Consent must be given freely and obtained through active user behavior, i.e., a traceable user-client request towards the website from which a website operator can unambiguously conclude that consent is specific and informed. Active consent thus includes, for example, clicking on a button or a link, or ticking a box. Browser settings represent sufficient consent only when a website operator is confident that the user has been fully informed and actively configured their browser. Cookie and consent related information must be presented in a manner whereby users are most likely to acknowledge it as such and not mistake it for other content. Accordingly the information must remain visible until consent is given and a mere click on a link to “more information on cookies” cannot be deemed sufficient evidence of consent.
Although some Member States allow making website access contingent on cookie acceptance, the Article 29 Working Party advises that user access to general content should be unconditional. Thus, a user should generally be able to browse web pages without accepting cookies or by receiving only some of them, such as those necessary for the operation of the website and those exempt from the consent requirement. Nevertheless, access to specific website content can be limited if cookies are used for legitimate purposes.