1. In most cases, ‘active consent’ (also called ‘implied consent’ or ‘soft opt-in’) is sufficient.
What is required for 'active consent' to be valid
Active consent is also referred to as 'implied consent' or 'soft opt-in'. For most website owners this is sufficient (see the exceptions in point 2, "In a few cases, 'explicit consent' (also called 'hard opt-in' or 'strict opt-in') is necessary", below).
Essentially, this is the type of cookie consent banner that 'disappears' if a user ignores it and continues to use the website: specifically, if the user clicks on a link on your website and, optionally, if the user continues to scroll or refreshes the page.
Please note that the fact that a user just enters your website is not enough to be regarded as a valid active/implied consent.
For an 'active consent' to be sufficient and valid under GDPR, you must make sure that the cookie consent banner:
- Is very visible to the user when they first enter your website
- Contains clear information that if the user continues to use the website, it will constitute an active/implied consent
- Contains information about who the data controller is
Please note that ‘prior consent’ must be enabled (as always under GDPR and ePR). Please see point 1, "Make sure you have enabled ‘prior consent’".
How to choose a cookie consent banner that has ‘active consent’
1. Log in to your account https://manage.cookiebot.com/goto/login
2. Go to the menu point ‘Settings’ and the tab ‘Dialog’
3. From the 'Method' drop-down menu, choose 'Active consent'
4. Choose if 'active consent' should also be based on 'page refresh' and/or on 'scrolling' (in addition to clicking on a link on your website)
5. From the drop-down menu 'Template' choose a visible position for the banner
6. Adjust the cookie consent banner text with the needed information (see requirements 2 and 3 in the text above). See How can I customize the content in the cookie consent banner?
7. Save your settings (tick mark in the blue bar on the left-hand side)
Please note that if you choose that active consent should also be based on the user scrolling on the website ('page scroll') then you must make sure the marketing checkbox is not pre-ticked. See below.
If you are using a cookie consent banner template with checkboxes, make sure the marketing category is not pre-ticked.
The Article 29 Data Protection Working Party (WP29) has recently finalized and issued updated Guidelines on consent under Regulation 2016/679 (wp259rev.01). In these guidelines they clearly state that the use of pre-ticked checkboxes (for cookie categories containing personal data) is not allowed under GDPR. They also state that consents obtained prior to 25 May 2018 by the use of pre-ticked checkboxes will not be valid after 25 May 2018. Please see: Is it GDPR compliant to have all 4 checkboxes in the banner pre-ticked?
Therefore, if you have previously used a cookie consent banner where the checkbox for ‘marketing cookies’ has been pre-ticked, it is advisable to un-tick the checkbox in order not to risk being non-compliant after 25 May 2018. If we do not receive a formal clarification on this matter before 25 May 2018, we recommend that you implement these changes and renew your existing consents. This can easily be done by a click on a button and with minimal disturbance to your users. See Renew existing user consents.
How can I make sure the 'marketing cookies' (containing personal data) checkbox is un-ticked:
1. Log in to your account https://manage.cookiebot.com/goto/login
2. Go to the menu point ‘Settings’ and the tab ‘Dialog’
3. From the 'Checkboxes default mode' un-tick the 'Marketing' checkbox
4. If you are using personal data in your statistics cookies - e.g. if you have not anonymized the data - then you should also untick the 'Statistics' category
5. Save your settings (tick mark in the blue bar on the left-hand side)
Obtain consent for each of the purposes personal data is used for – and allow the user to opt-in and opt-out
If the cookies on your website – regardless of whether they are set by yourself or by embedded third party providers (that are also your responsibility) – contain personal user data and the data is used for different purposes, then the user must consent to all the different purposes (GDPR Recital 32).
For example, if the cookies on your website use the user’s (non-anonymized) IP address to collect statistics about how the user browses your website AND to identify the user and display targeted advertising when the user visits another website, then the user must give consent for both statistics cookies and marketing cookies. The user should also be able to choose not to give consent for one or more of the purposes.
See above for choosing a cookie consent banner with multiple checkboxes.
2. In a few cases, 'explicit consent' (also called 'hard opt-in' or 'strict opt-in') is necessary.
There are some special cases where ‘explicit consent’ is required under GDPR. Essentially this is the type of cookie consent banner that does not 'disappear' until the user has clicked the OK button on the banner to confirm the consent. See also below how to choose 'explicit consent' as the consent method for your cookie consent banner.
A. Check whether cookies and trackers contain any ‘sensitive’ personal data – and if yes, ask your users for an explicit consent
Please note that most websites do not process so-called sensitive personal data.
What is sensitive personal data? Sensitive personal data include data about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, a person’s sex life or sexual orientation, health data, genetic data and biometric data (see GDPR Article 9.2(a) and Recitals 51 and 71 for more information). An IP address or a name is considered personal data but NOT sensitive personal data.
If the cookies on your website collect and use sensitive personal data about your users (which most websites do not), then you need to ask your users for an explicit consent.
B. Check whether cookies and trackers send personal data to ‘inadequate countries’ – and if yes, ask your users for an explicit consent
If the cookies and trackers on your website send personal user data to a third country or an international organization outside of the EU, you need to check if the third country (or organization) ensures an adequate level of protection of the user data (GDPR Article 45.1). The European Commission decides which countries outside the EU are deemed adequate.
Many website owners are unaware of where their users’ data is being sent and of the fact that some embedded third-party cookies send your users’ data to e.g. countries in Asia for processing. If cookies in use on your website are sending your users’ personal data to non-adequate countries, you can either
- a) delete those cookies or
- b) ask your users for explicit consent and adjust the text in the cookie consent banner to include information about the possible risks (GDPR Article 49(1) a.).
Please see point 6, "Make sure your users' personal data is only being sent to 'adequate' 3rd countries", for how to find out if this is relevant for your website.
C. Check whether data is being used for ‘automatic profiling’ – and if yes, ask your users for explicit consent
GDPR Recital 71 states that your website users should have the right not to be subject to a decision which is based solely on automated processing. This could be e.g. an automatic refusal of an online credit application or e-recruiting practices without any human intervention. GDPR Article 22.2(c) states that if the user has given an explicit consent, then it is okay to use automated processing, including profiling.
Please refer to the full GDPR legal text for details, exemptions and examples.
How to choose explicit consent for the cookie consent banner:
From the ‘dialog tab’ under ‘Methods’ choose ‘Explicit consent’ from the drop-down menu.
1. Log in to your account https://manage.cookiebot.com/goto/login
2. Go to the menu point ‘Settings’ and the tab ‘Dialog’
3. From the 'Method' drop-down menu, choose 'Explicit consent'
4. Save your settings (tick mark in the blue bar on the left-hand side)
If you want to customize the banner text (see point 2.B above) then please see How can I customize the content in the cookie consent banner?.
If you have previously used a cookie consent banner that may not be compliant under GDPR after 25 May 2018, you can change the banner type and then renew your user consents. Please see Renew existing user consents.
Please note that because Cookiebot can help your website's use of cookies and online tracking be compliant with both the EU's General Data Protection Regulation (GDPR) and the EU's ePrivacy Directive 2009/136/EC (ePR), all cookies and trackers found on your website are listed in the Cookiebot scan report. Not all cookies and trackers necessarily contain personal data - it is however fair to assume that marketing cookies do.
Please also note that the above should not be seen as legal advice. If you are in doubt about your website's use of personal data or about how to interpret the GDPR legal text, please reach out to a trusted legal source or to the Data Protection Authority in your own country - contact information can be found in point 7, "Check up on other GDPR requirements for your website (not related to cookies and online tracking)".
Last updated: 18 May 2018