Cookie expiry and GDPR: rules and best practices

11 May 2026 · 5 min read

TL;DR

GDPR and the ePrivacy Directive do not impose a single universal maximum duration for cookies. However, the ICO and the EDPB recommend a maximum lifespan of 13 months for analytics and advertising cookies, and a maximum consent validity period of 6 months. Duration must be proportionate to the purpose and documented in the cookie policy.

What cookie duration does GDPR require?

Cookie duration is one of the most frequent compliance questions. The regulation does not set a single universal maximum, but establishes a clear principle: retention must be proportionate to the cookie's purpose. A cookie that no longer serves a purpose should no longer exist.

Several texts govern cookie duration in Europe: the ePrivacy Directive (2002/58/EC), GDPR (data minimisation principle, Article 5.1.e), and national guidance from supervisory authorities such as the ICO in the UK and the EDPB at European level.

ICO and EDPB guidance on cookie duration

  • Maximum recommended duration for analytics and advertising cookies: 13 months.
  • Beyond 13 months, duration must be justified and proportionate to the purpose.
  • Session cookies (no fixed duration) expire when the browser is closed.
  • Maximum recommended consent validity period: 6 months.
  • After consent expires, the banner must reappear to collect new consent.


Duration by cookie category

Strictly necessary cookies

No fixed limit is imposed, but duration must remain proportionate. An authentication session cookie typically expires at session close. A language preference cookie can legitimately last 1 year. These cookies do not require consent but must be listed in the cookie policy.

Analytics cookies

Maximum recommended duration: 13 months. Analytics tools such as Google Analytics 4, Matomo, or Adobe Analytics use cookies with varying durations. GA4 notably uses _ga (2 years by default) and _ga_[ID] (2 years). These durations exceed the recommendation: shorter durations must be configured in the tool's settings.

Advertising and retargeting cookies

Maximum recommended duration: 13 months. In practice, advertising platform cookies (Meta Pixel, Google Ads, LinkedIn Insight Tag) often have default durations of 1 to 2 years. A CMP manages consent for these cookies, but cannot control the lifespans set by third parties. Document them as defined by the third party in your cookie policy.

Functional cookies

Duration varies by purpose. A shopping cart cookie can legitimately last 30 days. An interface personalisation cookie can last up to 1 year. The rule: the minimum duration needed to fulfil the declared purpose.

Consent duration is separate from cookie duration

This is a common source of confusion. Cookie lifespan and consent validity are two different things.

Cookie lifespan is the period during which the cookie file remains stored on the user's device. Consent validity is the period during which the consent recorded by the CMP remains valid without requiring renewal.

The recommended maximum for consent validity is 6 months. Beyond that, the banner must reappear to collect new consent. This applies regardless of the technical lifespan of the cookies. See our guide on storing cookie consent proof for proper record-keeping.
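The separation described above, as an added example (not FlowConsent's code): a CMP-style consent record whose 6-month validity is fixed when consent is given and never extended by a page reload. The cookie name `cmp_consent`, the policy version strings and the dates are constructed for illustration.

```javascript
// Added example (not FlowConsent's code): a consent record whose validity (6 months)
// is configured independently of the lifespan of the cookies it authorises.
const CONSENT_VALIDITY_MONTHS = 6; // recommended maximum consent validity

// Add calendar months to a date (UTC); month-end dates roll forward.
function addMonths(date, months) {
  const d = new Date(date.getTime());
  d.setUTCMonth(d.getUTCMonth() + months);
  return d;
}

// The record a CMP stores: when consent was given, when it lapses, for which
// policy version, and the per-category choices.
function createConsentRecord(choices, policyVersion, now) {
  return {
    consentedAt: now.toISOString(),
    expiresAt: addMonths(now, CONSENT_VALIDITY_MONTHS).toISOString(),
    policyVersion,
    choices, // e.g. { analytics: true, advertising: false }
  };
}

// The banner must reappear when no record exists, the policy version changed,
// or the record has lapsed. Reloading a page never moves expiresAt.
function needsRenewal(record, currentPolicyVersion, now) {
  if (!record || record.policyVersion !== currentPolicyVersion) return true;
  return now.getTime() >= Date.parse(record.expiresAt);
}

// Whether a given category may be used right now under this record.
function isAllowed(record, category, currentPolicyVersion, now) {
  return !needsRenewal(record, currentPolicyVersion, now) && record.choices[category] === true;
}

// Serialise the record into the CMP's own cookie (hypothetical name cmp_consent).
// Its Max-Age is the remaining consent validity, so re-setting the cookie on every
// page load cannot silently extend consent (tacit renewal); it only shrinks.
function consentCookieHeader(record, now) {
  const maxAge = Math.max(0, Math.floor((Date.parse(record.expiresAt) - now.getTime()) / 1000));
  const value = encodeURIComponent(JSON.stringify(record));
  return `cmp_consent=${value}; Max-Age=${maxAge}; Path=/; Secure; SameSite=Lax`;
}

// Constructed walkthrough: consent given mid-January, valid until mid-July.
const GIVEN_AT = new Date('2024-01-15T10:00:00Z');
const RECORD = createConsentRecord({ analytics: true, advertising: false }, 'policy-v3', GIVEN_AT);
```

The analytics cookies themselves keep their own (at most 13-month) lifespan; this record only decides whether they may be set at all.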

How to configure durations in practice

Configuring Google Analytics 4

GA4 allows reducing cookie lifespans in the data stream configuration. In the GA4 interface, navigate to Admin > Data Streams > Google tag settings > Configure your settings. It is possible to set shorter durations for cookie_expires_time. The recommendation is not to exceed 13 months.

Configuring your CMP

A CMP like FlowConsent lets you configure consent validity (6 months recommended) and automatically manage banner re-display. The CMP also records the timestamp, version, and duration of each consent.

Documenting durations in the cookie policy

Every cookie listed in the cookie policy must state its retention duration. This documentation is mandatory to meet GDPR's transparency requirements.


Common mistakes on cookie duration

Leaving third-party tool default durations in place. Most tools (GA4, Meta Pixel, LinkedIn) use 1 to 2 year default durations. These often exceed the recommendation. Configure them manually in each tool.

Confusing cookie duration with consent duration. Consent validity (6 months max) and cookie lifespan (13 months max recommended) are two separate parameters. Configure them independently in your CMP and analytics tools.

Not listing durations in the cookie policy. Omitting duration from the cookie policy violates the transparency obligation. Every cookie must be accompanied by its lifespan.

Forgetting third-party cookies set by embedded scripts. Some third-party scripts (widgets, video players, sharing buttons) set cookies with their own, often long, durations. Regular auditing via the FlowConsent scanner identifies them.

Never renewing consent. If consent is collected but never renewed, the legal basis for processing weakens over time. The CMP must redisplay the banner every 6 months for users who have already consented.

GDPR cookie duration compliance checklist

  1. The lifespan of every cookie is documented in the cookie policy.
  2. Analytics and advertising durations do not exceed 13 months.
  3. Consent validity is set to a maximum of 6 months in the CMP.
  4. The banner reappears automatically at consent renewal.
  5. Session cookies expire at browser close.
  6. Default durations of third-party tools (GA4, Meta, LinkedIn) have been adjusted.
  7. Regular audits of third-party cookies on the site are carried out.
  8. Consent records include the consent expiry date.
  9. Functional cookies have durations proportionate to their purpose.
  10. No cookie is retained beyond its declared purpose.
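Checklist items 2, 6 and 7 can be checked mechanically from the Set-Cookie headers a scan captures. The following is an added example, not the FlowConsent scanner: it parses each header, derives the lifespan (Max-Age over Expires, as RFC 6265 requires) and flags analytics or advertising cookies exceeding 13 months. `_ga` is named on the page; the `ads_` prefix, the other cookie names and the response date are constructed.

```javascript
// Added audit example (not FlowConsent's scanner): parse Set-Cookie headers and
// flag analytics/advertising cookies whose lifespan exceeds 13 months.
// Name prefix -> category. _ga is on the page; 'ads_' is a constructed stand-in.
const CATEGORY_RULES = [
  { prefix: '_ga', category: 'analytics' },
  { prefix: 'ads_', category: 'advertising' },
];
const CAPPED_CATEGORIES = new Set(['analytics', 'advertising']);

// Parse one Set-Cookie header into { name, category, expiry }. Per RFC 6265,
// Max-Age takes precedence over Expires; neither means a session cookie (expiry null).
function parseSetCookie(header, responseDate) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const name = pair.slice(0, pair.indexOf('='));
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq === -1 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq === -1 ? '' : attr.slice(eq + 1);
    if (key === 'max-age' && /^-?\d+$/.test(val)) maxAge = Number(val);
    else if (key === 'expires' && !Number.isNaN(Date.parse(val))) expires = new Date(val);
  }
  const rule = CATEGORY_RULES.find((r) => name.startsWith(r.prefix));
  const expiry = maxAge !== null ? new Date(responseDate.getTime() + maxAge * 1000) : expires;
  return { name, category: rule ? rule.category : 'uncategorised', expiry };
}

// Audit the Set-Cookie headers of one response. The 13-month limit is counted in
// calendar months from the response date (setUTCMonth rolls month-end dates forward).
function auditCookies(headers, responseDate) {
  const limit = new Date(responseDate.getTime());
  limit.setUTCMonth(limit.getUTCMonth() + 13);
  return headers.map((h) => {
    const c = parseSetCookie(h, responseDate);
    const session = c.expiry === null;
    const lifespanDays = session ? 0 : Math.round((c.expiry - responseDate) / 86400000);
    const exceedsRecommendation = !session && CAPPED_CATEGORIES.has(c.category) && c.expiry > limit;
    return { name: c.name, category: c.category, session, lifespanDays, exceedsRecommendation };
  });
}

// Constructed sample headers, as a scanner would capture them from responses.
const SAMPLE_HEADERS = [
  '_ga=GA1.1.1234567890.1700000000; Max-Age=63072000; Path=/; SameSite=Lax', // GA4 default: 2 years
  'ads_id=abc123; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/',
  'lang=en; Max-Age=31536000; Path=/', // 1-year preference cookie
  'sessionid=xyz; Path=/; HttpOnly; Secure', // no expiry: session cookie
];
const SAMPLE_DATE = new Date('2024-05-01T00:00:00Z');
const REPORT = auditCookies(SAMPLE_HEADERS, SAMPLE_DATE);
```

Uncategorised cookies are reported with their lifespan but not flagged, since proportionality for necessary and functional cookies is judged against the declared purpose rather than a fixed cap.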

Conclusion

Cookie retention duration is not a technical detail: it is a compliance obligation under GDPR's data minimisation principle. The practical rule: 13 months maximum for analytics and advertising cookies, 6 months maximum for consent validity.

Audit the cookies present on your site and their durations with the FlowConsent cookie scanner.


Frequently asked questions

What is the maximum cookie duration allowed under GDPR?

GDPR does not impose a maximum legal duration for cookies. However, CNIL recommends a maximum of 13 months for audience measurement cookies and 6 months for advertising cookies. Duration must be proportionate to the purpose and justifiable to supervisory authorities.

Does cookie duration need to be disclosed?

Yes. GDPR (Article 13) requires informing users about the data retention period. For cookies, this means specifying their expiration duration in the cookie policy and consent banner. An undisclosed duration constitutes a failure to meet transparency obligations.

Can cookie duration be renewed automatically?

Not without renewed consent. If a page is reloaded and the cookie duration resets without a new user action, this may be considered a non-compliant tacit renewal. Consent must be periodically renewed (CNIL recommendation: every 6 months).

What is the difference between session cookies and persistent cookies?

Session cookies expire when the browser is closed and are generally not subject to consent if strictly necessary. Persistent cookies remain on the device until their expiration date. Their duration must be justified and declared in the cookie policy.

How often should users be asked to renew their cookie consent?

CNIL recommends renewing consent every 6 months. Other European authorities (ICO, EDPB) do not impose a precise frequency but indicate that consent must remain current. FlowConsent automatically manages consent expiration and banner renewal.