Consent Decay: When Does Your Cookie Consent Expire Under GDPR
January 16, 2026
You obtained consent from a user six months ago—but is that consent still valid today? In the world of GDPR, consent is not "forever." It is a dynamic choice that can expire or "decay" over time.
While the GDPR doesn't give a specific expiration date for cookie consent, Data Protection Authorities (DPAs) are clear: if the context changes or too much time passes, you must ask again.
This blog breaks down the legal guidelines for consent lifespan, explains the concept of "decay," and shows how an automated Consent Management Platform (CMP) is essential to managing this risk and keeping your data collection compliant.
1. What is "Consent Decay" and Why Does It Happen?
Consent Decay is the legal risk that the consent a user originally gave is no longer considered valid because of a change in your business or in the user's expectations.
It happens for two main reasons:
- Change in Purpose: If you start collecting data for a new reason (e.g., using a new tracking vendor, or launching a remarketing campaign you didn't have before), the original consent is no longer Specific or Informed—two core pillars of GDPR validity.
- Change in Expectation (Time): A user's relationship with your site degrades over time. After a year or more of inactivity, their original choice may no longer reflect their current wishes. This is why DPAs recommend regular review.
2. The Legal Rule: GDPR's Non-Specific Shelf Life
The GDPR is clear on what makes consent valid (Freely Given, Specific, Informed, Unambiguous), but it intentionally does not set a time limit on how long consent lasts.
- The Problem: This ambiguity puts the burden of proof entirely on you (the data controller). You must be able to argue in an audit that the consent is still "informed" and "specific" based on the user's current relationship with your brand.
- DPA Best Practice: European regulators, including France's CNIL and the UK's ICO, recommend reviewing and refreshing consent at appropriate intervals (often cited as 6 to 24 months, depending on the frequency of the user's interaction). This is the best defense against a fine.
- The Key Requirement: If your processing operations or purposes evolve, you must seek fresh consent.
3. Compliance Risk: When Invalid Consent Leads to Fines
The penalty for collecting data based on decayed consent is the same as collecting data without a banner at all—a GDPR violation.
- Audit Failure: If an auditor sees that you are using consent given three years ago for a user who hasn't visited in two, they can argue the consent is not Informed or Specific enough.
- Missing Withdrawal: If the original banner was non-compliant (e.g., no easy "Reject All") and you didn't fix it, all subsequent processing is based on a flawed foundation.
- Misleading Data: Relying on ancient consent skews your data. You may be tracking users who have long since forgotten they agreed, leading to ineffective marketing campaigns based on inaccurate, old intent.
4. Best Practices: How to Automate Consent Renewal Responsibly
The key to managing decay is using your CMP to set logical, compliant time limits and re-prompt the user at the right moment.
- Set a Consistent Renewal Period: Based on DPA recommendations and your business logic, set your CMP to trigger a re-prompt. 12 months is a common, responsible benchmark for active users.
- Trigger by Inactivity: For users who haven't returned to your site in a set period (e.g., 6 months), their consent is more likely to be decayed. The CMP should re-display the banner upon their next visit.
- Update on Policy Change: If you update your Privacy Policy or add a new tracking vendor, the CMP must automatically invalidate all existing consent and trigger a new banner display for all users, asking them to agree to the new terms.
- Use the CMP's Audit Logs: Your CMP should record the date and time of the last consent action. This proof is essential if you ever need to demonstrate in an audit that you refreshed consent properly.
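The four practices above amount to one decision: given a stored consent record and the site's current policy, decide whether the consent has decayed and, if so, log why before re-prompting. The following is an added example, not code from the original post or from any CMP product; the record layout, the policy object and the function names are assumptions, and the 365-day and 180-day thresholds mirror the 12-month and 6-month benchmarks discussed above.

```javascript
const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Assumed shape of the site's current consent policy. `version` is bumped
// whenever the privacy policy changes; `vendors` lists every active tracker.
const policy = {
  version: "2026-01",
  vendors: ["analytics-vendor", "ads-vendor"],
  renewalDays: 365,   // re-prompt active users after 12 months
  inactivityDays: 180 // re-prompt anyone absent for 6 months or more
};

// Return null if the stored consent is still usable, otherwise a short
// reason the CMP can log before re-displaying the banner. Checks run in
// order of severity: purpose changes invalidate consent regardless of age.
function consentDecayReason(record, policy, nowMs) {
  if (!record) return "no-consent";
  if (record.policyVersion !== policy.version) return "policy-changed";
  const newVendors = policy.vendors.filter((v) => !record.vendors.includes(v));
  if (newVendors.length) return "new-vendor:" + newVendors.join(",");
  const ageDays = (nowMs - Date.parse(record.grantedAt)) / MS_PER_DAY;
  if (ageDays >= policy.renewalDays) return "renewal-period-elapsed";
  const idleDays = (nowMs - Date.parse(record.lastSeenAt)) / MS_PER_DAY;
  if (idleDays >= policy.inactivityDays) return "inactive-too-long";
  return null;
}

// Append an audit entry (timestamp, action, reason) so the refresh can be
// evidenced later; returns the log for chaining.
function recordConsentAction(log, action, reason, nowMs) {
  log.push({ at: new Date(nowMs).toISOString(), action, reason });
  return log;
}

// Constructed sample: consent granted a year ago under an older policy
// version and covering only one of the two current vendors.
const sampleRecord = {
  grantedAt: "2025-01-10T09:00:00Z",
  lastSeenAt: "2025-12-20T09:00:00Z",
  policyVersion: "2025-06",
  vendors: ["analytics-vendor"]
};
const auditLog = [];
const now = Date.parse("2026-01-16T12:00:00Z");
const reason = consentDecayReason(sampleRecord, policy, now);
if (reason) recordConsentAction(auditLog, "re-prompt", reason, now);
```

On a real site the record would come from the CMP's own storage and `now` from the clock; the function is deliberately pure so its decisions are reproducible in an audit.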
Final Takeaway
While GDPR doesn't stamp an expiration date on consent, failing to manage Consent Decay is a compliance failure. Consent must be actively managed to remain "informed" and "specific."
A robust CMP is the only reliable tool for automating this process, ensuring your data collection is legally sound.