ePrivacy Directive — The Cookie Law

The EU law that actually requires cookie consent banners. What it is, how it works with GDPR, and what it means for your website.

The ePrivacy Directive (Directive 2002/58/EC, as amended in 2009 by Directive 2009/136/EC, which added the cookie consent rule) is the actual law that requires cookie consent banners in the EU and, via its UK implementation, the UK. Not the GDPR. The ePrivacy Directive.

People confuse the two constantly. Here’s the distinction that matters:

  • GDPR says you need a legal basis to process personal data. Consent is one option.
  • ePrivacy Directive says you specifically need consent before placing cookies or similar tracking technologies on someone’s device.

GDPR sets the standard for what valid consent looks like. ePrivacy says you need consent for cookies. They work together.

What the ePrivacy Directive covers

Article 5(3) is the key clause. Storing information on a user's terminal equipment, or gaining access to information already stored there, is allowed only if:

  • The user has given consent beforehand (prior consent, not consent sought after the fact)
  • The user was first given clear and comprehensive information about the purposes of the storage or access

The rule is technology-neutral: it is about storing or reading data on the device, not about the word "cookie". It covers HTTP cookies, tracking pixels, localStorage and sessionStorage, IndexedDB, device fingerprinting (which reads device properties to build an identifier), and any other technique that stores or accesses information on a user's device. If you're placing tracking pixels, the same consent rule applies.

Exceptions: strictly necessary

Article 5(3) has two exemptions. The first covers storage or access done for the sole purpose of carrying out the transmission of a communication over a network. The second, the one that matters for websites, covers cookies that are strictly necessary to provide a service explicitly requested by the user. Everything else needs consent.

Examples of strictly necessary cookies:

  • Authentication session cookies that keep you logged in
  • Shopping cart cookies during a purchase
  • Load-balancing cookies
  • Security cookies (e.g., CSRF tokens)

Not strictly necessary:

  • Analytics cookies
  • Advertising cookies
  • Social media embeds
  • Preference cookies that aren’t essential to the service
  • A/B testing cookies

The bar is high. When in doubt, it’s not strictly necessary. We walk through the strictly necessary cookie test in detail elsewhere.

What valid consent looks like

The ePrivacy Directive borrows its definition of consent from EU data protection law, so ePrivacy consent must meet the GDPR standard. Cookie consent must therefore be:

  • Freely given. No cookie walls. Users must be able to say no without penalty.
  • Specific. Separate consent for separate purposes. No “all or nothing” bundling.
  • Informed. Explain what each category of cookies does.
  • Unambiguous. Clear affirmative action. Scrolling is not consent. Continuing to browse is not consent.
  • Easy to withdraw. As easy to say no as it was to say yes.

Pre-ticked boxes are illegal (the CJEU said so in Planet49, Case C-673/17). Implied consent doesn't exist. Cookie walls (blocking access unless you accept) are not valid consent.

National implementations

The ePrivacy Directive is an EU directive, so each member state implements it through national law. The UK implements it through the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR), which remain in force after Brexit. This means the details (enforcement, guidance on exemptions, what counts as a valid banner) vary between countries, but the core rule, consent before non-essential storage or access, is universal.

The ePrivacy Regulation

The ePrivacy Directive was meant to be replaced by an ePrivacy Regulation, a directly applicable EU law that would not need national implementation. The Commission proposed it in January 2017, but member states never agreed on a text, and the Commission withdrew the proposal in 2025. The draft would have updated cookie consent rules for the modern web (stricter rules for tracking, clearer rules for IoT data, and potentially more exemptions for analytics). For now, the Directive and its national implementations remain the law.

How Zest handles it

Zest blocks non-essential cookies and trackers until the user gives explicit consent. Categories are clearly separated. The reject button is as prominent as the accept button. Consent is documented with timestamps. Zest was built for ePrivacy compliance from day one.
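The blocking approach described above, and the consent requirements listed earlier (default denied, per-category decisions, one-click accept or reject, easy withdrawal, timestamped evidence), reduce to a small piece of state logic. The following is an added, illustrative JavaScript version written for this page; it is not Zest's code. The category names, the script and cookie metadata, and the fixed clock are assumptions constructed for the demo so it runs offline.

```javascript
// Added example, not Zest's code: a minimal consent gate that enforces the
// Article 5(3) rule in code. Nothing non-essential is activated or kept until
// an explicit, per-category, timestamped grant exists.
// Category names below are an assumption for the demo.
const CATEGORIES = ["necessary", "analytics", "advertising", "social"];
const NON_ESSENTIAL = CATEGORIES.filter((c) => c !== "necessary");

// Fresh state: only "necessary" starts allowed. Every other category starts
// denied, so there is no pre-ticked box or implied consent to fall back on.
function createConsent(clock = () => new Date().toISOString()) {
  const decisions = {};
  for (const c of CATEGORIES) decisions[c] = c === "necessary";
  return { version: 1, decisions, log: [], clock };
}

// Record a decision for specific categories. "necessary" is exempt rather than
// consented to, so it is never toggled. Every change is logged with a
// timestamp so the consent can be evidenced later.
function decide(state, categories, granted) {
  const changed = [];
  for (const c of categories) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    if (c === "necessary") continue;
    if (state.decisions[c] !== granted) {
      state.decisions[c] = granted;
      changed.push(c);
    }
  }
  state.log.push({
    at: state.clock(),
    action: granted ? "grant" : "withdraw",
    categories: changed,
  });
  return changed;
}

// "Accept all" and "reject all" are the same single call over the same
// categories, so refusing is exactly as easy as agreeing.
const acceptAll = (state) => decide(state, NON_ESSENTIAL, true);
const rejectAll = (state) => decide(state, NON_ESSENTIAL, false);

// An unknown or undeclared category is never allowed.
function isAllowed(state, category) {
  return state.decisions[category] === true;
}

// Given tag descriptors (what a banner would read from
// <script type="text/plain" data-category="..."> before swapping the type),
// return only those that may be activated now.
function allowedScripts(state, scripts) {
  return scripts.filter((s) => isAllowed(state, s.category));
}

// On withdrawal, cookies already set for a denied category must be expired.
// Given a cookie-name -> category map and the names currently present, return
// the names to clear. Cookies not in the map are treated as non-essential.
function cookiesToClear(state, cookieCategories, presentCookies) {
  return presentCookies.filter(
    (name) => !isAllowed(state, cookieCategories[name] || "unknown")
  );
}

// Constructed demo data (hostnames and cookie names are placeholders).
const SCRIPTS = [
  { src: "/static/app.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
  { src: "https://cdn.example/widget.js" }, // no category declared: blocked
];
const COOKIE_CATEGORIES = {
  sid: "necessary", csrf: "necessary", an_id: "analytics", ad_id: "advertising",
};

function demo() {
  const state = createConsent(() => "2024-01-01T00:00:00Z");
  const beforeConsent = allowedScripts(state, SCRIPTS).map((s) => s.src);
  decide(state, ["analytics"], true); // user ticked only "analytics"
  const afterAnalytics = allowedScripts(state, SCRIPTS).map((s) => s.src);
  rejectAll(state); // user later withdraws everything
  const toClear = cookiesToClear(state, COOKIE_CATEGORIES,
    ["sid", "csrf", "an_id", "ad_id", "tracker"]);
  return { beforeConsent, afterAnalytics, toClear, log: state.log };
}
```

In a real banner the `log` would be persisted first-party (it is itself strictly necessary, since it records the user's choice) and `cookiesToClear` would feed `document.cookie` expiry writes for the host and its parent domains.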

Own your cookie banner.

Zest is free and MIT-licensed, and it doesn't phone home to anyone.
Drop the script in and you're done.