Legal guidance for Cookies

We have collected legal information about cookies and consents that is important to understand when using CookieTractor.


As a CookieTractor user, you are the data controller for the cookies you place on your website. "Cookies" here refers to all cookies, trackers, pixels, and similar technologies. CookieTractor does not process any personal data to handle your consents.

As a personal data controller, you are required by the GDPR to:

  1. Obtain consent when needed
  2. Manage obtained consents
  3. Ensure that there is a legal basis under the GDPR for any processing done without consent
  4. Inform about the processing of visitors' personal data in accordance with pre-determined rules

1. Obtaining consent

CookieTractor helps you to obtain the necessary consent directly in the tool.

When do you need consent?

Necessary cookies

According to the E-Privacy Directive 2002/58/EC, consent is not required for cookies necessary to provide a service explicitly requested by the user. Such cookies may be used to:

  • Enable an app, game, or other services to work
  • Store a shopping cart until purchase in an e-commerce store
  • Remember that the visitor consented (to certain cookies)
  • Save other information that the visitor has chosen to save

Visitor statistics and marketing

Consent is required by the E-Privacy Rules for activities such as:

  • Tracking
  • Analysis
  • Other monitoring of user behavior
  • Marketing

Consent as a legal basis for personal data processing under the Data Protection Regulation 2016/679/EU (GDPR) is almost always required for:

  • Saved shopping carts
  • Reminders
  • Marketing to Custom Audiences and Lookalike Audiences
  • Lead forms, lead ads
  • Remarketing, retargeting
  • Other collection of personal data for marketing purposes

This type of activity/cookie should always be defined as visitor statistics or marketing in the tool. If it does not end up there automatically, you need to go in and change the cookie's category yourself. You also need to customize your script integrations so that they respect the choices made in the consent box. Learn how to do this in the setup instructions.

2. Manage consent

For those cookies that require consent, certain rights are attached. This means that the visitor should be able to:

  • Choose not to consent
  • Withdraw their consent
  • Block cookies
  • Review which cookies may be placed
  • Delete the placed cookies

CookieTractor helps with the processing of your consents in the following way:

Choose not to consent

The visitor can choose directly in the consent modal to actively consent to visitor statistics and marketing cookies, to only one of these categories, or to opt out.

Withdraw their consent

You place a link to change the cookie settings on your website that enables the visitor to withdraw their consent through renewed settings directly in the consent box. Learn how to do this in the setup instructions.

Block cookies

By not actively selecting Visitor Statistics and/or Marketing, these cookies will be blocked for the visitor.

Review which cookies may be placed

By following the link Read more about our cookies in the consent modal, the visitor can review which cookies may be placed.

Please note that the information provided about each cookie is based on CookieTractor's standard texts of known cookies. You need to verify this information for each cookie. You may need to supplement with information if it is missing.

Delete the placed cookies

By following the website's link to the consent modal, visitors can renew their choices. By not actively selecting Visitor Statistics and/or Marketing, all cookies except third-party cookies will be deleted. It is not technically possible for CookieTractor to delete third-party cookies; the visitor must delete these in their browser. Please inform visitors about this in your privacy policy or equivalent.

3. Legal basis according to GDPR

Cookies are a technology that can entail personal data processing, such as storing an IP address or information about user behavior that can be linked to an individual. For all personal data processing, explicit legal support is needed according to Article 6 GDPR, a so-called legal basis.

Consent as a legal basis

Consents that comply with the requirements set out in Article 7 GDPR constitute a legal basis for processing personal data. This means that the consent:

  • Must be proven
  • Must be voluntary
  • Shall be specific, explicit and distinct, and separate from other consents or approvals
  • Must be informed
  • Can be revoked

Consent must be proven

You prove that consent has been given by storing the consents obtained in CookieTractor. Each consent receives a specific key that the visitor can see when they open the consent modal again. If the visitor has questions about what consent has been given, they can provide this key to you, after which you can verify the consent by searching for it in the tool.

