Use this guide to decide when an EU cookie banner must block non-exempt cookies and similar technologies until the user gives valid consent.
Grounded in Article 5(3), EDPB cookie-banner findings, EDPB consent guidance, WP29 exemption guidance, Planet49, CNIL analytics guidance, and Commission ePrivacy material.
Structured answer sets in this page tree.
Cited legal and guidance references.
EU cookie-banner work starts with Article 5(3) of the ePrivacy Directive: storing information, or gaining access to information already stored, in a user's terminal equipment generally needs consent unless the technical storage or access is limited to transmission or is strictly necessary for a service explicitly requested by the user. The banner is therefore not just a notice. It is the control that prevents non-exempt cookies, pixels, SDK reads, local-storage access, fingerprinting, and similar tracker operations until consent is validly given.
Use the exemption narrowly. WP29 Opinion 04/2012 treats Article 5(3) exemptions as limited to two cases: technical storage or access for the sole purpose of carrying out transmission, or storage or access that is strictly necessary to provide an information society service explicitly requested by the user.
The exemption is purpose-based, not label-based. A cookie called essential is not exempt if it also performs analytics, advertising, profiling, fraud measurement for ads, market research, or product improvement. If one identifier supports both an exempt and a non-exempt purpose, split the purposes technically or gate the non-exempt purpose behind consent.
For non-exempt cookies and trackers, consent must be a real affirmative choice before storage or access occurs. The EDPB Cookie Banner Taskforce recorded that, by default, cookies requiring consent cannot be set without consent and that consent must be expressed by a positive user action.
A banner that offers an accept button but no reject or refuse option on any layer with a consent button is a high-risk pattern. The taskforce reported that a vast majority of authorities considered the absence of refuse, reject, or not-consent options on any layer with a consent button inconsistent with valid consent. Put the refusal path where users can actually find it, and avoid link styling, colour contrast, or button emphasis that clearly pushes acceptance.
Do not use pre-ticked boxes, opt-out toggles, silence, scrolling, swiping, continued browsing, or participation in another flow as cookie consent. Planet49 held that consent for storing or accessing cookies is not valid when a pre-checked checkbox must be deselected to refuse. The EDPB consent guidance similarly rejects pre-ticked boxes and inactivity.
Give users clear information before consent: purposes, categories, controller or third-party access where relevant, and the duration of the cookies or similar technologies. Planet49 specifically treats cookie duration and third-party access as part of the clear and comprehensive information users need.
Sorena can turn the cookie-banner requirements on this page into tracker inventories, consent checks, rejection-path tests, withdrawal evidence, and reusable review steps for EU ePrivacy work.
Ask source-linked questions about Article 5(3), cookie consent, analytics caveats, and banner evidence using the cited sources on this page.
Review your cookie banner, tracker inventory, reject-all path, withdrawal controls, and evidence logs with Sorena.
"Most large audience measurement offerings do not fall within the scope"
"storing of information, or the gaining of access to information already stored"
"as easy to withdraw as to give consent"
"access to services and functionalities must not be made conditional"
"information, terminal equipment, gaining access and stored information and storage"
"towards a future proof legal framework"
"pre-checked checkbox which the user must deselect"
"strictly necessary in order for the provider"