Page tree

Use of the cookie consent kit is mandatory on each page of the DGs and executive agencies owned websites, regardless of the cookies used.

Scope of these rules

Techniques other than cookies are often used in an attempt to circumvent the data protection related obligations. Therefore, all the following technologies fall under the category cookies and similar technologies:

  • Cookies
  • Scripts (such e.g. JavaScript code) and components (such as browsers plug-ins) to be executed on the client side
  • Web caching mechanisms
  • HTML5 local storage
  • “Device fingerprinting”
  • “Canvas fingerprinting” and “Evercookies”
  • Web beacons.

Cookies and similar technologies requiring consent

Cookies and similar technologies that generally DO need consent:

  • Social plug-in tracking mechanisms
  • Third party advertising cookies
  • Analytics cookies (except for the exemption described further below)

Cookies and similar technologies that generally do NOT need consent:

  • User input cookies, for the duration of a session
  • Authentication cookies, for the duration of a session
  • User centric security cookies, used to detect authentication abuses and linked to the functionality explicitly requested by the user, for a limited persistent duration
  • Multimedia content player session cookies, such as flash player cookies, for the duration of a session
  • Load balancing session cookies, for the duration of session
  • User interface customisation cookies, for a browser session or a few hours, unless additional information in a prominent location is provided (e.g. “uses cookies” written next to the customisation feature)

Exceptionally, Data Protection Authorities consider that, due to the low risk for users, prior consent can be skipped in case of first party cookies used for anonymous, aggregate statistics under specific assumptions and safeguards. The web service must although provide the user with a simple, easy-to-use functionality to “opt out” from analytics.


The EU institution must adequately inform users and obtain their consent before setting cookies and any other technology falling within the scope of Article 5(3) of the ePrivacy directive. By default, none of those cookies must be set.

  • For all Commission owned websites within the domain, consent is managed centrally on domain level by implementing the Cookie Consent Kit. The consent indicated via the mandatory cookie consent kit covers the domain
  • All cookies within the domain, placed by Commission-owned websites, are described on the Commission central cookie policy page:

Regarding the actual cookies on a specific site, the site owner has to check whether the cookies used are already mentioned on the corporate cookies page. If not, DG COMM should be contacted with an inventory of all first- and third-party cookies providing information on their purpose, the type of data collected, stored or transmitted by cookies, and the lifetime of the cookie.


These procedures are dedicated to external and internal developers and web masters of the European institutions. Consequently, features documented below are tailored to the European Commission's content management systems and internal guidelines.

Implementing user consent should be done by implementing the Cookie Consent Kit.

The cookie consent solution is a JavaScript‑based kit that, after some site‑specific configuration, will automatically add a header banner to the page. This header banner will disappear once the user has accepted or refused the cookies used on the website.

This solution provides the following functionalities:

  • JavaScript to display automatically the header banner in 24 languages
  • a wizard to declare your cookies and the link to your cookies notice page
  • a JavaScript API with methods and functions that help to prevent prior storage of cookies
  • a corporate‑consent cookie to remember the choice of the user across websites
  • a template for the cookie notice page

This guide's page related to data protection

Directive 2009/136/EC (ePrivacy Directive)

Regulation (EU) 2018/1725 (Data protection regulation for EU institutions)

EDPS Guidelines on the protection of personal data processed through web services provided by EU institutions

Documentation Cookie Consent Kit

Contact and support

Within the European Commission, the first level of contact for any data protection related issues is the DG's Data Protection Coordinator (EU Login required).

For adding new cookies that are not described on the central Cookies policy pages, please contact the team in charge of Europa Domain Management (EU Login required).

We are interested in your opinion. Please log in to reply to the question below: 

Click for anchor link Did you find what you were looking for?

Choices Your Vote Comments
Partially, tell us more

  • No labels
Attention: Public content on the Europa Web Guide has moved to the EC core website: Europa Web Guide. Restricted pages are now on SharePoint: European Commission website content governance.
Important note: Please update any links to the guide in your documentation or intranet pages accordingly.

The Europa Web Guide is the official rulebook for the European Commission's web presence, covering editorial, legal, technical, visual and contractual aspects.
All European Commission web sites must observe the rules and guidelines it contains.
Web practitioners are invited to observe its contents and keep abreast of updates. More information about the web guide.