Consent must be voluntary

The website must be functional without consent for visitor statistics and marketing cookies. These cookies may never be placed until consent has been obtained. CookieTractor will help you with that, but remember that you need to customize your script integrations to respect the choices made in the consent box. Learn how to do this in the setup instructions.

Specific, explicit and distinct, and separated from other consents or approvals

CookieTractor separates consents for cookies from other approvals that can be made on your website. The visitor chooses at a category level which cookies to consent to, so that it is easy to understand what they are agreeing to. We strive to use as simple language as possible in CookieTractor's standard texts; if you think something is unclear, you should correct it. The same requirements apply to the formulations you add regarding the cookies that do not have standard text.

Consent must be informed

See more under section 4 Information about personal data processing below.

Consent can be revoked

It must be possible to revoke consent at any time, as easily as it was given. The visitor can do this by following the website's link to the consent box and renewing their choices. By not actively selecting Visitor Statistics and/or Marketing, these cookies will be deleted. Third-party cookies are deleted in the browser settings.

Balancing of interests as a legal basis

If you do not obtain consent for cookies that involve personal data processing, you will need a different legal basis under Article 6 GDPR. An example of this is legitimate interest, also known as the balancing of interests. A balancing of interests must be documented and may, for example, be applied to provide certain services, such as functionality on a website.

4. Information about cookies and personal data processing

Information about cookies

According to Chapter 6, Section 18 of the Electronic Information Act, a visitor receives information about which cookies are placed and the purposes of each cookie's processing. This information is provided directly in CookieTractor. If it is missing from our standard texts, you need to fill in what purposes you have with a cookie.

Information about personal data processing under Articles 12-14 GDPR

According to the GDPR, there are pre-determined rules about what information you as a data controller must provide when processing personal data. You can easily do this in a personal data policy or similar document available on your website.

Please note that the GDPR's information requirements apply in addition to the requirements of the Electronic Communications Act regarding the cookies that involve personal data processing (e.g., IP addresses or information about user behavior that can be linked to an individual). For example, under Articles 13 and 14 GDPR, in addition to the purposes of the processing, you must state what legal basis you have for the personal data processing, who besides you can access the data, and what rights the individual has under the data protection regulations.

Some of these points are already met with CookieTractor, such as purposes and retention periods. Still, the information requirements set out in said articles of the GDPR are much more far-reaching than can fit in a consent modal, whose primary purpose is to obtain and manage consents legally. Therefore, our best tip is that you provide the information in different layers and link between the information in CookieTractor and the information contained in your privacy policy.

Good to know

To inform visitors, you need to know which cookies you use on the website. It is important to have an initial inventory and a routine for noticing when you start using new tracking. CookieTractor will automatically conduct a monthly search for cookies and update your cookie list with anything that has been added or removed. You will receive an email after each search informing you of what changes have occurred. It is also good to review whether you actually use your cookies or whether some can be discontinued because they are not actively in use.

Third-party services

When you use third-party services, such as various plug-ins, like-buttons, and similar, there is a high risk that you are joint personal data controllers with the third party whose service you use. The requirements for joint data controllers can be found in Article 26 GDPR and mean that you need to develop a joint arrangement with the third party to determine your respective responsibilities according to the data protection regulations.

You also need to review your agreements with the third party to determine whether they comply with applicable laws and regulations concerning third-country transfers. You also need to keep track of how the agreements are updated and monitor the changes that are being made, which may impact your personal data responsibility and, for example, the information you should provide.

Third country transfers

With the Schrems II judgment (C-311/18), the legal situation for third-country transfers to the United States became unclear. Third-country transfer means that you (the cookie you are responsible for placing) distribute personal data (such as IP addresses or information about user behavior) to a party (a company or organization) that has its registered office in a country outside the EU/EEA. It does not matter if the party has its servers within the EU/EEA if someone in the company or organization has access to the personal data.

If you wish to use services that involve third-country transfers of personal data, you must ensure that you have special legal support for it under Chapter 5 of the GDPR.