When Is Cookie Consent Required?

The general rule is simple: consent is required for all cookies except those that are strictly necessary. But the details matter. Knowing exactly when consent is and is not required prevents both over-compliance (annoying users with unnecessary consent prompts) and under-compliance (placing cookies without legal basis).

The General Rule

ePrivacy Directive Article 5(3) establishes the baseline:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information [...] about the purposes of the processing.

This covers all cookies, all local storage, all device-level storage or access. If your website writes anything to the user's device, consent is the default requirement.

The Strictly Necessary Exemption

The same article provides the only exemption:

This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

There are two limbs to this exemption:

  1. Technical transmission: Cookies that are technically required for the communication to happen. This is narrow — essentially limited to load balancing cookies and similar network-level necessities.
  2. Strictly necessary for the service: Cookies that are essential for a service the user has explicitly requested. The key phrase is "explicitly requested by the subscriber or user." The service must be something the user asked for, and the cookie must be indispensable for providing it.

Cookies That Are Strictly Necessary (No Consent Required)

  • Session authentication cookies. When a user logs in, the session cookie that maintains their authenticated state is strictly necessary for the service they requested (accessing their account).
  • Shopping cart cookies. On an e-commerce site, the cookie that keeps track of items in the cart is strictly necessary for the shopping service the user is using.
  • CSRF protection tokens. These are strictly necessary for the secure operation of form submissions.
  • Cookie consent preference cookies. The cookie that stores the user's consent choices is strictly necessary — without it, you cannot respect their privacy preferences.
  • Input-related cookies. Cookies that remember form input across a multi-step process (like a checkout form) where the user has initiated the process.
  • Load balancing cookies. Technical cookies that route requests to the correct server. These fall under the "transmission" limb of the exemption.
  • User interface customization cookies. When a user explicitly selects a language or theme via a control on the page, the cookie storing that choice is strictly necessary for the service they requested. However, this is context-dependent — see below.

Cookies That Are NOT Strictly Necessary (Consent Required)

  • Analytics cookies. Measuring website traffic benefits the website operator, not the user. The user did not request a traffic analysis service.
  • Advertising and retargeting cookies. These serve the interests of advertisers and the website operator, never the user.
  • Social media sharing cookies. These are set by third-party social networks, not for a service the user requested.
  • A/B testing cookies. These serve the operator's optimization goals.
  • Affiliate tracking cookies. These track which partner referred the user, serving the operator's business interests.
  • Persistent login ("remember me") cookies. The EDPB has noted that while a session cookie for a current login is necessary, a persistent cookie that keeps the user logged in across sessions goes beyond what is strictly necessary. The user could log in again.
  • Performance monitoring cookies. Cookies used to monitor page load times, error rates, and similar technical metrics serve the operator, not the user.

The First-Party Analytics Debate

One of the most contested areas in cookie compliance is whether first-party analytics cookies can be used without consent. The answer varies by jurisdiction and is evolving.

The CNIL Position (France)

The French CNIL has issued specific guidance stating that certain audience measurement cookies may be exempt from consent, provided:

  1. The purpose is strictly limited to measuring audience (no cross-site tracking)
  2. The data is not shared with third parties
  3. The cookies are first-party only
  4. The data is used only to produce anonymous statistics
  5. The cookies have a limited lifetime (13 months maximum)
  6. Users are informed of their use
  7. Users can opt out

Under these conditions, the CNIL considers certain tools (such as Matomo configured in a privacy-respecting mode) to be eligible for the exemption. Google Analytics does not qualify, primarily because Google processes the data on its own infrastructure and may use it for its own purposes.

The Dutch AP Position (Netherlands)

The Dutch Autoriteit Persoonsgegevens has similarly indicated that analytics cookies with minimal privacy impact may be used without consent, but has set conditions comparable to the CNIL's.

Other Jurisdictions

Most other European DPAs have not adopted an explicit analytics exemption. The ICO (UK) has stated that analytics cookies require consent. The German DPAs generally require consent for all non-essential cookies. The Spanish AEPD's position aligns with requiring consent.

Practical Recommendation

Unless you operate exclusively in France or the Netherlands and can meet all the CNIL/AP conditions, the safest approach is to treat analytics cookies as requiring consent. If you do rely on the analytics exemption, document your reasoning, ensure you meet every condition, and monitor regulatory developments — this area is still evolving.

Consent Exemptions by Cookie Purpose: A Decision Flowchart

For each cookie on your website, walk through these questions:

  1. Is the cookie technically required for the communication to be transmitted? (e.g., load balancing) If yes: no consent needed. If no: continue.
  2. Has the user explicitly requested a service that requires this cookie? (e.g., logging in, adding items to cart) If yes: continue. If no: consent required.
  3. Would the requested service fail to function without this specific cookie? If yes: no consent needed (strictly necessary). If the service would function but be less convenient: consent required.
  4. Is the cookie first-party, limited to aggregated analytics, with data not shared with third parties, and are you in a jurisdiction with an analytics exemption? If yes to all: potentially exempt, but document your reasoning. If no to any: consent required.
  5. In all other cases: consent required.
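The flowchart as an audit check in Python, added here and not code from the original page or from Passiro: it reads the header-level facts (first-party status and lifetime, covering the 13-month CNIL condition and the persistent-login caveat noted earlier) from a Set-Cookie header, and takes the purpose facts from a cookie inventory. The purpose labels, inventory fields and two-letter jurisdiction codes are assumed conventions, not from the page.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie

THIRTEEN_MONTHS = 13 * 31 * 24 * 3600   # generous reading of the CNIL's 13-month lifetime cap
ANALYTICS_EXEMPT = {"FR", "NL"}         # DPAs above that describe a first-party analytics exemption


def describe_cookie(set_cookie, site_host):
    """Pull the header-level facts the flowchart needs out of one Set-Cookie header."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, m), = jar.items()
    if m["max-age"]:
        lifetime = int(m["max-age"])
    elif m["expires"]:
        expiry = parsedate_to_datetime(m["expires"])
        lifetime = int((expiry - datetime.now(timezone.utc)).total_seconds())
    else:
        lifetime = 0                    # session cookie: discarded when the browser closes
    domain = m["domain"].lstrip(".").lower()
    host = site_host.lower()
    # Host-only cookies are first-party; a Domain attribute must cover the site's own host.
    # Simplification: no public-suffix list, so "co.uk"-style suffixes are not special-cased.
    first_party = not domain or host == domain or host.endswith("." + domain)
    return {"name": name, "lifetime": lifetime, "first_party": first_party}


def consent_required(facts, inventory, jurisdiction):
    """Walk the five flowchart questions for one cookie. `inventory` is what a cookie
    audit records about purpose ('transmission', 'auth', 'cart', 'csrf', 'consent_prefs',
    'analytics', 'advertising', ...), explicitly_requested, indispensable, shared_with_third_party."""
    purpose = inventory["purpose"]
    if purpose == "transmission":                          # Q1: carries the communication itself
        return False
    if inventory.get("explicitly_requested"):              # Q2: user asked for the service
        # Q3: a login cookie that outlives the session is "remember me" convenience,
        # not necessity (the user could simply log in again), so it needs consent.
        if purpose == "auth" and facts["lifetime"] > 0:
            return True
        return not inventory.get("indispensable", False)
    if purpose == "analytics":                             # Q4: narrow audience-measurement exemption
        exempt = (facts["first_party"]
                  and not inventory.get("shared_with_third_party", False)
                  and facts["lifetime"] <= THIRTEEN_MONTHS
                  and jurisdiction in ANALYTICS_EXEMPT)
        return not exempt
    return True                                            # Q5: everything else requires consent
```

Run it over the Set-Cookie headers captured from an unauthenticated and an authenticated page load; any cookie that comes back `True` must sit behind the consent mechanism.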

Special Situations

Cookie Walls

A cookie wall blocks access to a website unless the user accepts cookies. The EDPB's position is that cookie walls generally prevent consent from being "freely given" and are therefore not compliant. However, some DPAs (notably the Dutch AP, following a court ruling) have indicated that cookie walls may be acceptable if a genuine, equivalent alternative is offered — such as a paid, cookie-free version of the service. This remains a contested area.

Paywall vs. Cookie Wall

Some publishers offer a "consent or pay" model: accept tracking cookies for free access, or pay for a cookie-free experience. The EDPB issued an opinion in 2024 addressing this practice, acknowledging it may be permissible under certain conditions but expressing concern that the "pay" alternative must be genuinely reasonable and not set at a price designed to coerce consent.

Children

Under GDPR Article 8, consent for information society services directed at children requires verification and, for children below a certain age (varying from 13 to 16 depending on the member state), parental consent. If your website targets children, cookie consent requirements are more stringent.

Employee and B2B Contexts

The ePrivacy Directive applies to the "subscriber or user" — not just consumers. If your B2B SaaS platform uses non-essential cookies, consent is still required from the individual user, even in a business context.

What Happens Without Valid Consent

If you place non-essential cookies without valid consent:

  • The data you collect may be unlawful under both the ePrivacy Directive and GDPR.
  • You face potential fines under GDPR of up to EUR 20 million or 4% of global annual turnover, whichever is higher (Article 83(5)).
  • You may be ordered to delete the unlawfully collected data.
  • Your analytics and advertising data may be compromised — if the legal basis for collection is invalid, the data cannot be lawfully used.
  • Downstream recipients of that data (ad networks, analytics providers) may also face liability.

These are not hypothetical risks. The CNIL fined Google EUR 150 million and Facebook EUR 60 million specifically for cookie consent violations. Smaller businesses have faced fines in the tens of thousands of euros for similar failures.

Passiro identifies every cookie on your website and flags those requiring consent, so you can be confident your consent mechanism covers the right cookies — no more, no less.

Next, let's compare the two fundamental consent models: opt-in versus opt-out, and which one applies where.