The key cookie rule is Article 5(3) ePrivacy Directive: storing or accessing information on a user's device (a cookie) needs the user's consent after clear and comprehensive information. The EDPB treats this consent as identical to GDPR consent (specific, informed, freely given, by a clear affirmative action, before the cookie is set). The ePrivacy rules apply to online behavioural advertising (OBA) whether or not the data is personal data. Implementation varies widely by member state.
Inform the user of the cookie's intended use/purposes (specific and informed).
The user must consent before the cookie is placed or information is retrieved, by a clear affirmative action.
The user must have a real choice and give an active indication (freely given).
🔑 Personal data is not the test
Article 5(3) applies to OBA regardless of whether the information collected is 'personal data'. The trigger is storing/accessing information on the device, not whether it identifies someone. The narrow strictly-necessary exemptions almost never cover OBA cookies, which usually rely on third-party cookies.
Key terms - quick answers
What is “Article 5(3)”?
ePrivacy provision requiring consent (with prior clear information) to store or access information on a user's device - the 'cookie consent' rule.
What is “Clear affirmative action”?
An active, unambiguous indication of agreement required for valid consent (no pre-ticked boxes / no silence).
What is “Strictly-necessary exemption”?
Cookies needed solely to transmit a communication, or strictly necessary for a service the user explicitly requested (e.g. a shopping basket), are exempt - but this very rarely covers OBA cookies.