Iubenda logo
Start generating

Documentation

Table of Contents

GDPR Cookie Consent Cheatsheet

Disclaimer: Please note that these tables summarise the most recent guidelines from EU national authorities. They may evolve over time, depending on future legislative texts, case-law, or guidelines published on the subject.

NOTE: page or paragraph numbers for each country always refer to the respective document specified underneath the table.

Rules for collecting cookie consent: Per-country Comparison

Questions
🇬🇧 UK
🇮🇹 Italy
🇩🇪 Germany
🇫🇷 France
🇪🇸 Spain
🇩🇰 Denmark
🇬🇷 Greece
🇧🇪 Belgium
🇮🇪 Ireland
🇸🇪 Sweden
🇨🇿 Czech Republic
🇳🇱 Netherlands
🇱🇺 Luxemburg
🇦🇹 Austria
🇨🇭 Switzerland
🇪🇺 EDPB
Is consent by scrolling valid?

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

YES

NO

Is consent by continuing navigation valid?

NO

Likely no, but not specified

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

YES

NO

Are explicit “accept” AND “reject” buttons required to be on the cookie notice?

YES

YES

YES

YES

YES

YES

YES

YES

YES

Not specified

YES

YES

NO

YES

Not specified

Must accept and reject options be equally conspicuous (equal prominence requirement)?

YES

YES

YES

YES

YES

YES

YES

Not specified

YES

Not specified

YES

See above

Not specified

YES

YES

Not specified

YES

Is the prior blocking of cookies necessary where consent is required?

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

NO

YES

Are full cookie walls admitted?

Unlikely

NO

NO

Possibly

NO

Possibly

NO

NO

Likely no

NO

NO

NO

NO

YES

Not specified

NO

Must cookies be listed one by one?

NO

Not specified

NO

NO

NO

NO

Not clear

Not clear

Likely no

YES

YES

YES

Likely no

Likely no

Not specified

Must purposes be listed in the first layer of the cookie notice?

Not mentioned, but unlikely.

Best practice

YES

YES

YES

YES

YES

YES

Not specified

Not specified

YES

YES

YES

Not specified

Not specified

Must consent be granular on a per-purpose basis?

Per-service but not necessarily per-purpose

YES

YES

YES

YES

YES

YES

YES

YES

YES

It should be

Not specified (but implied)

Not specified (but implied)

YES

Not specified

YES

Is a GDPR-aligned proof of consent required?

YES

YES

YES

YES

Not specified (but implied)

YES

YES

YES

YES

YES

YES

YES

YES

NO

Likely yes

Should withdrawing consent be as simple as giving it?

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

The FAQs issued by the DSB in December 2023 indicate that “Possibility of revocation: The cookie banner must clearly and precisely describe where and how consent can be revoked. Revocation must be as simple as giving consent”.

Not specified

YES

Is the use of a consent banner recommended?

YES

YES

YES

Not specifically

YES

Not specifically

YES

Not specified

Not specifically

Not specifically

YES
if non-technical cookies are used

YES

Best practice

Best practice

NO

Are strictly necessary cookies exempt from the consent requirement?

YES

YES

YES

YES

YES

YES

YES

YES

YES

YES

It is only technical cookies that can be placed without the users’ consent

YES

YES

YES

Only those technically strictly necessary for providing the service requested by the user, like session management, entries in an online form via several subpages of a website, information about the consent status (unless a unique online identifier is assigned for this).

YES

YES

Can GDPR legal bases other than consent (e.g. legitimate interest) apply?

NO

NO

YES

NO

NO

YES

NO

NO

NO

NO

Technically YES

NO

NO

NO

YES

Do third parties have to be listed and identified?

YES

YES

YES

YES

YES

YES

YES

Not specified

Not completely clear

YES

Not specified

YES

YES

Not specified

YES

Is it specified how long the consent to a cookie should last?

NO

YES

YES

YES

Specified good practice

NO

YES

NO

YES

YES

YES

NO

YES

Not specified

Not specified

No duration explicitly stated

Are pre-ticked boxes allowed?

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

NO

YES

NO

🎯
New requirement

Data Protection Authorities across Europe have aligned their rules on cookies and trackers with the requirements of the GDPR and now explicitly require you to document your users’ preferences for the use of cookies. 

That’s why we’ve added the Cookie and Consent Preference Log to our Privacy Controls and Cookie Solution. Find out more here.