
GDPR Cookie Consent Cheatsheet

Disclaimer: Please note that these tables summarise the most recent guidelines from EU national authorities. They may evolve over time, depending on future legislative texts, case-law, or guidelines published on the subject.

NOTE: page or paragraph numbers for each country always refer to the respective document specified underneath the table.

Methods for collecting cookie consent – Per-country Comparison

Questions
🇬🇧 UK – Post GDPR
🇫🇷 France – Post GDPR
🇩🇪 Germany – Post GDPR
🇪🇸 Spain – Post GDPR
🇩🇰 Denmark – Post GDPR*
🇬🇷 Greece – Post GDPR
🇧🇪 Belgium – Post GDPR
🇮🇪 Ireland – Post GDPR
🇮🇹 Italy – Pre GDPR
🇪🇺 European Data Protection Board (EDPB)
Is consent the only possible legal basis that can be applied to cookies – including analytics cookies?

NO

According to the Information Commissioner’s Office (ICO), certain technical cookies – specifically “strictly necessary” and “load-balancing” cookies – are unlikely to ever require consent.


However, analytics cookies will always require consent, according to the ICO guidance: “Are analytics cookies exempt? No. … Analytics cookies do not fall within the ‘strictly necessary’ exemption. This means you need to tell people about analytics cookies and gain consent for their use.”
The ICO further states: “If you use device fingerprinting for analytics instead of or alongside cookies, you should note that doing so is not exempt from the consent requirements either.”
You can find more information on the ICO’s website.

NO

Consent is not the only possible legal basis; however, analytics will require consent unless they correspond to one of the following exemptions:

  • being set by the website owner or by their subcontractor (i.e. first-party cookies),
  • the user must be informed beforehand,
  • the user must be able to object to the cookie via a mechanism that can be easily accessed from all terminals, operating systems, applications and web browsers,
  • the data accumulated by analytics cookies must not be cross-checked or coupled with other data and it must remain anonymous,
  • the IP address must not indicate anything more than the user’s city and must be deleted once the geolocalization has taken place,
  • these cookies must not be kept for longer than 13 months in this context, and this timeframe must not be automatically prolonged at new visits of the website,
  • and the data collected by the cookies must not be kept for longer than 25 months.

You can find more information here.

NO

The use of analytics cookies can actually be based on a legitimate interest (“Reichweitenmessung und statistische Analysen”), subject to the conditions of Art. 6 of the GDPR.


In relation to the legal basis of legitimate interest, Art. 6 GDPR lit. f) states that the basis applies only if “the processing is necessary for achieving the goal of legitimate interest” and “it overweights potential harm (if any) to the interests and fundamental rights and freedoms of data subjects”.

It’s important to note that generally, where legitimate interest applies, the user also has the right to object to the processing. Also, do keep in mind that in one example, the German DSK has stated that using an analytics tool that transfers data to third parties would not be acceptable under legitimate interest.
You can find more information here (see p12).

NO

Certain technical cookies, such as preference and customisation cookies, are exempted from the consent requirement; however, consent is required for analytics cookies. Furthermore, the exemption for technical cookies is subject to the condition below.

  • Exempted cookies must have a lifetime (how long the cookie is stored) which matches their purpose. If the lifetime of the cookie is undefined, then it’s likely that consent is required.

According to the Spanish DPA, it’s not necessary to collect consent, or to inform users about the use of these exempt technical cookies – whether the cookies are first or third party.

You can find more information here (see p30).

NO

According to the latest guidelines from the Dutch Data Protection Authorities, ePrivacy guidelines still apply to cookies.


Under the Danish implementation of the ePrivacy Directive (the Danish Cookie Order), informed consent is required for the use of cookies (including analytics cookies). However, cookies related to internet connection (only applicable to internet providers) and cookies strictly necessary for the functioning of a service that the user has requested are exempted. To be a technical necessity, the service must not be able to function without the use of the cookie or a similar technology. More details in the Danish ‘Cookie Order’ (translated).

