Does this tool produce a binding determination?

No. It applies Article 5(3) of the ePrivacy Directive and the GDPR consent standard (Articles 4(11) and 7), read with the EDPB Guidelines 05/2020 on consent, to your answers and returns a structured assessment. Whether a specific cookie or tracker is strictly necessary is a fact-based judgement for your organisation, and Article 5(3) applies through national law, so the guidance of the competent authority in your country governs the detail. When the position is unclear, document your reasoning and take advice.

Do I always need a cookie consent banner?

Not always. You need prior consent (commonly collected through a banner) whenever you set or read non-essential cookies or trackers, such as analytics or advertising. If you use only strictly necessary cookies, you do not need consent for them, though you still tell users what you use and why. The trigger is non-essential storage or access, not the banner itself.

Which cookies count as strictly necessary?

Only those essential to deliver a service the user explicitly requested, or solely needed to carry out a transmission. Common examples are session and authentication cookies, security and load-balancing cookies, a shopping-cart cookie, and the cookie that stores the user's own consent choice. The test is judged against the requested service and is narrow: analytics, advertising, and most third-party trackers generally do not qualify.

Do analytics cookies need consent?

Generally yes. Analytics and measurement are not strictly necessary to deliver the service the user asked for, so they generally need prior consent under Article 5(3). A few national authorities allow a narrow exemption for certain privacy-preserving, first-party audience-measurement analytics under strict conditions, so check your national authority's guidance before relying on one rather than assuming it applies.

Are pre-ticked boxes or "by continuing you accept" valid consent?

No. GDPR consent must be unambiguous and given by a clear affirmative action (Article 4(11)). The CJEU held in Planet49 (Case C-673/17, judgment of 1 October 2019) that a pre-ticked checkbox the user must deselect is not valid consent for cookies. Accept-only banners, consent inferred from scrolling or continued browsing, and silence are not valid consent either.

Are cookie walls allowed?

It depends and is contested. The EDPB position is that conditioning access to a service on consent to non-necessary cookies generally makes consent not freely given, so a strict cookie wall usually undermines valid consent. Some national authorities permit limited "consent or pay" or equivalent models under specific conditions, so this is one of the areas where you should check your own competent authority's current guidance.

How is this different from a privacy policy or a DPIA?

This checks one specific question: whether you need prior consent before setting cookies or trackers, and whether your consent mechanism meets the standard. A privacy policy is your broader transparency notice under Articles 13 and 14, and a DPIA assesses high-risk processing under Article 35. They are related but distinct: our DPIA necessity checker and the other GDPR tools cover those.

Free tool

GDPR cookie consent checker

Answer six questions to see whether your website or app needs prior consent before it sets cookies or trackers, whether you fall under the strictly-necessary exemption, and whether your consent banner meets the standard. The cookie rule is Article 5(3) of the ePrivacy Directive; the standard of consent is the GDPR standard. A structured assessment, not legal advice.

Based on Article 5(3) of the ePrivacy Directive 2002/58/EC and the GDPR consent standard (Articles 4(11) and 7), read with EDPB Guidelines 05/2020 on consent.

Primary sources

Jurisdiction: EU/EEA. Instruments: Directive 2002/58/EC (ePrivacy Directive), Article 5(3), as amended by Directive 2009/136/EC; and Regulation (EU) 2016/679 (GDPR), Articles 4(11) and 7, for the standard of consent. Applied through national law by each Member State's competent authority (the data-protection supervisory authority or, in some States, another national regulator).

Directive 2002/58/EC (ePrivacy Directive), Article 5(3), as amended by Directive 2009/136/EC (EUR-Lex) (Last verified 2026-06-09)
Regulation (EU) 2016/679 (GDPR), Articles 4(11), 7, and 13, for the standard of consent (EUR-Lex) (Last verified 2026-06-09)
EDPB Guidelines 05/2020 on consent under Regulation 2016/679, version 1.1, adopted 4 May 2020 (Last verified 2026-06-09)
EDPB Report of the work undertaken by the Cookie Banner Taskforce, adopted 18 January 2023 (on reject controls and banner design) (Last verified 2026-06-09)
CJEU, Planet49 (Case C-673/17), judgment of 1 October 2019 (pre-ticked boxes are not valid cookie consent) (Last verified 2026-06-09)

Frequently asked questions

Does this tool produce a binding determination?: No. It applies Article 5(3) of the ePrivacy Directive and the GDPR consent standard (Articles 4(11) and 7), read with the EDPB Guidelines 05/2020 on consent, to your answers and returns a structured assessment. Whether a specific cookie or tracker is strictly necessary is a fact-based judgement for your organisation, and Article 5(3) applies through national law, so the guidance of the competent authority in your country governs the detail. When the position is unclear, document your reasoning and take advice.
Do I always need a cookie consent banner?: Not always. You need prior consent (commonly collected through a banner) whenever you set or read non-essential cookies or trackers, such as analytics or advertising. If you use only strictly necessary cookies, you do not need consent for them, though you still tell users what you use and why. The trigger is non-essential storage or access, not the banner itself.
Which cookies count as strictly necessary?: Only those essential to deliver a service the user explicitly requested, or solely needed to carry out a transmission. Common examples are session and authentication cookies, security and load-balancing cookies, a shopping-cart cookie, and the cookie that stores the user's own consent choice. The test is judged against the requested service and is narrow: analytics, advertising, and most third-party trackers generally do not qualify.
Do analytics cookies need consent?: Generally yes. Analytics and measurement are not strictly necessary to deliver the service the user asked for, so they generally need prior consent under Article 5(3). A few national authorities allow a narrow exemption for certain privacy-preserving, first-party audience-measurement analytics under strict conditions, so check your national authority's guidance before relying on one rather than assuming it applies.
Are pre-ticked boxes or "by continuing you accept" valid consent?: No. GDPR consent must be unambiguous and given by a clear affirmative action (Article 4(11)). The CJEU held in Planet49 (Case C-673/17, judgment of 1 October 2019) that a pre-ticked checkbox the user must deselect is not valid consent for cookies. Accept-only banners, consent inferred from scrolling or continued browsing, and silence are not valid consent either.
Are cookie walls allowed?: It depends and is contested. The EDPB position is that conditioning access to a service on consent to non-necessary cookies generally makes consent not freely given, so a strict cookie wall usually undermines valid consent. Some national authorities permit limited "consent or pay" or equivalent models under specific conditions, so this is one of the areas where you should check your own competent authority's current guidance.
How is this different from a privacy policy or a DPIA?: This checks one specific question: whether you need prior consent before setting cookies or trackers, and whether your consent mechanism meets the standard. A privacy policy is your broader transparency notice under Articles 13 and 14, and a DPIA assesses high-risk processing under Article 35. They are related but distinct: our DPIA necessity checker and the other GDPR tools cover those.

By ISMS Copilot. Based on Article 5(3) of the ePrivacy Directive 2002/58/EC and the GDPR consent standard (Articles 4(11) and 7), read with EDPB Guidelines 05/2020 on consent.

Ready to do compliance work faster?

Built for speed, accuracy, and audit-ready output.

Try ISMS Copilot 2.0