Ever since the GDPR came into effect in 2018, GDPR cookie consent has become a buzzword. While cookie popups have become an unavoidable presence on the internet, there’s a long way to go in terms of compliance. Regulations, guidelines and legalese can be quite confusing, especially for small business owners and website publishers that lack dedicated legal teams. 

The first section of this blog will show you the simplest way to set up a GDPR-compliant cookie consent banner for your website. The rest of the blog will detail the important concepts that you need to know about GDPR cookie consent. 

How to comply with GDPR cookie consent?

The simplest way to implement GDPR cookie consent on your website is with the help of a cookie consent solution like CookieYes. You don’t need knowledge of coding or any time-consuming integrations. Add a cookie consent banner on your website in minutes!

Step 1. Sign up on CookieYes for FREE. (No credit card required)

Step 2. Customize your cookie banner design or choose the default GDPR-compliant layout

Step 3. Copy the banner code and paste it onto your website. You are done!

After you have added a cookie banner to your website, you can enable the consent log in ‘Site Settings’ of the CookieYes dashboard, so that all the user consents on your website are recorded. You are all done! Your website is now GDPR compliant with respect to cookies.

You can also customize your cookie banner at any time. CookieYes features multiple customization options including language, content, layout, design, custom branding and advanced CSS. You can also control the banner behaviour by geo-targeting it for EU users only. 

For global websites, the GDPR cookie consent banner will also help you comply with laws like LGPD (Brazil) and POPIA (South Africa). If you cater to users from the US or California, you can comply with both GDPR and CCPA on CookieYes. 

GDPR cookie consent checklist for websites

Using CookieYes CMP, you can tick off the GDPR cookie consent checklist below!

  • Collect consent for using cookies on your website with a cookie banner or popup
  • Give users full control to accept, decline or change cookie settings on the banner
  • Customize the banner for desktop and mobile devices for accessibility
  • Show cookie table (with name, type, purpose and duration) on the second layer for full disclosure of cookies 
  • Show auto-translated banner to users as per their browser language
  • Auto-block third-party cookies from loading till the user gives consent
  • Record all user consents for proof of compliance
  • Add a callback widget for the banner so users can revoke consent at any time
  • Generate a cookie policy with detailed disclosure of cookie use and link it to your cookie banner
  • Scan your website for cookies to auto-update your cookie list and cookie policy 

GDPR cookie consent examples

From universities to large-scale businesses and startups, over 1 million websites use the CookieYes cookie consent solution for GDPR compliance. Here are some hand-picked cookie consent examples that are powered by CookieYes.

What is cookie consent in the EU?

There are two laws that govern the use of cookies in the EU: the ePrivacy Directive (ePD) and the General Data Protection Regulation (GDPR). The ePrivacy Directive, also called the EU cookie law, requires that websites get users’ prior consent before storing cookies on their devices, except for strictly necessary cookies that are essential for the functioning of a website.

The GDPR categorizes cookies as ‘online identifiers’, a part of personal data. Therefore, to collect information stored in cookies, businesses have to get the user’s consent. That is, to store cookies on a user’s browser, websites must ask for their consent. The GDPR and the ePrivacy Directive work together to establish the cookie consent requirements in the EU.

What is GDPR cookie consent? 

GDPR establishes certain standards for what constitutes valid consent when collecting personal data from consumers. With regard to cookies, it is often referred to as GDPR cookie consent requirements. 

Two main consent requirements of GDPR are:

  • Article 4 GDPR defines consent as a clear affirmative action that should be freely given, specific, informed and unambiguous. 
  • Article 7 states additional requirements for consent: proof of consent, the ability to withdraw consent, and that consent requests have to be easily accessible and use clear and plain language.

Consent should involve an affirmative act 

Consent should be given through affirmative or positive action. This can involve an action like clicking on the ‘Accept’ button on a cookie popup. But it will only constitute valid consent if the user is presented with clear information about the use of cookies and also has an option to reject cookies via a ‘Reject’ button.

Consent should be freely given 

As stated above, users must have a free, genuine choice to accept or reject cookies. Pre-ticked boxes in a cookie banner do not represent a free choice. Similarly, notice-only cookie banners without ‘Accept’ and ‘Reject’ buttons offer no real choice to the user.

Cookie walls obstruct the user from accessing the website and are not compliant with GDPR cookie consent.

