What is Cookie Consent
Cookie consent is the practice of asking website visitors for permission before storing cookies on their devices. Multiple privacy laws around the world require it, and the rules vary by jurisdiction.
This page explains the concept. For implementation, see the Quick Start guide.
Why cookie consent exists
Cookies allow websites to track visitor behavior, remember preferences, and serve targeted ads. Because this involves processing personal data, privacy regulations require websites to inform visitors about the cookies they use and, in most cases, obtain consent before setting them.
The core principle is simple: visitors should know what data is being collected about them and have the ability to control it.
Which laws require it
These are the most common regulations your site may need to comply with:
GDPR (EU/UK)
Requires explicit opt-in consent before setting any non-essential cookies. The most prescriptive cookie consent framework currently in force. Enforced by national data protection authorities in each EU member state and by the ICO in the UK.
CCPA / CPRA (California)
Uses an opt-out model. Cookies may be set by default, but visitors must have a clear way to opt out of the sale or sharing of their personal information. Applies to for-profit businesses meeting certain revenue or data volume thresholds.
LGPD (Brazil)
Requires a legal basis for processing personal data, including data collected through cookies. Consent is one of several valid legal bases (others include legitimate interest). In practice, cookie consent banners are the most common implementation.
PIPEDA (Canada)
Requires meaningful consent for the collection, use, and disclosure of personal information. In general, implied consent may be acceptable for non-sensitive data, but Quebec's Law 25 requires explicit opt-in consent for residents of that province.
Opt-in vs. opt-out
The two fundamental consent models differ in what happens before the visitor makes a choice:
| Model | Default state | Used by |
|---|---|---|
| Opt-in | No non-essential cookies until visitor actively agrees | GDPR (EU/UK), Quebec Law 25 |
| Opt-out | Cookies may be set, but visitor can opt out at any time | CCPA / CPRA (California) |
Some regulations don't fit neatly into either model. LGPD and PIPEDA allow multiple legal bases for data processing, and the consent approach depends on the type of data and context. When in doubt, opt-in is the safer default.
What counts as valid consent
Under GDPR, valid consent must be:
- Freely given: the visitor must have a real choice. Access to the website cannot depend on accepting cookies.
- Specific: consent must be given for each purpose separately. An "Accept All" button is allowed, but there must be an equally accessible way to reject non-essential cookies or choose specific categories.
- Informed: the visitor must know what they're consenting to. The banner must explain what cookies are used for.
- Unambiguous: consent must involve a clear affirmative action (clicking a button). Scrolling or continuing to browse does not count.
Pre-ticked checkboxes and implied consent through inaction are not valid under GDPR. Cookie walls (blocking content until cookies are accepted) are generally considered non-compliant, though enforcement varies by jurisdiction.
When consent is not required
Strictly necessary cookies are exempt from consent requirements under all major privacy laws. These are cookies that the website cannot function without:
- Session cookies for maintaining login state
- Shopping cart cookies on e-commerce sites
- CSRF protection tokens
- Load balancer cookies
- Cookie consent preference cookies (storing the visitor's consent choice itself)
Analytics cookies (including Google Analytics), advertising cookies, and social media tracking cookies always require consent under GDPR.
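The rules above can be expressed as a small gate that runs before any cookie is written. The following is an added example, not LiteConsent's code or API: the law keys, category names, and function names are hypothetical, and CCPA / CPRA opt-out is simplified to a per-category choice.

```javascript
// Added example (hypothetical names throughout, not LiteConsent's API).
// Maps each regulation from the table above to its consent model.
const MODEL_BY_LAW = {
  GDPR: "opt-in",
  QUEBEC_LAW_25: "opt-in",
  CCPA_CPRA: "opt-out",
};

// Only a clear affirmative action can grant consent. Scrolling or
// continuing to browse is not in this set, so it never grants anything.
const AFFIRMATIVE_ACTIONS = new Set(["button_click"]);

// Returns a new consent state. Starting from an empty object means no
// category is pre-ticked. A grant needs an affirmative action; a refusal
// or withdrawal is always recorded.
function recordChoice(state, category, granted, action) {
  if (granted && !AFFIRMATIVE_ACTIONS.has(action)) return state;
  return { ...state, [category]: granted };
}

// Decides whether a cookie in the given category may be set right now.
function maySetCookie(law, category, state) {
  // Strictly necessary cookies (session, CSRF token, consent preference)
  // are exempt from consent.
  if (category === "strictly_necessary") return true;

  // Assumption: an unrecognized law falls back to opt-in, the safer default.
  const model = MODEL_BY_LAW[law] ?? "opt-in";
  const choice = Object.hasOwn(state, category) ? state[category] : undefined;

  if (model === "opt-in") return choice === true; // blocked until agreed
  return choice !== false; // opt-out: allowed until the visitor opts out
}
```

Call `maySetCookie` at every point where a script would write a cookie, so that a tag added later cannot bypass the visitor's recorded choice.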
How LiteConsent handles cookie consent
LiteConsent automatically adapts the consent experience based on the visitor's location. EU visitors see a GDPR-compliant opt-in banner, California visitors see a CCPA opt-out notice, and visitors from regions without specific consent requirements see a minimal notice or no banner at all. The jurisdiction is determined at the CDN edge based on the visitor's IP address. For details on how this works and how to configure it, see Jurisdictions.
Ready to add cookie consent to your site? Start with the Quick Start guide.