All Blog Posts

Cookie Control

The General Data Protection Regulation (GDPR) and ePrivacy Directive (ePR) affect how you as a website owner must obtain and store cookie consents from your visitors from the EU.

Updated October 27, 2020.

Efforts to regulate online surveillance and protect digital privacy has crystalized in the EU as the General Data Protection Regulation (GDPR), and in the US as the California Consumer Privacy Act (CCPA).

In this blogpost, we look at cookie control in the EU and US, including the EDPB guidelines for valid consent in the EU, privacy-friendly web browsers and consent management platforms.

Become compliant with Cookiebot consent management platform (CMP).

In the EU, the use of cookies and trackers on websites is regulated by the General Data Protection Regulation (GDPR) that is law in all EU member states.

The GDPR governs the processing of personal data of individuals inside the EU and most cookies today collect personal data from users, when they visit websites.

The GDPR requires websites to obtain user consent before activating cookies that will process personal data.

Websites are not allowed to activate cookies and trackers that process personal data unless the user has first consented to it, unless the cookies can be deemed strictly necessary for the basic functions of the website.

Flag of European Union - Cookiebot
Cookie control in EU through the General Data Protection Regulation (GDPR)

Personal data is any kind of information that can be directly or indirectly related to a living individual and therefore identify the user.

This includes anything from names, e-mail addresses, social security numbers, but also IP addresses, browser specifications, search history and Unique IDs that most cookies set on user browsers after a website visit.

If your website has visitors from inside the EU and you use cookies that process personal data, you must –

  • Ask for consent before activating cookies and trackers that process personal data,
  • Enable users to give clear and affirmative consent to the processing of their personal data,
  • Make sure that user consents are granular, i.e. users must be able to consent to some cookies rather than others,
  • Inform users of how you use cookies and the purposes of why your website processes personal data,
  • Document all obtained consents,
  • Consent must be renewed annually. However, some national data protection guidelines recommend more frequent renewal, e.g. 6 months. Check your local data protection guidelines for compliance

Is your website GDPR compliant? Test for free with the Cookiebot CMP test.

Learn more about the GDPR and cookie consent

The European Data Protection Board (EDPB) is the leading supervisor of the GDPR in the EU that regularly adopts guidelines and issues decisions on how the GDPR is to be enforced by the national data protection authorities in each EU member country.

On May 4, 2020, the EDPB adopted guidelines on valid consent that make it very clear what constitutes GDPR compliant consent for the processing of personal data on websites… and what does not.

EDPB guidelines clarify that –

  • Consent must be a freely given, specific, informed and unambiguous indication of users’ wishes, i.e. a clear and affirmative action on part of the user before any activation of cookies is allowed on your website.
  • Pre-ticked checkboxes on cookie banners are not allowed, i.e. cookies must be deselected by default when users land on your website.
  • Scrolling and continued browsing on your website (implied consent) does not constitute valid consent, i.e. users must actively select and activate cookies through a cookie banner before your website is allowed to process their personal data.
  • Cookie walls (i.e. making user consent conditional for access to your domain) does not constitute valid consent, i.e. users’ consent must be freely given and specific to each different processing purpose.

Learn more about the EDPB guidelines on valid consent

In doubt whether your website is GDPR compliant? Test with the free Cookiebot CMP compliance test.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Cookiebot CMP is a consent management platform that makes your website compliant with the GDPR, the CCPA and other data protection laws across the world.

Cookiebot CMP works by detecting all cookies and trackers in operation on your domain using our unmatched scanning technology that finds even the hidden third-party trojan horses.

Cookieboot Pop Up Banner - Cookiebot
Granular cookie control with Cookiebot CMP.

Cookiebot CMP auto-blocks all cookies and personal data processing on your domain until users have given their granular consent to which trackers, they will allow activated – ensuring that your website fully lives up to the GDPR requirements for prior consent.