NO

According to the latest press release from the Greek Data Authority, consent is generally required, including for analytics cookies. Cookies exempt from this rule are those necessary:

  • to identify and / or maintain content that the subscriber or user uploads during a session on a website throughout the specified connection, such as a “shopping cart”,
  • to connect the subscriber or user to services that require authentication,
  • for the safety of the user,
  • to perform the load balancing technique on a web site link, or
  • to maintain the user’s choice of website presentation, e.g. language selection, save search history.

Read the guidelines here (in Greek) and the press release here in Greek or the unofficial translation here in English.

NO

Essential cookies, which are strictly necessary to provide a service requested by the user, do not require consent. In general, analytics cookies are not exempted.


However, cookies that are strictly necessary to guarantee communications, performance and load balancing may only be used for anonymised analytics without the user’s consent.

NO

ePrivacy-directive exemptions apply, but they are interpreted very restrictively; analytics (even first party) are not exempted.

NO

Exemptions currently apply for technical cookies strictly necessary for the functioning of the service, first-party analytical cookies, and even third-party analytical cookies could be exempted subject to further conditions.


In such cases, the third-party analytical cookies must be used for mere statistical purposes and their ability to identify users must be reduced by tools like anonymization.

The use of these cookies must also be subject to contractual obligations between sites and third parties, in which the third party commits to using them only for the provision of the service, to keep them separately and not “enrich” them by cross-referencing or other means. It should be noted here that many EU states are moving towards a GDPR-centered approach to cookies and similar technologies, and so these rules may shift in the near future.
You can read more here.

Is consent by scrolling valid?

NO

NO

NO

YES

According to the Spanish authority consent is valid if given via an affirmative and explicit action.


The examples mentioned in the Authority’s guide include scrolling on the website, clicking on any command/button on the website, navigating to a different section of the website or closing the cookie banner. However, please note that occurrences such as inactivity, merely typing on the keyboard or just moving the mouse are not considered to be valid indicators of consent.

NO

NO

NO

NO

The cookie notice must not disappear if the user hasn’t made a choice via an affirmative action.

YES

However, please note that this is likely to change in the near future.

NO

Is consent by continuing navigation valid?

NO

NO

NO

YES

*See above.

NO

NO


NO

YES

However, please note that this is likely to change in the near future.

NO

Are explicit “accept” AND “reject” buttons required to be on the cookie notice?

YES

Yes, this feature is explicitly required according to the UK’s latest ICO guidelines.


The ICO seems to favor combining both the “accept” and the “reject” buttons on the banner. This combination should put the options at equal prominence, in order to avoid any “nudging behaviour”.

Also, according to the ICO: “A consent mechanism that emphasises ‘agree’ or ‘allow’ over ‘reject’ or ‘block’ represents a non-compliant approach, as the online service is influencing users towards the ‘accept’ option”.

NOT SPECIFIED

However, the use of two buttons titled “accept all” and “reject all” is shown as best practice on page 14 of CNIL’s guidance documents.

YES

YES

The Spanish Authority lists two examples as valid (page 20 of the guide):

  • where the cookie notice contains both “Accept” AND “Reject” buttons, or
  • where the cookie notice contains an “Accept” button and a link within the text of the notice which goes to the extensive cookie policy – allowing users to set preferences on a per-purpose basis.

NOT EXPLICITLY SPECIFIED

However, it is clearly and heavily suggested, as the Authority stresses that the choices to grant or withhold consent must be equally conspicuous.


Furthermore, it appears that the “Accept all” choices may only be valid if users also have the option to make a granular choice. The Authority states: “A consent is not assumed to have been given voluntarily if the procedure for obtaining consent does not give the data subject the opportunity to give separate consent to different processing activities concerning personal data and thus be forced to consent to all purposes.” (Translated)

NOT SPECIFIED

NOT SPECIFIED

YES

If an “accept all” button is provided, an equally prominent “reject all” button must be also available.

NO

Is the prior blocking of cookies necessary where consent is required?

