GDPR Cookie Banner Requirements: A Comprehensive Compliance Checklist for 2026

The Legal Foundation

Cookie consent obligations flow from the GDPR (Regulation 2016/679) and the ePrivacy Directive (2002/58/EC). The ePrivacy Directive requires consent before storing information on a user’s device (Article 5(3)), while the GDPR defines valid consent (Article 4(11), Article 7, Recital 32).

The 14 Requirements

1. Prior Consent

Non-essential cookies must not fire until the user consents. Article 5(3) of the ePrivacy Directive is explicit. CNIL fined Google EUR 150 million (2022) for loading cookies before user interaction.

2. Freely Given Consent

Consent cannot be a condition of access (GDPR Article 4(11)). Do not bundle cookie consent with terms of service.

3. Granular Purpose Selection

Users must consent to each purpose independently — analytics, advertising, functional (GDPR Recital 43). A single “Accept All” without category selection is insufficient.

4. Equal Prominence for Accept and Reject

Reject must be as visible as Accept. CNIL requires a “Refuse All” button on the first layer with equal visual weight. Microsoft was fined EUR 60 million (2022) partly for hiding the reject option.

5. No Pre-Ticked Boxes

CJEU Planet49 ruling (C-673/17, 2019): pre-checked boxes are not valid consent. All categories must default to off.

6. No Cookie Walls

Blocking site access until consent is given is generally non-compliant. The EDPB and Dutch DPA have confirmed this.

7. Clear, Plain Language

GDPR Article 7(2) — consent requests must use clear, plain language. “We use cookies to improve your experience” is insufficient.

8. Language Matching

GDPR Article 12(1) — information must be intelligible. The banner should match the website’s language.

9. Link to Cookie Policy

GDPR Articles 13-14 require comprehensive information. The banner must link to a full cookie policy listing every cookie.

10. Easy Withdrawal

GDPR Article 7(3) — withdrawal must be as easy as giving consent. A persistent widget or footer link must allow reopening the consent interface.

11. Consent Record-Keeping

GDPR Article 7(1) — you must demonstrate that consent was obtained. Log timestamps, choices, and banner versions.

12. Third-Party Disclosure

GDPR Article 13(1)(e) — disclose all third-party data recipients. Under TCF 2.3, the vendor list must be accessible from the consent interface.

13. Data Retention Transparency

GDPR Article 13(2)(a) — disclose how long cookies persist.

14. Mobile Responsiveness

There is no GDPR exemption for mobile. Buttons must be tappable, text readable, and the interface functional on all screen sizes.
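As an added example (not part of the original article and not any vendor's code), the JavaScript below shows one way requirements 1, 3, 5, 10 and 11 can be enforced in a site's own script: categories default to off, tag loaders are held until their category is accepted, and every decision is logged with a timestamp, the choices and the banner version. The names ConsentManager, CATEGORIES and BANNER_VERSION, and the version string, are assumptions made for the example.

```javascript
// Added example: all names here are hypothetical, not from any CMP's API.
const CATEGORIES = ["analytics", "advertising", "functional"];
const BANNER_VERSION = "2026-01-constructed"; // constructed sample value

class ConsentManager {
  constructor(now = () => new Date()) {
    this.now = now;
    // Requirement 5: every non-essential category defaults to off.
    this.choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
    this.pending = new Map(CATEGORIES.map((c) => [c, []])); // held loaders
    this.log = []; // Requirement 11: append-only consent records
  }

  // Requirement 1: a loader (e.g. a function injecting a tag) runs only
  // once its category has been accepted; until then it is queued.
  register(category, loader) {
    if (!this.pending.has(category)) throw new Error(`unknown category: ${category}`);
    if (this.choices[category]) loader();
    else this.pending.get(category).push(loader);
  }

  // Requirement 3: each purpose is set independently. Unknown keys are
  // rejected and only a strict boolean true counts as consent.
  update(selection) {
    for (const key of Object.keys(selection)) {
      if (!CATEGORIES.includes(key)) throw new Error(`unknown category: ${key}`);
    }
    for (const c of CATEGORIES) {
      if (c in selection) this.choices[c] = selection[c] === true;
    }
    const record = Object.freeze({
      timestamp: this.now().toISOString(),
      bannerVersion: BANNER_VERSION,
      choices: Object.freeze({ ...this.choices }),
    });
    this.log.push(record);
    for (const c of CATEGORIES) {
      if (this.choices[c]) this.pending.get(c).splice(0).forEach((fn) => fn());
    }
    return record;
  }

  // Requirement 10: withdrawal is a single call, as easy as accepting.
  withdrawAll() {
    return this.update(Object.fromEntries(CATEGORIES.map((c) => [c, false])));
  }
}
```

Withdrawal here only stops loaders from running afterwards; cookies already set by a tag that ran earlier have to be deleted separately.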

Quick Audit Checklist

Automate this: FlexyConsent handles every requirement out of the box — Google-certified CMP with IAB TCF 2.3, Consent Mode V2, 43+ languages, plans from EUR 0/month. Get started at panel.flexyconsent.com.