ODO24 Logo
ODO24 Logo
ODO24 Logo
GDPR questions and answers

GDPR: QUESTIONS AND ANSWERS

Category:
Cookie Files

How should a cookie banner be designed to ensure consent is valid?

ANSWER

The website administrator is free to design the cookie banner in any way they choose. However, it should be remembered that the requirements for obtaining consent are based on Article 4(11) and Article 7 of the GDPR.

Consent for the storage and reading of cookies (other than those that are technically necessary), as well as for the subsequent processing of data based on such cookies, will remain valid only if the GDPR requirements are fully met.

When designing a cookie banner, the following principles must always be observed:

  • Consent first, cookies second: Consent must be obtained before any action is taken. When creating a website, it must be ensured that no cookies other than technically necessary cookies are stored before consent has been obtained.
  • Awareness of the data subject: The data subject must clearly understand that they are giving consent to the use of cookies. Continuing to browse the website without interacting with the cookie banner, or accidentally clicking a "hidden consent button," cannot be interpreted as unambiguous consent. Furthermore, consent cannot be assumed merely because the data subject "implicitly allows" cookies through their browser settings.
  • Privacy by default: The data subject must provide consent consciously. Pre-ticked checkboxes in a cookie banner are not permitted.
  • Voluntary consent: Consent must be given freely. The data subject must not suffer inconvenience and/or detriment if they choose not to consent. As a general rule, it is not permissible to deny access to a website solely because a user has not provided consent.
  • Ability to withdraw consent: The cookie banner must clearly explain where and how consent can be withdrawn. Withdrawing consent must be as easy as giving it.
  • Fulfilment of the information obligation: The data subject must clearly understand what they are consenting to. This requires the full provision of all mandatory information.
  • Refusing consent must be as easy as giving it: Refusing consent (or continuing to browse without consenting) must be just as easy as granting consent. The decision to refuse consent should not require more interaction with the cookie banner than the decision to grant consent. Users should not be required to search for a refusal option on a second or third layer of the information notice.
  • No unfair practices: The data subject must not be pressured into giving consent, either directly or indirectly. It is not permissible to design the refusal button in a way that makes it less visible than the consent button.
Show all
PreviousNext

Read also:

07 June 2026

Przygotuj się na atak phishingowy, nim będzie za późno

07 June 2026

TikTok a RODO w sektorze publicznym – czego urzędy mogą dowiedzieć się z niemieckich zaleceń dla instytucji

02 June 2026

Czy do spełnienia wymogów ustawy o krajowym systemie cyberbezpieczeństwa (KSC / NIS2) potrzebne jest Security Operations Center (SOC)?

Ranking aplikacji dla sygnalistów

Ochrona sygnalistów - ranking aplikacji

Receive a free package of 4 tutorials and 4 e-learning trainings
The controller of your data is ODO 24 sp. z o. o.
How to design a GDPR-compliant cookie banner? | ODO 24 | ODO 24