GDPR and Cookies what you should know.

GDPR and Cookies what you should know.

1 mounth ago
João Bruno Soares
9 minutes

In the fast-paced digital world we live in, cookies are more than just a tasty treat; they play a crucial role in how websites function and user data is collected. If you're a tech-savvy developer (or not), a marketing pro, an entrepreneur, a legal eagle, or a marketing agency owner, understanding the General Data Protection Regulation (GDPR) and its impact on cookies is essential. So, let's break it down, step by step.

What Is GDPR?

The GDPR is a set of data protection laws that were introduced by the European Union (EU) to give individuals more control over their personal data. It applies not only to businesses based in the EU but also to those outside the EU that process the data of EU citizens. In a nutshell, it's all about safeguarding user privacy.

Cookies 101

Before diving into the GDPR, let's grasp the basics of cookies. These tiny text files are stored on a user's device when they visit a website. They serve various purposes, from remembering login details to tracking user behavior for analytics. Cookies make the internet a more user-friendly place.

Lean more about: 10 risky processes in your marketing department.

Consent Is Key

Under the GDPR, obtaining user consent for cookies is paramount. Visitors to your website must be informed about what cookies you use, why you use them, and given the option to opt in or out. It's all about transparency and giving users control over their data.

Types of Cookies

There are different types of cookies, and not all are created equal in the eyes of the GDPR:

  • Necessary Cookies: These are essential for a website to function correctly. They don't require user consent.

  • Functional Cookies: These enhance user experience but aren't critical. Users should have the option to accept or reject them.

  • Performance Cookies: These collect data on how users interact with a website. Consent is needed.

  • Targeting Cookies: Used for advertising and tracking. Users should have clear options to accept or reject them.

Learn more about: How does a cookie banner work?

Steps to GDPR Compliance

So, how can you ensure compliance with the GDPR regarding cookies?

  • Audit Your Cookies: Take stock of the cookies your website uses.

  • Update Your Privacy Policy: Make sure it clearly explains your cookie usage.

  • Implement Cookie Consent: Use a consent management platform like AdOpt to handle user consent effectively.

  • Regularly Review and Update: Stay on top of changes in your cookie usage and adjust consent accordingly.

GDPR and International Business

If you're expanding your business internationally, understanding the GDPR is crucial, even if you're not in the EU. Many countries are adopting similar regulations to protect user data, making GDPR compliance a global best practice.

Consent: The Cornerstone of GDPR

Under GDPR, acquiring user consent for cookies is non-negotiable. Visitors to your website must be well-informed about the types of cookies you employ, their purposes, and provided with the option to opt in or out. Transparency and user empowerment are at the heart of this regulation.

Comparing GDPR with Other Privacy Laws

Let's delve deeper into the comparison of GDPR (General Data Protection Regulation) with other prominent privacy regulations around the world, namely the LGPD (Lei Geral de Proteção de Dados) from Brazil, CCPA (California Consumer Privacy Act) in the United States, and PIPEDA (Personal Information Protection and Electronic Documents Act) in Canada. These comparisons will shed light on the global privacy landscape and provide practical insights for businesses with a global footprint.

Learn more about privacy policy: What is a Privacy Policy?

GDPR vs. LGPD: A Global Perspective


  • Scope: The GDPR applies to all EU member states and any organization handling EU citizens' data, regardless of where the organization is based.

  • Data Subject Rights: GDPR grants individuals rights like the right to access, rectify, and erase their data, and the right to data portability.

  • Penalties: Fines for non-compliance with GDPR can be substantial, with a maximum penalty of up to €20 million or 4% of the company's global annual revenue, whichever is higher.


  • Scope: LGPD is Brazil's equivalent of the GDPR and applies to all Brazilian organizations and those processing data of Brazilian citizens.

  • Data Subject Rights: LGPD grants rights similar to GDPR, such as data access and deletion, but with a focus on Brazilian-specific nuances.

  • Penalties: Fines under LGPD are significant but generally lower than GDPR, with penalties of up to 2% of a company's revenue.

GDPR vs. CCPA: U.S. Privacy Laws Clash


  • Scope: GDPR applies globally, while its impact on U.S. businesses is indirect but substantial when handling EU data.

  • Data Subject Rights: GDPR offers comprehensive rights to EU citizens, including opting out of data processing.

  • Penalties: GDPR imposes severe penalties for non-compliance, often resulting in significant fines.


  • Scope: CCPA is a California-specific regulation but impacts many U.S. businesses due to California's economic significance.

  • Data Subject Rights: CCPA grants Californian consumers rights like the right to opt out of selling their data and the right to know what personal information is collected.

