1. Help Center
  2. Legal Requirements

Legal peculiarities on consent in different countries

With this article, you will see the differences and similarities between countries on consent.

 

✔️ Yes!

❌ No!

❓ Not specified/No clear data

⚙️ Further details about the country's standards

* Cross-references to the end of the article, toward the section dedicated to the DPA (Data Protection Authorities) and their respective guidelines

 

⚠️ Italian framework may be subject to change!

📆 In December 2020, the Italian Data Protection Authority (the “Garante per la Protezione dei Dati Personali”) reconsidered the Italian guidelines for cookies as they don't always meet the GDPR which entered into force beforehand: they may be some important changes in the future. You'll be able to have a look and anticipate these potential changes (cf.🔎). 

🍪 Are explicit "Accept" and "Refuse" buttons required on a consent notice?

 

          France  ✔️ ⚙️ Accept and reject buttons need to be equally conspicuous.
              UK  ✔️ ⚙️ No "reject all" button is mandatory although preferable, an identical alternative (regarding the non-processing of consent) is fine. It also needs to be as equally visible as the granular option and "Accept" buttons.
           Spain

 ✔️

⚙️ 2 choices according to the AEPD*: either "Accept" and "Refuse" buttons OR "Accept" and link within the consent notice toward the cookie policy enabling a granular choice per purpose. 
         Ireland  ✔️ ⚙️ Accept and reject buttons need to be equally conspicuous for the Irish DPA*.
        Belgium   ❓

⚙️ Possibility to withdraw consent as easy as to give it: the user needs to be informed of this when giving his consent.

        Germany  ✔️

 

        Portugal   ✔️ ⚙️ Preferably, especially to get the proof of consent.
            Italy  ❌ 🔎 This may change to ✔️: "accept"; "refuse" alongside granular choice buttons.
          Poland   ❓ ⚙️ Not precisely specified: consent must be freely given (active motion from the user), specific, informed, unambiguous. It can be collected by other means: if it's by ticking the appropriate box, the user can withdraw consent in an equally easy way. 
         Croatia   ❓ ⚙️ Not specified: consent has to be given freely (active motion from the user), specific, informed and non-ambiguous. It can be collected by other means: if it's by ticking the appropriate box, the user should be able to untick it as easily. 

🍪 Is it needed to block cookies before getting the consent of the user to cookies?

     France ✔️
         UK ✔️
      Spain

✔️

     Ireland ✔️
   Belgium ✔️
  Germany ✔️
   Portugal  ✔️
       Italy ✔️
    Poland ✔️
    Croatia ✔️
      EDPB ✔️

🍪 Are cookie walls legal?

 

   France ✔️ ⚙️ Legal uncertainty for now: legality case-by-base. In case of complaint from users, the CNIL* can investigate and invalidate them if needed.
       UK ⚙️ "Unlikely to be valid" according to the ICO*.
     Spain

⚙️ "Cookie walls are only acceptable if the user has an alternative for accessing the service without accepting cookies."
   Ireland  ❓ Likely not legal, but not specified.
  Belgium  
 Germany  
  Portugal   
      Italy 🔎 Users will maybe need to be given the option to access an equivalent content/service without having to give their consent (case-by-case basis).
   Poland ⚙️ cf. EDPB*'s guidelines: if a website provider blocks the content from being visible as long as the user does not "Accept cookies", the consent is not freely given.
   Croatia  
     EDPB  

    🍪 What is the duration of validity of consent choices once collected? 

     

       France   6 months

    ⚙️ Analytics cookies cannot last more than 13 months. Information collected by cookies can be stored for a maximum of 25 months.

           UK   6 months ⚙️ Consent duration must be justifiable for the stated purpose of the cookie. Users need to be informed of the duration of the cookies.
        Spain

     24 months    maximum 

    ⚙️ The AEPD* says consent should be asked again no later than 24 months after it has been collected.
      Ireland   6 months  
     Belgium           ❓ ⚙️ The consent to a cookie cannot be stored for longer than necessary to achieve the stated purpose for the Belgian DPA*.
    Germany           ❓  
     Portugal            ❓  
         Italy           ❓ 🔎 This may change with the GPDP*'s new guidelines.
       Poland           ❓ ⚙️ No specific time limit for the UODO*, that follow the best practice suggested by the EDPB: refreshing of consent at appropriate intervals. Providing all the information again helps to ensure the data subject remains well informed about how their data is processed and how to exercise their rights.
       Croatia           ❓ ⚙️ Session cookies, for example, which are designed to only function for the duration of a browser session or slightly longer, should have a short lifespan and to be set to expire once they have served their limited purpose. The expiry date of a cookie should be proportionate to its purpose.
        EDPB           ❓

    ⚙️ EDPB* guidelines: "In principle, it can be sufficient to ask for a data subject’s consent once. However, controllers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged." If the processing operations change or evolve considerably then the original consent is no longer valid.

    🍪 Is consent valid by scrolling/continuing navigation?

     

        France  ❌  
             UK  ❌  
          Spain  ❌  
        Ireland  ❌ ⚙️ For scrolling, the cookie notice must not disappear until the user makes a choice on his own, whatever the action is.
       Belgium  ❌ ⚙️ Consent is valid if there is an active interaction from the user, like a like a click or the activation of a button by dragging (toggle buttons). 
      Germany  ❌  
       Portugal   ❌  
           Italy  ✔️ 🔎 This may change to ❌ in the future.
         Poland  ❌ ⚙️ cf. EDPB* May 2020 guidelines : scrolling or swiping through a webpage or similar user activity will not under any circumstances satisfy the requirement of an affirmative action as "silence, pre-ticked boxes or inactivity should not [...] constitute consent." (GDPR* Recital 32)
        Croatia  ❌

    ⚙️ Cookies that do not meet one of the two specific use cases in the ePrivacy Directive that make them exempt from the need to obtain consent must not be set or deployed on a user’s device before you obtain their consent.

