

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.


Try our free compliance test to check if your website’s use of cookies and online tracking is GDPR/ePR compliant.

Cookie consent and the GDPR is our area of expertise here at Cookiebot.

In this article, you can read what the General Data Protection Regulation (GDPR) and the ePrivacy Regulation mean for your cookie consent, and your website’s use of cookies and online tracking.

The GDPR is a regulation that has been enforced since 25 May 2018. It affects all websites located in the European Union, and websites that have EU citizens as users.

Next in line is the ePrivacy Regulation, which is currently in process in the EU, and which is expected to be finalized in 2020.

The ePrivacy Regulation will have much of the same scope as the GDPR and will stipulate requirements aimed specifically to protect the privacy of electronic communications.

Why do I need cookie consent on my website?

Cookies of both first- and third-party provenance on websites track users in different ways.

They may track, for example, the IP address, or merely the actions and behavior of users on the site and from site to site.

Because of the broad definition of personal data in the GDPR, if you use cookies, you need to ask for consent from your users before setting any cookies other than the strictly necessary - and therefore whitelisted - ones.

If you are using cookies that track direct personal data or data that can potentially be connected or singled out to identify or track a person, you now must either take them away, or update your cookie policy and your cookie consent in accordance with the GDPR.

Many modern websites have dozens of active cookies and online tracking in use on their site.

Try Cookiebot for free today!

The free scan crawls up to five pages of your website and sends you a report on the cookies and online tracking in use on these pages, giving you an insight into the tracking of your users that is going on on your site.

GDPR cookie consent examples

In the wake of the ePrivacy Directive, implemented in 2002 and notoriously known by its nickname, “The Cookie Law”, cookie consent popups and banners started showing up on almost every website.

Read more about the EU Cookie Law here.

Since the enforcement of the GDPR on 25 May 2018, however, simple “accept cookies” banners no longer suffice.

And since the ruling by the Court of Justice of the European Union (CJEU) on October 1, 2019, no consent banners in the EU are allowed to have pre-ticked checkboxes (with the exception of necessary cookies), as this does not constitute valid consent.

Read more about the CJEU ruling on valid consent here.

Users have to affirmatively tick the boxes of all other cookies on a website before clicking OK.

Here is a GDPR cookie consent example:

Valid consent according to EU privacy laws

A GDPR/ePR compliant consent banner from Cookiebot

Example of a non-compliant cookie banner:

In the latter example (the dark one), the user has two options: click “Alright” or click “read more”, which leads directly to the static page holding the website’s cookie policy.

In other words, the user is not presented with any real choice, and there is no true insight or information about what cookies are set on the browser, where they come from and what purposes they serve.

In the compliant cookie message (the white one), by contrast, the user is informed of the purposes of the cookies up front, and must affirmatively opt in to all categories as part of their prior consent, before those cookies can be activated.

The cookies (which, as mentioned, can be numerous) are arranged in four comprehensible categories. Only strictly necessary cookies are allowed to be pre-ticked on a consent banner in the EU.

Users can also click to see a detailed overview of the cookies in use.

The overview simply folds out of the consent banner, mapping all active cookies and presenting them in an accessible manner.

At a glance, the user can now scroll through all of the cookies, see where they come from, read a description of their function and check their duration.

The user can then easily accept or reject the different types of cookies.

Cookie consent through a GDPR compliant banner from Cookiebot.

A GDPR compliant consent banner unfolded with details by Cookiebot.

Detailed overview in a GDPR cookie consent message.

Checklist of requirements for GDPR compliant cookie consents

Your GDPR and ePrivacy compliant cookie consent system should ensure that the consent is…

The easiest way to comply is to find reliable cookie consent software that is based upon a thorough study of the new regulations and can therefore ensure compliance with them.

Check out Cookiebot, one of the few fully GDPR and ePrivacy Directive compliant cookie services on the market.

Take a look at what a great, compliant cookie text looks like here.

What is the GDPR all about?

The main purpose of the General Data Protection Regulation is to bring the EU legislation up to date with the digital age, protecting personal privacy and restoring the control over their own data to the users.

The latest law on protection of personal data dates back to 1995.

1995. That’s almost ten years prior to Facebook!

… and long before cookies were used for anything and everything from customizing websites to fencing in customers in a sophisticated web of targeted marketing.

The GDPR sets out strict requirements on data handling procedures, transparency, documentation and user consent.

For a quick overview of the main themes of the GDPR, check out the EU Commission’s infographic on the subject, Data Protection: Better rules for small businesses.

What does the GDPR mean for my website in general?

For website owners, the two primary aspects to be aware of are:

1. How you manage and store personal data in general:

What personal data are you handling? Do you really need this data, or can you get by without it? Are you able to detect and properly delete personal data, if a user so requests? Is the data securely stored? Do you have proper procedures in place in case of a data breach?

2. The cookies and tracking in use on your website:

This goes for both first-party and third-party cookies in use on your website. All cookies that directly identify a person or can potentially be combined to identify a person may only be used once you have your user’s proper consent to it.

Nowadays, there can be up to hundreds of cookies and tracking technologies in use on websites, and more often than not, website owners themselves don’t even have the full picture of the tracking in use on their own website.

To meet the requirements, make sure to have a thorough and compliant setup for getting and securely storing the consents to the cookies on your website. Start by finding out what cookies are in action on your website, and whether the use is compliant.

All cookies that process personal data are subject to the new regulations.

In practice, this means most cookies, such as cookies for analytics, cookies for advertising and for functional services, for example survey and chat tools.

The GDPR also means you will have to revise your website’s cookie policy or privacy policy, so that they meet the requirements of accuracy and transparency.

What is personal data in the GDPR?

The GDPR covers both data that is directly personal, such as a name, a photo, an email address, bank details, IP address etc., and data that can be combined in a way that can single out and identify individual users.

If your website or organization processes such data, then it must be revised to meet the new requirements.

Six lawful reasons to process data

It is worth knowing that consent is one of six lawful reasons to process personal data.

Therefore, before applying a setup for user consents, consider whether the processed personal data falls under one of the other categories for lawfulness.

I use Google Analytics, Mailchimp, social media buttons, Salesforce etc. Do I need a cookie consent?

All of the services and features mentioned above are examples of third parties on your website.

They deposit cookies on your users’ browsers as they visit your website.

You are responsible for protecting your website users and for giving them clear information and choice about how their data is being used, both by you and by third parties in use on your website.

It is therefore imperative that you have a proper and GDPR compliant cookie policy and cookie consent.

How do I implement a cookie consent message on my website?

The easiest way to become compliant is by finding a solution that takes care of your cookie consent for you.

Cookiebot is one of the few fully compliant solutions on the market.

Cookiebot offers a smooth user experience - both for you as a website owner and for the users of your website.

Once you have found the cookie consent solution of your choice, there are two main ways of implementing it on your website:

If you have a WordPress site, you can simply use a WordPress plugin.

Otherwise, you can add a cookie consent script directly to your website.

GDPR cookie consent plugin - WordPress plugin for compliant cookie use

If you have a WordPress website, the easiest way to implement cookie consent on your website is by making use of a WordPress plugin.

You can find and install GDPR cookie consent plugins in the plugin menu in the admin area of your WordPress site.

Be sure to look for the Cookiebot plugin, which is fully compliant with both GDPR and the EU ePrivacy Directive.

Script for GDPR compliant cookie consent notice

You can also add a cookie consent script to your website. This is typically a simple piece of JavaScript.

See the Cookiebot script here.

