Cookie Consent Requirements Under GDPR and ePrivacy
Cookie consent is one of the most widely misunderstood requirements in digital compliance. Every week, websites deploy new consent banners in the belief that their presence alone satisfies the law. It does not. The legal requirements for cookie consent are set primarily by the ePrivacy Directive (Directive 2002/58/EC) for the EU and the Privacy and Electronic Communications Regulations (PECR) for the UK, supplemented by GDPR's strict definition of valid consent. This document explains what the law actually requires, which cookie types need consent, what a legally valid consent mechanism looks like, and how ConsentLens evaluates your implementation.
The Legal Source of Cookie Consent Requirements
Cookie consent requirements in the EU originate from Article 5(3) of the ePrivacy Directive (2002/58/EC), which states that storing or accessing information on a user's terminal equipment requires prior informed consent — with a narrow exception for technically necessary operations. The GDPR then governs what 'valid consent' means, raising the bar significantly above the weak tick-box consent that prevailed before 2018.
In the UK, the equivalent framework is the Privacy and Electronic Communications Regulations 2003 (PECR), which implements the ePrivacy Directive. Post-Brexit, the UK's PECR has not been updated to reflect GDPR-level consent standards in law, but the ICO (Information Commissioner's Office) interprets PECR consent requirements in line with GDPR Article 7 standards in practice. UK websites therefore face substantively the same consent obligations as EU websites.
The ePrivacy Regulation — the intended successor to the ePrivacy Directive — has been in negotiation since 2017 and as of 2026 remains unadopted. The current Directive therefore continues to govern cookie consent across the EU, creating a situation where a 2002 law applies to tracking technologies its authors could not have anticipated. National DPAs have filled this gap with guidance, working party opinions, and enforcement decisions that establish binding interpretations.
Cookie Categories: Which Cookies Need Consent?
The ePrivacy Directive exempts from the consent requirement only cookies that are 'strictly necessary' for the provision of a service explicitly requested by the user. This narrow exemption covers: session cookies that maintain login state, shopping basket cookies, cookies that remember language preferences, and load-balancing cookies. It does not cover any form of analytics, advertising, social media, or personalisation cookies.
Analytics cookies — including Google Analytics, Matomo, Adobe Analytics, and similar — require consent even though their stated purpose is 'performance measurement' rather than advertising. The data they collect (page views, session duration, navigation paths) constitutes personal data when linked to a user identifier or IP address. The WP29 Opinion 04/2012 on cookie consent attempted to create a limited analytics exemption, but this was never adopted into law and most DPAs apply the full consent requirement to analytics.
Marketing and advertising cookies require explicit consent and must be presented to users as a separate, independently controllable category. This includes advertising platform pixels (Meta, Google Ads, LinkedIn, TikTok), retargeting pixels, cross-site tracking identifiers, and affiliate tracking cookies. Bundling advertising cookies with analytics or functional cookies under a single consent toggle is not granular enough to constitute valid consent.
- Strictly necessary: session management, authentication, load balancing — no consent required
- Preferences: language, region, display settings — consent required in most DPA guidance
- Analytics: performance measurement, user journey analysis — consent required
- Marketing: advertising pixels, retargeting, cross-site tracking — explicit consent required
- Social media: share buttons, embedded feeds, login widgets — consent required for tracking functionality
What Makes Consent Legally Valid?
GDPR Article 4(11) defines consent as 'any freely given, specific, informed and unambiguous indication of the data subject's wishes'. Each of these four elements is independently required — failing any one of them invalidates the consent. Freely given means the user has a genuine choice; withholding consent must not result in a degraded service unless the processing is strictly necessary for that service. Specific means consent is obtained for each distinct purpose separately. Informed means the user understands what they are consenting to, in plain language. Unambiguous means there must be a clear affirmative action — silence, pre-ticked boxes, or continued browsing do not constitute consent.
The 'freely given' requirement has been the source of most enforcement actions against consent banners. Any design where accepting is significantly easier than rejecting — a bright, prominent 'Accept All' button paired with a grey, small, hard-to-find 'Manage Preferences' link — fails the freely given test. The EDPB Guidelines 05/2020 state explicitly that 'if the data subject is not able to refuse or withdraw consent without detriment, the consent will not be freely given'.
The 'informed' requirement means the consent banner must accurately describe what data will be collected, by whom, and for what purpose. Generic language such as 'we use cookies to improve your experience' does not satisfy the specificity requirement. The banner or its linked privacy notice must name the specific third parties involved and describe the categories of processing clearly enough for an average user to make an informed choice.
Real-World Case: Planet49 and Pre-Ticked Boxes
The ECJ judgment in Planet49 GmbH v Bundesverband der Verbraucherzentralen (Case C-673/17, October 2019) is the leading European court ruling on cookie consent. Planet49 operated an online lottery that required users to tick consent checkboxes to participate. One checkbox — for advertising tracking cookies — was pre-ticked by default. Users who did not notice it or unchecked it were treated as having consented.
The ECJ ruled unequivocally that a pre-ticked checkbox does not constitute valid consent under the ePrivacy Directive or GDPR. For consent to be given by a 'clear affirmative action', the act must be actively performed by the user. Inaction — not unticking a pre-selected box — is the opposite of an affirmative action. The ruling also confirmed that the duration of cookie operation and whether third parties access the cookies are information that must be provided before consent is requested.
Planet49 remains the most-cited consent case in national enforcement decisions and has directly influenced DPA guidance in Germany, France, the Netherlands, and Italy. Its practical consequence is that any implementation using pre-ticked boxes, opt-out-by-default checkboxes, or continuation-as-consent is invalid throughout the EU and UK.
Consent Banner Design Requirements
Regulators have published increasingly detailed guidance on the visual and interaction design of consent banners. The French CNIL, German DSK, and Dutch AP have all ruled that the reject option must be offered at the first interaction layer — not hidden in a sub-menu that requires additional clicks. A banner that shows 'Accept All' and 'Manage Preferences' but requires three additional interactions to reach an 'I reject all' option fails the freely given test.
Cookie walls — where accepting tracking cookies is a prerequisite for accessing content — are generally invalid. The EDPB Guidelines 05/2020 state that access to services cannot be made conditional on consent to non-essential processing unless a genuine, equivalent alternative without consent is offered. Some national DPAs allow 'pay or consent' models where a paid subscription provides an ad-free, tracker-free experience — but this model is contested and remains under active EDPB review as of 2026.
Consent must be re-requested periodically and cannot be assumed to persist indefinitely. Most DPAs recommend requesting fresh consent at least annually for persistent tracking cookies. Consent signals should also be re-requested when the purposes of processing change significantly, when new data processors are added, or when the privacy notice is materially updated.
Consent for UK Websites Under PECR
UK websites must comply with PECR, which imposes the same core requirement: consent before setting or accessing cookies that are not strictly necessary. The ICO enforces PECR and has increasingly aligned its interpretation with GDPR-level consent standards following the UK's departure from the EU. The ICO's 2023 cookie and similar technologies guidance states that consent must meet the same standard as GDPR Article 7 — freely given, specific, informed, unambiguous, and capable of easy withdrawal.
The ICO has conducted voluntary audits of the top UK websites and found widespread non-compliance including pre-ticked consent boxes, missing reject options, and legitimate interests applied to advertising tracking. The ICO's enforcement approach has historically been more advisory than punitive for cookie violations, but formal enforcement actions have increased since 2023 with PECR fines of up to £500,000 for serious breaches.
Post-Brexit divergence between UK and EU cookie requirements remains limited in practice. A website with EU and UK visitors should design its consent mechanism to satisfy the stricter of the two frameworks — which in most areas means GDPR-level consent — to maintain a single coherent implementation rather than territory-specific variations.
How ConsentLens Evaluates Cookie Consent
ConsentLens assesses cookie consent across four dimensions. First: does a consent mechanism exist? The scanner detects the presence of known CMPs (OneTrust, Cookiebot, Didomi, TrustArc, and 20+ others) as well as custom banner implementations using HTML pattern matching. A site with no detected consent mechanism that also has non-essential cookies or trackers receives a High-severity 'no consent mechanism' issue.
Second: does the banner offer a genuine reject option? The scanner checks for the presence of a reject, decline, or 'refuse all' button at the first interaction layer of the consent banner. A banner with only an 'Accept' button and a 'Settings' link — with no equivalent-prominence reject — is flagged as missing a reject option. Third: does the banner load before trackers fire? The 500ms pre-consent window check identifies whether any trackers fire before the banner could have been interacted with.
Fourth: are cookies classified and disclosed? The scanner cross-references detected cookies against known third-party cookie databases to identify undisclosed third-party cookies — cookies set by domains not disclosed in the site's privacy notice or CMP configuration. Each of these four checks maps to a specific GDPR or ePrivacy obligation and is reflected in the compliance score.
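As an added example (not ConsentLens's own code), the following models the four checks described above and runs them over a constructed scan record. The record fields, the tracker host list, the issue ids and the reading of the 500ms window as "tracker request sent less than 500 ms after the banner appeared" are all assumptions made for illustration.

```javascript
const PRE_CONSENT_WINDOW_MS = 500;                        // the 500ms window from the text
const REJECT_LABEL = /^(reject|decline|refuse)( all)?$/i; // accepted first-layer reject wording
// Constructed list standing in for a known-tracker database (assumption).
const TRACKER_HOSTS = new Set(["metrics.example.net", "ads.example.org"]);

// Check 1: a CMP or a custom banner was detected at all.
function hasConsentMechanism(scan) {
  return scan.cmpDetected || scan.bannerShownAt !== null;
}

// Check 2: a reject/decline/refuse button sits at the first banner layer.
function hasFirstLayerReject(scan) {
  return scan.firstLayerButtons.some(label => REJECT_LABEL.test(label.trim()));
}

// Check 3: tracker requests sent before the banner could have been acted on.
// Assumed model: pre-consent if there is no banner, or if the request left
// less than PRE_CONSENT_WINDOW_MS after the banner appeared.
function preConsentTrackers(scan) {
  const deadline = scan.bannerShownAt === null ? Infinity : scan.bannerShownAt + PRE_CONSENT_WINDOW_MS;
  return scan.requests.filter(r => TRACKER_HOSTS.has(r.host) && r.at < deadline).map(r => r.host);
}

// Check 4: cookies set by a domain that is neither the site's own nor disclosed
// in the privacy notice / CMP configuration.
function undisclosedThirdPartyCookies(scan) {
  const ownOrDisclosed = new Set([scan.siteDomain, ...scan.disclosedDomains]);
  return scan.cookies.filter(c => !ownOrDisclosed.has(c.setBy)).map(c => c.name);
}

// Runs the four checks and returns the issue ids raised (empty array = clean).
function evaluate(scan) {
  const issues = [];
  const nonEssential = scan.cookies.some(c => c.category !== "strictly-necessary")
    || scan.requests.some(r => TRACKER_HOSTS.has(r.host));
  if (!hasConsentMechanism(scan)) {
    if (nonEssential) issues.push("no-consent-mechanism"); // High severity per the text
  } else if (!hasFirstLayerReject(scan)) issues.push("no-first-layer-reject");
  if (preConsentTrackers(scan).length > 0) issues.push("pre-consent-tracking");
  if (undisclosedThirdPartyCookies(scan).length > 0) issues.push("undisclosed-third-party-cookies");
  return issues;
}

const SAMPLE_SCAN = { // constructed sample record, not real scan data
  siteDomain: "shop.example", cmpDetected: true, bannerShownAt: 800, // ms after navigation start
  firstLayerButtons: ["Accept All", "Settings"],
  requests: [{ host: "metrics.example.net", at: 950 }, { host: "ads.example.org", at: 4200 }],
  disclosedDomains: ["metrics.example.net"],
  cookies: [{ name: "sessionid", setBy: "shop.example", category: "strictly-necessary" },
            { name: "_mt", setBy: "metrics.example.net", category: "analytics" },
            { name: "ad_id", setBy: "ads.example.org", category: "marketing" }],
};
console.log(evaluate(SAMPLE_SCAN)); // ["no-first-layer-reject", "pre-consent-tracking", "undisclosed-third-party-cookies"]
```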