
Cookie Consent Expiry: How Long Does Consent Last and When to Re-Ask

Consent isn't forever. Learn how long cookie consent stays valid, what regulators recommend for re-consent intervals, and the events that should always trigger a fresh prompt.

Consent Is Not a One-Time Event

A common misconception is that once a visitor clicks "Accept," you have their consent forever. You do not. Consent under the GDPR is a living state: it can be withdrawn at any time, it goes stale, and there are circumstances where continuing to rely on an old "yes" is no longer lawful. Re-asking too often annoys users and depresses your consent rate; re-asking too rarely risks acting on consent that no longer reflects the user's wishes or your actual processing.

This guide explains how long consent realistically lasts, what regulators recommend, and the specific events that should always trigger a fresh prompt — so you can strike the right balance between compliance and user experience.

What the Law Actually Says

The GDPR does not state a fixed expiry date for consent. Instead, Article 7 and Recital 32 establish principles: consent must be freely given, specific, informed, and unambiguous, and the controller must be able to demonstrate it. Recital 39's transparency requirement implies that consent should reflect the current reality of your processing — if what you do with the data changes materially, the old consent no longer covers it.

National regulators have filled the gap with concrete guidance. France's CNIL recommends that consent be obtained again at an appropriate interval — commonly cited as around six months — and historically pointed to a maximum cookie lifespan in the region of 13 months. The UK's ICO advises reviewing consent at appropriate intervals and refreshing it if anything material changes. The shared theme: consent has a shelf life, even if the exact number is a matter of regulator recommendation rather than statute.

Two different clocks: consent validity vs cookie lifespan

Don't confuse them. Consent validity is how long the user's choice remains a lawful basis to process. Cookie lifespan is the technical expiry set on the cookie itself. A tracking cookie might be set to live two years, but the consent authorising it may need refreshing far sooner. Align the two: there's little point in a two-year cookie if the consent behind it lapses at six months.

Recommended Re-Consent Intervals

Because no single legal number exists, most organisations settle on a defensible interval informed by regulator guidance. In practice:

  • 6 months — a conservative, CNIL-aligned interval favoured by privacy-cautious organisations and those with heavy French traffic.
  • 12 months — the most common industry choice, balancing compliance comfort with user experience.
  • 13 months — often used as an outer bound, reflecting older CNIL guidance on maximum cookie lifespans.

Going much beyond 12–13 months without re-prompting is hard to defend. Within the EEA, choosing 6–12 months and documenting your reasoning is the safe zone. Whatever you pick, store the consent timestamp so the expiry clock is auditable — the same record you need to prove consent to a regulator.

Events That Should Always Trigger Re-Consent

Time-based expiry is only half the story. Certain changes invalidate existing consent regardless of how recently it was given, because the original "yes" no longer matches what you are doing:

1. New purposes

If you start processing data for a purpose the user never agreed to — say, adding behavioural advertising to a site that previously only ran analytics — you need fresh consent for that purpose.

2. New vendors or recipients

Adding third parties who receive the data, or new adtech vendors, changes who is processing it. Under the TCF, a material change to the vendor list is a standard re-prompt trigger.

3. Material changes to the cookies themselves

New categories of cookies, or significant changes in how existing ones work, require re-consent. Run a periodic cookie scan to catch trackers that appeared without a corresponding consent update.

4. A change of legal basis or controller

If your company is acquired, or the data controller changes, the basis on which consent was given may no longer hold.

Don't weaponise re-consent

Re-prompting a user who recently declined — over and over, on every page — is a deceptive design pattern regulators penalise as 'nagging.' Re-consent should be driven by genuine expiry or material change, not used to wear down a refusal. See our guide on cookie banner dark patterns for where the line sits.

Withdrawal: The Other Side of Expiry

Article 7(3) GDPR gives users the right to withdraw consent at any time, and withdrawal must be as easy as giving it. A user who can accept in one click but has to email support to withdraw does not have a real right to withdraw. Practically, this means:

  • a persistent, always-available way to reopen consent settings (a footer link or a floating icon);
  • withdrawal taking effect immediately — trackers stop firing and, where appropriate, cookies are cleared;
  • withdrawal being logged just like the original consent, so you have a complete audit trail.

Treat withdrawal and expiry as two paths to the same outcome: a state where you no longer have valid consent and must stop the relevant processing until the user opts in again.

Managing Expiry Without Hurting UX

Frequent banners are the enemy of consent rates, so make each re-prompt count:

  1. Only re-ask when you must — at genuine expiry or on a material change, never on a whim.
  2. Pre-fill prior choices where lawful — when re-consenting due to a minor vendor change, you can show the user their previous selections rather than resetting everything to off, as long as you make the affirmative action clear.
  3. Explain why you're asking again — "We've updated our cookie partners" reduces friction and builds trust.
  4. Respect a fresh refusal — once re-consent is declined, store it and don't re-prompt until the next genuine trigger.

Done thoughtfully, re-consent is invisible most of the time and only surfaces when it genuinely should. For the techniques that lift opt-in rates honestly, see consent rate optimization.
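The re-prompt logic this guide describes (time-based expiry, the material-change triggers, and respecting a logged decline or withdrawal), as an added example rather than any consent platform's own code. The record fields, the 180-day interval, and the choice to keep already-granted purposes running while the user is re-asked about a new purpose or vendor list are assumptions.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed policy: what the site currently does and the interval it documented.
const POLICY = {
  validityDays: 180,
  purposes: ["analytics", "advertising"],
  vendorListVersion: 7,
  controllerId: "controller-a",
};

// Log entry written for every accept, decline and withdrawal (hypothetical schema).
function recordChoice(action, granted, policy, now) {
  return {
    action, // "accept" | "decline" | "withdraw"
    granted: [...granted],
    offered: [...policy.purposes],
    vendorListVersion: policy.vendorListVersion,
    controllerId: policy.controllerId,
    timestamp: now.toISOString(),
  };
}

// Decide whether to show the banner and which purposes may run right now.
function evaluateConsent(record, policy, now) {
  if (!record) return { prompt: true, reason: "no-record", allowed: [] };

  const ageMs = now.getTime() - Date.parse(record.timestamp);
  if (ageMs > policy.validityDays * DAY_MS)
    return { prompt: true, reason: "expired", allowed: [] };
  if (record.controllerId !== policy.controllerId)
    return { prompt: true, reason: "controller-changed", allowed: [] };

  // Assumption: purposes already granted keep running during the re-prompt;
  // a purpose the user was never offered stays off until they opt in.
  const allowed = record.granted.filter((p) => policy.purposes.includes(p));
  if (policy.purposes.some((p) => !record.offered.includes(p)))
    return { prompt: true, reason: "new-purpose", allowed };
  if (record.vendorListVersion !== policy.vendorListVersion)
    return { prompt: true, reason: "vendor-list-changed", allowed };

  // Recent accept, decline or withdrawal with nothing changed: no banner.
  return { prompt: false, reason: "current", allowed };
}
```

A decline or withdrawal is stored as a record with an empty `granted` list, so it suppresses the banner until the same expiry or material-change triggers apply.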

Consent Expiry & Re-Consent Checklist

  • A defined consent validity interval

    Choose 6–12 months (CNIL-aligned) and document your reasoning.

  • Consent timestamp stored for every choice

    Makes the expiry clock auditable and proves when consent was given.

  • Consent validity aligned with cookie lifespan

    Avoid cookies that outlive the consent authorising them.

  • Re-consent triggered by new purposes or vendors

    A material change to processing or the vendor list prompts a fresh choice.

  • Periodic cookie scans to catch drift

    Detect new trackers that appeared without an updated consent record.

  • One-click, always-available withdrawal

    As easy as giving consent, taking effect immediately and logged.

  • No nagging after a refusal

    Respect a decline; re-prompt only on genuine expiry or material change.

Keep consent current, automatically

The right setup tracks each consent's age, re-prompts on expiry or material change, and makes withdrawal effortless — all without burying users in banners. A consent management platform that timestamps and logs every decision turns consent expiry from a compliance headache into a background process.
