If you run a website that uses cookies, your visitors have two primary options regarding cookie preferences: accept or decline cookies.

Let's say they accept cookies, and your website dutifully sets cookies on their devices. What happens if the user later withdraws their consent? Do you have to delete previously set cookies, even if they're no longer active?

The short answer is no, you don't. Of course, there's a lot more to unpack with this conclusion, considering both the letter of the law and the technical limitations of cookie management.

This article closely examines these considerations to help you understand what's required and what's practical for stored cookies when users withdraw their consent.



Website visitors often interact with cookie banners in predictable ways. Some accept all cookies, a few adjust their preferences on a granular level, and others decline everything.

But there's another less discussed yet equally important scenario: when users change their minds about previously accepted cookies.

Here's how it plays out:

A user visits your website and accepts cookies. Your website proceeds to set cookies on their devices. Some cookies come from your domain (first-party cookies) while others are from external services like your analytics or advertising platforms (third-party cookies).

A while later, the same user navigates to your cookie preference center and withdraws their consent. Maybe they've become more privacy-conscious, or are simply clearing their digital footprint. In any case, they declined cookies they previously accepted.

The questions are:

  • Do you have to delete previously stored cookies after consent is withdrawn?
  • Is it even technically feasible to delete these cookies?
  • What do laws and regulatory authorities say about this area of cookie compliance?

In the following sections, we'll clear up this admittedly complex scenario, helping you understand both the legal and technical implications.

Before going any further, it's worth noting that the question of whether cookies must be deleted after consent withdrawal remains a gray area, with no straightforward legal directive.

That said, we can still get some meaningful guidance about how to approach things from major privacy laws and data protection authorities. Let's get into it.

GDPR and ePrivacy Directive Requirements

The General Data Protection Regulation (GDPR) and ePrivacy Directive (also known as the EU Cookie Law) jointly set the standards for digital privacy and personal data protection across the European Union (EU).

As the most comprehensive privacy and cookie regulations to date, the GDPR and ePrivacy Directive are considered trendsetters in the data protection landscape.

Under both regulations, cookies (particularly those used for tracking or profiling) can be considered personal data if they can potentially identify an individual. Here's precisely what the GDPR says in Recital 30:

"Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them."

While the GDPR doesn't offer any further guidance on cookies, it does provide a clear directive on consent. Under Article 4, the GDPR explains what valid consent should look like:

EUR-Lex GDPR Article 4 Sections 11 and 12

And when it comes to withdrawing consent, here's what the GDPR has to say in Article 7 (3):

EUR-Lex GDPR Article 7 Section 3

In essence, the GDPR doesn't clarify whether to delete the artifacts (i.e., cookies) that house personal data once consent is withdrawn. It only addresses the right to withdraw and how easy it must be.

The ePrivacy Directive picks up where the GDPR left off by going a bit further on how to handle cookies in Article 25:

EUR-Lex ePrivacy Directive Article 25

When it comes to consent, the ePrivacy Directive is clear about the need to get informed consent before using cookies, as presented in Article 5 (3) of its 2009 amendment:

EUR-Lex ePrivacy Directive Article 5 3 with the beginning highlighted

In short, neither the GDPR nor the ePrivacy Directive explicitly addresses deleting existing cookies after consent withdrawal, creating a gap that leaves things open to interpretation.

Guidance from Data Protection Authorities

Like the laws above, Data Protection Authorities (DPAs) haven't provided definitive insights about deleting cookies when consent is withdrawn.

Case in point, here's an excerpt of a cookie consent guidance from the EU Data Protection Commission (the national authority that enforces the ePrivacy Directive):

"The user must be able to withdraw consent as easily as they gave it... You should provide information in your cookies information about how users can signify and later withdraw their consent to the use of cookies, including by providing information on the action required for them to signal such a preference... Any record of consent must also be backed up by demonstrable organisational and technical measures that ensure a data subject's expression of consent (or withdrawal) can be effectively acted on."

The Commission essentially restates the cookie consent provisions of the GDPR and ePrivacy Directive.

While the last sentence does touch on cookie consent withdrawal, it remains vague about what "demonstrable organisational and technical measures" look like and whether they involve deleting cookies.

Given the lack of explicit direction, it appears that stopping further data processing once users withdraw consent suffices under the law; retroactively deleting cookies is not required.

Specifically, website owners should take note of the following:

  • Ensure no new data collection occurs once users withdraw consent
  • Make it impossible for third parties to access previously collected data

If you use an effective Consent Management Platform (CMP), this should all be done automatically.

With the legal requirements out of the way, let's take a look at the technical realities of the cookie deletion scenario and the role of CMPs.

An especially important area to address is the controls available for first-party and third-party cookies in the context of cookie deletion after consent withdrawal.

Let's take a look:

  • First-Party Cookies: Your website directly controls first-party cookies since they live on your domain. While it's technically possible to delete these cookies after consent withdrawal through JavaScript, it's not necessary for compliance since they become dormant without user consent.
  • Third-Party Cookies: Third-party cookies present a different challenge. Set by external domains (e.g., analytics and ad services), these cookies belong to those domains rather than to your website, so your site can't delete them. This isn't an arbitrary limitation; it's a browser security measure that prevents one site from manipulating another domain's cookies.

In short, it's technically possible to delete first-party cookies by implementing some code on your cookie consent solution if you're keen. On the other hand, third-party cookies are outside your control, and as such, can't be deleted or manipulated in any way.

Consent Management Platforms (CMPs) are specialized services that handle the complexities of cookie consent and privacy compliance. So naturally, CMP operations are informed by legal and privacy experts.

When it comes to the cookie deletion scenario, CMPs generally don't delete cookies when users revoke consent. Instead, they ensure cookies stop collecting information and tracking user behavior as required by law.

However, given the widespread concerns over this cookie deletion fiasco, some CMPs have released helper scripts to allow website owners to delete first-party cookies once consent is withdrawn.

To be clear, this action isn't required or recommended for compliance purposes. In fact, it may be considered intrusive since it involves deleting cookies from users' browsers.

Take this note from a CMP, for example:

CMP: Clearing cookies from your domain

And here's another CMP giving users the same option to delete first-party cookies while making it clear that it doesn't recommend this action and isn't responsible for implementing it:

CMP: Removing Cookies After User Opt-Out

Similarly, another CMP offers its users an optional helper script while clarifying that it only works for first-party cookies (as we've established):

CMP helper script to delete first-party cookies

The bottom line: CMPs generally don't delete cookies when users withdraw their consent. And while some have decided to offer a workaround for first-party cookies, they maintain that it's not legally required or even recommended. Plus, it's not feasible for third-party cookies.
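As an added illustration of the first-party-only limitation described above (example code written for this article, not the article's own code or any CMP's helper script): a consent-withdrawal handler that expires only the first-party cookies belonging to the withdrawn categories. The cookie registry, cookie names, paths and the `.example.com` domain are constructed assumptions. A cookie can only be overwritten, and therefore expired, by writing it with the same name, Path and Domain it was set with, and `document.cookie` only exposes cookies of your own origin, which is why third-party cookies are out of reach from a script like this.

```javascript
// Constructed registry (assumption): which first-party cookies belong to which
// consent category, and the Path/Domain each was set with. Strictly necessary
// cookies (e.g. "session") are deliberately absent so they are never touched.
const FIRST_PARTY_COOKIES = {
  analytics: [
    { name: "_site_visit", path: "/", domain: ".example.com" },
  ],
  marketing: [
    { name: "_campaign", path: "/", domain: ".example.com" },
    { name: "_promo_ref", path: "/shop", domain: null }, // host-only cookie
  ],
};

// Parse a document.cookie string ("a=1; b=2") into a Map of name -> value.
// document.cookie never shows Path/Domain, HttpOnly cookies, or cookies set by
// other origins (third-party cookies), so those cannot be cleared from here.
function parseCookieHeader(cookieString) {
  const jar = new Map();
  for (const part of cookieString.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : trimmed.slice(eq + 1);
    jar.set(name, value);
  }
  return jar;
}

// Build the document.cookie assignments that expire each cookie of the
// withdrawn categories. Max-Age=0 tells the browser to drop the cookie, but
// only if name, Path and Domain match the original Set-Cookie exactly.
function buildExpirations(withdrawnCategories, visibleCookies, registry = FIRST_PARTY_COOKIES) {
  const out = [];
  for (const category of withdrawnCategories) {
    for (const c of registry[category] || []) {
      if (!visibleCookies.has(c.name)) continue; // not present: nothing to expire
      let s = `${c.name}=; Max-Age=0; Path=${c.path}`;
      if (c.domain) s += `; Domain=${c.domain}`;
      out.push(s);
    }
  }
  return out;
}

// Hook for the CMP's "consent withdrawn" callback. Returns how many cookies
// were expired; `doc` is injectable so the logic can be tested outside a browser.
function withdrawConsent(withdrawnCategories, doc = globalThis.document) {
  const visible = parseCookieHeader(doc.cookie);
  const expirations = buildExpirations(withdrawnCategories, visible);
  for (const s of expirations) doc.cookie = s;
  return expirations.length;
}
```

Run this after the CMP has already stopped loading the analytics and marketing scripts; otherwise a still-running script can simply set the cookies again.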

Our takeaway on cookie deletion after consent withdrawal? All signs indicate that deleting cookies after users withdraw consent is unnecessary.

That being said, website owners should handle cookie consent in a way that balances user privacy, legal compliance, and technical feasibility. Let's see a few best practices to do just that.

A reliable Consent Management Platform (CMP) is your first line of defense in cookie compliance matters. It handles your consent updates efficiently, allowing users to easily change their preferences whenever they wish.

When it comes to cookie deletion after consent withdrawal, a CMP ensures that once consent is withdrawn, all data collection from cookies is disabled immediately. What's more, it allows for real-time updates to consent status to reflect users' latest choices.

CMPs also effectively manage both first-party and third-party cookie considerations while integrating seamlessly with your existing website infrastructure. In short, the right CMP solution makes compliance easier by automating much of the technical heavy lifting.

Maintain Complete Transparency

Transparency is crucial for both legal compliance and user trust. To that end, your Cookie Policy (also called a Cookie Notice) should explain your cookie consent practices in plain language and avoid any technical jargon that might confuse users.

In particular, it needs to clearly explain the following:

  • Why you use cookies
  • What types of cookies you use
  • Who you share cookie data with
  • How long cookies will stay on users' devices
  • What happens when users withdraw their consent

Practically speaking, you'll need to provide this information in two key places:

  1. A summary in your cookie consent solution (i.e., cookie banner or pop-up)
  2. A more detailed explanation in your Privacy Policy or Cookies Policy

Here's how Spotify's cookie notice banner concisely summarizes its cookie practices, particularly when it comes to withdrawing consent:

Spotify Cookie Notice Banner

Your Privacy or Cookies Policy is also where you'll let users know that while first-party cookies can be managed directly by your site, third-party cookies must be removed by users themselves through their browser settings.

Once again, Spotify does this well, detailing how users can manage their cookie preferences for both first-party and third-party cookies. It also explains how users can further manage their cookie preferences (including deleting cookies) through their browser settings:

Spotify Cookies Policy: Cookies and interest-based advertising management options

Being upfront about these limitations helps set the right expectations and demonstrates your commitment to privacy. Most importantly, it supports your compliance with the transparency requirements of privacy and cookie laws.

Documentation serves as your compliance safety net. You can keep accurate records by maintaining comprehensive logs of user consent choices, including timestamps of when consent was given and withdrawn.

You should also keep records of which categories of cookies were accepted or rejected, and any technical measure implemented after consent withdrawal. These records prove invaluable during audits and help demonstrate your ongoing commitment to privacy compliance.

Legal requirements and technical capabilities are constantly evolving. To keep up, you need to regularly audit your cookie practices to ensure they align with current standards.

This means periodically reviewing how cookies are being used on your site, ensuring your cookie consent solution remains compliant, and adapting to relevant legal changes or industry best practices.

Summary

Do previously set cookies need to be deleted after users withdraw their consent? Our conclusion is no, they don't, primarily because they become dormant once consent is withdrawn.

From a legal standpoint, the GDPR and ePrivacy Directive require transparent cookie consent practices but offer no explicit guidance on whether cookies should be deleted when users withdraw consent. The EU Data Protection Commission reflects the same provisions of these laws with no definitive guidance or recommended course of action.

From a technical standpoint, cookies are tools for data collection rather than data repositories. When consent is withdrawn, these tools simply stop collecting data.

Think of it like unplugging a security camera; the camera is still there, but it's no longer recording. Website visitors (through their consent) control whether cookies collect and use data.

And while it's possible to delete first-party cookies by implementing some code, third-party cookies can't be removed due to security limitations across domains.

All in all, website owners can adopt a few best practices to ensure their activities remain transparent and compliant:

  • Implement a reliable Consent Management Platform (CMP) if you haven't already
  • Be completely transparent about your cookie consent practices
  • Keep accurate records of cookie consent preferences
  • Regularly audit your cookie practices to ensure ongoing compliance