Cookiebot CMP also offers full CCPA compliance for websites.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.

Learn more about GDPR and cookie consent

Learn more about CCPA compliance

In the US, the use of cookies and the processing of personal information is not regulated on a federal level as it is in the EU by the GDPR.

Instead, some states have their own set of laws governing personal information collection and digital privacy, while other states have no real protection for users.

The biggest data protection in the US that covers cookie control is the California Consumer Privacy Act (CCPA) that took effect in January 2020.

Flag of United States - Cookiebot
Cookie control in the US through the California Consumer Privacy Act (CCPA).

The CCPA grants consumers the right to request disclosure of the categories and specific pieces of personal information that a business has collected on them. It also grants consumers the right to request deletion, as well as the right to opt out of having their data sold to third parties.

The CCPA requires that users are informed of what cookies are in operation on a website, what kind of personal information they collect and for what purposes.

CCPA also requires websites to inform users of what third parties they share their personal information with.

Learn more about the California Consumer Privacy Act (CCPA)

Learn more about CCPA compliance with Cookiebot CMP

The UK left the EU in January 2020 and by the end of this year will no longer be governed by the EU’s General Data Protection Regulation.

However, the UK has adopted new data protection laws that mirror the GDPR and that will ensure a continued equivalent data protection regime.

Learn more about Brexit and cookie control in the UK

The Information Commissioner’s Office (ICO) is the leading data protection authority in the UK, responsible for enforcement and supervision of the country’s data protection laws.

The UK’s data protection laws after Brexit is the UK-GDPR and the Data Protection Act 2018.

In the summer of 2019, the ICO has updated its guidelines for the use of cookies and trackers and put a significantly tighter cookie control in place in the UK.

When it comes to a website’s cookie management, implied consent as we know it today – the soft opt-in that allows websites to interpret as consent the continued browsing of its users – do not meet the requirements for valid consent, ICO has ruled.

Flag of United Kingdom - Cookiebot
Cookie control in the UK through the UK-GDPR and Data Protection Act 2018.

Instead, users must give their affirmative consent to anything that is not necessary cookies (or non-essential, as ICO calls them) and it is the legal responsibility of websites to have a cookie manager in place that enables this for their users.

Pre-ticked boxes (or any equivalent) are not lawful to use on anything but necessary cookies, according to the new ICO guidelines.

This means that preference, statistics and marketing cookies must abide by the same rules: they all need to be un-ticked and now require affirmative opt-in to be viewed as valid consent.

In other words, users must now choose to tick the boxes of preference, statistics and marketing cookies alike, in order for these categories of cookies to be activated.

The ICO guidelines clarify that –

  • Users must take a clear and positive action to consent to non-essential cookies,
  • Websites and apps must tell users clearly what cookies will be set and what they do – including any third-party cookies,
  • Pre-ticked boxes or any equivalents, such as sliders defaulted to “on”, cannot be used for non-essential cookies,
  • Users must have control of any non-essential cookies,
  • Non-essential cookies must not be set on landing pages before you gain the user’s consent.

Inform yourself on ICO’s updated guidelines on cookies.

Digital self-defense is also an option a lot of people are choosing in exasperation when learning about the ugly truth of the dismal state of privacy on the Internet today.

This type of digital self-defense is essentially a version of privacy protection, where everyone has to fend for themselves, by downloading the right browser that then block cookies automatically.

Privacy-friendly browsers such as Epic, Brave or Firefox offer cookie control through non-discriminatory, across-the-board cookie blockers that stop all cookies, even necessary and benign ones.

The downside is that they often break websites, because they block cookies that support the basic functions of a domain. This full cookie stop is the default mode of both Epic and Brave, whereas Firefox utilizes a tracker list from Disconnect to determine which cookies they block.

Epic, Brave & Firefox Logos - Cookiebot

This digital self-defense is not a viable final solution to the privacy problems of surveillance capitalism, since most people don’t have the time or the technical skills to navigate the abundant market of privacy tools, browsers, VPNs or adblockers.

