European Union

A website requires me to accept all cookies to use it. Is this valid consent under EU law?

GDPR Art. 4(11)
Consent definition
ePD Art. 5(3)
Cookie consent rule
2021 CJEU rulin
Bundesverband case
No pre-ticked b
CJEU requirement
The Short Answer

No, requiring users to accept all cookies to access a website is not valid consent under EU law because consent must be freely given, specific, informed, and unambiguous.

What the Law Says

EU law sets strict conditions for valid cookie consent. The General Data Protection Regulation (GDPR) defines consent, while the ePrivacy Directive (ePD) specifically governs electronic communications and cookie use.

Under the GDPR, consent must be 'any freely given, specific, informed and unambiguous indication of the data subject's wishes' — meaning users must have real choice and control.

The ePrivacy Directive requires that storing or accessing information on a user’s device is only allowed 'if the subscriber or user has given his or her consent, having been provided with clear and comprehensive information'.

Crucially, consent cannot be bundled: users must be able to refuse non-essential cookies without losing access to core services.

Statutory Text

consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes

Regulation (EU) 2016/679, Art. 4(11) — Definition of consent
Statutory Text

the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his or her consent

Directive 2002/58/EC, Art. 5(3) — Cookie consent rule

What Courts Have Said

The Court of Justice of the European Union (CJEU) has ruled decisively that forced consent violates EU law.

Bundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH
Court of Justice of the European Union · 2019

The CJEU held that pre-ticked checkboxes do not constitute valid consent, and that users must actively opt in — not be forced to accept all cookies to access a service.

What to Do

1

Reject websites that block access unless you accept all cookies — this is unlawful under EU law.

2

Use browser settings or privacy tools to block non-essential cookies by default.

3

Report non-compliant sites to your national data protection authority (e.g., CNIL in France, ICO in the UK pre-Brexit, or DPA in your member state).

4

Look for granular cookie controls: legitimate sites offer separate toggles for analytics, advertising, and functional cookies.

Sources

statuteRegulation (EU) 2016/679, Art. 4(11) — Definition of consentstatuteDirective 2002/58/EC, Art. 5(3) — Cookie consent rulecaseCJEU Case C-673/17 — Bundesverband v Planet49caseBundesverband der Verbraucherzentralen und Verbraucherverbände – Verbraucherzentrale Bundesverband eV v Planet49 GmbH (2019)

Same Question, Other Jurisdictions

GermanyIrelandUKSouth KoreaCompare all →

Not legal advice. This article is general information based on publicly available sources, written for educational purposes. Laws change and individual situations vary. Consult a licensed attorney in your jurisdiction before acting on anything you read here. Last reviewed: 2026-06-08.