Consent should be specific

Users must be able to give specific consent. This means cookie consent cannot be bundled with other terms and conditions. For instance, if you want to drop cookies on a user’s browser, you should ask consent for that purpose only. 

Consent should be informed 

Users must have clear information regarding what they are consenting to. The cookie banner should inform users that the site uses cookies, the categories of cookies it uses and their purposes. This way, the user can make an informed choice to either give or revoke consent.

Consent should be unambiguous 

Consent has to be unambiguous i.e. there should be no room for doubt regarding the user’s intention in giving their consent. For instance, actions like browsing a website, closing the cookie consent popup and continuing to use the site cannot be inferred as consent given by the user. 

Consent banner should use plain language

Cookie consent banners should use easy-to-understand language and provide transparent information about cookie usage. It is also important that the banner is made available in a language that the user understands. An auto-translated banner that picks up the user’s browser language preferences can help in this regard.

Consent banner should be accessible

Consent notices should be easily accessible. They should include necessary information in the first layer and should not require a user to navigate the site to give or deny consent.

Consent should be recorded

Websites that collect consent should record it and demonstrate that users have given consent, in case of scrutiny by data protection authorities. Proof of consent should include how and when consent was obtained, and the information provided to the user at the time of collecting consent. 

Consent should be revocable 

Users should be able to revoke or withdraw their consent at any time after they have given it. It has to be as easy for the user to withdraw consent as it was to give consent. This means the withdrawal option should be easily accessible on the site and the user must know how to access it. Check out more GDPR cookie consent examples on websites in the EU.

GDPR cookie consent: Things to remember

  • Display your banner where it does not obstruct the content or design elements on your homepage. Optimize the cookie consent banner for mobile and tablet devices to improve accessibility. 
  • The ‘Accept’ and ‘Reject’ buttons on your cookie banner should have equal emphasis. Don’t place the ‘Reject’ button on the second layer of the banner, where it takes extra clicks for the user to reject cookies.
  • Add a close button on the banner so that users have the choice to dismiss the banner and continue browsing without cookies being set on their devices (as per Italy’s cookie guidelines).
  • Keep the toggles for all cookies (except necessary cookies) switched off by default. Pre-ticked boxes or ‘on’ toggles/sliders are not compliant with GDPR.
  • Do not use cookie popups that obstruct users (cookie walls) from accessing your website. Cookie walls are not GDPR compliant. The user should be able to use your website even if they don’t consent to the use of cookies.
  • If you use Google Analytics on your website, implement IP anonymization to ensure that Google Analytics doesn’t capture data in URLs, forms or fields on your website that could help identify an individual user.

Not sure about the cookies used on your website? Scan your website for cookies and check why your website needs a GDPR cookie consent banner.

