ePrivacy: Cookie Consent Requirements
Cookie Consent Requirements [Art 5(3)]
Rule: Storing or accessing information on a user’s device requires prior informed consent, unless strictly necessary for the service requested.
The Cookie Consent Rule
Article 5(3) states:
Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information.
Requirements for Valid Consent
- Prior — Consent must be obtained BEFORE any non-exempt cookie is set or read; scripts that set such cookies (analytics, advertising tags) must not load until the user has opted in
- Informed — User must understand what they’re consenting to
- Freely given — No “cookie walls” blocking access without consent (per EDPB guidance)
- Specific — Separate consent for different purposes
- Unambiguous — Clear affirmative action required (no pre-ticked boxes)
Strictly Necessary Exception
Consent is NOT required for cookies that are:
| Exempt Category | Examples |
|---|---|
| Technical transmission | Load balancing, network routing |
| Strictly necessary for service explicitly requested | Shopping cart, login session, security tokens |
| User preference cookies | Language, accessibility settings |
What Requires Consent
| Cookie Type | Consent Required? |
|---|---|
| Analytics (Google Analytics, etc.) | Yes |
| Advertising / targeting | Yes |
| Social media widgets | Yes |
| A/B testing | Yes |
| Session cookies for login | No (strictly necessary) |
| Shopping cart | No (strictly necessary) |
| CSRF tokens | No (strictly necessary: security of the requested service) |
| Cookie consent preferences | No (strictly necessary) |
Consent Mechanisms
Valid:
- Cookie banner with Accept/Reject buttons
- Granular controls for different cookie categories
- Settings page with clear choices
Invalid:
- Pre-ticked boxes
- “By continuing to browse you consent”
- Cookie walls (blocking access without consent)
- Only “Accept” button with no easy reject option
Practical Guidance
- First-party analytics may qualify for legitimate interest under GDPR, but ePrivacy still requires consent for the storage or access itself; a GDPR lawful basis does not replace Article 5(3) consent
- Article 5(3) is technology-neutral: localStorage, IndexedDB, tracking pixels and fingerprinting scripts that read device information are covered in the same way as cookies
- Consent must be as easy to withdraw as to give; on withdrawal, stop loading the affected tags and delete the cookies the site itself set for those purposes
- Record consent — keep evidence of when, how and to which version of the notice consent was obtained
- Refresh consent periodically (every 6-12 months recommended), and re-ask whenever the purposes or the notice change
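The following is an added example (not code from the page or from any consent-management product) of a consent gate that implements the points above in plain JavaScript: everything defaults to "no", third-party loaders run only for categories with an explicit opt-in, the record carries a timestamp and notice version so it can be re-asked after six months or a text change, and withdrawal is a single call. The cookie name `cookie_consent`, the version constant, the 180-day lifetime, the URL-encoded JSON value and the `loaders` map (standing in for whatever injects the real tags) are all assumptions of this example.

```javascript
// Added example, not from the original page. Consent lives in ONE first-party
// cookie ("cookie_consent", a name chosen here), which is itself exempt as
// strictly necessary. Analytics, advertising and social tags load only after
// an explicit opt-in for their category; nothing is pre-ticked.

const CONSENT_COOKIE = "cookie_consent";       // assumed cookie name
const CONSENT_VERSION = 2;                     // bump when purposes or notice text change
const CATEGORIES = ["analytics", "advertising", "social"];
const MAX_AGE_SECONDS = 180 * 24 * 60 * 60;    // ~6 months, then the banner re-asks

// Default state: nothing consented (no pre-ticked boxes).
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Build a record from the user's explicit choices. Unknown categories are
// dropped and anything not explicitly true is false. The record stores when
// and under which notice version consent was given (the evidence to keep).
function buildConsentRecord(choices, now = Date.now()) {
  const record = defaultConsent();
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  return { v: CONSENT_VERSION, ts: now, choices: record };
}

// Serialize as a Set-Cookie / document.cookie string. The JSON is URL-encoded
// so ';' or '=' can never break cookie syntax. Secure + SameSite=Lax; no
// HttpOnly because the banner script must read it client-side.
function serializeConsentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE_SECONDS}; Path=/; Secure; SameSite=Lax`;
}

// Parse a Cookie header / document.cookie ("a=1; b=2") into an object.
function parseCookieHeader(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const k = part.slice(0, i).trim();
    if (k) out[k] = part.slice(i + 1).trim();
  }
  return out;
}

// Read the stored record; null means "ask again". A malformed, outdated or
// expired record is treated as NO consent, never as implied consent.
function readConsent(cookieHeader, now = Date.now()) {
  const raw = parseCookieHeader(cookieHeader)[CONSENT_COOKIE];
  if (!raw) return null;
  let rec;
  try {
    rec = JSON.parse(decodeURIComponent(raw));
  } catch {
    return null;
  }
  if (!rec || rec.v !== CONSENT_VERSION || typeof rec.ts !== "number") return null;
  if (now - rec.ts > MAX_AGE_SECONDS * 1000) return null;          // refresh period elapsed
  if (!rec.choices || typeof rec.choices !== "object") return null;
  const choices = defaultConsent();
  for (const c of CATEGORIES) choices[c] = rec.choices[c] === true;
  return { v: rec.v, ts: rec.ts, choices };
}

function isAllowed(record, category) {
  return !!(record && record.choices && record.choices[category] === true);
}

// The gate: `loaders` maps category -> function that injects that third-party
// script. Only loaders for consented categories run; returns what was loaded.
// With no record (first visit, expired, or a reject) nothing is loaded.
function loadConsentedTags(record, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (isAllowed(record, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Withdrawal is one call and yields a fresh record to write back. The caller
// must also stop the tag and delete any cookies the site set for that purpose.
function withdrawConsent(record, category, now = Date.now()) {
  const choices = { ...(record ? record.choices : defaultConsent()) };
  choices[category] = false;
  return buildConsentRecord(choices, now);
}
```

In a browser the flow is `document.cookie = serializeConsentCookie(buildConsentRecord(choicesFromBanner))` when the user clicks Save, and on every page load `loadConsentedTags(readConsent(document.cookie), loaders)`; if `readConsent` returns null the banner is shown and no loader runs. Note that the gate is only as good as its coverage: a tag included directly in the HTML bypasses it, so every non-exempt script must be injected through the loaders.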
Citation
Article 5(3), ePrivacy Directive