TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. Cookie Consent GDPR: Requirements and Implementation
Cookie Policy

Cookie Consent GDPR: Requirements and Implementation

Understand GDPR cookie consent requirements. Learn what the law says, how to collect valid consent, and avoid fines up to 20M EUR.

TermsBox Team|April 3, 202612 min read

Cookie consent under the GDPR is one of the most enforced areas of European data protection law. GDPR cookie consent requires websites to obtain a visitor's explicit, informed agreement before placing any non-essential cookies on their device, and regulators have issued hundreds of millions of euros in fines against organizations that get it wrong.

This guide explains exactly what the GDPR requires for cookie consent, how the ePrivacy Directive interacts with it, what valid consent looks like, and how to implement it correctly. This is educational content, not legal advice. For guidance specific to your situation, consult a qualified attorney.

What GDPR Cookie Consent Actually Requires

GDPR cookie consent obligations come from two pieces of legislation working together: the General Data Protection Regulation (GDPR) and the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC).

Article 5(3) of the ePrivacy Directive is the primary rule for cookies. It states that storing information on a user's device, or accessing information already stored, requires the user's prior consent. The GDPR then defines what valid consent means through Article 4(11) and Article 7.

Together, these laws establish that:

  • Consent must be given before non-essential cookies are placed (prior consent, not retroactive)
  • Consent must be freely given, meaning the user has a genuine choice without negative consequences for refusing
  • Consent must be specific, with clear information about what each cookie category does
  • Consent must be informed, requiring plain-language explanations of purposes and data recipients
  • Consent must be unambiguous, requiring a clear affirmative action such as clicking a button

The only cookies exempt from consent are those that are "strictly necessary" for providing a service the user explicitly requested. This narrow exception covers session cookies, authentication tokens, shopping cart cookies, and security cookies such as CSRF tokens. It does not cover analytics, advertising, social media, or personalization cookies.

Which Cookies Require GDPR Consent

Understanding which cookies fall under GDPR cookie consent rules requires examining the purpose of each cookie, not just its technical characteristics.

Cookies that require consent

  • Analytics cookies: Google Analytics, Matomo (when using cookies), Hotjar, Mixpanel, and any tool that measures visitor behavior
  • Advertising cookies: Google Ads remarketing, Facebook Pixel, LinkedIn Insight Tag, programmatic advertising trackers
  • Social media cookies: Share buttons, embedded social feeds, login-with-Facebook/Google widgets
  • Personalization cookies: Content recommendations, A/B testing tools, user preference tracking beyond what the user explicitly configured
  • Third-party cookies: Any cookie set by a domain other than the one the user is visiting, with very few exceptions

Cookies exempt from consent

  • Session management: Server session identifiers that maintain login state
  • Shopping cart: Cookies that remember items in a cart during an active shopping session
  • Load balancing: Technical cookies that distribute server traffic
  • Cookie consent choices: The cookie that stores the visitor's own consent preferences
  • Security: CSRF tokens, fraud detection mechanisms, authentication state
  • User interface preferences: Language selection or accessibility settings that the user explicitly chose

The EDPB has emphasized that the "strictly necessary" exception must be interpreted narrowly. A cookie is not strictly necessary just because the website owner considers it important.

What Valid GDPR Cookie Consent Looks Like

The GDPR sets a high bar for valid consent. Regulators and courts have clarified exactly what does and does not meet the standard through enforcement actions and case law.

Requirements for valid consent

Valid GDPR cookie consent must satisfy all of the following conditions:

  1. Prior: No non-essential cookies load before the visitor makes a choice. The consent banner must appear, and the visitor must act, before analytics or marketing scripts execute.

  2. Granular: Visitors must be able to consent to specific categories independently. An "accept all" button is permitted only if an equally prominent option to manage individual categories exists.

  3. Informed: The banner or its linked cookie policy must explain what cookies are used, who sets them, what data they collect, and how long they last. A cookie policy generator can produce this documentation based on the cookies detected on your site.

  4. Freely given: Consent cannot be bundled with other agreements (such as terms of service). The visitor must be able to refuse cookies without losing access to the service. Cookie walls that block content are prohibited under EDPB Guidelines 05/2020, with narrow exceptions.

  5. Unambiguous affirmative action: Scrolling, continuing to browse, or closing the banner does not constitute consent. The visitor must actively click a button or toggle individual categories.

  6. Withdrawable: Article 7(3) of the GDPR requires that withdrawing consent is as easy as giving it. A persistent link or icon must allow visitors to reopen their preferences at any time.

  7. Documented: Article 7(1) of the GDPR states that controllers must be able to demonstrate consent. You need records showing what the visitor consented to, when, and what information was presented.

Practices that invalidate consent

Enforcement actions across Europe have identified these common violations:

  • Pre-checked boxes: The Court of Justice of the EU ruled in Planet49 (Case C-673/17) that pre-ticked checkboxes do not constitute valid consent.
  • Dark patterns: Making the "accept" button large and colorful while making "reject" a small gray text link is manipulative. The CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 partly because rejecting cookies required multiple clicks while accepting required only one.
  • Implied consent: Banners stating "by continuing to use this site you agree to cookies" do not collect valid consent. Continued browsing is not an affirmative action.
  • Bundled consent: Requiring cookie acceptance as a condition of using the site or completing a purchase violates the "freely given" requirement.