  • Penalties: CCPA penalties can be hefty, with up to $7,500 per intentional violation.

GDPR vs. PIPEDA: Privacy Rules in the Great White North


  • Scope: GDPR applies globally and extends its reach to Canadian businesses dealing with EU data.

  • Data Subject Rights: GDPR offers robust rights to individuals, including the right to be forgotten and data portability.

  • Penalties: GDPR enforces significant fines for non-compliance.


  • Scope: PIPEDA is Canada's federal privacy law and applies to the private sector, while provinces have their privacy laws as well.

  • Data Subject Rights: PIPEDA grants Canadians rights like the right to access their data and request its correction.

  • Penalties: PIPEDA penalties are relatively modest, with a maximum fine of CAD $100,000.

Key Takeaways for Global Businesses

  • Scope Matters: Understanding the geographical scope of each regulation is crucial to determine if it applies to your business.

  • Data Subject Rights: Recognize the rights granted to individuals under each regulation and ensure compliance.

  • Penalties: Be aware of potential fines and their severity, as non-compliance can be costly.

  • Data Handling: Implement data management practices that align with the strictest regulations applicable to your business, even if indirectly.

  • Legal Expertise: Seek legal counsel with expertise in international privacy laws to navigate the complexities effectively.

By comparing GDPR with LGPD, CCPA, and PIPEDA, businesses can create a comprehensive strategy for global data protection compliance while respecting the unique nuances of each regulation.

GDPR's Influence on Global Privacy Laws

Now, let's go deeper into the influence of the GDPR (General Data Protection Regulation) on global privacy laws by providing practical examples of how it has inspired or influenced similar regulations worldwide, including the LGPD (Lei Geral de Proteção de Dados) in Brazil, CCPA (California Consumer Privacy Act) in the United States, and PIPEDA (Personal Information Protection and Electronic Documents Act) in Canada.

GDPR and the LGPD in Brazil

  • Influence: The GDPR played a pivotal role in inspiring Brazil's LGPD, which came into effect in September 2020. While LGPD has unique aspects tailored to Brazil's legal framework, it draws several parallels from GDPR:

  • Data Subject Rights: Both GDPR and LGPD (Lei Geral de Proteção de Dados) grant individuals rights over their personal data, such as the right to access, rectify, and delete their information.

  • Data Protection Officers (DPOs): GDPR's requirement for DPOs has influenced LGPD's mandate for Data Processing Officers (DPOs), responsible for overseeing data protection compliance within organizations.

  • Consent: Both regulations emphasize informed and explicit user consent for data processing activities.

GDPR and CCPA in the United States

  • Influence: While CCPA is a California-specific regulation, the GDPR's influence can be observed in several areas:

  • Data Subject Rights: CCPA grants Californian consumers rights similar to those under GDPR, including the right to know what personal information is collected and the right to opt out of selling their data.

  • Consumer Privacy Concerns: GDPR's emphasis on consumer privacy set a precedent that contributed to the increasing awareness and demand for data privacy rights in the United States, leading to the enactment of CCPA.

GDPR and PIPEDA in Canada

  • Influence: The GDPR's influence on Canada's PIPEDA can be seen in various ways:

  • Data Subject Rights: PIPEDA was amended to include data subject rights such as the right to access personal information, similar to GDPR.

  • Breach Notification: GDPR's stringent breach notification requirements influenced PIPEDA's updates, making it mandatory for organizations to report data breaches promptly.

  • Consent and Accountability: PIPEDA has incorporated GDPR's emphasis on obtaining explicit consent and data protection accountability.

Global Adoption of GDPR Principles

Countries outside the EU have recognized the value of GDPR's principles, including data protection, transparency, and user consent. Nations like Japan, South Korea, and India have introduced or are considering data protection laws aligned with GDPR standards.

Key Takeaways International Alignment: The GDPR's principles have set an international benchmark for data protection laws, encouraging countries to align their regulations with similar standards.

Global Awareness: GDPR's high-profile introduction and subsequent enforcement have raised awareness about data privacy, leading to greater demand for similar regulations worldwide.

Data Protection Best Practices: Many businesses, even those not directly subject to GDPR, have adopted its best practices for data protection to ensure compliance with various international standards.

The GDPR's global influence underscores the importance of data protection in today's interconnected world and highlights its role in shaping privacy laws beyond European borders. Businesses operating internationally should consider these influences when developing their data protection strategies.

A Peek into GDPR Cookie-Related Fines

Examining GDPR's historical fines reveals a pattern related to improper cookie usage.

1. Google's €50 Million Fine in France

Example: In 2019, France's data protection authority, CNIL, imposed a €50 million fine on Google for a lack of transparency and inadequate consent regarding ad personalization cookies.