    The two exemptions are known as the communications exemption and the strictly necessary exemption.*

           EDPB  ❌  

    🍪 Is it legal to have pre-ticked boxes on cookie banners?

     

          France  ❌
              UK  ❌
           Spain

      ❓

         Ireland  ❌
        Belgium  ❌
        Germany  ❌
         Portugal   ❌
            Italy  ❌
         Poland  ❌
         Croatia  ❌
           EDPB  ❌

    🍪 Is the proof of consent mandatory as it is specified in the GDPR?

     

       France ✔️ ⚙️ The consent collecting entity must also be able to hand over proof of consent to the third parties who processed the user's data based on that consent.
            UK ✔️  
         Spain ✔️ ⚙️ Not specified but implied.
       Ireland ✔️  
      Belgium ✔️  
     Germany ✔️  
      Portugal  ✔️  
          Italy

    ⚙️ The publisher must, in any case, keep track of the user’s consent: "an ad-hoc technical cookie might be relied upon […] The availability of this type of “documentation” of the user’s preferences will enable the publisher not to display the information notice on subsequent visits made by that user to the website." (May 2014 Italian DPA*)

    🔎 This may change to ✔️ in the future.

       Poland ✔️

    ⚙️ cf. GDPR Recital 42: “Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.”

       Croatia ✔️

     

         EDPB ✔️ ⚙️ Not specified but implied.

    🍪 Does consent have to be granular per-purpose on consent notices?

     

        France ✔️

    ⚙️ Consent is collected by website/app except if it is clearly specified that it is collected for a group of websites/apps. Consent should be unique and renewed for each platform. In case of consent to cross-website/apps trackers, the user should be informed on the first level.  

           UK ⚙️ Not necessarily on a per-purpose basis but consent must be specific to a particular service.
        Spain ✔️ ⚙️ Not specified but implied.
       Ireland ✔️ ⚙️ For scrolling, the cookie notice must not disappear as long as the user hasn't made a choice on his own, whatever the action is.
     Belgium ✔️  
     Germany ✔️ The need for granularity per purpose is implied:  "it must be possible to select single processing activities singularly".
      Portugal  ✔️  
          Italy

    🔎 This may change to ✔️ in the future.

       Poland ✔️ ⚙️ cf. EDPB* guidelines on granularity.
       Croatia ✔️ ⚙️ cf. GDPR guidelines about granularity: Recital 32*. If multiple purposes are conflated for the processing and that there is no possibility to seek consent independantly for each, there is a lack of freedom.
         EDPB ✔️  

    🍪 Do cookies have to be listed one by one? 

     

        France  
           UK ⚙️ The best practice would be giving a description of the cookies.
         Spain ⚙️ A per-purpose listing is valid.
       Ireland ✔️ Likely: ⚙️ Consent is obtained for each purpose for which cookies are set. Consent doesn't necessarily need to be obtained individually for each cookie, "but merely for the purpose for which it is being used."
      Belgium  ❓ ⚙️ Ambivalence between the per-purpose basis suggested on the first level of consent, and the per-cookie basis afterward, whilst highlighting that the GDPR doesn't make a per-cookie basis mandatory.
     Germany  
       Portugal ✔️

    ⚙️ For the CNPD*, consent has to be given to each cookie along with relevant information, including the retention period. As the choice is individual, it should also be possible to accept all or reject all.

         Italy  ❓ ⚙️ Unuasual practice to list cookies one-by-one.
       Poland  ❓
     
       Croatia  ✔️ ⚙️ It is highly recommended to list cookies one by one.

     

    💡 In case of doubt, please get in touch with your Data Protection Officer (DPO) or your legal department! 


    📕 Useful sources and information about cookies guidelines

    🍪 France

    DPA (Data Protection Authority): Commission Nationale de l'Information et des Libertés (CNIL) 

    🍪 UK

    DPA: Information Commissioner's Office (ICO)

    🍪 Spain 

    DPA: Agencia de Protección de Datos (AEPD)

    🍪 Ireland

    DPA: Office of the Data Protection Commissioner

    🍪 Belgium

    DPA: Autorité de Protection des Données

    🍪 Germany

    DPA: Die Bundesbeauftragte für den Datenschutz und die Informations freiheit

      🍪 Portugal

      DPA: Comissão Nacional de Proteção de Dados (CNPD)

      🍪 Italy

      DPA: Garante per la protezione dei dati personali (GPDP)

      🍪 Poland

      DPA: Urząd Ochrony Danych Osobowych (UODO)

      🍪 Croatia

      DPA: Agencija za zaštitu osobnih podataka (AZOP)

      *Is consent valid by scrolling/continuing navigation?

      • The communications exemption

      This applies to cookies whose only purpose is to carry out the transmission of a communication over a network, for example to identify the communication endpoints. This may also apply to cookies used to allow data items to be exchanged in their intended order, like numbering data packets. It also applies to cookies used to detect transmission errors or data loss.

      • The strictly necessary exemption

      A cookie that is exempt under this criterion must simultaneously pass two tests:

      - the exemption applies to ‘information society services’ (ISS) – i.e. a service delivered over the internet, such as a website or an app.

      - This service must have been explicitly requested by the user and the use of the cookie must be restricted to what is strictly necessary to provide this service.

      🍪 EU

      DPA: EDPB (European Data Protection Board)