skip to main content

General Data Protection Regulation (GDPR)

Defining Cookie Consent under the GDPR

The General Data Protection Regulation has everyone talking about cookies, consent, and privacy. But there’s an earlier privacy law called the ePrivacy Directive. This law, along with the GDPR, created the situation that website owners are now trying to navigate.

To understand the GDPR, it helps to first understand the overlap of ePrivacy and GDPR as it relates to cookies and consent.

ePrivacy Directive

Current requirements for cookies in Europe are derived from the ePrivacy Directive (ePD), first introduced in 2002.

The ePrivacy Directive established that storing or retrieving any information from a user’s device is subject to consent. That is, “unless it is technically necessary to enable the intended communication to take place.”

This rule made it necessary for websites to have cookie notification banners that you see on many websites.

But there was a problem…

Since this rule passed as a Directive, each member state had to write it into their national law. Also, while the ePrivacy Directive defined the need for cookie consent, it didn’t define consent.

Because of this, ePrivacy rules and enforcement rolled out in a fragmented way.

Part of the GDPR’s goal was to unify those rules. To do this, the GDPR needed to clearly define what consent is and when it’s needed.

Since the revision of the ePrivacy text in 2009, website operators in Europe have had to obtain the website visitor or app user’s consent to store or retrieve cookies or other tracking technologies on the person’s device (with the exception of strictly necessary cookies).

To ensure consistency with the new rules introduced by GDPR, the EU Commission introduced a proposal for ePrivacy Regulation (ePR) in January 2017 to replace the existing ePrivacy Directive to ensure consistency between the ePrivacy rules and GDPR.


The General Data Protection Regulation (GDPR) is a European Union (EU) regulation that replaces the Directive 95/46/EC and governs the current data protection framework in Europe.

It has a broad scope that impacts organizations that process the personal data of EU residents, wherever they are located in the world. The regulation is meant to harmonize the EU data protection landscape and protect the rights and freedoms of EU individuals.

You do not need to be headquartered in the EU for the GDPR and ePrivacy to apply to your organization. If you have customers from the EU visiting your site, you must have GDPR and ePrivacy compliant processes built into your website for your EU visitors.

Organizations that do not comply with GDPR face heavy fines and penalties. Some violations are subject to up to 4% of the organization’s global annual turnover.

GDPR Data Subject Rights

Data Subject Rights (DSR) are rights that can be enforced against organizations that collect or process personal data. DSRs include the right of a person to access the personal data an organization holds about him/her, and the right to have personal data deleted and corrected.

  • Right to be Informed
  • Right to Access
  • Right to Rectification
  • Right to Erasure
  • Right to Restriction of Processing
  • Right to Data Portability
  • Right to Object
  • Automated Individual Decision Making
  • Right to Withdraw

Cookie Consent Under GDPR

Before the GDPR, cookie consent meant different things throughout the EU. However, in Recital 32, the GDPR established a unified rule that clearly defined what consent is:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her.”

Since terms like “clear”, “specific”, and “informed” are subjective, we still have to unpack Recital 32 a bit more.

A Clear Affirmative Act

Recital 32 says that consent can be “ticking a box” or another statement that “clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data.”

Specific, Informed, Freely Given, and Unambiguous.

Additionally, Recital 32 states that you need consent for “all processing activities carried out for the same purpose.” And if processing has multiple purposes, “consent should be given for all of them. Moreover, the consent request must be “clear, concise and not unnecessarily disruptive” to the user. Recital 32 also explains what consent is not, which includes “inactivity” or “pre-ticked” boxes.

One More Condition of Cookie Consent: Withdrawability.

The GDPR says that users must be able to withdraw consent and that it “shall be as easy to withdraw as to give consent.”

Meet EU Cookie Requirements

The GDPR has influenced the drafting of new ePrivacy regulation that brings the current ePrivacy Directive in line with the GDPR. Organizations face increased penalties and more focused regulatory action under the newly drafted regulation.

