Are Cookies Personal Data? What GDPR (and CCPA) Actually Say

Cookies count as personal data under GDPR and CCPA when they can identify you. See which cookies qualify, why IP addresses count, and what that means for consent.


by Riad Us Salehin • 3 July 2026


Yes, most cookies are personal data. A cookie counts when it can identify you, directly or combined with other data, through a cookie ID or an IP address. GDPR and CCPA both treat these identifiers as regulated. Strictly necessary cookies that do not identify anyone are the main exception.

Below: which cookies qualify, why cookie IDs and IP addresses count as "online identifiers," and what GDPR's Recital 30 actually says. Also covered: the CCPA angle, and why you still need consent even when a cookie is not personal data.

Are Cookies Personal Data? The Short Answer

Most cookies that track or identify a visitor are personal data under GDPR and equivalent US laws. Analytics, advertising, and other cookies carrying a unique ID identify a person, directly or indirectly. Strictly necessary cookies that do not identify anyone usually are not. The deciding factor is identifiability, not the cookie file itself.

Cookie identifiers and IP addresses are the two most common ways a cookie becomes identifying. gdpr.eu confirms it: cookies "insofar as they are used to identify users, qualify as personal data," which covers most tracking and analytics cookies. An IP address is not always personal data on its own. It usually qualifies once linked to a person or device, even indirectly.

In short: a tracking cookie assigning you a unique ID is personal data. A session cookie that only keeps your cart working, and identifies nothing about you specifically, usually is not.

Before going further, it helps to know exactly what a cookie is: a small text file a website stores on your device. The law calls something personal data when it relates to an identified or identifiable person, whether or not that information sits inside a cookie.

When Does a Cookie Count as Personal Data?

A cookie is personal data when the information it stores, or its identifier, can be linked to an identifiable person, directly or indirectly. GDPR Article 4(1) defines personal data as "any information relating to an identified or identifiable natural person," a deliberately broad standard. A genuinely anonymous cookie that cannot identify anyone falls outside that definition. A pseudonymised cookie remains personal data. An identifier stands in for a name, but it can still be traced back.

Whether a specific cookie counts also depends on who is asking. The classification is contextual, not fixed: the ICO notes the same information can be personal data for one controller and not for another. A cookie ID that only your ad network can trace back to a person may not be personal data in your hands. It is in theirs.

Cookies That Are Personal Data (Tracking, Analytics, Advertising)

Tracking, analytics, and advertising cookies carry a unique cookie ID that follows a device or user across visits. That ID builds a profile, so it identifies someone even without a name attached. A Google Analytics-style _ga cookie assigns a persistent identifier to a browser. Ad-tech cookies do the same to target ads across sites. The European Data Protection Board is explicit that cookie contents can qualify.

"The information stored in cookies can include personal data, such as an IP address, a username, a unique identifier, or an email address." (European Data Protection Board)

Cookies That Usually Are Not (Strictly Necessary)

Session, login, and cart cookies that keep a site working usually do not identify a person and do not build a cross-site profile. A cart cookie that just remembers which items you added, without linking to your identity elsewhere, typically falls outside personal data. "Usually," not "never": a session cookie tied to a logged-in account does identify that account holder.

This bucket also answers two related questions, "are session cookies personal data" and "are first-party cookies personal data," in the same way. First-party versus third-party describes who set the cookie, not whether it identifies you. A first-party analytics cookie with a unique ID is still personal data.

Why Cookie IDs and IP Addresses Count as "Online Identifiers"

Data protection law treats cookie IDs and IP addresses as "online identifiers," a category of personal data. Each can single out a device and, combined with other data, a person. GDPR Recital 30 names both explicitly, listing "internet protocol addresses" and "cookie identifiers" among the online identifiers that can be associated with a natural person.

An IP address is personal data when it can be linked to an identifiable person. That link can run through a third party, such as an internet service provider. The Court of Justice of the European Union's Breyer ruling (C-582/14) covers a dynamic IP, one that changes each time a device reconnects. It still counts if the website operator has a legal means to obtain identifying information from the ISP. The court called this "all the means reasonably likely to be used."

