Cookie consent
In the EU and UK, non-essential cookies and similar storage require freely given, informed, specific, and unambiguous opt-in consent before they are set.
What it is
In the EU and UK, the ePrivacy Directive — implemented through national laws such as PECR in the UK — requires consent before storing or reading information on a user's device. The GDPR then defines what valid consent looks like: a freely given, specific, informed, and unambiguous indication of the user's wishes, given by a clear affirmative action.
This applies to cookies, but also to localStorage, sessionStorage, IndexedDB, fingerprinting, and pixel trackers. The technology does not matter; the storage and access do.
Why it matters
Cookie consent is the most enforced part of EU privacy law on the public web. National regulators — CNIL, the Garante, the ICO, the Belgian DPA — issue fines regularly, and most of them target the same patterns: pre-ticked boxes, "reject" buttons hidden two clicks away, and banners that count scrolling as consent.
A non-compliant banner is also a poor user experience. Visitors do not want to negotiate with your site before reading it.
How to implement
The principles are simpler than vendors make them sound:
- Strictly necessary cookies do not need consent. Session cookies for login, shopping carts, security tokens, and load balancing are exempt. Analytics, advertising, social embeds, and A/B testing are not.
- Set no non-essential cookies before the user accepts. This includes Google Analytics, Meta Pixel, Hotjar, YouTube embeds, and most "marketing" tags.
- Give "accept" and "reject" equal prominence. Same size, same colour weight, same number of clicks. A bright green "Accept all" next to a grey "Manage preferences" is non-compliant.
- Rejecting must be as easy as accepting. One click. Not a maze of toggles.
- Reject means reject. No tracking cookies, no fingerprinting fallback, no "legitimate interests" toggle that is on by default.
- Be specific about purposes. "Analytics" and "marketing" are categories users can choose between; "improving your experience" is not.
- Let users change their mind. A persistent link in the footer to reopen the banner.
- Re-ask only when the purposes change, not every visit.
The banner is not the consent record. Store the user's choice — what they consented to, when, and which version of the notice they saw.
Common mistakes
- Pre-ticked boxes for any non-essential purpose. The CJEU ruled this invalid in Planet49 (2019).
- "By using this site you agree" — implied consent is not valid consent under GDPR.
- Loading analytics scripts before the user has chosen.
- A "reject" button that is visually deprioritised, or only appears after clicking "preferences".
- No way to withdraw consent later.
- Treating the UK as exempt from these rules — UK GDPR and PECR are substantively the same.