Iubenda logo
Start generating


Table of Contents

Is consent the only legal basis for cookies?

To process personal data, you must have a lawful basis. The GDPR has six lawful bases, one of which is consent. But how about cookies?

If consent is required under the Cookie Law, you cannot rely on the full range of possible lawful grounds provided by the GDPR, as Cookie Law requirements are separate from, and different to, those of the GDPR.

iubenda's cookie consent banner

Is consent the only possible legal basis?

If you’re setting cookies, you need to look to Cookie Law first and comply with its specific rules, before considering any of the general rules of the GDPR.

It’s worth remarking that in the following circumstances the use of cookies is not subject to the user’s consent requirement:

  • for any technical storage or access, the sole purpose of which is to transmit a communication over an electronic communications network, or
  • if strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

That said, according to the ICO, UK’s Data Protection Authority, certain “strictly necessary” cookies (essential to provide an online service at someone’s request) are unlikely to require consent. However, it is still good practice to provide users with information about these cookies, even if you do not need consent.

Does legitimate interest apply to cookies?

If your cookies do not meet one of the exemptions, then you can only use consent – and this must be of the GDPR standard. If you have obtained consent in compliance with the Cookie Law, then consent is also the most appropriate lawful basis under the GDPR. Trying to apply another lawful basis (such as legitimate interests) when you already have GDPR-compliant consent would be completely unnecessary.

If your cookies meet one of the exemptions, then the requirement to have consent to set it doesn’t apply.

Is consent to cookies needed for analytics?

For some countries (i.e. Germany), analytics cookies could be based on a legitimate interest, but, in general, they are not exempted and – according to the ICO – always require consent.

How long can the user’s consent to cookies last?

Guidelines for cookie consent storage range from just a few months to 12 months. It’s important to check the guideline specific to the EU country that applies to you.

Anyway, according to the ICO, it depends on the purpose of the cookie. You need to ensure that your use of the cookie is:

  • proportionate in relation to your intended outcome; and
  • limited to what is necessary to achieve your purpose.

Manage cookie consent with the Cookie Solution

Generate a cookie banner

About us


Cookie consent management for the ePrivacy, GDPR and CCPA


See also