Consent Under GDPR

Consent is one of six lawful bases for processing personal data under GDPR. When you rely on consent, the standard is high: it must be freely given, specific, informed, and unambiguous. For cookies and tracking technologies, the ePrivacy Directive adds additional requirements that work alongside GDPR.

Key Principle

Under GDPR, silence, pre-ticked boxes, or inactivity do not constitute valid consent. The data subject must take a clear affirmative action to indicate agreement.

GDPR Article 4(11) and Article 7 establish strict requirements for valid consent:

The Four Pillars of Valid Consent

1. Freely Given

  • No imbalance of power that pressures consent
  • Service access not conditional on unnecessary consent (no "cookie walls" blocking access)
  • Genuine choice with no detriment for refusing
  • Separate consent for different processing purposes

2. Specific

  • Granular: consent for each distinct purpose
  • Clear separation between different processing activities
  • Cannot bundle consent for multiple unrelated purposes
  • Named third parties who will receive data

3. Informed

  • Identity of the controller clearly stated
  • Purpose of each processing activity explained
  • What data will be processed
  • Right to withdraw consent at any time
  • Information about automated decision-making if applicable
  • Risks of data transfers outside EU/EEA

4. Unambiguous

  • Clear affirmative action required (click, tick, verbal statement)
  • No pre-ticked boxes
  • No consent by default or inactivity
  • Cannot be buried in terms and conditions

Cookie compliance involves both the ePrivacy Directive (cookie consent) and GDPR (personal data protection). Most cookies that track users involve personal data processing.

When Consent is Required

Cookie Type                   | Consent Required? | Rationale
------------------------------|-------------------|---------------------------------------------------------------
Strictly necessary cookies    | No                | Essential for website function (shopping cart, authentication)
Functional/preference cookies | Yes               | Remember preferences, language settings
Analytics/performance cookies | Yes               | Track usage patterns, even if anonymised
Advertising/marketing cookies | Yes               | Track across sites for targeted advertising
Social media cookies          | Yes               | Enable sharing, often track users

Strictly Necessary Cookies

These are essential for website functionality and do not require consent. Examples include:

  • Session cookies for logged-in users
  • Shopping cart functionality
  • Security cookies (CSRF protection)
  • Load balancing cookies
  • Cookie consent preferences themselves

Warning: Do not misclassify cookies as "strictly necessary" to avoid consent requirements. Regulators scrutinise these classifications closely.

Performance/Analytics Cookies

Used to understand how visitors interact with your website. Even first-party analytics require consent because they process personal data (IP addresses, device identifiers).

Marketing/Advertising Cookies

These track users across websites to build profiles for targeted advertising. They typically require the most explicit consent and disclosure due to their invasive nature.

Your cookie banner is often the first interaction users have with your consent mechanism. Design matters for both compliance and user experience.

Compliant Banner Requirements

  • Equal prominence: Accept and Reject buttons must be equally visible (same size, colour weight, position)
  • No dark patterns: Avoid making rejection harder than acceptance
  • Clear language: Plain language explaining what cookies do
  • Granular options: Allow users to accept some categories and reject others
  • No cookie walls: Do not block content access entirely until consent given
  • Easy withdrawal: Method to change preferences must be as easy as giving consent

Banner Structure Best Practice

A compliant cookie banner typically includes:

  • Brief explanation of cookie use
  • "Accept All" button
  • "Reject All" button (equally prominent)
  • "Manage Preferences" or "Customise" option
  • Link to full cookie policy

Common Consent Failures

Regulators have issued significant fines for these consent failures:

Pre-ticked Boxes

The Planet49 case (CJEU 2019) confirmed that pre-ticked boxes do not constitute valid consent. Users must actively tick the box themselves.

Asymmetric Choices

Making "Accept" a prominent green button while "Reject" is a small grey text link violates the requirement for freely given consent.

Continued Scrolling as Consent

Banners stating "by continuing to browse you accept cookies" are not compliant. Scrolling is not an unambiguous affirmative action.

Cookie Walls

Blocking all content until users accept all cookies is generally not permitted, as it does not allow genuine free choice.

Bundled Consent

Requiring users to accept all cookies or none, without granular choice, fails the "specific" requirement.

Difficult Withdrawal

If users can accept cookies with one click but must navigate through multiple screens to withdraw consent, this is non-compliant.

Consent Management Platforms

A Consent Management Platform (CMP) helps automate cookie compliance. When selecting a CMP, consider:

Key Features to Look For

  • IAB TCF 2.2 compliance (if using programmatic advertising)
  • Granular consent options by cookie category
  • Easy preference centre access
  • Consent logging and audit trail
  • Integration with your tag management system
  • Geographic detection for different regulations
  • Regular vendor list updates

Implementation Considerations

  • Block non-essential cookies until consent received
  • Ensure the CMP fires before other scripts
  • Test that rejected categories actually stop tracking
  • Maintain consent records for audit purposes
  • Review and update cookie classifications regularly
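The following is an added example, not code from the page or from any CMP vendor, showing the gating logic the points above call for: nothing outside the strictly necessary category runs until an explicit, granular, timestamped choice exists, withdrawal is a single call, and script tags are filtered by category before they are injected. All function names and the sample tag list are hypothetical.

```javascript
// Category keys follow the cookie table above; only strictly_necessary is exempt from consent.
const CATEGORIES = ['strictly_necessary', 'functional', 'analytics', 'advertising', 'social'];
const EXEMPT = new Set(['strictly_necessary']);

// Default state: no consent for any category that needs it (no default or opt-out consent).
function defaultConsent() {
  const choices = {};
  for (const c of CATEGORIES) choices[c] = EXEMPT.has(c);
  return { choices, recordedAt: null };
}

// Record an explicit, granular choice. Only an explicit boolean true counts as consent;
// unanswered categories stay rejected, and a timestamp is kept for the audit trail.
function recordConsent(prev, answers, now = Date.now()) {
  const choices = { ...prev.choices };
  for (const [cat, value] of Object.entries(answers)) {
    if (!CATEGORIES.includes(cat) || EXEMPT.has(cat)) continue;
    choices[cat] = value === true;
  }
  return { choices, recordedAt: now };
}

// Withdrawal is one call per category, as easy as granting consent.
function withdrawConsent(prev, category, now = Date.now()) {
  return recordConsent(prev, { [category]: false }, now);
}

function isAllowed(state, category) {
  return EXEMPT.has(category) || state.choices[category] === true;
}

// Given tags labelled with a category, return only the sources that may load.
// On a real page this filter runs before any third-party script is injected.
function loadableScripts(state, scripts) {
  return scripts.filter(s => isAllowed(state, s.category)).map(s => s.src);
}

// Constructed sample tag list (hypothetical hosts) for the demonstration.
const SAMPLE_SCRIPTS = [
  { src: '/js/csrf-token.js', category: 'strictly_necessary' },
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
];
```

Running the filter again after `withdrawConsent` is the check the "test that rejected categories actually stop tracking" point asks for: the rejected tag must disappear from the loadable list.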

Compliance Checklist

Use this checklist to assess your consent and cookie compliance:

Consent Mechanism

  • No pre-ticked boxes or default consent
  • Accept and Reject equally prominent
  • Granular options for different cookie categories
  • Easy method to withdraw consent
  • No cookie walls blocking content
  • Consent recorded with timestamp

Information Provided

  • Clear explanation of each cookie category
  • Named third parties receiving data
  • Cookie retention periods stated
  • Link to detailed cookie policy
  • Information about data transfers

Technical Implementation

  • Non-essential cookies blocked until consent
  • Consent preferences actually honoured
  • Cookie audit conducted regularly
  • Third-party scripts controlled by consent
  • Testing confirms rejection stops tracking

Enforcement Reality

European data protection authorities have issued substantial fines for cookie and consent violations. In 2022, CNIL fined Google EUR 150 million and Facebook EUR 60 million specifically for making cookie rejection more difficult than acceptance. Getting consent right is not optional.