All Blog Posts

Consent management

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.

Updated October 27, 2020.

The General Data Protection Regulation (GDPR) requires your website to ask for and obtain the clear and affirmative consents from users before processing any of their data.

So, what is consent management?

How do you manage consent in GDPR compliance on your website?

What is valid consent according to the GDPR?

And is there such a thing as a consent management software that can do it all for you?

You’ll find answers to all of these questions in this article.

Consent management is the act or process of managing consents from your users and customers for processing their personal data.

In other words, consent management means to enable for your users the ability to opt-in and out of the specific cookie categories (preferences, statistics and marketing), to consent and to withdraw their consent again if they chose to. 

Consent management is really all about empowering your users to exercise their right to privacy.

A proper consent management system encompasses the following:

  • Asking for consent by clearly disclosing what the consent is being given to and how the data will be used.
  • Holding back all tracking until proper consent has been given.
  • Securely storing all consents as documentation that the consent has been obtained.
  • Giving your users access to withdraw their consent at any time.
  • Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance

A consent management software like Cookiebot consent management platform (CMP) does all of this automatically.

In doubt whether your website is GDPR compliant? Test with the free Cookiebot CMP compliance test.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

The General Data Protection Regulation is an EU law that came into force on 25 May 2018. It affects all organizations, companies and websites, worldwide, that handle personal data of EU citizens.

The GDPR definition of personal data is very wide, and includes “any information relating to an identified or identifiable natural person”, including information that can be combined to single out or build a rich profile of a particular data subject.

Under this definition, statistics (analytics cookies) and marketing cookies (tracking cookies), as used by most websites, are subject to the GDPR.

This means that you need proper consent from your users prior to the setting of all cookies that track personal data. Your users must be informed about all tracking and consent to it before any data can be processed, says the GDPR.

The European Data Protection Board (EDPB) is the leading supervisor of the GDPR in Europe, responsible for directing the national data protection authorities in each EU country on how the GDPR is to be enforced.

On May 4, the EDPB released guidelines on valid consent in the EU, clarifying what constitutes a proper, lawful user consent on websites for the processing of personal data.

The EDPB guidelines specify that –

  1. Cookie banners are not allowed to have pre-ticked checkboxes as a default. Instead, cookies (except strictly necessary cookies) must be deselected and deactivated by default, so that users can give their consent as a clear and affirmative action.
  2. Cookie walls (forcing users to consent to cookies in order to gain access to a website) are deemed unlawful. Users must be able to filter their consent and also give it freely.
  3. Continued browsing and scrolling on a website does not constitute valid consent.

Learn more about the EDPB guidelines on valid consent in EU

Consent management is a key issue in the GDPR.

The GDPR definition of proper or valid consent is very clear and leaves a clear responsibilities on the shoulders of website owners and operators.

Consent & GDPR go hand in hand – 

Article 7 of the GDPR treats the conditions for consent, and lists the following:

  1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
  2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.

    Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
  3. The data subject shall have the right to withdraw his or her consent at any time.

    The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.

    Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
  4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Real GDPR consent is thus informed, prior to any processing of user data, withdrawable and not on conditions of providing a service.

GDPR consent management is best done with an all-in-one solution, so that you can be sure that your website is compliant and your user’s privacy protected.

You most probably do.

If your website makes use of tracking cookies, you need to obtain consent from your users first.

Is your website hosted, for example on WordPress?

Do you make use of Google Analytics or similar tools on your website?

Do you have embedded content on your site, such as YouTube videos or social media buttons?

If yes, then your website most likely sets third party tracking cookies on your users’ browsers – and you need to implement a consent management platform to make sure that:

  1. all cookies are paused until proper consent has been obtained,
  2. the user gets transparent information on the cookies,
  3. and that he or she may withdraw his or her consent at any time.

The truth is that most websites today need consent management, because almost no website operates without the most basic tools for statistics, marketing or implementation of social media functions.

But consent management is not something you have to sweat about doing yourself.

Being non-compliant with the GDPR is, on the other hand, something you should sweat about: fines can reach €20 million or 4% of the annual global turnover of a company.

ePR & GDPR consent management is our niche expertise here at Cookiebot CMP.

We take our responsibility of protecting privacy very close to heart, and our role as consent manager reflects this.

There exists a vast range of consent management tools that offer to manage your website’s user consents.

However, make sure to do your research properly and take care to choose one that is fully compliant and meets all of the above requirements.

Many of the consent management tools available – even amongst those that claim to be fully compliant – are not.

Cookiebot CMP is a consent manager and fully compliant software-as-a-service that helps you scan, know and control your website’s cookies and other tracking. We offer granular consent and full transparency for yourself and for your users.

Once a month, Cookiebot CMP scans all of the pages of your website, by directing a number of simulated users, that activate and detect all cookies and other known tracking technologies in use on all of the pages of your website.

The result of this audit is sent to you in a report, that can also be integrated on your website, for example as part of your privacy policy or cookie policy, thus ensuring that your information on the tracking activity is always up to date and accurate, as required by the GDPR.

Learn more about the Cookiebot CMP functionality and features

Try our free test that scans up to five pages of your website and sends you a report on the cookies and online tracking in use on these pages and gives you an indication of whether your website is GDPR/ePR compliant.

See if you need a GDPR consent management solution for you website and if Cookiebot CMP is the right consent manager for you.


What is GDPR?

The General Data Protection Regulation (GDPR) is a data privacy law that governs the processing on personal data of individuals inside the EU. Websites that have users from inside the EU must comply with the GDPR. The GDPR requires websites to secure the consent of users before activating cookies and trackers on their domain that process personal data.

Learn more about GDPR and cookies


EDPB guidelines on valid consent in EU

GDPR and cookie consent

i-scoop: GDPR and consent

Performancefoundry: WordPress cookie consent notification plugins review

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.