Cookies: how to use them lawfully?
Cookies are an integral part of most modern websites. Almost every user has encountered, or at least heard of, a pop-up window (a cookie banner) offering to accept or configure the use of such files in order to optimise and improve the operation of a website.
This article examines the definition of cookies, their functions, as well as the key requirements for ensuring their lawful use.
What are cookies and what are they used for?
Cookies are small fragments of textual information (data) that are stored in a user’s browser in connection with visiting and using a website. The primary purpose of their use is to ensure the efficient functioning of a website, which includes, for example:
- implementation of the basic functionality of the website;
- improvement of the website’s performance;
- keeping the user logged into the system (authentication);
- remembering the user’s selected settings (language, region);
- personalisation of content;
- tracking user actions on the website (analytics);
- displaying relevant (contextual) advertising.
Thus, the use of cookies is primarily aimed not at providing the core services of a website, but at maintaining ease of use and improving user interaction with the website. In addition, cookies track user behaviour in order to provide relevant analytics and contextual advertising.
Are cookies personal data?
Information about cookies used on a website is often presented in the form of a cookie banner. Many such cookie banners constitute merely a notification about the use of cookies, rather than a request for consent, which does not always comply with national personal data legislation.
This raises the question: how do cookies correlate with personal data regulation?
Personal data is any information that makes it possible to identify an individual. Cookies may collect IP addresses, user identifiers and browsing history, which makes it possible to identify a user via their device. Therefore, most cookies are considered personal data and are regulated by the relevant legislation.
Key requirement: the use of cookies requires the website owner or developer to obtain the user’s consent as a lawful basis for the processing of personal data.
An exception applies to “strictly necessary” cookies, as they ensure the direct functioning of the website, i.e. without them the website will not operate correctly and the user will not be able to use it.
Since cookies collect certain categories of personal data that may subsequently be used for advertising purposes, the legislation of a number of countries establishes an obligation to obtain the user’s consent in order to protect their personal data.
What is required when using cookies?
As a rule, the lawful use of cookies requires not only obtaining consent as a lawful basis for the processing of personal data, but also properly informing the user, which may be done through the following means in combination:
- a cookie banner;
- a Cookie Policy.
1. Cookie banner
It is recommended that the cookie banner contain brief information about the cookies used. The banner also serves as a mechanism for obtaining user consent and, where necessary, provides the ability to configure preferences in relation to specific categories of cookies.
In a number of jurisdictions, specific requirements apply to the design of cookie banners. In particular, it is not permissible to:
- pre-tick checkboxes;
- automatically apply all cookies before obtaining the user’s consent.
Consent must be revocable: the user should be given the opportunity at any time to review their decision and change their settings.
2. Cookie Policy
A Cookie Policy may be a standalone document or form part of the general Personal Data Processing Policy (Privacy Policy).
As a rule, a Cookie Policy includes:
- a full description of all cookies used (name, source);
- categories of cookies (for example, necessary, analytical, marketing);
- purposes of data processing for each category;
- cookie retention periods;
- methods for changing parameters and settings by the user.
Requirements for the content and form of such a document depend on the specific jurisdiction; however, the general rule remains unchanged — transparent and clear user information.
Given the differences in national regulation, the use of cookies requires an individual approach. The team of lawyers at REVERA is ready to provide consultations on building correct and transparent models for working with cookies.
Authors: Liudmila Yepikhava, Aliaksandra Mahlysh.