates that cookies, especially non-essential ones, should only be placed on a user's device with their informed and unambiguous consent. Website operators must provide clear information about the types of cookies used, their purpose, and any data collected. Users have the right to withdraw their consent at any time, which should be as easy as giving consent. It's essential to maintain compliance with these rules to ensure user data privacy and avoid potential penalties.

The regulation surrounding cookie consent is primarily defined by GDPR and the ePrivacy Directive. Under these rules, obtaining user consent for the use of cookies is crucial. Consent should be freely given, specific, informed, and an unambiguous indication of the user's wishes. Websites must provide clear and comprehensive information about their cookie usage and allow users to make choices easily. This regulation aims to put users in control of their online privacy and ensure they have a say in how their data is used.

Analyze this article with AI

ChatGPT Claude Perplexity Grok
Prompts open in third-party AI tools.
Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox

Share
More Stories that May Interest You
CPRA Cookie Consent banner View More
January 1, 2024
CPRA Cookie Consent – All You Need To Know [2026 Guide]
The California Privacy Rights Act (CPRA) of 2020 which goes into effect on January 1, 2023, is expected to replace the California Consumer Privacy...
LGPD Cookie Brazil banner View More
November 10, 2023
LGPD & Cookies: What Do You Need To Know?
When a person logs on to a website, the server assigns them a distinctive, user-specific identity. This identity is stored on the mobile or...
Opt In vs Opt Out banner View More
August 13, 2023
Opt In vs Opt Out Consent: What’s the Difference?
The global hunger for data collection is increasing exponentially. With businesses starting to collect more and more personal data, a rapid emergence in data...
Please enter a minimum of 3 characters to begin your search.

Type

Videos
View More
March 9, 2026
Rehan Jalil, Veeam on Agent Commander : theCUBE + NYSE Wired: Cyber Security Leaders
Following Veeam’s acquisition of Securiti, the launch of Agent Commander marks an important step toward helping enterprises adopt AI agents with greater confidence. In...
View More
January 20, 2025
Mitigating OWASP Top 10 for LLM Applications 2025
Generative AI (GenAI) has transformed how enterprises operate, scale, and grow. There’s an AI application for every purpose, from increasing employee productivity to streamlining...
View More
January 15, 2025
Top 6 DSPM Use Cases
With the advent of Generative AI (GenAI), data has become more dynamic. New data is generated faster than ever, transmitted to various systems, applications,...
View More
January 2, 2025
Colorado Privacy Act (CPA)
What is the Colorado Privacy Act? The CPA is a comprehensive privacy law signed on July 7, 2021. It established new standards for personal...
View More
December 24, 2024
Securiti for Copilot in SaaS
Accelerate Copilot Adoption Securely & Confidently Organizations are eager to adopt Microsoft 365 Copilot for increased productivity and efficiency. However, security concerns like data...
View More
November 1, 2024
Top 10 Considerations for Safely Using Unstructured Data with GenAI
A staggering 90% of an organization's data is unstructured. This data is rapidly being used to fuel GenAI applications like chatbots and AI search....
View More
October 29, 2024
Gencore AI: Building Safe, Enterprise-grade AI Systems in Minutes
As enterprises adopt generative AI, data and AI teams face numerous hurdles: securely connecting unstructured and structured data sources, maintaining proper controls and governance,...
View More
August 12, 2024
Navigating CPRA: Key Insights for Businesses
What is CPRA? The California Privacy Rights Act (CPRA) is California's state legislation aimed at protecting residents' digital privacy. It became effective on January...
View More
June 3, 2024
Navigating the Shift: Transitioning to PCI DSS v4.0
What is PCI DSS? PCI DSS (Payment Card Industry Data Security Standard) is a set of security standards to ensure safe processing, storage, and...
View More
January 29, 2024
Securing Data+AI : Playbook for Trust, Risk, and Security Management (TRiSM)
AI's growing security risks have 48% of global CISOs alarmed. Join this keynote to learn about a practical playbook for enabling AI Trust, Risk,...

