Consent Expiration Settings – Managing Consent Duration

Consent expiration determines how long a user’s cookie preferences remain valid before they’re asked to renew their consent. This setting balances user experience with compliance requirements—long expiration periods create a seamless experience for returning visitors, while shorter periods ensure users stay informed about your data practices as they evolve. Understanding and properly configuring consent expiration is essential for maintaining valid consent under privacy regulations.

This guide explains what consent expiration is, why it matters for compliance, how different regulations view consent duration, and how to configure expiration settings in DigiConsent to meet both legal requirements and user experience goals.

Understanding Consent Expiration

Consent expiration is the mechanism that determines when stored consent preferences are no longer valid and users must be asked again.

What Happens When Consent Expires

When a user’s consent reaches its expiration date:

  1. Consent is cleared: The stored consent preference is deleted
  2. Banner reappears: The cookie consent banner shows again on the next visit
  3. Tracking stops: Non-necessary cookies and tracking scripts are blocked again
  4. User chooses again: User must make a fresh consent decision
  5. New expiration set: A new expiration period begins when consent is given

This ensures consent remains fresh and users stay informed about your data practices, particularly if they’ve changed since the original consent.

How Consent Expiration is Stored

DigiConsent stores consent preferences in a cookie (typically named something like digiconsent_consent). This cookie contains:

  • Consent choices: Which categories the user accepted or rejected
  • Timestamp: When consent was given
  • Expiration date: When the consent should expire
  • Version: Which version of your privacy policy/cookie notice was shown

The cookie itself has an expiration date matching your configured consent duration. When the cookie expires, so does the consent.

Legal Requirements for Consent Duration

Different privacy regulations have varying guidance on how long consent can remain valid.

GDPR (European Union)

GDPR doesn’t specify an exact consent expiration period, but provides principles:

  • Must be “fresh”: Consent shouldn’t become stale or meaningless over time
  • Context-dependent: Duration should match the context and user expectations
  • Regular review: Users should periodically reconsider their choices
  • Change notification: If practices change, consent must be renewed

European Data Protection Board (EDPB) guidance suggests consent should typically expire within 12 months, though this isn’t a hard rule. Many privacy authorities recommend 6-12 months for cookie consent.

CCPA/CPRA (California)

CCPA is less prescriptive about consent duration:

  • Focuses more on the right to opt-out than ongoing consent
  • No specific expiration period mandated
  • Consent should remain valid as long as practices don’t change
  • Users must be able to withdraw consent easily at any time

Other Jurisdictions

UK GDPR: Similar to EU GDPR, recommends 6-12 months

France (CNIL): Explicitly recommends maximum 6 months for cookie consent

Germany: Generally aligns with GDPR principles, 12 months typical

Brazil (LGPD): No specific duration, but consent must be “freely given and informed”

Recommended Duration

Based on regulatory guidance and best practices:

  • Conservative (safest): 6 months
  • Standard: 12 months (1 year)
  • Maximum: 24 months (2 years), only if practices are very stable

Most websites use 12 months as a balance between compliance and user experience. If you operate in France or target French users, use 6 months maximum.

Configuring Consent Duration in DigiConsent

DigiConsent makes it easy to set your preferred consent expiration period.

Setting Expiration Duration

  1. Navigate to DigiConsent > Settings > Consent Duration
  2. Find the Consent Expiration setting
  3. Choose your duration:
    • Select from preset options (3 months, 6 months, 12 months, 24 months)
    • Or enter a custom duration in days
  4. Review the setting to ensure it matches your compliance requirements
  5. Save changes

Duration Options Explained

3 Months (90 days):

  • Very conservative approach
  • Ensures consent is frequently refreshed
  • May annoy returning visitors with frequent consent requests
  • Consider for websites with rapidly changing data practices

6 Months (180 days):

  • Recommended for the French market (CNIL requirement)
  • Conservative but reasonable
  • Balances compliance with user experience
  • Good default for GDPR compliance

12 Months (365 days):

  • Most common duration
  • Generally acceptable under GDPR
  • Provides good user experience for returning visitors
  • Recommended for most websites

24 Months (730 days):

  • Maximum recommended duration
  • May be questioned by privacy authorities
  • Only use if data practices are extremely stable
  • Not recommended for GDPR compliance

Factors Affecting Consent Duration Choice

Several factors should influence your consent expiration decision.

Target Audience Geography

Where your users are located affects appropriate duration:

  • Primarily EU/UK: 6-12 months recommended
  • French users: 6 months maximum (CNIL requirement)
  • US-only audience: 12-24 months may be acceptable
  • Global audience: Use the strictest requirement (6 months to cover France)

Frequency of Privacy Practice Changes

How often you update cookies and tracking:

  • Frequent changes: Shorter duration (6 months) ensures users see updates
  • Stable practices: Longer duration (12 months) is acceptable
  • Rule: If practices change, you must obtain fresh consent regardless of expiration

User Visit Frequency

How often users return affects their experience:

  • Daily/weekly visitors: Longer duration (12 months) prevents frequent consent requests
  • Infrequent visitors: Shorter duration (6 months) ensures consent isn’t extremely old when they return
  • Mixed audience: Balance based on majority behavior

Type of Data Processing

Sensitivity of tracking affects appropriate duration:

  • Basic analytics only: 12 months is typically fine
  • Heavy marketing tracking: 6-12 months ensures users stay informed
  • Sensitive categories: Shorter duration shows respect for privacy

Consent Renewal and User Experience

When consent expires, users must go through the consent process again. Design this experience thoughtfully.

Renewal User Flow

  1. User returns after expiration: They visit your site after the consent period has ended
  2. Banner appears again: They see the consent banner as if they were a new visitor
  3. Previous choices shown (optional): Some implementations show their previous choices pre-selected for convenience
  4. User confirms or changes: They can keep previous choices or make different decisions
  5. New expiration set: Fresh consent period begins

Should Previous Choices Be Pre-Selected?

There’s debate about whether to pre-select previous choices when consent expires:

Pre-selecting previous choices:

  • Pros: Better UX, users likely want same choices, reduces friction
  • Cons: May not meet GDPR “freely given” requirement, can feel manipulative
  • Verdict: Risky under GDPR; safer to start fresh

Starting fresh (no pre-selection):

  • Pros: Clearly complies with GDPR, ensures active consent
  • Cons: More friction for returning users
  • Verdict: Safest approach for compliance

The conservative approach is to show the banner as if the user were new, with no pre-selected choices.

Consent Expiration vs. Withdrawal

Expiration and withdrawal are different mechanisms for ending consent.

Consent Expiration (Automatic)

  • Happens automatically after the configured time period
  • User doesn’t actively trigger it
  • Ensures consent stays fresh over time
  • Compliance-driven mechanism

Consent Withdrawal (User-Initiated)

  • User actively changes or revokes consent
  • Can happen at any time, regardless of expiration
  • Triggered by clicking “Manage Cookie Preferences” or similar
  • User right under GDPR and other regulations

Both mechanisms are necessary: expiration ensures compliance over time, withdrawal empowers users to change their minds immediately.

Handling Consent Changes

When your privacy practices change, you may need to obtain fresh consent before the normal expiration.

Material Changes Requiring Re-Consent

Obtain fresh consent when:

  • New tracking tools: Adding Facebook Pixel, new analytics platforms, etc.
  • New data uses: Using data for purposes not originally disclosed
  • New third parties: Sharing data with new partners or service providers
  • Privacy policy changes: Significant updates to how you handle data
  • New cookie categories: Adding cookies that weren’t previously disclosed

Invalidating Existing Consent

When material changes occur, you can invalidate existing consent:

  1. Update your privacy policy and cookie descriptions
  2. Increase the consent version number in DigiConsent
  3. Existing consent becomes invalid (treated as expired)
  4. All users see the consent banner again with updated information
  5. Users provide fresh consent based on new practices

This ensures all users are informed about and consent to the new data practices.

Regional-Specific Expiration

Advanced implementations can set different expiration periods for different regions.

Why Regional Expiration Matters

Different jurisdictions have different requirements:

  • French users require a 6-month maximum (CNIL)
  • EU users generally expect 6-12 months (GDPR)
  • US users might accept longer durations
  • Other regions have varying expectations

Implementing Regional Expiration

If DigiConsent supports regional settings:

  1. Configure base expiration (e.g., 12 months for most users)
  2. Set regional overrides:
    • France: 6 months
    • EU/EEA: 12 months
    • Other: 12 or 24 months
  3. DigiConsent detects user location (via IP or browser settings)
  4. Applies appropriate expiration period

This maximizes user experience globally while meeting the strictest local requirements.
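
An added example (not DigiConsent's own code) of the validity check implied by the stored cookie fields, the version-based invalidation and the regional overrides described above. The JSON cookie encoding, the field names, the policy object and the function names are assumptions made for illustration.

```javascript
// Added example. Field names and JSON encoding are assumptions, not DigiConsent's format.
const DAY_MS = 24 * 60 * 60 * 1000;
// Hypothetical policy: current notice version plus regional durations.
const POLICY = {
  currentVersion: 3,                    // raised on each material change
  defaultDays: 365,
  regionDays: new Map([['FR', 180]]),   // 6-month override for France
};

// Parse the raw cookie value; return null for anything malformed.
function parseConsent(rawValue) {
  try {
    const rec = JSON.parse(decodeURIComponent(rawValue));
    const ok = rec !== null && typeof rec === 'object' &&
      rec.categories !== null && typeof rec.categories === 'object' &&
      Number.isFinite(rec.timestamp) && Number.isFinite(rec.expires) &&
      Number.isInteger(rec.version);
    return ok ? rec : null;
  } catch { return null; }
}

// Decide whether stored consent may still be honoured at time nowMs.
function evaluateConsent(rawValue, region, nowMs, policy = POLICY) {
  const rec = parseConsent(rawValue);
  if (!rec) return { valid: false, reason: 'missing-or-malformed' };
  if (rec.version !== policy.currentVersion) return { valid: false, reason: 'version-changed' };
  if (rec.timestamp > nowMs) return { valid: false, reason: 'timestamp-in-future' };
  const days = policy.regionDays.get(region) ?? policy.defaultDays;
  // The stored expiry is editable in the browser, so cap it with a
  // deadline recomputed from the timestamp and the current policy.
  const deadline = Math.min(rec.expires, rec.timestamp + days * DAY_MS);
  if (nowMs > deadline) return { valid: false, reason: 'expired' };
  return { valid: true, reason: 'ok', categories: rec.categories };
}

// Categories allowed to load; invalid consent means necessary only.
function allowedCategories(result) {
  if (!result.valid) return ['necessary'];
  const granted = Object.entries(result.categories)
    .filter(([name, on]) => on === true && name !== 'necessary')
    .map(([name]) => name);
  return ['necessary', ...granted];
}

// Constructed sample: consent given 2024-01-01 under notice version 3.
const GIVEN = Date.UTC(2024, 0, 1);
const SAMPLE = encodeURIComponent(JSON.stringify({
  categories: { analytics: true, marketing: false },
  timestamp: GIVEN, expires: GIVEN + 365 * DAY_MS, version: 3 }));
```

Because the deadline is recomputed from the timestamp, shortening the configured duration or raising the version takes effect on consent that was stored earlier, without waiting for the cookie itself to lapse.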

Testing Consent Expiration

Verify that consent expiration works correctly before going live.

Manual Testing

  1. Give consent: Accept cookies on your site
  2. Check expiration: In DevTools → Application → Cookies, find the DigiConsent cookie
  3. Verify expiration date: Confirm it’s set to your configured duration from now
  4. Manually expire: Edit the cookie and set the expiration to a past date
  5. Reload page: Banner should reappear as if consent expired
  6. Verify tracking stops: Non-necessary cookies should be blocked

Automated Expiration Testing

For thorough testing, temporarily set a very short expiration:

  1. Configure expiration to 1 minute (for testing only)
  2. Give consent and accept cookies
  3. Wait 61 seconds
  4. Reload the page
  5. Banner should reappear
  6. Tracking should stop
  7. Reset expiration to production value after testing

Best Practices for Consent Expiration

  • Follow strictest regulation: If you have a global audience, use 6 months to cover French requirements
  • Document your decision: Record why you chose your expiration period for compliance audits
  • Don’t exceed 12 months: Unless you have specific reasons and legal advice
  • Communicate changes: If you change expiration duration, update privacy policy
  • Test thoroughly: Verify expiration works before launching
  • Monitor consent rates: Track how many users consent after expiration
  • Consider user experience: Balance compliance with not annoying frequent visitors
  • Provide easy withdrawal: Let users change consent anytime, not just at expiration
  • Keep records: Maintain logs of when consent was obtained and when it expires
  • Re-consent on changes: Don’t wait for expiration if practices change materially

Consent Duration Configuration Checklist

  • Consent expiration duration configured in DigiConsent
  • Duration chosen based on target audience geography
  • Duration complies with strictest applicable regulation
  • 6 months used if French users are targeted
  • 12 months or less for GDPR compliance
  • Privacy policy states consent duration
  • Consent cookie expiration verified in browser DevTools
  • Expiration tested—banner reappears after expiration
  • Tracking stops when consent expires
  • Regional expiration configured if needed
  • Documentation maintained for compliance audits
  • Process established for invalidating consent when practices change
  • Users can withdraw consent anytime via preference center

Consent expiration is a critical but often overlooked aspect of privacy compliance. By setting an appropriate expiration period, regularly reviewing your configuration as regulations evolve, and ensuring users can easily manage their preferences at any time, you create a consent system that respects user privacy while maintaining a positive experience. Remember that consent expiration isn’t just a technical setting—it’s a commitment to keeping users informed and in control of their data over time.