Cookie consent

What it is

In the EU and UK, the ePrivacy Directive — implemented through national laws such as PECR in the UK — requires consent before storing or reading information on a user’s device. The GDPR then defines what valid consent looks like: a freely given, specific, informed, and unambiguous indication of the user’s wishes, given by a clear affirmative action.

This applies to cookies, but also to localStorage, sessionStorage, IndexedDB, fingerprinting, and pixel trackers. The technology does not matter; the storage and access do.

Why it matters

Cookie consent is the most enforced part of EU privacy law on the public web. National regulators — CNIL, the Garante, the ICO, the Belgian DPA — issue fines regularly, and most of them target the same patterns: pre-ticked boxes, “reject” buttons hidden two clicks away, and banners that count scrolling as consent.

A non-compliant banner is also a poor user experience. Visitors do not want to negotiate with your site before reading it.

How to implement

The principles are simpler than vendors make them sound:

• Strictly necessary cookies do not need consent. Session cookies for login, shopping carts, security tokens, and load balancing are exempt. Analytics, advertising, social embeds, and A/B testing are not.
• Set no non-essential cookies before the user accepts. This includes Google Analytics, Meta Pixel, Hotjar, YouTube embeds, and most “marketing” tags.
• Give “accept” and “reject” equal prominence. Same size, same colour weight, same number of clicks. A bright green “Accept all” next to a grey “Manage preferences” is non-compliant.
• Rejecting must be as easy as accepting. One click. Not a maze of toggles.
• Reject means reject. No tracking cookies, no fingerprinting fallback, no “legitimate interests” toggle that is on by default.
• Be specific about purposes. “Analytics” and “marketing” are categories users can choose between; “improving your experience” is not.
• Let users change their mind. A persistent link in the footer to reopen the banner.
• Re-ask only when the purposes change, not every visit.

The banner is not the consent record. Store the user’s choice — what they consented to, when, and which version of the notice they saw.

Common mistakes

• Pre-ticked boxes for any non-essential purpose. The CJEU ruled this invalid in Planet49 (2019).
• “By using this site you agree” — implied consent is not valid consent under GDPR.
• Loading analytics scripts before the user has chosen.
• A “reject” button that is visually deprioritised, or only appears after clicking “preferences”.
• No way to withdraw consent later.
• Treating the UK as exempt from these rules — UK GDPR and PECR are substantively the same.

Related topics

• Privacy policy
• Third-party scripts and privacy
• Privacy-respecting analytics
• Global Privacy Control (GPC)

Sources & further reading

• EDPB Guidelines 03/2022 on deceptive design patterns in social media — EDPB
• ICO — Cookies and similar technologies — ICO
• CNIL — Cookies and other trackers — CNIL
• ePrivacy Directive 2002/58/EC, Article 5(3) — EUR-Lex