Are the cookies personal data? Do we need to avoid cookies altogether?

Cookies are everywhere in virtual space. The question is whether the virtual cookies that collect data from devices and then use that data to create them also collect personal data. This data is protected under the GDPR. We need to understand the actual nature of these cookies in order to understand their function.

What is a cookie?

Cookies are text files that are attached to your device by websites when you visit that site. Each device is assigned an ID number that will allow it to be identified by the website. The website can associate this unique identifier with specific user accounts or shopping cart activity. The site will begin to get to know you and your preferences.

It is easier to understand cookies by comparing them to the bowls that hold the ingredients to make a cake. These bowls can be accessed via your phone, tablet, or computer and collect the ingredients. The data they require according to their purpose. These data will allow websites to prepare exactly what you want, knowing what you’re interested in, what you’ve bought, and what you need.

But, does this data get collected by websites? This question can only be answered if we understand what “personal data” means.

What are personal data?

Any information that can be used to identify or contact a person is considered personal data. If the data can be used to identify a person by themselves, or through gathering them, they are considered personal. If anonymization or encryption is reversed, then data can be considered personal data.

Personal data examples

  • Name and surname
  • Address at home
  • email address such as [email protected]
  • The data on the identity documents
  • location data
  • An Internet Protocol (IP), address
  • Data held by a doctor or hospital that uniquely identifies an individual

Examples of non-personal information

The registration code for a company
Email address: [email protected]
irreversibly anonymized data

Privacy of personal data

The European Union’s General Data Protection Regulation (the famous GDPR) protects personal data. It states that “Natural persons may be associated with online identifications provided by their devices and tools, such as IP addresses, cookie IDs, or other identifiers, such as radio frequency identification tag tags, radio frequency identification tags, or other identifiers, such as cookies. Cookies can leave behind traces that can be combined with unique identifiers or other information received from servers to help identify natural persons. Cookies are therefore recognized as being able to store personal information.

All cookies are the same? Are they all capable of collecting personal data?

Cookie categories

Although cookies do not have the exact same goals, each cookie collects data that is relevant to the site.

Depending on what data they keep, there may be:

  1. Cookies that store login data
  2. Cookies that remember your preferences
  3. Cookies that store other actions on a website/application

They can live up to a year depending on their longevity.

Cookies that last more than one session
Cookies with a longer validity are automatically deleted after a set time

Cookies are classified according to their need:

Operational – i.e. Those who are required to enjoy the normal operation of the website
Preference cookies and functionality cookies are used to retain user preferences.
Analytic – i.e. They collect information about how a user uses a site, even if they are subjects like سكس مترجم, but are usually anonymized

There are cookies that store personal information and those that anonymize it. The data loses any connection to the users from which they were taken. To comply with the GDPR policy, cookies that store personal data usually require consent from users.

Cookies that store personal data

Cookies that collect personal information must be consented to by each individual, as they can all dispose of their data. The GDPR explicitly protects them. These cookies are not compulsory and users should not be unable to access the site if they are not accepted.

The site must record the session where the user consented to cookies if he has given his consent. This serves as proof that the consent was validly granted.

The following characteristics are associated with the consent to cookies:
Consent must always be given in a clear and informed manner

Consent must be given with knowledge. Users must have access to information about themselves to verify that it is valid. According to the CJEU, consent is obtained by clicking the “I agree/I Accept” box. Pre-checking these boxes by the site is forbidden.

CJEU has ruled that consent is not valid if the storage or acquisition of access to data already stored on the terminal equipment of a user of a website is authorized through a previously checked box. If the user refuses to give consent, they must uncheck the box. If the data are not personal, this rule applies.
Consent must always be given in a clear and concise manner

Websites and apps must permit users to reject certain cookies or accept others. The user must be able consent to cookies being used to remember their username, but not for marketing purposes. If the user does not want to accept cookies, he can withdraw his consent at any time. The user doesn’t have to complete a lengthy process to withdraw consent. He can simply tick a box to agree to cookies. If the user ticks the box to accept cookies, they won’t be able to send you a request in writing to stop them.

The website of The New York Times is an example. It allows users who consent to the use of non-essential cookie to withdraw their consent by clicking a button. The site also lists the steps users must take depending on which browser they use to remove third-party cookies.

Consent must be specific

It is necessary to expressly mention cookies by giving explicit consent. Although we don’t recommend including the cookie policy in site terms and conditions platforms, it is possible to do so. However, consent to accept cookies must be given separately to consent to the terms and conditions.

Consent must be clearly affirmative

Users must tick the appropriate box and unambiguously accept cookies to be a valid action.

As stated above, consent is not implied by the site’s pre-checking these boxes. Cookies are also displayed on messages such as “This site uses cookie.” Continue browsing and you consent to their use.
Cookies that don’t retain any personal data

Cookies that don’t retain any personal data are also available. Users do not need to consent to their use. These cookies are an exception and users must express their consent to use them.

Those who aim to transmit communications in an electronic communications network
Those who provide online services to users
Those that retain the user’s consent or refusal to use cookies
One-time authentication
Those that retain products added to the shopping basket and those used during the payment process
Those related to interface customization
Load balancing is a method that links the device ID to a server in a network during a session.
They restrict access to a service or content on a site to a limited number of views or a specific time period
First-party analytics, which collects data and transforms it into anonymous statistics


The short answer is that cookies can collect personal data. However, this only happens if you consent. They are not a problem, even though they can be found everywhere in the virtual world. You have the option to refuse to accept cookies that retain personal information. Some of them make surfing the Internet easier, so it is important to know what they do.