The new EU General Data Protection Regulation (GDPR) is already in place and affects all businesses serving users in the EU. The regulation contains many articles covering data protection, the right to privacy and information about how personal data is handled.
The regulation requires clear consent to any tracking that is used to profile user behavior, which includes the use of tracking cookies. If you haven’t already implemented a cookie consent widget on your website, you should not wait any longer.
Recital 30 of the GDPR is the only place where cookies are mentioned:
“Natural persons may be associated with online identifiers […] such as internet protocol addresses, cookie identifiers or other identifiers […]. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.”
This means that when cookies are used to identify the user’s device, they are considered personal data. This can affect cookies used for analytics, marketing and more.
According to Recital 32, clear consent should be given before any personal data is collected: “[…]Silence, pre-ticked boxes or inactivity should not therefore constitute consent[…]”. This means that you cannot use cookie banners that automatically allow cookies if ignored, or that show a message like “By using this web site you accept to allow cookies…”.
Additionally, users should be able to revoke consent for certain processing activities.