YES

YES

Users can also be given a neutral option (i.e. neither consenting nor rejecting), e.g. by clicking on an “x” or outside the cookie banner. In such cases, cookies cannot be placed until the user gives consent, upon renewed request.

YES

YES

It’s also possible to collect consent in one go (p.28) for the use of cookies on several websites that belong to you or even third parties connected to you. However this must only apply to Spanish users.

NOT SPECIFIED

However, the guidelines state that consent-based processing of personal data must not be performed before consent is collected, so while prior-blocking isn’t directly mentioned, it is indicated.

YES

YES

YES

YES

YES

Are full Cookie walls admitted?

UNLIKELY

No definitive statement has been made; however, the ICO guidelines state that cookie walls are “unlikely to be valid”.

NOT CLEAR

CNIL has stated that neither full nor partial cookie walls are valid (as per the European Data Protection Supervisor’s position on the subject); however, as of 2020, France’s Conseil d’État ruled that CNIL’s recommendation banning cookie walls exceeds CNIL’s competences and is therefore void.

NO

YES

But users must be informed of this fact. Also, they are not allowed in cases where they prevent users from accessing a service which is the only way to exert a specific legal right (e.g. the right to be informed).

NO

NO

NO

NOT SPECIFIED

But based on other requirements, most likely no.

NOT SPECIFIED

However, in Cassazione (17278/2018), walls were forbidden for Newsletters, which could be understood as applicable to Cookies.

NO

Must cookies be listed one by one?

NO

The ICO states that simply listing numerous cookies could be confusing to the user and best practice would be to give a description of the cookies. According to the PECR, the clarity and comprehensiveness of cookies is key (see Section 6 (2)).

NO

NO

NO

A per-purpose listing is valid and sufficient.

NOT SPECIFIED

NOT CLEAR

There have been contradictory statements issued. A recent press release states that the purpose of “each single tracker” must be specified (point 3), while the very next point (4) states that information about lifetime, controller and recipients of each tracker or category of trackers of the same purpose must be disclosed.

NOT CLEAR

There have been contradictory statements issued. The DPA states expressly that “the GDPR does not require per-cookie consent”, however, it also states that, while on a first level consent must only be collected on a per-purpose basis, on the second level users must be given the option to allow cookies granularly (on a per-cookie basis).

LIKELY NO, BUT NOT CLEAR

The guidance states: “Controllers must ensure that consent is obtained for each purpose for which cookies are set. This does not mean that consent needs to be obtained individually for each cookie, but merely for the purpose for which it is being used.”

NOT CLEAR

An uncommon practice so far.

Must consent be granular on a per purpose basis?

PER-SERVICE BUT NOT NECESSARILY PER-PURPOSE

The consent must be specific to the particular service.


Users should be able to manage consent to individual third parties on a granular basis – however, global consent can be used, provided that the user at least has the option to consent on an individual basis, should they choose to.

YES

Per-purpose is the rule, however, global consent is possible where the following conditions are met:

  • all purposes have been previously “presented” to the user;
  • it’s also possible to consent on a per-purpose basis; and
  • it’s possible and equally easy to reject globally.

The recommendation seems to suggest that consent may be collected for several websites or applications collectively, as long as the websites or applications are mentioned specifically and singularly.

YES

There are two aspects to this requirement:

  • You must clearly separate cookies requiring consent from those that do not (Don’t collect consent for cookies that do not need it).
  • Consent must be granular. However, it’s not clear how granular. The DPAs have simply mentioned that “it must be possible to select single processing activities singularly”.

However, so far there has been no practical implementation of a cookie-by-cookie selection, or any literature or case-law on the matter. As an extreme level of granularity may actually confuse and reduce transparency for users, it seems likely that per-purpose grouping would be sufficient in this case.

YES

Not explicitly stated but clearly implied.

YES

The Danish Authority states “If a data controller wishes to process personal data for several purposes, the data subjects must be free to choose which purposes they wish to consent to.” (Translated)

YES

YES

The Authority’s FAQ states that consent must be collected “at least” on a per-purpose basis. The same FAQ also states that a per-cookie approach is not required under the GDPR.

