Legally Handling Rampant GDPR-iania

Yes — the General Data Protection Regulation (GDPR) is a legitimate legal requirement in certain jurisdictions. Here are the key points:


What the GDPR is

  • It is an EU regulation: formally “Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.” (European Commission)
  • Because it is a regulation (not a directive), it is directly legally binding in EU member states without requiring separate national legislation for most of its provisions. (UW–Madison Information Technology)
  • It entered into force on 25 May 2018. (European Commission)

Where it applies and to whom

  • The GDPR applies within the European Union (and the European Economic Area) to member states and their data protection authorities. (European Commission)
  • It also applies outside the EU under certain circumstances — for example, to organizations not based in the EU if they offer goods or services to EU residents, or monitor the behaviour of individuals in the EU. (IT Governance USA)
  • For example: even a U.S. company may be subject to GDPR obligations if it processes EU residents’ personal data in the context of offering goods/services or monitoring their behaviour. (IT Governance USA)

What this means in practice

  • Organizations subject to the GDPR must comply with its requirements (e.g., lawful basis for processing, data subject rights, data breach notification, etc.). (GDPR.eu)
  • Enforcement: EU/EEA national data protection authorities have the power to investigate and issue sanctions for non-compliance. (European Commission)
  • For organizations outside the EU, the practical enforceability depends on many factors (presence in the EU, assets, cross-border cooperation). But the legal requirement exists for those who fall into scope.

Key takeaway

If your organisation processes personal data of individuals in the EU (or offers goods/services to them, or monitors their behaviour) then yes — the GDPR is legally binding and you must consider compliance.

If your organisation is entirely outside the EU and does not touch EU residents’ data or target them in any way, then GDPR may not apply — but you’d still want to check carefully.



A cookie is a small text file that a website stores on your device (computer, phone, etc.) through your browser. Cookies allow the website to remember information about your visit — for example, your login status, language, cart items, or user preferences — so that the site can function smoothly and recognize you between page loads or visits.


1. What a Cookie Is Technically

  • Stored by the browser: When a server sends a Set-Cookie HTTP header, your browser stores that data under the site’s domain.
  • Sent automatically: On subsequent requests to that domain, the browser includes the cookie in the Cookie: header.
  • Content: Each cookie typically includes a name, a value, an expiration date, and flags like Secure, HttpOnly, and SameSite.

Example:

Set-Cookie: sessionid=abc123; Secure; HttpOnly; SameSite=Lax; Path=/; Expires=Wed, 10 Dec 2025 23:59:59 GMT

2. “Required” or “Strictly Necessary” Cookies

These are the cookies essential for a website to operate properly — without them, the site or key functions wouldn’t work.
Under GDPR and other privacy laws, these do not require user consent, because they are necessary to deliver the service explicitly requested by the user.

Common examples:

  Purpose              Example
  Session management   Keeping you logged in or maintaining your shopping cart between pages
  Security             Preventing cross-site request forgery (CSRF) or load-balancing server traffic
  Preference storage   Remembering cookie consent itself or the user’s chosen language
  Infrastructure       Ensuring correct routing between web servers or caching layers

3. How It Differs from Other Cookies

  • Functional cookies: Enhance experience (e.g., remember dark mode), but not strictly required.
  • Analytics cookies: Track usage for metrics (e.g., Google Analytics); need user consent under GDPR.
  • Marketing cookies: Track users across sites to profile or show ads; always require consent.
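The distinction between strictly necessary and optional cookies is only useful if the application enforces it. The following added example (not code from the original page) shows one way to do that: a registry classifies every cookie the application sets, the user's choice is stored in a consent cookie that is itself strictly necessary, and optional cookies are only emitted when the recorded consent covers their category. The cookie names, the consent cookie format (a comma-separated list such as "analytics,marketing") and the category assignments are assumptions made for the example.

```python
"""Gate optional cookies on recorded consent.

Added example, not part of the original page. The registry, cookie names
and the consent cookie format are hypothetical.
"""
from enum import Enum
from typing import Dict, List, Set


class Category(Enum):
    NECESSARY = "necessary"    # set without consent (strictly necessary)
    FUNCTIONAL = "functional"  # optional: nicer experience, needs consent
    ANALYTICS = "analytics"    # optional: usage metrics, needs consent
    MARKETING = "marketing"    # optional: cross-site profiling, needs consent


# Hypothetical registry: every cookie the application may set, and why.
COOKIE_REGISTRY: Dict[str, Category] = {
    "sessionid": Category.NECESSARY,       # login session
    "csrftoken": Category.NECESSARY,       # CSRF protection
    "cookie_consent": Category.NECESSARY,  # remembers the consent choice itself
    "theme": Category.FUNCTIONAL,          # dark mode preference
    "_ga": Category.ANALYTICS,             # usage metrics
    "ad_id": Category.MARKETING,           # advertising identifier
}


def parse_consent(consent_value: str) -> Set[Category]:
    """Turn the stored consent cookie value into the set of allowed categories.

    Necessary cookies are always allowed; unknown tokens are ignored rather
    than treated as consent for anything.
    """
    allowed = {Category.NECESSARY}
    for token in consent_value.split(","):
        token = token.strip().lower()
        if not token:
            continue
        try:
            allowed.add(Category(token))
        except ValueError:
            pass  # unrecognised category name: grants nothing
    return allowed


def cookies_to_set(pending: Dict[str, str], consent_value: str) -> List[str]:
    """Return Set-Cookie header values for the cookies consent allows.

    `pending` maps cookie name -> value the application wants to set.
    A cookie missing from the registry is treated as optional and dropped,
    so an unclassified cookie can never be set without consent.
    """
    allowed = parse_consent(consent_value)
    headers: List[str] = []
    for name, value in pending.items():
        category = COOKIE_REGISTRY.get(name)
        if category is None or category not in allowed:
            continue
        attrs = "Secure; SameSite=Lax; Path=/"
        if category is Category.NECESSARY:
            # session and CSRF cookies are only needed by the server,
            # so keep them out of reach of page scripts
            attrs = "HttpOnly; " + attrs
        headers.append(f"{name}={value}; {attrs}")
    return headers


if __name__ == "__main__":
    wanted = {"sessionid": "abc123", "theme": "dark", "_ga": "GA1.1", "ad_id": "x42"}
    print(cookies_to_set(wanted, ""))                      # necessary only
    print(cookies_to_set(wanted, "analytics,marketing"))   # plus consented ones
```

The fail-closed rule in cookies_to_set is the point worth copying: a cookie nobody classified is dropped, not quietly set, which is the behaviour a privacy review will ask for.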

4. Example of Disclosure Text

A GDPR-compliant website might display:

“We use necessary cookies to make our site work correctly, such as session cookies that maintain your login and cart. These cannot be switched off. Your use of our website implies your consent to our automatically doing what is necessary to facilitate serving you fully. We also use optional cookies for analytics and personalization, which you can enable or disable.”


In summary:
Required cookies (also called strictly necessary cookies) are the ones essential for the core operation of the site — things like login sessions, cart contents, or security validation. They are permitted without consent because they are part of the service the user actively requested.