There is also another way to protect privacy in our digital infrastructures…

Cookie control through a cookie manager like Cookiebot CMP is a technology that we – obviously – have put our weight behind and think of as a vital part of a sustainable solution for protecting privacy.

Using a consent solution that is specific to each website (implemented through the cloud and integrated seamlessly onto a domain) not only prevents websites from breaking by allowing them to discriminate between different categories of cookies, it also holds the potential to be fully GDPR and CCPA compliant.

Cookiebot CMP makes your website fully compliant with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

A website owner looking for cookie control can use Cookiebot CMP to –

  • have their domains scanned for all cookies and similar trackers,
  • enable prior consent for users through a customizable cookie,
  • obtain a cookie declaration,
  • feature a Do Not Sell My Personal Information link on their website,
  • be able to be fully compliant with the GDPR and the CCPA,
  • protect the privacy of their users against against unwanted and non-consensual third-party tracking.

Try Cookiebot CMP free for 14 days… or forever if you have a small website.


What is cookie control in EU?

The use of cookies on websites in the EU is governed by the General Data Protection Regulation (GDPR) that controls how websites, companies and organizations are allowed to process personal data of users inside the EU. The GDPR requires that websites obtain the clear and affirmative consent from users before activating any cookies that process personal data. The GDPR also gives users the right to access collected data, right to have it rectified or deleted.

Learn more about GDPR and cookie consent

What is cookie control in US?

The use of cookies on websites in the US is not regulated on a federal level. However, the California Consumer Privacy Act (CCPA) is a state-wide law that governs the collection, processing and sharing of the personal information of California residents. The CCPA requires businesses to inform users of what type of personal information they collect, how, for what purposes and who they share it with. Businesses must also enable users to opt out of having their data sold to third parties.

Learn more about CCPA and cookies

What is cookie control in UK?

The use of cookies on websites in the UK have been regulated by the EU’s GDPR, when the UK was still a member of the European Union. However, after the UK has left the EU, its own domestic data protection laws govern the processing of personal data in the country. The UK-GDPR and Data Protection Act 2018 require websites to ask for and obtain user consent before the activation of cookies that process personal data.

Learn more about UK-GDPR and Data Protection Act 2018

What is a CMP?

A consent management platform (CMP) scans a website, detects and controls the cookies that process personal data and then asks users for their consent to which of the cookies and trackers they will allow to collect their personal data. A consent management platform is a technology that helps websites become compliant with data protection laws like the GDPR, the CCPA, the UK-GDPR and more by controlling the website’s cookies and managing user consent for the activation of those cookies.

Learn more about consent management platforms


General Data Protection Regulation (GDPR)

EDPB guidelines on valid consent in EU

GDPR and cookie consent

California Consumer Privacy Act (CCPA)

CCPA and cookies

Take a look at ICO’s guide to what good cookie use for website owners and operators look like.

UK PECR (Privacy Electronic Communications Regulations)

UK Data Protection Act 2018

US California Consumer Privacy Act (CCPA)

Will the EU and UK find an adequacy decision post Brexit?

Record fine against Facebook in FTC privacy settlement

Google settles fine for child data collection

US Federal Trade Commission (FTC)

Prospects of a US Data Protection Authority

Epic, a privacy-friendly web browser

Brave, a privacy-friendly web browser

Firefox, a privacy-friendly web browser

    Stay informed

    Join our growing community of data privacy enthusiasts now. Subscribe to the Cookiebot™ newsletter and get all the latest updates right in your inbox.

    By clicking on “Subscribe” I confirm that I want to subscribe to the Cookiebot™ newsletter. I can easily cancel my Cookiebot™ newsletter subscription and revoke consent to use my data by clicking the unsubscribe link or I can write to [email protected] to make the request. Privacy policy.