Spotlight Talks

Spotlight 50:52
From Data to Deployment: Safeguarding Enterprise AI with Security and Governance
Watch Now View
Spotlight 11:29
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Not Hype — Dye & Durham’s Analytics Head Shows What AI at Work Really Looks Like
Watch Now View
Spotlight 11:18
Rewiring Real Estate Finance — How Walker & Dunlop Is Giving Its $135B Portfolio a Data-First Refresh
Watch Now View
Spotlight 13:38
Accelerating Miracles — How Sanofi is Embedding AI to Significantly Reduce Drug Development Timelines
Sanofi Thumbnail
Watch Now View
Spotlight 10:35
There’s Been a Material Shift in the Data Center of Gravity
Watch Now View
Spotlight 14:21
AI Governance Is Much More than Technology Risk Mitigation
AI Governance Is Much More than Technology Risk Mitigation
Watch Now View
Spotlight 12:!3
You Can’t Build Pipelines, Warehouses, or AI Platforms Without Business Knowledge
Watch Now View
Spotlight 47:42
Cybersecurity – Where Leaders are Buying, Building, and Partnering
Rehan Jalil
Watch Now View
Spotlight 27:29
Building Safe AI with Databricks and Gencore
Rehan Jalil
Watch Now View
Spotlight 46:02
Building Safe Enterprise AI: A Practical Roadmap
Watch Now View
Latest
View More
February 24, 2026
Introducing Agent Commander
The promise of AI Agents is staggering— intelligent systems that make decisions, use tools, automate complex workflows act as force multipliers for every knowledge...
Risk Silos: The Biggest AI Problem Boards Aren’t Talking About View More
February 18, 2026
Risk Silos: The Biggest AI Problem Boards Aren’t Talking About
Boards are tuned in to the AI conversation, but there’s a blind spot many organizations still haven’t named: risk silos. Everyone agrees AI governance...
Largest Fine In CCPA History_ What The Latest CCPA Enforcement Action Teaches Businesses View More
February 23, 2026
Largest Fine In CCPA History: What The Latest CCPA Enforcement Action Teaches Businesses
Businesses can take some vital lessons from the recent biggest enforcement action in CCPA history. Securiti’s blog covers all the important details to know.
View More
February 19, 2026
AI & HIPAA: What It Means and How to Automate Compliance
Explore how the Health Insurance Portability and Accountability Act (HIPAA) applies to Artificial Intelligence (AI) in securing Protected Health Information (PHI). Learn how to...
View More
March 17, 2026
The Convergence Blueprint for Enterprise-Scale AI Governance
A blueprint for enterprise-scale AI governance - unifying data, security, privacy, and risk controls to manage AI systems, ensure compliance, and enable safe innovation.
Navigating Australia’s Evolving Cyber, Data & AI Regulatory Landscape View More
March 17, 2026
Navigating Australia’s Evolving Cyber, Data & AI Regulatory Landscape
Access the whitepaper and explore Australia’s evolving cyber, data, and AI risk landscape, including SOCI Act obligations, sector cyber standards, Privacy Act reforms, and...
DataAI Security for Retail View More
March 15, 2026
DataAI Security for Retail
Download the brief and explore how retailers can securely scale Data & AI with Securiti DataAI Command Center and protect sensitive data, manage risk,...
Emerging AI Security Trends For 2026 View More
March 11, 2026
Emerging AI Security Trends For 2026
Securiti’s latest infographic provides security leaders with a walkthrough of all the emerging AI security trends for 2026 to help them assess and plan...
View More
February 18, 2026
Take the Data Risk Out of AI
Learn how to prepare enterprise data for safe Gemini Enterprise adoption with upstream governance, sensitive data discovery, and pre-index policy controls.
View More
December 22, 2025
Navigating HITRUST: A Guide to Certification
Securiti's eBook is a practical guide to HITRUST certification, covering everything from choosing i1 vs r2 and scope systems to managing CAPs & planning...
What's
New