Skip to main content

When compliance is needed and what to include

Updated over a week ago


GDPR regulations apply to any EU company. GDPR requires that all personal data that is collected and/or processed is made transparent, including the disclosure of the purpose for data collection.


1. Main legislation:

  • E-privacy directive: how to use cookies (this directive will change soon).

  • GDPR applies in the circumstances where cookies work as online identifiers (e.g. a user authentication cookie would involve the processing of personal data, as it is used to enable the user to log in to their account at an online service).

2. Requirements

  • Information on the use of cookies (which cookies, for what purposes, and for what duration).

  • Consent for all types of cookies (but not for strictly necessary cookies*)

    • Consent can be asked only once, but it is recommended to refresh after a certain period of time.

    • Consent can be withdrawn at any time and in an easy way.

    • Consent needs to be a positive action (e.g. pre-ticked boxes or ‘on’ slides cannot be used). This also includes consent banners that might be difficult to read on mobile devices.

  • Duration of cookies needs to be determined (period of time and/or number of visits to the website) - it can also be determined by national legislation

    Note: The above requirements also apply for Statistics Cookies (performance cookies). These cookies collect information about user behavior on a website, such as which pages they visited and which links they clicked on.

*Strictly Necessary Cookies: Cookies that are needed in order for a website to carry out online communication.

  • User-input cookies (session-id) such as first-party cookies to keep track of user input when they fill out online forms, place items in digital shopping carts, etc.

  • Authentication cookies are used to identify the users once they are logged in.

  • User-centric security cookies are used to detect authentication misuse.

  • Multimedia content cookies include player cookies that are used to store technical data that is needed in order for the user to play video or audio content.

  • Load-balancing cookies Load balancers use a specific load balancing cookie to track the instance of each request to each listener.

  • User interface customization cookies include, for example, language or font preferences (these can be first or third-party cookies).

Responsibilities under the GDPR



Define (and explain) which cookies are used (applicable also for 3rd party cookies), their purpose, and their duration.

Provide/display information on the use of cookies to website’s visitors

Document and store consent

Obtain consent for all types of cookies and document it

Control how long the cookies are stored for

Information about the possibility of revoking consent

Allow users to access the website even if they reject all cookies

Allow users to access website even if they reject all non-necessary cookies

If cookies imply the collection of personal data, then the customer needs to be in compliance with the GDPR as a data controller

We will be classified as data processors

The California Consumer Privacy Act is basically a set of regulations that apply to any organization that collects personal data on any California resident.

CCPA regulations apply to any organization that meets two criteria:

  1. The organization collects personal information from consumers.


  2. The organization meets any of the following:

  • Has an annual gross revenue of more than 25 million USD

  • Buys, receives, or sells the personal information of 50,000 or more consumers or households.

  • More than 50% of annual revenue comes from selling the personal information of their consumers.

Data collected by cookies is considered to be personal information. CCPA does not require businesses to gain opt-in consent for cookies, but it does require that companies disclose what data is being collected by cookies and what is done with the data. Additionally, businesses need to take steps to comply with the option for their website users to opt-out of the sale of personal information collected by cookies.

It is therefore recommended to include information on first-party session cookies in the Privacy Policy. A statement such as this is normally sufficient:

"Personal information is sold and this might include information obtained by cookies."

Additional Resources

  • APA: Australia's Privacy Act includes thirteen codes of conduct with regards to the disclosure of personal information. Websites, companies, and organizations that operate in Australia must follow these codes of conduct in order to be compliant.

  • SHIELD: The Privacy Shield Program Overview is a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.

  • PIPEDA: The Personal Information Protection and Electronic Documents Act of Canada applies to transfers of personal information to a third party operating outside of Canada.

For definitions and explanations of acronyms and abbreviations used in the Monsido User Guide, see:

For further assistance, contact the Monsido support team at or use the Monsido chat and help features inside the application.

Image of the toolbar with the Help Center buttons highlighted.

Did this answer your question?