As the owner/operator/publisher of a website available in Europe, you need to collect the user’s consent before storing cookies or other tracking technologies that are not strictly necessary on their device.

Consent needs to be given for all types of cookies that are not strictly necessary when a user lands on a particular webpage and the website publisher is the person responsible for collecting the user’s consent (whether the cookie is a first-party cookie or a third-party cookie).

In short, to achieve compliance with the GDPR, you must enable a user to show their consent with a clear, affirmative action. Moreover, that action must be:

  1. Specific
  2. Informed
  3. Freely Given
  4. Unambiguous
  5. Withdrawable

How CookiePro Helps

CookiePro conducts ongoing website scans, and automatically generates a detailed report that categorizes cookies and tracking technologies found. Using CookiePro, you can create a customizable cookie banner and cookie notice using the results of your website scan. Within the cookie banner, provide visitors with a preference center to put them in control of opting-in and out of tracking.

Intake Data Subject Requests

Under the GDPR, data subjects have such as data portability, access, erasure or “right to be forgotten”, rectification, and more. When a data subject makes a request, there are requirements to manage the request, respond the request, validate the identity and transmit the response to the user.  

How CookiePro Helps

Using CookiePro, users are able to configure a branded web form that intakes requests and receive notifications when a request has been submitted. When the request is fulfilled, securely transmit the data to the individual, and link the request to the underlying data map to efficiently fulfill the request, as well as ultimately generate the proper documentation and evidence should a regulator inquire about the request.

Ensuring Compliance with GDPR’s Rules Governing Cookie Consent

The GDPR is not just for organizations located in the EU. Any business with customers visiting their site from the EU are subject to the GDPR and its consent rules. And with proposals for new privacy regulations in the works, it’s becoming increasingly risky to ignore outdated cookie consent processes.

Browse our packages, which include Website Scanning & Cookie Consent, and make sure your business has a GDPR compliant cookie policy.

Other GDPR Resources:

Cookie Consent Models

There are several approaches to a cookie banner, and you can choose what’s best for your company depending on your level of risk tolerance.

Option A

Opt-Out Consent

What does it mean?

Drop all cookies when the user reaches the landing page, show the cookie notice and allow action on the notice.

Why Choose This?

  • Most common approach on websites today
  • Easies to implement technically
  • Least impact on user experience
  • Organization willing to accept higher level of risk
  • Bet that a warning will occur before actual enforcement
  • Waiting to see what ePrivacy Regulation will actually require when finalized

Option B

Implied Consent

What does it mean?

Drop strictly necessary cookies only when the user reaches the landing page, show a cookie notice indicating “Continue Browsing” or “Clicking ok” will amount to consent, and drop the rest of the cookies once one of these actions has been taken.

Why Choose This?

  • Increasingly adopted by organizations
  • Question of whether approach is compliant with the definition of consent under GDPR
  • More difficult to implement technically, need developer support to implement cookie blocking logic provided by OneTrust
  • Implement this as reasonable approach while waiting to see what new ePrivacy Regulation will actually require when finalized

Option C

Expressed Consent

What does it mean?

Drop strictly necessary cookies only when the user reaches the landing page, show a cookie notice with clear and comprehensive information about the purposes of processing the cookies, require an affirmative action from the user, and only after that drop the rest of the cookies.

Why Choose This?

  • Increasingly adopted by organizations taking a “privacy first” approach
  • Most in line with the definition of consent under GDPR
  • Likely to be what will be required under new ePrivacy Regulation
  • Already required in some jurisdictions (Netherlands, Italy)
  • Likely impact on user experience since requires action prior to progressing
  • Assume higher percentage of users who decline tracking which may have business impact
See GDPR and ePrivacy Terms and Definitions

Privacy Risk Assessment

Is Your Website Cookie Compliant?

With a few simple clicks in CookiePro, scan your website against our database of 9 million cookies to identify and auto categorize the tracking technologies on your site. Automatically generate a cookie policy based on the scan, and schedule an auto scan to keep it up-to-date.

Start Scan