GDPR Cookie Consent Penalties and Enforcement

GDPR cookie consent enforcement has been aggressive and consistent. Regulators across Europe have made cookies a priority because violations are easy to detect (just visit the website), affect large populations, and demonstrate whether an organization takes data protection seriously.

Notable enforcement actions

  • Google (France, 2022): 150 million EUR fine from CNIL for making cookie rejection harder than acceptance
  • Facebook/Meta (France, 2022): 60 million EUR fine from CNIL for the same reason
  • Amazon (France, 2020): 35 million EUR fine for placing advertising cookies without prior consent
  • TikTok (France, 2023): 5 million EUR fine for not providing an equally simple way to refuse cookies
  • Criteo (France, 2023): 40 million EUR fine for collecting consent through partners without adequate verification

Smaller companies are not exempt. National data protection authorities regularly fine small and medium businesses for cookie violations, though penalties are typically proportionate, ranging from several thousand to several hundred thousand euros.

How regulators detect violations

Data protection authorities use automated scanning tools to check websites for compliance. They look for:

  • Non-essential cookies set before any consent interaction
  • Cookie banners without a reject option or with dark patterns
  • Missing or inadequate cookie policies
  • Consent records that cannot be produced on request
  • Cookie banners that do not reappear for visitors who have not previously consented

Complaints from visitors are another common trigger for investigations.

How to Implement GDPR Cookie Consent Correctly

Implementing compliant GDPR cookie consent involves more than installing a banner. The technical implementation must match the legal requirements precisely.

Step 1: Audit every cookie on your site

Before configuring consent, identify every cookie your website sets. This includes cookies from your own code, third-party scripts, embedded content (YouTube, Google Maps, social widgets), and analytics tools. Document each cookie's name, provider, purpose, category, and retention period.

An automated compliance scanner can detect cookies that manual audits miss, particularly those set by iframes and third-party scripts that only load under certain conditions.

Step 2: Categorize cookies

Group cookies into consent categories. The standard categories are:

Cookie Policy Generator

Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.

Generate Now
  • Strictly necessary: Exempt from consent
  • Analytics/performance: Requires consent
  • Marketing/advertising: Requires consent
  • Functional/preferences: Requires consent (unless the user explicitly requested the preference)

Each cookie must be assigned to exactly one category. When in doubt about whether a cookie is "strictly necessary," it almost certainly is not. The exception is narrow by design.

Step 3: Implement prior blocking

This is the most technically important step. Your consent mechanism must prevent all non-essential scripts from executing until consent is received. Methods include:

  • Script type modification: Change type="text/javascript" to type="text/plain" and add a consent category attribute. The consent tool flips scripts back to executable after consent.
  • Tag manager integration: Use Google Tag Manager or a similar tool with consent triggers that fire tags only after receiving a consent signal.
  • Server-side blocking: Intercept the page before it reaches the browser and remove non-essential script tags until consent status is confirmed.

Test blocking by opening your site in a private browser window and checking the DevTools Application tab for cookies before interacting with the banner. If any non-essential cookies appear, your blocking is not working.

Step 4: Design the consent interface

Your cookie banner must meet specific design requirements under the GDPR:

  • Present "Accept All" and "Reject All" with equal visual prominence. Both should be buttons of similar size and color contrast.
  • Provide a "Manage Preferences" option that opens category-level controls.
  • Do not pre-check any non-essential category.
  • Include a link to your full cookie policy.
  • Use clear, plain language that a non-technical visitor can understand.
  • Do not use manipulative design patterns (color contrast tricks, confusing button labels, hidden reject options).

Step 5: Store and manage consent records

Build or use a system that records every consent decision with:

  • A timestamp of when consent was given or refused
  • The specific categories accepted and rejected
  • The version of the banner text displayed
  • An anonymized visitor identifier
  • The method of consent (which button was clicked)

These records are your proof of compliance if a regulator asks. Article 7(1) of the GDPR places the burden of demonstrating valid consent on the data controller.

Step 6: Create a cookie policy

Your GDPR cookie consent implementation requires a comprehensive cookie policy that lists every cookie by name, explains its purpose, identifies who sets it, specifies its retention period, and states its category. A cookie policy generator can create this documentation from your scan results.

Link the cookie policy from your consent banner, your privacy policy, and your website footer. Visitors must be able to find it easily.

GDPR Cookie Consent and Google Consent Mode

Google introduced Consent Mode v2 as a requirement for advertisers in the European Economic Area starting March 2024. It directly interacts with GDPR cookie consent by communicating consent status to Google's tags.

When a visitor has not consented, Consent Mode instructs Google tags to run in a restricted state. No cookies are set, and no personal identifiers are collected. Google uses aggregated, modeled data to fill measurement gaps. When consent is granted, full tracking resumes.

