ePrivacy Directive | GDPR Compliance | Cookie Management | Multi-Jurisdictional
This Cookie Policy applies to website [Website/App Name] at [Domain URL]. We use cookies, pixels, and similar tracking technologies to enhance user experience, measure analytics, and deliver personalized content. Legal Framework: ePrivacy Directive 2002/58/EC Article 5(3) (consent for storing or accessing information on terminal equipment), GDPR 2016/679 Articles 5-7 (principles, lawful basis and consent) wherever the cookie data are personal data, German TDDDG §25 (the national transposition of Art. 5(3); it replaced TTDSG §25 in 2024, which in turn replaced the old TMG provisions in December 2021), and, only where the operator is a financial institution, the US Gramm-Leach-Bliley Act (GLBA) §501.
1.1 Definition & Scope: Per ePrivacy Directive Article 5(3):
• Cookies: Small text files (or similar storage mechanisms such as Local Storage, SessionStorage and IndexedDB) stored on the user's device (browser/mobile) that identify the user or store preferences. Art. 5(3) is technology-neutral: it covers any storing of information on, or gaining of access to information already stored in, the user's terminal equipment, whether or not that information is personal data (EDPB Guidelines 2/2023 on the technical scope of Art. 5(3)).
• Scope: This policy covers ALL tracking technologies including:
- HTTP cookies per RFC 6265 (HTTP State Management)
- Web beacons/pixels (1x1 images) per Art. 5(3)
- JavaScript tracking, including fingerprinting scripts that read device properties, per Art. 5(3) / TDDDG §25
- Cross-domain cookies (3rd party) per Art. 5(3)
1.2 Consent REQUIREMENT (MANDATORY): Per ePrivacy Directive Article 5(3):
✓ PRIOR AFFIRMATIVE CONSENT required before placing or reading cookies (except those strictly necessary for a service the user explicitly requested) per Art. 5(3)
✓ Consent must be ACTIVE & OPT-IN (not pre-checked): a "clear affirmative act" per GDPR Art. 4(11) and Recital 32; pre-ticked boxes are invalid per CJEU Planet49 (C-673/17)
✓ NO cookie deployment before consent: consent-gated scripts must not execute, and no Set-Cookie for a non-essential cookie may be sent, until the opt-in has been recorded. Breaches of Art. 5(3) are fined under the national law transposing it; where the cookie data are personal data, GDPR fines of up to €20M / 4% of worldwide annual turnover also apply per GDPR Art. 83(5)
2.1 Cookie Categories (PER ePrivacy DIRECTIVE): Art. 5(3) itself distinguishes only exempt cookies (strictly necessary for a service the user requested, or needed to carry a communication) from all others, which require consent. The categories below are the granularity at which consent is collected and withdrawn:
| Category | Purpose | Consent? | Examples | Retention |
|---|---|---|---|---|
| Essential/Strictly Necessary | Authentication, security, session management, storing the consent choice itself | ✗ NO | Session ID, CSRF tokens, login tokens, consent-record cookie | [24 hours] post-logout |
| Functional | User preferences (language, theme, accessibility) | ✓ YES | Language preference, font size, UI settings | [1 year] |
| Analytics | Behavior tracking, usage statistics, performance | ✓ YES | Google Analytics 4 (_ga, _ga_<container>), Matomo, Heap | [14 months] |
| Marketing/Advertising | Ad targeting, retargeting, audience segmentation | ✓ YES | Facebook Pixel (_fbp), Google Ads, LinkedIn Insight | [90 days] |
| Personalisation | Content customization, product recommendations | ✓ YES | Personalization engine cookies, A/B testing | [6 months] |
3.1 Consent Banner (MANDATORY - GDPR ARTICLE 7): Per GDPR Article 7 (Consent) and EDPB Guidelines 05/2020 on consent:
✓ Display on FIRST visit, before any non-essential cookie is set or any consent-gated script is loaded (Art. 5(3) ePrivacy; Art. 6(1)(a) GDPR)
✓ SEPARATE opt-in per cookie category (not bundled): consent must be specific and granular per Art. 4(11), Art. 7(2) and Recital 43
✓ "Reject All" as easy and as prominent as "Accept All" (same size, same layer, nothing pre-selected): refusing must be as easy as consenting per Art. 7(3) and EDPB Guidelines 03/2022 on deceptive design patterns
✓ Clear language: plain description of each category's purpose and of the third parties that receive the data, presented in a way clearly distinguishable from other matters per Art. 7(2) and Art. 12(1)
3.2 Withdrawal of Consent (RIGHT TO WITHDRAW): Per GDPR Article 7(3):
✓ Users may withdraw consent at any time, as easily as it was given, per Art. 7(3) via:
- Cookie banner footer link (always visible) per Art. 7(3)
- Email to [privacy@company.com]
- Account privacy settings (if logged in)
✓ Withdrawal effective immediately: stop loading the consent-gated scripts, expire the affected first-party cookies (a Set-Cookie with Max-Age=0 on the same Path and Domain they were set with), and delete the associated server-side records on request per Art. 17 (Right to Erasure). Withdrawal does not affect the lawfulness of processing carried out before it (Art. 7(3)). Cookies a vendor set on its own domain cannot be cleared by this site; for those the policy links to the vendor's own opt-out.
4.1 Data Processors (OUR 3RD PARTIES): Per GDPR Article 28 (Data Processor Agreement):
• Analytics Services: [Google Analytics 4 / Matomo / Heap] per Art. 28(3)
• Ad Platforms: [Facebook Business / Google Ads / LinkedIn Campaign Manager]. These typically act as joint controllers for the collection and transmission of pixel data (CJEU Fashion ID, C-40/17), so they are covered by a joint-controller arrangement per Art. 26 rather than, or in addition to, an Art. 28 processor agreement
• CDN/Hosting: [Cloudflare / AWS / Fastly] per Art. 28(3)
• Data Processing Agreements: Signed with all processors per Art. 28(3); this list is kept consistent with the cookie table in section 2.1
4.2 International Data Transfers (SCHREMS II): Per GDPR Articles 44-49 (International Transfers):
• EU→US transfers rely on the EU-US Data Privacy Framework adequacy decision (2023) per Art. 45 for certified recipients, or on Standard Contractual Clauses (SCCs) per Art. 46(2)(c) together with a transfer impact assessment as required by CJEU Schrems II (C-311/18); the Art. 49 derogations are used only for occasional, non-repetitive transfers
• Supplementary safeguards: Encryption in transit and at rest, IP truncation and pseudonymisation where possible, per Art. 32 (fully anonymised data fall outside the GDPR)
5.1 Retention Periods (STORAGE LIMITATION): Per GDPR Article 5(1)(e). The lifetime set on each cookie (Max-Age/Expires) must not exceed the period stated here, and server-side records keyed by the cookie value are deleted on the same schedule:
• Essential Cookies: [24 hours] maximum after logout per Art. 5(1)(e)
• Functional: [1 year] per Art. 5(1)(e)
• Analytics: [14 months] (the maximum GA4 data-retention setting; the _ga cookie itself defaults to a two-year lifetime and must be shortened to match) per Art. 5(1)(e)
• Marketing: [90 days] per Art. 5(1)(e)
5.2 Right to Deletion (GDPR ARTICLE 17 - "RIGHT TO BE FORGOTTEN"): Per GDPR Article 17:
✓ Users may request deletion at any time via [privacy@company.com] per Art. 17(1)
✓ Delete the cookie-linked data without undue delay and within one month of the request (extendable by two further months for complex requests, with the user informed of the extension) per Art. 12(3); the cookies themselves are expired on the user's next visit, and the user is told how to clear them locally
✓ Confirm deletion (provide receipt) per Art. 12(3), and notify each recipient to whom the data were disclosed per Art. 19
6.1 DNT Header Respect: Per the W3C Tracking Preference Expression (Do Not Track). TPE was published as a W3C Working Group Note in 2019 and never became a Recommendation, and browsers have been removing the setting; its successor signal is Global Privacy Control (the Sec-GPC: 1 request header), which we honour in the same way:
• If the user's browser sends the DNT: 1 request header (or Sec-GPC: 1), we RESPECT it regardless of any stored consent:
✓ DO NOT load Google Analytics
✓ DO NOT load marketing/retargeting pixels
✓ DO NOT track the user's browsing
✓ ALLOW essential and functional cookies only
6.2 HTTP Response Headers (Tracking Status): The TPE response header is named Tk, and its tracking-status values are the reverse of what older templates state:
• If DNT is respected and no tracking category is active: Tk: N (not tracking)
• If tracking is active under a recorded opt-in: Tk: C (tracking with prior consent)
• We never send Tk: T (tracking without a consent claim) or Tk: D (disregarding the user's signal); the full tracking status resource is served at /.well-known/dnt/
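The following Node.js module is an added example of how the consent gating in sections 1.2 and 3.1-3.2 and the DNT/Tk handling in 6.1-6.2 can be enforced on the server side; it is not part of this policy and is not code from any vendor named in it. The consent cookie name and JSON layout, the cookie registry (names, categories, lifetimes and the .example.com domain) and the Sec-GPC handling are assumptions chosen to mirror the policy's bracketed placeholders; the retention numbers are the policy's own.

```javascript
// Added example, not part of the policy. Consent cookie format, registry entries and
// ".example.com" are assumptions that mirror the policy's placeholders.
const CONSENT_COOKIE = 'cookie_consent';                          // assumed name
const OPTIONAL = ['functional', 'analytics', 'marketing', 'personalisation'];
const TRACKING = ['analytics', 'marketing', 'personalisation'];   // switched off by DNT

// Assumed registry: category and policy maximum lifetime (seconds) of each known cookie.
// `domain` is kept because an expiring Set-Cookie must repeat the original Domain.
const REGISTRY = {
  sid:        { category: 'essential',  maxAge: 24 * 3600 },
  csrf_token: { category: 'essential',  maxAge: 24 * 3600 },
  lang:       { category: 'functional', maxAge: 365 * 86400 },
  _ga:        { category: 'analytics',  maxAge: 14 * 30 * 86400, domain: '.example.com' },
  _fbp:       { category: 'marketing',  maxAge: 90 * 86400,      domain: '.example.com' },
};
const lookup = (name) => (Object.prototype.hasOwnProperty.call(REGISTRY, name) ? REGISTRY[name] : null);

function parseCookies(header) {
  const out = Object.create(null);                 // no prototype keys from hostile names
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// Consent record: URI-encoded JSON {v:1, ts, c:{category: true|false}}. Anything malformed
// yields null, which callers must treat as "no consent", never as "accept all".
function parseConsent(cookieHeader) {
  const raw = parseCookies(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(raw));
    return rec && rec.v === 1 && rec.c && typeof rec.c === 'object' ? rec : null;
  } catch {
    return null;
  }
}

// Categories usable on this request: essential always; optional ones only with a stored explicit
// true; DNT: 1 (and its successor Sec-GPC: 1, an addition beyond the policy text) forces the
// tracking categories off even if the user once opted in.
function effectiveConsent(cookieHeader, reqHeaders) {
  const rec = parseConsent(cookieHeader);
  const allowed = { essential: true };
  for (const c of OPTIONAL) allowed[c] = rec !== null && rec.c[c] === true;
  if (reqHeaders.dnt === '1' || reqHeaders['sec-gpc'] === '1') {
    for (const c of TRACKING) allowed[c] = false;
  }
  return allowed;
}

// Set-Cookie for the consent record. Storing the user's choice is strictly necessary, so it needs
// no consent of its own; not HttpOnly because the banner script reads it. Anything the user did
// not explicitly tick is stored as false (no pre-selection).
function consentSetCookie(choices, nowSec) {
  const c = {};
  for (const k of OPTIONAL) c[k] = choices[k] === true;
  const value = encodeURIComponent(JSON.stringify({ v: 1, ts: nowSec, c }));
  return `${CONSENT_COOKIE}=${value}; Path=/; Max-Age=${180 * 86400}; Secure; SameSite=Lax`;
}

// On withdrawal (or a DNT signal) expire every known first-party cookie whose category is no
// longer allowed. Cookies a vendor set on its own domain are out of reach here; the only remedy
// for those is to stop loading that vendor's script.
function withdrawalSetCookies(cookieHeader, allowed) {
  const out = [];
  for (const name of Object.keys(parseCookies(cookieHeader))) {
    const meta = lookup(name);
    if (!meta || allowed[meta.category]) continue;
    const dom = meta.domain ? `; Domain=${meta.domain}` : '';
    out.push(`${name}=; Max-Age=0; Path=/${dom}; Secure; SameSite=Lax`);
  }
  return out;
}

// Tk response header per the W3C TPE Note: N = not tracking, C = tracking with consent.
// D (disregarding DNT) is never produced because DNT always wins in effectiveConsent().
function tkHeader(allowed) {
  return TRACKING.some((c) => allowed[c]) ? 'C' : 'N';
}

// Audit a Set-Cookie line the application is about to emit: an unknown cookie cannot be disclosed
// in section 2.1, a non-consented category breaches 1.2, and a Max-Age above the registry value
// breaches the retention periods in 5.1.
function auditSetCookie(line, allowed) {
  const [nameValue, ...attrs] = line.split(';').map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf('='));
  const meta = lookup(name);
  if (!meta) return [`${name}: not in cookie registry`];
  const problems = [];
  if (!allowed[meta.category]) problems.push(`${name}: category "${meta.category}" not consented`);
  const ma = attrs.find((a) => /^max-age=/i.test(a));
  if (ma && Number(ma.slice(8)) > meta.maxAge) {
    problems.push(`${name}: Max-Age ${ma.slice(8)}s exceeds policy retention ${meta.maxAge}s`);
  }
  return problems;
}
```

Typical use is a middleware that calls effectiveConsent() once per request, loads only the scripts whose category is allowed, sets the Tk header from tkHeader(), and runs auditSetCookie() over every outgoing Set-Cookie in a staging environment. The audit deliberately flags the default two-year _ga lifetime against the 14-month retention the policy declares, which is the mismatch a regulator reading the policy next to a browser's cookie store would find first.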
7.1 Changes to Cookie Use (RE-CONSENT REQUIRED): Per GDPR Article 13 (Transparency):
• If we ADD new tracking technologies or a new cookie category: (a) Update this policy and the cookie table, (b) Re-display the consent banner, (c) Request consent for the new category; a previously stored consent record does not cover it, per Art. 13 and Art. 6(1)(a)
• If we CHANGE cookie purposes: Email users (if material change) per Art. 13; consent must be specific (Art. 4(11)), so existing consent does not extend to a materially different purpose
7.2 Version & Change Log:
• Version: 1.0
• Last Updated: [Date]
• Changes: [Version history / dates of updates]
8.1 Data Subject Rights (MANDATORY ACCESS & CONTROL): Per GDPR Articles 15-22:
✓ Right to Access (Article 15): Request all data we collect via cookies per Art. 15
✓ Right to Erasure (Article 17): Delete your cookies/data per Art. 17
✓ Right to Object (Article 21): Object to processing based on legitimate interests (Art. 21(1)); objection to direct marketing, including profiling for it, is absolute and is honoured without any balancing test (Art. 21(2)-(3))
✓ Right to Portability (Article 20): Receive the data you provided, where processed by automated means on the basis of consent, in a machine-readable format per Art. 20
✓ Right to Rectification (Article 16): Correct inaccurate data per Art. 16
• Exercise Rights: Email [privacy@company.com] | Response without undue delay and within one month, extendable by two further months for complex requests, per Art. 12(3)
9.1 Regulatory Penalties (VIOLATION CONSEQUENCES): Per GDPR Articles 83-84 (Fines) and national ePrivacy law:
✓ Non-compliance with the ePrivacy Directive (no consent before cookies): fined under the national law transposing Art. 5(3), not under GDPR Art. 83; caps vary widely by Member State, and in France GDPR-level amounts have been imposed for cookie breaches under Article 82 of the Loi Informatique et Libertés (CNIL decisions against Google and Facebook, December 2021)
✓ GDPR violations of the basic principles, including the conditions for consent (Arts. 5-7): Up to EUR 20,000,000 or 4% of worldwide annual turnover (whichever higher) per Art. 83(5)(a)
✓ Inadequate consent (pre-checked boxes, bundled consent, rejection harder than acceptance) is a breach of Art. 7 and therefore falls in the Art. 83(5)(a) tier above; the lower Art. 83(4) tier (EUR 10,000,000 or 2%) covers controller and processor obligations such as Art. 28 contracts and Art. 32 security
9.2 Data Protection Authority (DPA) Complaints:
• Users may file complaints with a supervisory authority per Art. 77
• Jurisdiction: the DPA in the Member State of the user's habitual residence, place of work, or place of the alleged infringement per Art. 77(1); for cross-border processing the lead authority of our main establishment coordinates the case per Art. 56
Last Updated: [Date] | Version: 1.0 | Effective: [Date]