Under GDPR the notion of ‘consent’ will also change for cookies that are not ‘strictly necessary’. This is outlined in more detail within Recital 32:
“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.”
A shift towards a much more opt-in (or even soft opt-in) approach for cookies is, therefore, a likely position. This is not dissimilar to the current position under the EU Cookie Law.
There is, however, another condition on consent found in Article 7(3):
“The data subject shall have the right to withdraw his or her consent at any time. …. It shall be as easy to withdraw as to give consent.”
When considered together it would be reasonable to conclude that consent will be valid if the website visitor is displayed an initial notice (and choice) and is able to change this, in a granular way, at a later date.