Does GDPR Require Consent for Cookies?

The analysis of GDPR’s requirements demonstrates that consent is explicitly required before placing most cookies on users’ devices. Several authoritative sources confirm that cookies, as defined by Article 4(1) of the GDPR as “online identifiers,” are considered personal data when they can identify a user, either directly or indirectly (European Parliament, 2016).

Key findings:

• Consent must be informed, specific, freely given, and unambiguous (GDPR Art. 7).
• The Article 29 Working Party and subsequent European Data Protection Board guidelines clarify that implied consent (e.g., continued browsing without explicit action) is not sufficient.
• Strictly necessary cookies (e.g., those required for website functionality or shopping carts) are exempt from the consent requirement (WP29 Opinion 04/2012).
• For all non-essential cookies—such as tracking, analytics, or advertising—prior active consent is mandatory.

"Consent must be obtained before any cookies are placed or accessed on the user’s device, except for those strictly necessary for the provision of the service explicitly requested by the user" (European Court of Justice, Planet49 case, 2019).

Empirical studies of cookie banners and compliance across EU websites reveal widespread implementation of consent mechanisms. However, dark patterns and misleading designs still result in non-compliant practices (Utz et al., 2019). Effective consent management platforms (CMPs) must provide:

• Clear options to accept or reject cookies
• Equal prominence for both choices
• Granular controls over different cookie categories

Non-compliance with GDPR’s consent requirements has resulted in several high-profile enforcement actions and fines by data protection authorities.

In summary, GDPR mandates prior, affirmative user consent for all cookies except those strictly necessary for website operation, with a growing body of regulatory guidance and legal precedent reinforcing this obligation across the EU and UK.