YES, PER PURPOSE

NO

YES

Is proof of consent requested according to the criteria established under the GDPR?

YES

YES

However, the consent records must only include the data strictly necessary for the proof/storage of evidence.

YES

NOT SPECIFIED (but implied)

YES

NOT SPECIFIED

YES

YES

NO

The current guidelines refer to using a “technical cookie” as proof of consent as the guidelines have not been updated to meet the GDPR requirements.

NOT EXPLICITLY STATED

But likely, yes.

Should withdrawing consent be as simple as giving it?

YES

According to the ICO: “It must also be as easy to withdraw consent as it was to give it. This means the process of withdrawing consent should be an easily accessible one-step process. If possible, individuals should be able to withdraw their consent using the same method as when they gave it.”

YES

Users must be informed of how they can withdraw consent at a later stage before even choosing whether or not to grant consent. It must always be easily possible to manage preferences and withdraw consent. Technically the recommendation suggests a widget always visible in the lower left corner of the screen.

YES

YES

The technical implementation of this largely depends on how the consent is collected. For example, if consent is collected by scrolling down, there must be a “reject all” button on the banner to allow for an equally easy way to reject.

YES

For example, by providing a static link in the website’s header or footer.

YES

YES

YES

NO

It’s considered sufficient to simply link to the cookie policy where a user can then toggle consent preferences.

YES

Is the use of a Consent banner recommended?

YES

NOT SPECIFIED (but seemingly encouraged)

The French Authority’s own implementation uses a two-step process featuring a banner that allows users to manage cookies via a second modal which facilitates granular consent.

BEST PRACTICE

Most common practice for collecting consent for cookies that require it. Cookies that do not require consent (see first row above) must not be listed on the banner.

YES

It’s mentioned as one of the ways to collect consent.

YES

It’s mentioned as an example of how to comply with the relevant provisions.

YES

NOT SPECIFIED

The guidance simply states that your cookie notice “may not disappear as long as the user hasn’t made an active choice.”

NOT SPECIFICALLY

But mentioned as the most common solution.

YES

Do third parties have to be listed and identified?

YES

ICO guidelines state “if you use any third party cookies, you must clearly and specifically name who the third parties are and explain what they will do with the information”

YES

Guidelines state that the user must be able to identify all the entities using cookies before giving consent. This list should be kept up-to-date.


To be specific, according to the 2020 draft recommendation, the listing of “controllers” is required. The data controller can either be the website/application owner or the third-party cookie-provider – whenever the third-party also has their own purposes for processing data via the cookie (e.g. advertising).

NOT SPECIFICALLY STATED

Depends on the legal basis for processing. If the basis is consent, then the third-parties should be mentioned in order for the consent to be considered “informed”. In other cases, it is still the best and most common practice to identify the third-parties.

YES and NO

Third-parties must be identified by their commonly known brand, however, identifying the specific legal entity is not required.

YES

The guidelines state: “If the data controller also integrates content or plug-ins from third parties, this may be the case several (joint) data controllers . . . all these data controllers must be named.”

YES

This appears to be required whether or not the third-parties are joint data controllers or processors.

NOT SPECIFIED

The Authority’s FAQ does not include naming third parties in their list of minimum requirements for cookie policies.

NOT COMPLETELY CLEAR

The guidance states that you’re required to provide links to each third-party’s privacy policy while simultaneously stating that you must “provide the information required under the GDPR” – which does not necessarily include listing all third-parties. However, it seems likely.

NOT SPECIFIED

However, it’s both common practice and implicitly suggested.

Is it specified how long the consent to a cookie should last?

NO

However, it must be justifiable for the stated purpose of the cookie. You must also inform users of the duration of the cookies you use.

YES

However, the duration of consent “depends on the context”. Generally speaking, CNIL considers six months as acceptable, and analytics cookies that have been consented to cannot last more than 13 months.


