The Article 29 data protection working party released a document providing guidance on obtaining consent for cookies or similar tracking technologies for websites that operate across all EU Member States. According to the working party they should respect four main elements to be legally compliant in each Member State:

1. “Specific information. To be valid, consent must be specific and based on appropriate information. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable.”

2. “Timing. As a general rule, consent has to be given before the processing starts.”

3. “Active choice. Consent must be unambiguous. Therefore the procedure to seek and to give consent must leave no doubt as to the data subject’s intention. There are in principle no limits as to the form consent can take. However, for consent to be valid it should be an active indication of the user’s wishes. The minimum expression of an indication could be any kind of signal, sufficiently clear to be capable of indicating a data subject’s wishes, and to be understandable by the data controller (it could include a handwritten signature affixed at the bottom of a paper form, or an active behaviour from which consent can be reasonably concluded).”

4. “Freely given. Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent.”

These elements are described in more detail in the original document (.pdf).