Country-wise GDPR cookie consent guidelines

Territory      Cookie Guidelines
European Union
  • Give equal prominence to ‘accept’ and ‘reject’ buttons.
  • Inform users of cookies and their purposes in plain language.
  • Include a link to the cookie settings so users have granular control over cookies.
  • Include a link to the cookie policy.
  • Keep cookie consent separate from other terms and conditions.
  • Cookie walls are not acceptable as consent cannot be conditional.
  • Keep cookie consent separate from processing for other purposes.
     Source: EDPB
United Kingdom
  • Give equal prominence to “accept” and “reject” options.
  • Inform users of cookies and their purposes in plain language.
  • Provide access to cookie settings so users have granular control over cookies.
  • Include a link to the cookie policy.
  • Keep cookie consent separate from other terms and conditions.
  • The opt-in consent for cookies must not be pre-enabled (e.g. pre-checked boxes).
  • Don’t use cookie walls that block access to the website if the user doesn’t give cookie consent.
  • Consent choices should have a shelf life, after which websites should ask for consent again.
  • Implied consent is not acceptable (e.g. consent implied from the continued use of the website.)
     Source: ICO
Germany
  • Provide both ‘accept’ and ‘reject’ buttons at the same level.
  • Inform users of cookies, including third-party cookies, and their purposes in plain language.
  • Information in the banner should be aligned with the information in the privacy/cookie policy.
  • If using cookie popups that block access to content, provide an explicit ‘reject’ button.
  • Scrolling the website, clicking or similar actions cannot be taken as consent and hence cookies cannot be set.
  • Nudging is not valid consent, e.g. when rejecting cookies requires more clicks than accepting them.
  • Link your privacy policy on the banner so that users have easy access to it.
  • The opt-in consent for cookies must not be pre-enabled (e.g. pre-checked boxes).
  • Provide a callback widget to review or change consent in an easy manner.
  • Store users’ consent choices so that the banner does not reappear at every visit.
     Source: DSK (in German)
France
  • Give equal prominence to ‘accept’ and ‘reject’ buttons.
  • Inform users of cookies and their purposes in plain language.
  • Provide access to cookie settings so users have granular control over cookies.
  • Include a link to the cookie policy.
  • Keep cookie consent separate from other terms and conditions.
  • The opt-in consent for cookies must not be pre-enabled (e.g. pre-checked boxes).
  • Don’t use cookie walls that block access to the website if the user doesn’t give cookie consent.
  • Consent choices, whether accepted or rejected, must be stored for at least 6 months.
  • Obtain users’ consent individually for different sites, if cookies are used for cross-site tracking.
  • Flexible consent exemptions for using analytics cookies.
     Source: CNIL (in French)
Italy
  • Give equal prominence to ‘accept’ and ‘reject’ buttons in the same colour, font and size.
  • Inform users of cookies and their purposes in plain language.
  • Provide a close (X) button on the top-right corner so users can dismiss the banner.
  • Inform users of what closing the banner would mean.
  • Include a link to the cookie settings so users have granular control over cookies.
  • Include a link to the privacy policy/cookie policy or a second layer with detailed information.
  • Ask for cookie consent again only after at least 6 months have elapsed since the banner was last shown.
  • Scrolling the website cannot be taken as consent and hence cookies cannot be set.
  • A callback widget to review or change consent in an easy manner.
     Source: GPDP (in Italian)
Spain
  • Use layered banners to avoid information overload.
  • Identify the website publisher’s name in the cookie banner.
  • Inform users of cookies, including third-party cookies, and their purposes in plain language.
  • Include a clear, visible link to the cookie settings that is directed to the second layer so users have granular control over cookies.
  • When third-party cookies are used, their information (name or trademark) should be displayed in the cookie policy or in the second layer.
  • Re-ask for cookie consent after no longer than 24 months have elapsed since consent was last taken.
  • Scrolling the website cannot be taken as consent and hence cookies cannot be set.
  • Provide easy access to remove/withdraw consent.
     Source: AEPD

Further reading: 10 GDPR Cookie Consent myths busted

What is a GDPR compliant cookie policy?

GDPR cookie consent requirements also include a cookie policy for your website because, as per the GDPR and the ePrivacy Directive, users should be informed about how their data is processed. Therefore, a compliant cookie policy should include a detailed declaration about the cookies used on a website, their purposes, and how users can control the usage of cookies by a website.

The cookie policy can be included within the privacy policy or as a separate cookie policy page. It should be linked in your cookie consent banner so users have easy access to detailed information about cookies. A cookie policy should include the following information:

  • A disclosure that cookies, other tracking technologies 
  • What cookies are
  • What is the purpose of each of the cookies
  • Is the data collected shared with any third-parties
  • How users can change cookie settings or revoke consent

On CookieYes, you can create a cookie policy with our cookie policy generator. Go to your CookieYes dashboard and click on Cookie Policy and generate a custom cookie policy for your website. 

FAQ on GDPR cookie consent

Do you need consent for cookies?

Yes, you need cookie consent on your website. Consent is a key requirement for using cookies in the EU and the UK, under the provisions of the GDPR. The ePrivacy Directive (or EU cookie law) also mandates that websites should obtain user consent before setting cookies on their device.

As cookies are part of online identifiers, they are categorized as personal data in multiple privacy laws around the world. Hence, cookie consent is also a requirement under laws such as LGPD (Brazil), POPIA (South Africa), and CCPA (California).

Does GDPR require consent for cookies?

Yes. GDPR requires websites to take consent before setting cookies on a user’s device. The consent should meet certain conditions set forth by the GDPR in Article 4(11) and Article 7. Consent is defined in Article 4(11) as:

“any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

Article 7 sets out further conditions for consent:

  • Data controllers (website owners in this case) should be able to demonstrate proof of consent.
  • Consent requests should be available in an intelligible and easily accessible form, using clear and plain language.
  • Individuals (website’s users) should have the right to withdraw consent easily and at any time.

Is cookie consent required in the UK?