In any case, consent should be re-collected periodically without waiting for the user to first withdraw it. The information collected by the cookies can be stored for a maximum of 25 months.

Note that rejection of cookies must be stored for as long as consent would be stored. This means that you must not re-request consent from a user who rejected sooner than from a user that consented, otherwise users may be pushed to consent out of exasperation.

NO

INDIRECTLY

Via reference to the WP29, the recommendation is to re-ask for consent no later than 24 months after it has been collected.

NO

The guidelines suggest that technically consent “doesn’t expire”. However, do note that these guidelines are meant for any consent-based processing – they’re not specifically tailored for cookies or trackers.

NO

However, it’s heavily suggested that in case of “rejection” users should not be prompted again and again at each new website visit to give consent. Currently there’s no specification on how long after rejection they can be asked again.

NO

Currently what’s stated is that cookies may not be stored for longer than necessary to achieve the stated purpose.

YES

The Authority states that as best practice, consent should never be valid for more than 6 months – after 6 months users must be asked for consent again.

NO

NO DURATION EXPLICITLY STATED

The EDPB states “In principle, it can be sufficient to ask for a data subject’s consent once. However, controllers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged.”

Are pre-ticked boxes allowed?

NO

NO

NO

Not for cookies requiring consent.

NOT SPECIFIED

NO

NO

NO

NO

NO

Not for cookies requiring consent.

NO

What is the territorial scope of national cookies laws?

NOT SPECIFIED

According to the IAPP, based on previous guidelines, the scope could likely include controllers or processors established in the UK, or outside the UK but aiming at UK users. However, note: The processing of personal data is under the territorial scope of Article 3 of the GDPR.

FRANCE

French cookie laws apply to controllers established in the French territory. However, note: The processing of personal data is under the territorial scope of Article 3 of the GDPR.

GERMANY

German cookie laws apply to controllers established in Germany. However, note: The processing of personal data is under the territorial scope of Article 3 of the GDPR.

SPAIN

NOT SPECIFIED

However, likely Denmark and Greenland.

NOT SPECIFIED

Therefore, likely just Greece.

NOT EXPLICITLY STATED

However, based on the pre-GDPR guidelines, Belgian Law applies when:

  • cookies are used within the controller’s activities occurring in the Belgian territory,
  • the storage or processing of cookies in the Belgian territory is carried out by a controller who does not have a fixed establishment in the EU,
  • the processing of personal data is under the territorial scope of Article 3 of the GDPR.

IRELAND

NOT SPECIFIED

Therefore, likely just Italy.

Irish cookie laws apply to controllers established in Ireland.

Sources and further reading

*Unless otherwise stated, all sources linked are in their respective languages.

Belgium

2020 Cookie guidelines on DPA website + Cookie FAQ | 2015 Guidelines

Denmark*

2020 Guidelines on the “Processing of personal data of website visitors” | 2019 Executive Order (“EO”) regarding cookies (still applies unless the above 2020 document states differently)

*guidelines apply to any consent-based processing of personal data, not only to cookies or trackers, strictly speaking.

European Data Protection Board – EDPB

2020 EDPB Guidelines 05/2020 on consent under Regulation 2016/679 (English)

France

2020 CNIL’s draft recommendation | 2019 Deliberation n ° 2019-093 of July 4, 2019

Finland

2020 Summarizing article (English) | Decision by the Ombudsman | Information on the Finnish Traffic and Communication Authority’s website

Germany

2020 Guidance from the supervisory authorities for providers of telemedia

Greece

2020 Guidelines | Press release | Unofficial English translation

Italy

2014 Identification of simplified procedures for information and the acquisition of consent for use | Clarifications on the implementation of the legislation on cookies

Ireland

2020 Data Protection Commission guidelines on the use of cookies | Survey on the use of cookies

Spain (2020)

2020: Guide on the use of cookies | 2019: Cookie Guide | 2012: Guide to the rules of use of cookies

UK

2019 Guide to PECR: Cookies and similar technologies