Not everyone reads it the same way. Regulators and courts generally treat even dynamic IPs as personal data because an ISP can trace them to a subscriber. Some in the cybersecurity field argue a standalone IP identifies a router or device, not a specific human. They note it often needs correlation with other logs to identify a user. Both readings agree on the practical takeaway: treat IP addresses with the same care as names or emails.

Common online identifiers that count under Recital 30:

  • Cookie IDs and other unique identifiers
  • IP addresses, static and (per Breyer) most dynamic ones
  • Device and advertising IDs
  • Radio frequency identification (RFID) tags

Canada's Supreme Court reached a similar conclusion outside the GDPR context: in R. v. Bykovets, it held that IP addresses carry a reasonable expectation of privacy. The direction is consistent across jurisdictions, even where the legal test differs.

What GDPR Says: Recital 30 and the Definition of Personal Data

The GDPR does not mention "cookies" anywhere in its articles. It names them once, in Recital 30, and brings them into scope through the Article 4(1) definition of personal data. That single recital is the entire textual basis for treating cookies as a data-protection issue at all.

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags." (GDPR Recital 30)
"[Personal data are] any information relating to an identified or identifiable natural person." (GDPR Article 4(1))

Recital 30 supplies the identifier list; Article 4(1) supplies the test. Together they mean a cookie identifier is personal data once it can single out a person, directly or indirectly. The day-to-day rules for cookie consent live somewhere else entirely: the ePrivacy Directive, not the GDPR articles.

Are Cookies "Personal Information" Under CCPA?

In the US there is no single federal cookie law. The CCPA and CPRA define "personal information" to include online identifiers such as IP addresses and cookie IDs. That makes most tracking cookies personal information under California law. It triggers a "Do Not Sell or Share My Personal Information" opt-out requirement, rather than the GDPR's opt-in consent model.

The qualifier matters. IAPP narrows the test: the CCPA only covers an identifier reasonably capable of being linked to a specific consumer or household. That link can be direct or indirect. An IP address a business cannot reasonably tie to a person or household falls outside that definition. California's own guidance on exactly where that line sits has shifted over time.

This resolves "are cookies PII in the US": yes, for practical purposes. CCPA and CPRA-style state laws define "personal information" broadly. A cookie ID or IP address counts once it is associated with a household or device. The US term "personal information" differs from the GDPR term, but the practical result is the same.

Personal Data or Not, You Still Need Consent: The ePrivacy Catch

Even when a cookie is not personal data, you usually still need consent to set it. The ePrivacy Directive, called PECR in the UK, governs storing or accessing information on a user's device. That rule applies regardless of whether the information is personal data. The ICO confirms this directly: cookies that process personal data carry greater privacy risk than anonymous ones, but "PECR apply to all cookies" regardless.

So the practical question, "do I need a cookie banner," does not turn on the personal-data question alone. GDPR supplies the consent standard once consent is required: "freely given, specific and informed," given through a clear positive action. Strictly necessary cookies, ones essential to a service the visitor requested such as a shopping basket or a security session, are exempt from consent. Most non-essential cookies, personal data or not, need it.

This split shows up constantly in practitioner discussion. One Reddit thread on r/gdpr summarized it well: cookie consent rules apply to information stored on or read from a device. Whether that information is personal data is a separate question. That is the ePrivacy test, not the GDPR one. Conflating the two is the single most common mistake in this area.

Consent is collected through a cookie banner on the visitor's first visit, which is the artifact that actually implements this rule.

Are Cookies Personal Data vs Is a Cookie Itself Personal Data?

Two confusions come up repeatedly. First, a cookie file is not automatically personal data; what matters is the identifier or data it carries, not the file itself. A cookie that stores only a session flag with no identifying value carries no personal data even though it is, technically, a cookie. Second, "are cookies personal data" (a GDPR classification question) is not the same question as "do cookies need consent" (an ePrivacy question).

