Misconceptions | Updated: 6 April 2026 | 4 min read

Misconception: GDPR Is About Cookies

Many business owners think GDPR is mainly about cookies. But cookies are just a small part. GDPR covers all personal data you process, in any form.

Key Takeaways
  • GDPR covers all personal data you process, not just cookies on your website
  • Cookies partly fall under the ePrivacy Directive, not directly under the GDPR
  • Your customer database, personnel files, and supplier lists all fall under the GDPR
  • A cookie banner alone does not make you GDPR compliant

The misconception

“We’ve sorted our cookie banner, so we’re GDPR compliant now.”

This is one of the most common misconceptions we encounter. And it’s easy to see why: when the GDPR came into effect in 2018, the most visible change for most people was the flood of cookie pop-ups on every website. So in many people’s minds, GDPR became synonymous with cookies.

But GDPR is not about cookies. Cookies are just one tiny piece of a much bigger puzzle.

What GDPR actually covers

The GDPR (General Data Protection Regulation) regulates how organisations process personal data. All personal data. In any form. Through any channel.

That includes:

Your customer data

  • Names, addresses, phone numbers in your CRM
  • Order history and purchase behaviour
  • Customer service tickets and correspondence
  • Newsletter subscription lists

Your employee data

  • Employment contracts and salary information
  • Sick leave records
  • Performance reviews
  • Application materials from rejected candidates

Your supplier data

  • Contact persons at your suppliers
  • Contract details with personal information
  • Payment records with individual names

Your website data

  • Contact form submissions
  • Analytics data (IP addresses, browsing behaviour)
  • And yes, cookies, but as one item among many

The consent requirement for cookies actually comes from the ePrivacy Directive (also known as the “cookie law”), not from the GDPR itself. The GDPR comes into play once the data collected through cookies is personal data, but the cookie consent mechanism itself is a separate legal requirement.

So when people say “GDPR = cookies”, they’re conflating two different laws. And in the process, they forget about 95% of what the GDPR actually requires.

A properly configured cookie banner does:

  • Ask for consent before placing non-essential cookies
  • Offer a real choice (accept, refuse, or customise)
  • Block tracking scripts until consent is given

A cookie banner does NOT:

  • Create a processing register
  • Generate processing agreements with your data processors
  • Set up a procedure for handling data subject requests
  • Document how you handle employee data
  • Establish a data breach notification procedure

What you actually need for GDPR compliance

  1. Processing register - a complete overview of all data processing activities
  2. Privacy policy - a clear explanation of what you do with personal data
  3. Processing agreements - contracts with every party that processes data on your behalf
  4. Data subject rights procedure - how you handle access, deletion, and correction requests
  5. Data breach procedure - what you do when something goes wrong
  6. Legal basis - a valid reason for each type of data processing
  7. Data retention policy - how long you keep data and when you delete it

A cookie banner is important, but it’s item 8 on a list of 8. Don’t confuse the appetiser for the main course.

Go beyond the cookie banner

GDPRWise helps you build complete GDPR compliance - from processing register to data breach procedures. Not just cookies.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.