Reference: CNIL's Official Statement

Quote: "The amount of the fine takes into account the seriousness of the breaches observed, the fact that Google had essential character services on which the economic model of the company is based, and that the company cooperated with the CNIL."

2. Fine Imposed on H&M in Germany

Example: In Germany, the fashion retailer H&M faced a €35 million fine in 2020 for extensive employee surveillance and the illegal collection of employee data, including through cookies.

Reference: Reuters - Germany fines H&M 35 million euros for data protection breaches

Quote: "This case demonstrates that privacy violations can lead to significant fines, and it highlights the importance of respecting data subjects' rights and obtaining proper consent."

3. Spanish Football League's €250,000 Fine

Example: Spain's La Liga was fined €250,000 in 2019 for utilizing its mobile app to listen for audio signals from users' devices to identify unauthorized broadcasts of football matches.

Reference: TechCrunch: LaLiga fined $280K for soccer app’s privacy-violating spy mode

Quote: "The use of cookies or other tracking technologies must be clearly disclosed to users, and their consent must be obtained. This case underscores the importance of proper user consent."

Lean more about LGPD fines

Keeping Pace with GDPR Updates and Industry Frameworks

The GDPR landscape is in a constant state of evolution, which can have a profound impact on businesses in various sectors. To stay compliant and adapt effectively, especially in the context of the technical personas we address, it's crucial to understand how industry organizations like the Interactive Advertising Bureau (IAB) and the Transparency and Consent Framework (TCF) play a vital role in shaping and interpreting GDPR-related rules.

After all, Developers and IT professionals, Marketing analysts and E-commerce owners are often responsible for the technical implementation of compliance measures.

1. The Role of IAB in GDPR Compliance

The IAB plays a significant role in facilitating GDPR compliance within the digital advertising ecosystem. It offers guidelines and technical specifications that help developers and IT teams ensure that their ad tech solutions align with GDPR requirements. For example, IAB Europe provides the Transparency and Consent Framework (TCF), a standardized approach to obtaining user consent for online advertising activities. Developers can refer to IAB's technical documentation to implement TCF-compliant solutions, including consent management platforms and advertising technology.

2. Understanding TCF for GDPR Compliance

The Transparency and Consent Framework (TCF) is a key component of GDPR compliance in the digital advertising sphere. TCF provides a standardized way to collect and manage user consent for online advertising and tracking activities. Marketing professionals and website administrators should be aware of TCF's technical specifications, which include the integration of consent strings into websites and mobile apps, to ensure proper compliance. TCF also facilitates transparency by allowing users to make granular choices regarding their data.

3. Staying Informed on GDPR Updates

GDPR is not static; it evolves over time to address emerging privacy concerns. CTOs and IT professionals should proactively monitor GDPR updates and regulatory guidance issued by authorities like the European Data Protection Board (EDPB). They should also keep an eye on changes to industry standards and frameworks like TCF. Staying informed about updates is vital for making necessary adjustments to data processing practices and maintaining compliance.

In conclusion, for all the professionals involved in GDPR compliance, understanding the role of industry organizations like IAB and the technical intricacies of frameworks like TCF is essential. This knowledge empowers them to implement compliant solutions, keep up with evolving regulations, and ensure their organizations' adherence to the GDPR's ever-changing landscape.

In Conclusion

The GDPR and cookies may seem complex, but they don't have to be a headache. By focusing on transparency, user consent, and staying informed about evolving regulations, you can navigate this digital landscape confidently. Whether you're a developer, marketer, entrepreneur, lawyer, or agency owner, respecting user privacy is a win-win. So, go ahead, embrace GDPR and make cookies (the digital ones) a little sweeter for everyone.

Remember, GDPR compliance and cookie management can be made easier with the right tools. Explore AdOpt and simplify your journey toward a safer, more user-friendly online experience.


Cookie Banner
Legal basis

Related posts

Adopt post

Why are cookie banners everywhere?

Want to understand why there are cookie banners on every website you visit today? This article is for you!

Adopt post

How to choose a Cookie Banner for your website

What are the criteria for this choice, and what are the strengths and weaknesses of each option? Well, we're here to help you because this decision needs to be well thought out!

Adopt post

How long can we ignore LGPD?

LGPD is in effect. Despite that, there are still many companies ignoring it, but is that possible? How long can we ignore LGPD?

Adopt post

The Impact of Cookie Banners on Your E-commerce - LGPD

Having a cookie banner on your brand's website has become indispensable for many. However, for e-commerce websites, it has practically become an obligation to have one. This is because this type of website has a technological composition in which cookies are a structural part. Login flow, items in the shopping cart, recommendation showcases, remarketing... Most of them rely on cookies.