QuestionWhat it actually asksWhich law answers it
Are cookies personal data?Does this cookie's identifier relate to an identified or identifiable person?GDPR (Article 4(1), Recital 30)
Do cookies need consent?Does storing or reading this cookie on a device require permission first?ePrivacy Directive / PECR

A cookie can need consent without being personal data, since the ePrivacy test is broader. A cookie can also be personal data and still be exempt from consent if it is strictly necessary. The two questions run on separate tracks.

Common Myths About Cookies and Personal Data

Five misconceptions cause most compliance mistakes in this area, each corrected below against what the law actually says.

  • Myth: All cookies are personal data. Reality: only cookies that can identify a person, directly or indirectly, qualify. Strictly anonymous cookies may not.
  • Myth: If a cookie is not personal data, you do not need consent. Reality: the ePrivacy Directive requires consent for most non-essential cookies. This holds regardless of whether they hold personal data.
  • Myth: GDPR is the cookie-consent law. Reality: the ePrivacy Directive is the consent law. GDPR sets the consent standard and supplies the personal-data definition, but it never mentions "cookies" outside Recital 30.
  • Myth: US sites are exempt from this entire question. Reality: CCPA and CPRA treat cookie IDs and IP addresses as personal information. That holds whenever they can be linked to a consumer or household.
  • Myth: An IP address is never personal data. Reality: it usually is. Once it can be linked to an identifiable person, even through a third party like an ISP, it qualifies.

How Consently Helps You Handle Cookies as Personal Data

Consently finds and classifies the cookies on your site, so you know which ones process personal data. It blocks the non-essential ones until a visitor consents, and records that consent as proof.

Consently's automatic scanner crawls your site on install and detects every cookie running on it. It then sorts each one into essential, analytics, or advertising categories automatically. You see at a glance which cookies carry an identifier and which do not, instead of guessing or auditing scripts by hand.

Operationally, that classification feeds directly into consent. Consently's cookie consent banner collects GDPR opt-in or CCPA opt-out consent depending on the visitor's region. It auto-blocks non-essential cookies before that consent is given, so identifying cookies do not fire until a visitor allows them. Every consent decision is stored in a consent log as audit-ready proof. Consently signals those choices to Google through Google Consent Mode v2 and supports IAB TCF v2.3 for programmatic advertising partners.

Consently also generates the cookie policy and privacy policy that disclose this processing to visitors. The classification work above doubles as the paperwork regulators expect to see.

Start free with a 14-day trial. No credit card required.

FAQs

Are cookies personal data?

Yes. Cookies that identify a person, through a cookie ID, an IP address, or a tracking profile, are personal data under GDPR and US state laws. Strictly anonymous cookies that identify no one may not be.

Are all cookies personal data?

No. Only cookies that identify a person, directly or indirectly, qualify. Strictly necessary cookies that cannot identify anyone usually do not, though they still process some data.

Is an IP address personal data under GDPR?

Generally yes. An IP address is an "online identifier" under Recital 30. It is personal data when linked to an identifiable person, even via a third party such as an ISP, per the CJEU's Breyer ruling.

Are session cookies personal data?

Usually not, if they only keep a site functioning and carry no identifier that singles out a specific person. A session cookie tied to a logged-in account can still be personal data.

Are first-party cookies personal data?

They can be. First-party versus third-party describes who sets the cookie, not whether it identifies someone. A first-party analytics cookie with a unique ID is personal data.

Do I need consent for cookies that are not personal data?

Usually yes. The ePrivacy Directive, PECR in the UK, requires consent to store or access non-essential cookies on a device. That holds regardless of whether they hold personal data.

Are cookies considered PII in the US?

Yes, for practical purposes. CCPA, CPRA, and similar state laws define "personal information" to include online identifiers like IP addresses and cookie IDs. Those identifiers count when they can be associated with a person or household.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.