The General Data Protection Regulation (GDPR) sets strict rules for how websites collect and process personal data through cookies. Despite being in effect since May 2018, many websites still get cookie consent wrong. Enforcement actions from European data protection authorities (DPAs) have increased year over year, with fines ranging from a few thousand euros to hundreds of millions.
This guide explains what GDPR actually requires for cookie consent, what the most common mistakes are, and how to implement consent correctly.
What GDPR says about cookies
GDPR itself does not mention cookies by name. Cookie consent requirements come from the interaction of two pieces of legislation:
- GDPR (Regulation 2016/679) defines consent standards and governs the processing of personal data.
- ePrivacy Directive (Directive 2002/58/EC) specifically covers the storage of information (including cookies) on a user’s device.
Together, they establish that any cookie that is not “strictly necessary” for providing the service the user requested requires the user’s informed, freely given consent before the cookie is set.
The six requirements for valid consent
The European Data Protection Board (EDPB) has issued detailed guidance on what constitutes valid consent under GDPR. Consent must be:
1. Prior (before processing)
Consent must be obtained before any non-essential cookies are set. This means your website must block analytics, marketing, and other tracking scripts until the user actively consents. A banner that sets cookies on page load and then asks for consent afterward does not meet this requirement.
This is the most commonly violated requirement. Many consent implementations load Google Analytics or Facebook Pixel before the user interacts with the banner.
2. Informed
The user must understand what they are consenting to. Your consent banner must clearly explain:
- What categories of cookies you use (e.g., analytics, marketing, functional)
- What each category does in plain language
- Which third parties receive data through these cookies
- How long the cookies persist
Burying this information behind multiple clicks or using vague language like “we use cookies to improve your experience” is not sufficient.
3. Freely given
Consent cannot be coerced. This means:
- No cookie walls. You cannot block access to your website unless the user accepts cookies. The EDPB has stated that making website access conditional on cookie acceptance does not constitute freely given consent.
- No bundled consent. You cannot force users to accept all cookie categories at once. Users must be able to accept some categories and reject others.
- No pre-ticked boxes. The CJEU confirmed in the Planet49 case (C-673/17) that pre-selected checkboxes do not constitute valid consent.
4. Specific and granular
Users must be able to consent to each purpose separately. At minimum, your consent banner should offer separate choices for:
- Necessary cookies (always on, no consent needed)
- Functional cookies (preferences, language settings)
- Analytics cookies (traffic measurement, behavior analysis)
- Marketing cookies (advertising, retargeting, social media)
A single “Accept All” button without the option to make granular choices does not satisfy this requirement.
5. Unambiguous (clear affirmative action)
Consent requires a clear affirmative action. Scrolling, continuing to browse, or closing the banner does not constitute consent. The user must actively click a button or toggle to indicate their choice.
Both “Accept All” and “Reject All” buttons should be equally prominent. Some DPAs, notably the French CNIL, have specifically fined companies for making the reject option harder to find than the accept option.
6. Withdrawable
Users must be able to withdraw consent as easily as they gave it. If a user accepted cookies with one click, they should be able to revoke that consent with one click. This typically means providing a persistent link or button (often in the footer) that reopens the consent preferences panel.
Strictly necessary cookies are exempt
Not all cookies require consent. Cookies that are “strictly necessary” for providing the service the user explicitly requested are exempt from the consent requirement. Examples include:
- Session cookies that maintain login state
- Shopping cart cookies in e-commerce
- Load balancing cookies
- Cookie consent preference cookies themselves
However, the definition of “strictly necessary” is narrow. Analytics cookies, even first-party ones, are not strictly necessary. A/B testing cookies, social media widgets, and advertising cookies all require consent.
Common mistakes that trigger enforcement
European DPAs have issued guidance and fines for these common violations:
Loading scripts before consent. The most frequent violation. If your consent tool operates in “signal-only” mode (telling Google Analytics about consent status but not actually blocking the script), you are likely non-compliant under GDPR’s “prior consent” requirement.
Reject is harder than accept. CNIL fined Google 150 million euros in part because rejecting cookies required navigating through multiple screens while accepting required a single click. Both options should be equally accessible.
No way to withdraw consent. Many sites show the consent banner once and provide no mechanism to change preferences later.
Vague cookie descriptions. Describing all cookies as “improving your experience” without explaining what data is collected and by whom.
Pre-checked consent categories. Setting analytics or marketing toggles to “on” by default in the preferences panel.
Ignoring the ePrivacy Directive. Some sites only consider GDPR’s “legitimate interest” basis and skip consent for analytics. Under the ePrivacy Directive, consent is required regardless of the GDPR legal basis for the underlying data processing.
What full GDPR compliance looks like
A compliant cookie consent implementation:
- Blocks all non-essential scripts until the user consents (full blocking mode)
- Shows a clear banner with Accept All, Reject All, and Manage Preferences options of equal prominence
- Provides granular controls for each cookie category with clear descriptions
- Documents consent with a timestamp and version record
- Allows withdrawal through a persistent, easily accessible preferences link
- Respects Global Privacy Control (GPC) signals from the browser
- Implements Google Consent Mode V2 if using Google services, so that denied consent correctly restricts Google tag behavior
- Keeps a cookie inventory that is regularly updated through automated scanning
- Adapts to jurisdiction using geo-rules (e.g., stricter defaults for EU visitors, different requirements for US visitors under CCPA)
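The blocking, documentation and withdrawal points above (and the "signal-only" problem under common mistakes) in code, as an added example that is not CookieBoss's or any CMP's own implementation: third-party tags are held inert in the page and only activated for the categories the stored consent record allows. CONSENT_VERSION, the data-consent attribute and the record shape are this example's own assumptions.

```javascript
// Added example, not CookieBoss code: a minimal "full blocking mode" consent gate.
// Tags are written into the page as inert <script type="text/plain"
// data-consent="analytics" data-src="https://..."> elements, so nothing loads before
// the user chooses. CONSENT_VERSION, data-consent and the record shape are assumptions.
const CONSENT_VERSION = "2024-01"; // bump whenever the cookie inventory or texts change
const CATEGORIES = ["functional", "analytics", "marketing"]; // "necessary" never needs consent

// True when the browser sends a Global Privacy Control signal (always false under Node).
function gpcSignal() {
  return typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
}

// The record stored as evidence of consent: timestamp, version and per-category choice.
// Nothing is pre-ticked: a category is on only if the user explicitly turned it on,
// and a GPC signal turns every optional category off.
function buildConsentRecord(choices, opts = {}) {
  const gpc = opts.gpc === undefined ? gpcSignal() : opts.gpc === true;
  const categories = { necessary: true };
  for (const c of CATEGORIES) categories[c] = !gpc && choices[c] === true;
  return { version: CONSENT_VERSION, timestamp: opts.now || new Date().toISOString(), gpc, categories };
}

// May a tag in this category run? No record means no consent yet (prior consent), and a
// record from an older CONSENT_VERSION is stale: ask again instead of reusing it.
function isAllowed(record, category) {
  if (category === "necessary") return true;
  if (!record || record.version !== CONSENT_VERSION) return false;
  return record.categories[category] === true;
}

// Withdrawal must be as easy as consent: one call clears every optional category.
function withdrawAll(record) {
  return buildConsentRecord({}, { gpc: Boolean(record && record.gpc) });
}

// Browser-only: turn the inert tags whose category has consent into real scripts.
// Returns the categories activated (empty outside a browser, e.g. under Node).
function activateScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return [];
  const activated = [];
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(record, el.dataset.consent)) continue;
    const s = doc.createElement("script");
    if (el.dataset.src) s.src = el.dataset.src; else s.textContent = el.textContent;
    el.replaceWith(s); // inserting a fresh <script> element is what executes it
    activated.push(el.dataset.consent);
  }
  return activated;
}
```

Call activateScripts with the stored record on page load (and again after the user saves preferences); a "Reject All" button simply stores buildConsentRecord({}) and activates nothing.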
Enforcement is increasing
European DPAs issued over 2.1 billion euros in GDPR fines in 2023 alone. While the largest fines target major tech companies, small and medium businesses are increasingly subject to enforcement. The Austrian DPA (DSB), French CNIL, and Italian Garante have all issued decisions specifically about cookie consent banners.
Cookie consent is often the first thing a DPA checks because it is publicly visible. Unlike internal data processing practices, anyone can visit your website and observe whether your consent implementation meets GDPR requirements.
Getting started
If your website serves European visitors, you need a consent management platform (CMP) that supports full blocking mode, granular consent categories, and consent documentation. CookieBoss provides all of these features with a consent script that loads in under 20KB and blocks non-essential scripts until the user makes a choice.
For a step-by-step implementation guide, see our Google Consent Mode V2 setup guide or start a free trial to see how CookieBoss works on your site.