Adopt post

How does a cookie banner operate?

Here is a step-by-step explanation of how consent registration works in AdOpt.

Adopt post

We've created a cookie banner plugin.

The WordPress platform powers nearly 450 million websites globally, and it's estimated that 50% of Brazilian websites are on this platform. We are ready to help you, WP lovers!

Adopt post

How to Choose a CMP (Consent Management Platform)?

Using a CMP (Consent Management Platform) is a great way to make efforts to adapt to new privacy regulations like GDPR, LGPD (Lei Geral de Proteção de Dados), and CCPA.

Adopt post

5 Signs Your Website Needs an Cookie Consent Strategy

How does your website handle LGPD? What strategies does it use to comply with the General Data Protection Law? Have you thought about using a cookie notice but don't know if your site has cookies or if it's enough? If you can't answer these questions, be cautious! Your page may be exposed to fines and other sanctions.

Adopt post

Why Give Consent on Every Website I Visit?

Have you ever noticed that every time you sign up for a service to access information or register on a website for purchases, you need to give consent? If you're wondering why you have to give consent on every website you visit, you'll find the answer here.

Adopt post

How to delete cookies and cache in Chrome and other browsers?

Tired of the ads from that site you visited following you around? Is your computer running slow when accessing a particular site? Want to delete all cookies from a specific service or site?

Adopt post

Fines in LGPD - What are they, amounts, and compliance deadlines

In this article, we will answer all your questions regarding fines under the LGPD (Brazil's General Data Protection Law).

Adopt post

Key Differences between LGPD and GDPR and the Impact on Internet Cookies

While both regulations share the goal of safeguarding individuals' rights regarding the processing of their personal data, there are some important differences between them. It is crucial to understand these distinctions and their implications, particularly in the context of internet cookies.

Adopt post

GDPR, LGPD, and CCPA: What Are These Laws, Similarities, and Differences

LGPD, GDPR, and CCPA are data privacy regulations. In this article, we discuss their similarities and differences for practical application.

Adopt post

LGPD: An Opportunity for Digital Marketing Agencies!

Have you ever thought that your marketing agency could find a great business opportunity in LGPD? Well, unlike what many think, it brings changes that can accelerate the demand for the services of these companies.

Adopt post

GDPR Legal Basis: An Introduction

In this article, we'll explore the GDPR foundations and provide practical insights from the basics to more advanced concepts of its legal basis.

Adopt post

Best practices in tag categorization

It's time to talk about one of the most impactful tasks, both for the company and for the visitors of your websites: tag categorization. But why is it so impactful? What is the relevance of this configuration and how can it affect us? It is precisely because of these common questions we receive from our clients that we have written this article on best practices in tag categorization.

Adopt post

What is the difference between cookies, local storage, and session storage?

Despite cookies being more well-known, what is the main difference between cookies and session storage and local storage? Why choose one over the other? This article will help you with these doubts!

Adopt post

Tips on how to notify users after a change on the Terms of Use.

Terms of Use are quite literally the contract established between you and the company offering that product or service in a digital manner. Therefore, not only their development but also any eventual changes require careful consideration.

Adopt post

ROPA in LGPD? Get to Know the Records of Processing Activities.

Brazilian LGPD - General Data Protection Law brought with it several acronyms and specific terms. Many of them imported from other countries and legislations. One of them is ROPA (Record Of Processing Activities), adapted in Brazil to Registros das Atividades de Tratamento. An essential document for any DPO, Data Processor.

Adopt post

LGPD and Cookies all do you need to know?

In this article, you will have a great introduction to the topic, as well as various other variations that revolve around the subject: Cookies and LGPD.

Adopt post

What is a CMP (Consent Management Platform)?

A CMP is a tool/platform used to manage the consent of up to millions of users so that a company can use the data of these users for its previously stated purposes.

Adopt post

Understand the meaning of the LGPD for your company

Surely you've already seen the predictions of fines and sanctions, processes. But, what does it mean to your company?

Adopt post

10 Marketing Processes You Should Rethink under the LGPD!

In the end, our goal has never been to predict doom for companies or to be part of the LGPD's Apocalypse Cavalry. But, since we've been in the market for some time, these kinds of issues always catch our attention when we start data mapping and having conversations with colleagues.

Adopt post

LGPD for marketing | A practical guideline.

Every day, millions of users generate data on the web, which is used by companies around the globe to improve their offerings. Therefore, in 2018, a law was created to regulate the use of personal data by companies, and this directly impacts digital marketing. We're talking about LGPD.




Legal Terms

© AdOpt since 2020 • Made by people who love