Yes, cookie consent is required in the UK. As per the UK’s Information Commissioner’s Office (ICO), “you must tell people if you set cookies, and clearly explain what the cookies do and why. You must also get the user’s consent”.

Post-Brexit (on 31 January 2021), businesses in the UK have to adhere to the UK GDPR, which has the same provisions on cookie consent as the EU GDPR. This means that if your website uses cookies or trackers and collects user data, you should inform users via a cookie banner and obtain their consent. If your website has visitors from the EU, your website will have to comply with EU GDPR as well.

Do performance cookies require consent?

Yes, performance cookies require consent. While these cookies don’t collect any identifiable information on visitors, they require explicit consent from users because they are not strictly necessary to provide a service to the user.

Performance cookies collect anonymous data on how visitors use a website, which pages users visit the most etc., which is then used to improve how a website works. For example, cookies set by Google Analytics are performance cookies. 

Why does GDPR require cookie consent?

GDPR mandates that any organization processing personal data needs to have a valid legal basis for it. In GDPR, processing involves any operation which is performed on personal data such as collection, recording, storage, adaptation or alteration, restriction, erasure etc. Consent is one of the lawful bases for data processing where the individual gives explicit consent for processing their personal data.

Cookies are considered personal data, as Recital 26 of the GDPR states that any data that can be used to identify an individual directly or indirectly can be considered personal data. Online identifiers like cookies associated with an individual’s tools, applications, or devices such as computers and smartphones can be used to identify them. Hence, cookies require consent.

How do you set GDPR cookie consent?

You need to implement a cookie banner and obtain consent for cookie use to set GDPR cookie consent on your website. This involves collecting valid consent (freely given, specific, informed and unambiguous), recording proof of consent and providing the ability to withdraw consent. You can achieve all this with the CookieYes consent solution.

Do all cookies require consent in the EU?

Cookies other than strictly necessary ones fall under the scope of GDPR i.e. they require consent. These include first-party cookies set by the domain you are visiting. They are usually functional cookies that remember login details, your shopping cart, browser preferences etc. 

Third-party cookies are set by a different domain, i.e. a third party (Google Analytics, Facebook, LinkedIn, etc.), and require explicit user consent. They usually include advertising or tracking cookies that track your browsing history, online behaviour and spending habits to display targeted ads.

Broadly speaking, all cookies except strictly necessary cookies require GDPR cookie consent. The ePrivacy Directive details two cases for exemption from consent requirements. They are:

  • Cookies whose sole purpose is to carry out the transmission of a communication over a network such as a load balancing cookie.
  • Cookies intended for a legitimate purpose such as facilitating information society services (services that are delivered electronically through the internet via websites, apps, etc.). For example, authentication or session cookies.

What is the ePrivacy Directive or EU cookie law?

GDPR is not the only law that governs the use of cookies in the European Union. The ePrivacy Directive, commonly referred to as the EU cookie law, also regulates the use of cookies.

The ePrivacy Directive or the EU cookie law is a set of rules that regulate new digital technologies and the use of electronic communications such as emails and cookies. Passed in 2002 and amended in 2009, it requires websites to get users’ consent before storing cookies on their devices. The Directive makes an exception for cookies that are strictly necessary for the functioning of a website.

While the ePrivacy Directive is not a law, it currently supplements the GDPR, and together they comprise the EU cookie consent rules. A proposed ePrivacy Regulation is set to replace the Directive and become a law that will apply directly in all EU member states. The upcoming Regulation will enhance the provisions of the Directive and the GDPR.

Read about the key differences between GDPR and ePrivacy Regulation.

Will GDPR cookie consent affect SEO?

Ever since GDPR came into effect, there have been concerns that cookie consent notices will hurt SEO and your website’s search engine ranks. If implemented correctly, and if they are not intrusive, cookie banners will not affect your SEO and GoogleBot will be able to crawl your website. While Google stresses avoiding intrusive interstitials, they clarified that important requests like cookie consent notices will not negatively impact a site’s search performance.

Is GDPR cookie consent applicable to US websites?

GDPR cookie consent applies to any website that has users from the EU. If a US-based website has visitors from the EU, then it should implement a GDPR compliant cookie consent banner. The extra-territorial scope of the GDPR requires that the personal data of EU users is protected as per GDPR rules. This means any website from around the world that is accessed by users in the EU needs to be GDPR compliant.