Cookie Policy: Legal Requirements and Compliance

Cookies Policy: Legal Requirements and Compliance

The Cookies Policy is mandatory for most websites under current EU personal data protection laws. However, what is a Cookies Policy and who needs it? What should it contain so that your website is seen as trustworthy and it complies with all legal requirements?

Answers to these important questions are provided here. For more information, feel free to contact our legal experts.

What is a Cookies Policy?

A Cookies Policy is a declaration to the users of a website about what cookies are and how they are used. It also contains details on sharing personal information with other parties.

What are cookies?

Cookies are a small text file a website stores on your computer or mobile device when you visit a site. Some websites have tens or hundreds of them.

Cookies are used for different purposes, depending on the website. They can:

  • enable the website to remember a user’s preferences (username, language, etc.) for a certain period of time so as to improve a user’s experience
  • collect anonymous statistical data about the user’s browsing experience on the site (not all cookies do this)

Types of cookies

1st party cookies are set by the visited website and can be read only by them. Websites sometimes use external services (analytics, remarketing, tracking) that collect their own cookies - these are the so-called 3-rd party cookies.

Session cookies are deleted when the visitor quits the browser, whereas persistent cookies are not.

EU cookie laws

As cookies can be used to track, store and share data about a user’s behaviour, they are seen as a potential risk to privacy. 

Under GDPR and Directive 2009/136/EC, if a website uses cookies, they must prompt the user to either accept or refuse them. They must also provide information about how they use and share cookies in a clear and easily accessible manner.

For more information about the implications of EU cookie laws for your business, contact us.

Who needs a Cookies Policy?

The US does not have a law requiring consent for cookies. However, the Children’s Online Privacy Protection Act imposes restrictions on the use of cookies.

GDPR and cookies

Meanwhile, the EU law on personal information is the General Data Protection Regulation (GDPR). What GDPR stipulates is that website visitors have the right to receive specific and up-to date information on:

  • what data is collected about them
  • how it is used
  • where it is sent
  • how the user can manage or prevent this from happening

As cookies use personal information, they are covered by GDPR. Therefore, users need to know about them, how they are used and be able to manage them.

It is important to note that the EU legislation applies to all websites and mobile apps that:

  • offer goods and/ or services to people in the EU
  • profile people in the EU, i.e. monitor their behaviour

This monitoring involves the collection of information about the user’s activities (say pages viewed). The data is used to predict the user’s behaviour in targeting ads.

This means that EU laws apply even to websites and apps located and headquartered outside the EU, if they have EU users.

So, even US-based websites need a Cookies Policy if they sell goods or offer services to customers in Italy, Germany or any other EU country.

EU laws affect all businesses based in or directed towards citizens in Bulgaria. If you have questions or need further assistance in the matter, contact our legal experts.

Privacy Policy vs Cookies Policy

EU law is very strict about Privacy Policy - it is mandatory for all websites. Information about cookies may be included in the Privacy Policy. This can be a suitable option with very basic session cookies that help the website work properly.

However, many companies choose to create a separate Cookies Policy. This is especially useful when a number of different cookies are used for various purposes.

In this case, please refer to the Cookies Policy in your Privacy Policy.

Do you need legal advice and assistance? Contact our experienced lawyers.


Cookies policy


When creating a Cookies Policy, a website needs to make sure it:

  1. complies with both GDPR and the ePrivacy Directive (EU cookie laws)
  2. is tailored to the specific website (some use basic session cookies, others sophisticated marketing cookies for targeting ads)
  3. informs users exactly how cookies are used

Under GDPR all websites are required to disclose:

  • what information is collected
  • how it is collected
  • how users can control this

In addition, websites based in the EU or directed towards EU citizens need to comply also with the ePrivacy Directive and:

  • let users know that cookies are used
  • let users know how they are used
  • obtain consent before they use cookies.

Business owners who need additional information about all legal aspects, may contact us here.

Sections of a Cookies Policy

To comply with both EU laws, a Cookies Policy must contain sections explaining:

  • what cookies are 
  • how cookies are used
  • 3rd party cookies (analytics/ remarketing)
  • how cookies can be managed

It is important that the Cookies Policy explains what cookies are in simple and easy to understand language.

How cookies are used should also provide information about the type of cookies used. Websites organize this differently - as a table, in paragraphs or as a list.

3rd party cookies should include a list with specific information, clearly presented.

If the website uses Analytics  services (say Google Analytics), users should be informed about it.

In case remarketing services are used (say Google Ads), this must also be clearly stated. Especially as these may track IP addresses. 

If the website uses web beacons or a similar tracking technology to identify and track  its users, these should be discussed in the Cookies Policy.

Often 3rd parties require that websites have a Cookies Policy, which is usually stated in their Terms of use, so check these carefully.

The Cookies Policy must provide clear directions for the users on how they can manage and/ or delete cookies.

If you need help in creating a Cookies Policy compliant with all legal requirements, contact us.

Consent form

The EU laws strictly require websites to offer users the option to give consent or refuse cookies. This is  why web pages and apps create a special Consent management platform or a Consent form which:

  • lets users know cookies are used
  • provides a link to the Cookies Policy or Privacy Policy
  • gets consent from the user to place cookies.

The consent form is usually displayed as a banner or a pop-up inviting first-time users to press an Agree button.


The global scale of online businesses means websites need to comply with various legal requirements. Creating a Cookies Policy is an important step that would protect your business legally and make it trustworthy.

If you need to consult a good lawyer, contact us. We will be happy to assist you on these and all other kinds of legal matters.


far fa-map


g.k. Gotse Delchev, ul. "Slavovitsa" , block 24Е, office 2, 1404 Sofia, Bulgaria

Western Industrial Zone, 2 Neptun Str.,
9000 Varna, Bulgaria

fas fa-mail-bulk
fas fa-phone-volume