Guide to EU (GDPR + ePrivacy Directive Art. 5(3)) Cookie Consent Compliance
Complete technical implementation guide for EU/EEA privacy regulations. Learn about consent requirements, banner elements, record keeping, and technical specifications.
Summary
This guide provides the technical implementation requirements for the EU/EEA. ePrivacy Directive Art. 5(3) governs storing information on, or reading information from, a user's device (cookies, local storage, pixels, fingerprinting and similar techniques); the GDPR governs any processing of personal data that follows.
This jurisdiction uses an opt-in (prior consent) model: a site must obtain valid consent, freely given, specific, informed and unambiguous and expressed by a clear affirmative act, before it sets or reads any non-essential cookie or similar technology. Pre-ticked boxes, scrolling, continued browsing or merely closing the banner are not consent (CJEU, Planet49, C-673/17). Consent must be as easy to withdraw as to give (GDPR Art. 7(3)), and consent given for one set of purposes does not carry over to new purposes.
Additional requirements for this jurisdiction include: providing the consent banner and privacy information in the language(s) of the users the site addresses, and special protections and consent mechanisms for children's personal data.
Website owners and operators subject to these regulations must implement compliant cookie consent banners, maintain proper consent records, and ensure their tracking technologies respect user privacy choices. This guide outlines all technical requirements needed to achieve compliance.
Key Requirements Overview
Technical Requirements
Required Banner Elements
First Layer (Cookie Banner)
- Concise Purpose Summary
- Accept All Button
- Reject All Button (same level and prominence as Accept All)
- Manage Preferences Button
- Link to Privacy Policy
- Controller Identity
Second Layer (Preferences Modal)
- Granular Purpose Toggles
- Vendor List If Applicable
- Retention Periods If Known
- Third Country Transfers Notice If Applicable
- Legal Basis Per Purpose If Applicable
Implementation Guidance
EDPB Guidelines 03/2022 on deceptive design patterns and the EDPB Cookie Banner Taskforce report (2023) set the baseline: a banner must not use a misleading button hierarchy, confusing language or manipulative design. A "Reject All" control is required on the first layer with the same prominence as "Accept All" (same level, size and visual weight), so that refusing takes no more clicks than accepting. Cookie walls are non-compliant unless an equivalent service is offered without tracking. Information must be provided in the user's language, so both the banner text and the preferences layer need translation. Withdrawing consent must be as easy as giving it (GDPR Art. 7(3)); a persistent link or icon that reopens the preferences modal satisfies this. The French CNIL and other DPAs actively enforce against deceptive cookie interfaces.
Special Protections
Children's Privacy
Parental consent is required for children below the digital age of consent (GDPR Art. 8: 16 by default, lowered to 13 by some member states) when consent is the legal basis for processing their personal data, including tracking cookies. Sites targeting children must make reasonable efforts to verify that consent is given or authorised by the holder of parental responsibility before setting non-essential cookies.
Sensitive Data
Special categories of data (GDPR Art. 9: health, sex life or sexual orientation, religious or philosophical beliefs, political opinions, racial or ethnic origin, trade union membership, genetic and biometric data) require explicit consent or another Art. 9(2) exception. Inferring such data from browsing behaviour, for instance a health condition from the pages visited, is itself processing of special category data, so do not build such inferences into analytics or advertising segments without a lawful basis.
Record Keeping Requirements
Required Consent Record Fields
For each consent action, you must maintain records containing:
- Timestamp ISO
- User Choices By Purpose
- Policy Version
- Jurisdiction Detected
- Consent UI Version
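The prior-consent model described above and the five record fields just listed, as an added example that is not CookieChimp's code or any regulator's specification. It assumes three purpose names (`necessary`, `analytics`, `marketing`), a `data-consent-purpose` attribute on inert `<script type="text/plain">` tags, illustrative version strings, and a 180-day re-consent interval; all of these are assumptions. Nothing non-essential runs until a record with an affirmative choice exists, and a record is stale when the policy version changes or it ages out.

```javascript
// Added example, not CookieChimp's code. Purpose names, the data-consent-purpose
// attribute, the version strings and the re-consent interval are illustrative
// assumptions, not requirements stated by any regulator.

const PURPOSES = ["necessary", "analytics", "marketing"];
const EXEMPT = new Set(["necessary"]); // strictly necessary: no consent needed

// One record per consent action, carrying the five fields listed above.
// Anything the user did not affirmatively switch on is recorded as false:
// silence, scrolling or closing the banner must never become "true".
function buildConsentRecord(choices, ctx) {
  const byPurpose = {};
  for (const p of PURPOSES) {
    byPurpose[p] = EXEMPT.has(p) || choices[p] === true;
  }
  return {
    timestamp: ctx.now.toISOString(),       // Timestamp ISO
    choices: byPurpose,                      // User choices by purpose
    policyVersion: ctx.policyVersion,        // Policy version
    jurisdiction: ctx.jurisdiction,          // Jurisdiction detected
    consentUiVersion: ctx.consentUiVersion,  // Consent UI version
  };
}

// The two first-layer buttons are symmetric: one click each, no extra steps.
function acceptAll(ctx) {
  return buildConsentRecord(Object.fromEntries(PURPOSES.map((p) => [p, true])), ctx);
}
function rejectAll(ctx) {
  return buildConsentRecord({}, ctx);
}

// Prior consent: before any record exists, only exempt purposes may run.
function allowedPurposes(record) {
  if (!record) return PURPOSES.filter((p) => EXEMPT.has(p));
  return PURPOSES.filter((p) => record.choices[p] === true);
}

// Given a record and the page's tagged scripts, return the ones that may run.
function scriptsToActivate(record, scripts) {
  const allowed = new Set(allowedPurposes(record));
  return scripts.filter((s) => allowed.has(s.purpose));
}

// A stored record is stale if the policy changed or it is older than maxAgeDays.
// The interval is a site policy choice; 180 days is an assumption here.
function needsReconsent(record, ctx, maxAgeDays = 180) {
  if (!record) return true;
  if (record.policyVersion !== ctx.policyVersion) return true;
  const ageMs = ctx.now - new Date(record.timestamp);
  return ageMs > maxAgeDays * 86400000;
}

// Browser-only: replace inert <script type="text/plain" data-consent-purpose="...">
// tags with live ones for the allowed purposes. Guarded so the logic above also
// loads under Node; returns the number of scripts activated.
function activateInertScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  const inert = [...doc.querySelectorAll('script[type="text/plain"][data-consent-purpose]')];
  const allowed = new Set(allowedPurposes(record));
  let n = 0;
  for (const old of inert) {
    if (!allowed.has(old.dataset.consentPurpose)) continue;
    const live = doc.createElement("script");
    for (const { name, value } of old.attributes) {
      if (name !== "type") live.setAttribute(name, value); // keep src, async, data-*
    }
    live.textContent = old.textContent;
    old.replaceWith(live); // insertion triggers execution
    n++;
  }
  return n;
}

// Constructed sample: a user who switched on analytics but not marketing.
const ctx = {
  now: new Date("2024-05-01T10:00:00Z"),
  policyVersion: "2024-04",
  jurisdiction: "EU",
  consentUiVersion: "banner-v3",
};
const record = buildConsentRecord({ analytics: true }, ctx);
const pageScripts = [
  { src: "/js/session.js", purpose: "necessary" },   // runs before any consent
  { src: "/js/analytics.js", purpose: "analytics" },  // runs for this record
  { src: "/js/ads.js", purpose: "marketing" },        // stays inert
];
```

The record is what you log per action; the script gating is what makes "prior consent" true in practice, because a tag that is loaded before the user chooses has already set its cookies whatever the banner later says.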
CookieChimp handles all of this automatically. Our platform maintains comprehensive consent records including all required fields, timestamps, consent strings, IP addresses, user agents, and more. Records are securely stored and easily exportable for compliance audits. Note that IP addresses and user agents are themselves personal data under the GDPR, so a consent log should hold only what is needed to demonstrate consent (Art. 7(1)) and be retained no longer than necessary (Art. 5(1)(c) and (e)). Learn more about our consent management.
Exempt Cookie Types
The following types of cookies are exempt from the consent requirement under ePrivacy Art. 5(3): cookies used for the sole purpose of carrying out the transmission of a communication over an electronic communications network, and cookies strictly necessary to provide an information society service explicitly requested by the user (for example session, authentication, shopping-cart, load-balancing and security cookies). Exempt cookies must still be disclosed in the cookie or privacy notice, and "strictly necessary" is read narrowly: a cookie that is merely convenient for the operator does not qualify.
Legal References & Resources
Official legal documents and regulatory guidance for this jurisdiction:
- Regulation (EU) 2016/679 (GDPR), in particular Art. 4(11), Art. 6, Art. 7, Art. 8 and Art. 9
- Directive 2002/58/EC (ePrivacy Directive) Art. 5(3), as amended by Directive 2009/136/EC
- EDPB Guidelines 05/2020 on consent under Regulation 2016/679
- EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces
- EDPB Cookie Banner Taskforce report (January 2023)
- CJEU judgment in Case C-673/17 (Planet49), 1 October 2019
- Article 29 Working Party Opinion 04/2012 on Cookie Consent Exemption
Explore Other Jurisdictions
- UK (UK GDPR + PECR), United Kingdom: PECR governs cookies; UK GDPR governs personal data.
- Switzerland (FADP + TCA), Switzerland: hybrid model; some cookies are allowed under legitimate interest, while profiling and marketing require consent. An opt-out is always required.
- California (CPRA/CCPA Regs), United States: covers "sharing" for cross-context behavioral advertising.
- Colorado (CPA), United States: targeted advertising and sale require an easy opt-out.
- Virginia (CDPA), United States: opt-out rights for targeted ads and sale; no mandatory GPC recognition.
- Connecticut (CTDPA), United States: opt-out for targeted ads and sales; GPC recognition required from January 2025.