Check if your website meets privacy consent requirements

Learn how to check if your website meets GDPR and ePrivacy requirements.

Updated over 2 months ago

As a website owner, you're responsible for handling personal data according to privacy laws like the GDPR and ePrivacy Directive. These apply if you operate in the EU, the European Economic Area (EEA), or process data from EU residents.

In this guide, we'll show you how to check if your website meets consent requirements.

Before you start

Here are a few things to know before you start:

  • This guide covers six key consent requirements under the GDPR and ePrivacy Directive for using cookies and similar technologies. Keep in mind this isn’t a full compliance checklist, just the essentials for collecting valid consent.

  • The ePrivacy Directive, often called the Cookie Law, governs how websites use cookies and other tracking technologies.

  • The GDPR sets rules for collecting, managing, and withdrawing consent. It also requires you to tell visitors what data you collect, why, and who you share it with.

  • These regulations often work together. If your website uses cookies for profiling or handles personal data, you’ll need to follow both.

Check if your website meets privacy consent requirements

A website needs a consent popup to be compliant. It typically appears as an overlay or as a banner at the bottom, top, or sides of the page.

To meet GDPR and ePrivacy consent requirements, your website should include the following:

  1. A way to collect consents, such as a consent popup.

  2. Give visitors the option to decline cookies.

  3. Block non-essential cookies until visitors give consent.

  4. Let visitors change or withdraw consent.

  5. Explain how you use visitors' data.

  6. List the cookies and third-party services (data processors) you use.

1. A way to collect consents, such as a consent popup

Under the ePrivacy Directive, you need consent before using any non-essential cookies or similar technologies. Only strictly necessary cookies can be used without it.

The GDPR sets rules for how you collect, use, and share personal data. It also requires you to inform visitors and let them manage or withdraw their consent at any time.

A consent popup is typically an overlay popup or a banner at the website's bottom, top, or sides.

2. Give visitors an easy option to decline cookies

Under the GDPR and ePrivacy Directive, all site visitors must have a clear option to accept or decline non-essential cookies before those cookies are used.

Consent should be granular, letting visitors accept or decline cookies based on specific purposes, such as marketing, analytics, etc.

Show the Accept all and Reject all options with equal prominence and effort on the first layer of the consent banner. This requirement is highlighted by the European Data Protection Board and several national data protection authorities.

Note: Equal in this context means same visibility (size, color/contrast, placement) and same effort (no extra clicks). Don’t hide Reject all functionality behind More options.

The Cookie Information consent popup lets visitors decline or accept all cookies for all data processing purposes. It requires one click from the visitor.

3. Block non-essential cookies until visitors give consent

You need to hold off on using non-essential cookies until visitors give consent; that’s the rule.

You can block non-essential cookies using first-party cookie autoblocking and the third-party cookie blocking script.

To test whether your website sets cookies before visitors give consent, use the following method, shown here in Google Chrome:

  1. Open Google Chrome.

  2. Click the three-dots icon in the top right corner and select New incognito window.

  3. Ensure Block third-party cookies is turned off in Settings.

  4. In the incognito window, go to the website you want to test.

  5. Right-click anywhere on the page and select Inspect.

  6. Go to Application > Storage.

  7. Click Cookies.

  8. Select the website URL listed.

  9. Check if any marketing, tracking, or third-party cookies have been set.

Note: If you see such cookies already placed, your site is not properly blocking cookies before consent.

  10. Once you've confirmed cookies are blocked before consent, click Accept all cookies in your consent popup.

Note: The appropriate cookies, for example, Google Analytics, Facebook Pixel, Microsoft UET, etc., are triggered and placed after the visitor agrees.

  11. All set. Your website blocks non-essential cookies before consent.

Then, you need to block non-essential cookies in your website’s source code until your site visitors give consent. Read more in this article for the full instructions.
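
The manual check in the steps above can also be run over a cookie list copied from the DevTools Cookies table. The following JavaScript is an added example, not Cookie Information's code: the sample cookies, the consent_state cookie name and the strictly-necessary list are constructed assumptions, and the name patterns cover only the three services named above.

```javascript
// Audit cookies observed BEFORE consent (name and domain columns copied from
// DevTools > Application > Cookies in a fresh incognito window).
// Well-known cookie names for the services the guide mentions; not exhaustive.
const TRACKER_PATTERNS = [
  { service: "Google Analytics", re: /^(_ga(_.+)?|_gid|_gat(_.+)?)$/ },
  { service: "Facebook Pixel", re: /^(_fbp|_fbc)$/ },
  { service: "Microsoft UET", re: /^(_uetsid|_uetvid)$/ },
];

// True when cookieDomain (e.g. ".example.com") covers siteHost.
// Simple suffix match; it does not consult the public suffix list.
function isFirstParty(cookieDomain, siteHost) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// Returns one finding per cookie that should not exist before consent.
function auditPreConsentCookies(cookies, siteHost, necessary) {
  const findings = [];
  for (const c of cookies) {
    // Only first-party cookies on the owner's list count as strictly necessary.
    if (necessary.includes(c.name) && isFirstParty(c.domain, siteHost)) continue;
    const hit = TRACKER_PATTERNS.find((p) => p.re.test(c.name));
    if (hit) {
      findings.push({ name: c.name, reason: `known ${hit.service} cookie` });
    } else if (!isFirstParty(c.domain, siteHost)) {
      findings.push({ name: c.name, reason: `third-party domain ${c.domain}` });
    } else {
      findings.push({ name: c.name, reason: "not on the strictly-necessary list, review" });
    }
  }
  return findings;
}

// Constructed sample: what a misconfigured site might show before consent.
const SAMPLE = [
  { name: "session_id", domain: "www.example.com" },
  { name: "consent_state", domain: ".example.com" },
  { name: "_ga", domain: ".example.com" },
  { name: "_ga_ABC123", domain: ".example.com" },
  { name: "_fbp", domain: ".example.com" },
  { name: "uid", domain: ".ads.example.net" },
  { name: "theme", domain: "www.example.com" },
];
const NECESSARY = ["session_id", "consent_state"]; // assumed owner-defined list

for (const f of auditPreConsentCookies(SAMPLE, "www.example.com", NECESSARY)) {
  console.log(`${f.name}: ${f.reason}`);
}
```

An empty result for a fresh incognito session corresponds to step 9 finding no marketing, tracking, or third-party cookies.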

4. Let visitors change or withdraw consent

Visitors must be able to update their consent at any time. You can make this possible by:

  • Adding a button to reopen the consent popup. To do this, add the following markup to your website's source code where you want the button: <button onclick="CookieConsent.renew();">Renew Consent</button>.

  • Linking to a privacy controls page.

Under the GDPR, consent must also be “freely given”. This means that access to your site shouldn’t be conditioned on accepting non-essential cookies. Most European regulators consider such “cookie walls” unlawful.

5. Explain how you use visitors' data

Before you set non-essential cookies, make sure your visitors know what data you collect, why, who you share it with, and how they can manage their choices.

That’s why most websites:

  • Provide a separate cookie policy page linked in the consent banner or footer.

  • List cookies in a clear, easy-to-find privacy policy that covers all data practices.

6. List data processors and cookies used

While the GDPR and ePrivacy Directive don’t clearly require you to list every cookie and data processor, European privacy authorities expect it. This includes the European Data Protection Board and local data protection agencies.

Clearly showing who processes data, why you collect it, and which cookies you use builds trust and helps you stay compliant.

A simple way to stay compliant is to include in your privacy policy:

  • The name of each service or data processor placing cookies.

  • The purpose of each cookie and why you process this data.

  • The expiry date of each cookie – how long the visitor data will be stored, or how you decide that timeframe.