To implement Consent Mode with your GDPR cookie consent setup:

  • Set the default consent state to "denied" for analytics_storage, ad_storage, ad_user_data, and ad_personalization
  • Map your consent tool's categories to Google's consent types
  • Update consent state to "granted" only after the visitor explicitly accepts the relevant category
  • Verify implementation using Google Tag Assistant

Without Consent Mode, Google Ads campaigns targeting EEA visitors lose access to conversion modeling, audience building, and remarketing. This makes it both a compliance necessity and a business requirement for advertisers.

GDPR Cookie Consent for Different Website Types

The core GDPR cookie consent requirements apply to all websites, but implementation details vary by site type.

E-commerce sites

Online stores face additional complexity because they use payment processor cookies, conversion tracking, retargeting pixels, and product recommendation engines. Shopping cart and checkout session cookies are strictly necessary, but all marketing and analytics tracking requires consent. Ensure your consent tool does not block payment or cart functionality.

Content and media sites

Blogs, news sites, and content platforms often rely heavily on advertising revenue. Programmatic advertising requires TCF 2.2 (Transparency and Consent Framework) support in your consent tool to pass valid consent signals through the advertising supply chain. Without TCF integration, ad networks may not serve personalized ads to your EU visitors.

SaaS applications

Software applications must distinguish between cookies needed for the application to function (authentication, session state, security) and cookies used for analytics and marketing. Application functionality cookies are typically strictly necessary, but usage analytics and feature-adoption measurement require consent.

Single-page applications

SPAs built with React, Vue, or Angular need cookie consent solutions that handle dynamic route changes without resetting consent state. JavaScript-based consent management platforms that integrate at the script level are better suited to these architectures than traditional CMS plugins.

Frequently Asked Questions

Is cookie consent required under the GDPR?

Yes. The GDPR, combined with Article 5(3) of the ePrivacy Directive, requires websites to obtain informed, freely given, specific, and unambiguous consent before placing non-essential cookies on a visitor's device. The only exception is for strictly necessary cookies that are essential for the service the user explicitly requested, such as session cookies or shopping cart cookies.

What happens if my website does not comply with GDPR cookie consent rules?

Non-compliance with GDPR cookie consent requirements can result in fines up to 20 million EUR or 4% of annual global turnover, whichever is higher. Enforcement is active across EU member states. The French authority CNIL fined Google 150 million EUR and Facebook 60 million EUR in 2022 specifically for cookie consent failures. Smaller companies also face penalties, though fines are typically proportionate to the violation and the organization's size.

Can I use a cookie wall to force visitors to accept cookies?

No. The European Data Protection Board (EDPB) stated in Guidelines 05/2020 that cookie walls, which block access to content unless cookies are accepted, do not provide freely given consent. Consent is not free if the user has no genuine choice. Some limited exceptions may apply for paid content sites offering a cookie-free subscription alternative, but the general rule is that cookie walls violate GDPR consent requirements.

Do I need cookie consent for Google Analytics under the GDPR?

Yes. Google Analytics sets cookies that track visitor behavior and collect personal data such as IP addresses and browsing patterns. This requires explicit opt-in consent under the GDPR and ePrivacy Directive. Loading the Google Analytics script before consent is given is a violation, even if IP anonymization is enabled, because the cookies themselves require consent under the ePrivacy Directive regardless of whether the data qualifies as personal data under the GDPR.

Related Tools

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Related Articles

Cookie Policy

CMP Cookie Guide: What It Is and Why You Need One

Learn what a CMP cookie is, how consent management platforms work, and how to implement cookie CMP compliance for GDPR and ePrivacy.

April 4, 202610 min read
Cookie Policy

Cookie Consent Banner: Complete Implementation Guide (2026)

Learn how to implement a cookie consent banner that meets GDPR, ePrivacy, and CCPA requirements. Covers design, script blocking, and compliance.

April 4, 202612 min read
Cookie Policy

Cookie Policy Banner: Setup Guide for Website Compliance

Learn how to set up a cookie policy banner that meets GDPR and ePrivacy requirements. Covers consent flows, design, and legal obligations.

April 4, 202610 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What GDPR Cookie Consent Actually Requires
  • Which Cookies Require GDPR Consent
  • Cookies that require consent
  • Cookies exempt from consent
  • What Valid GDPR Cookie Consent Looks Like
  • Requirements for valid consent
  • Practices that invalidate consent
  • GDPR Cookie Consent Penalties and Enforcement
  • Notable enforcement actions
  • How regulators detect violations
  • How to Implement GDPR Cookie Consent Correctly
  • Step 1: Audit every cookie on your site
  • Step 2: Categorize cookies
  • Step 3: Implement prior blocking
  • Step 4: Design the consent interface
  • Step 5: Store and manage consent records
  • Step 6: Create a cookie policy
  • GDPR Cookie Consent and Google Consent Mode
  • GDPR Cookie Consent for Different Website Types
  • E-commerce sites
  • Content and media sites
  • SaaS applications
  • Single-page applications
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.