TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR and Cookies: What Website Owners Must Know in 2026
Cookie Policy

GDPR and Cookies: What Website Owners Must Know in 2026

Learn how GDPR and cookies intersect. Understand consent rules, cookie categories, enforcement penalties, and how to achieve compliance.

TermsBox Team|April 3, 202614 min read

The relationship between GDPR and cookies is one of the most misunderstood areas of European data protection law. GDPR and cookies intersect because the regulation governs how personal data is collected and processed, and most cookies either contain personal data or enable tracking that qualifies as personal data processing.

Since the GDPR took effect in May 2018, data protection authorities across Europe have issued hundreds of enforcement actions related to cookie compliance. This guide breaks down the legal framework, explains which cookies require consent, details the penalties for non-compliance, and walks through the steps to get your website compliant. This is educational content and does not constitute legal advice. Consult a qualified attorney for guidance specific to your situation.

How GDPR and Cookies Interact Legally

The rules governing cookies and GDPR come from two distinct but interconnected pieces of European legislation. Understanding which law applies to what is essential for compliance.

The General Data Protection Regulation (GDPR) governs the processing of personal data. It defines consent standards, data subject rights, and enforcement penalties. It does not mention cookies specifically.

The ePrivacy Directive (Directive 2002/58/EC, amended by Directive 2009/136/EC) specifically addresses cookies. Article 5(3) requires that storing or accessing information on a user's terminal equipment requires the user's prior consent, unless the cookie is strictly necessary for a service the user explicitly requested.

These two laws work together in the following way:

  • The ePrivacy Directive requires consent before placing non-essential cookies (regardless of whether they process personal data)
  • The GDPR defines what valid consent means through Article 4(11) and Article 7
  • The GDPR governs how any personal data collected via cookies must be processed, stored, and protected
  • The GDPR provides the enforcement mechanism, with fines of up to 20 million EUR or 4% of annual global turnover

When a website sets a cookie that tracks user behavior, both laws apply simultaneously. The ePrivacy Directive governs the act of placing the cookie, and the GDPR governs the subsequent processing of the personal data that cookie collects or enables.

Cookie Categories Under GDPR

Cookie GDPR compliance starts with classifying every cookie your website uses into the correct category. Each category carries different consent requirements.

Strictly necessary cookies (no consent required)

These cookies are essential for basic website functionality that the user explicitly requested. They are the only category exempt from consent under Article 5(3) of the ePrivacy Directive. Examples include:

  • Session cookies that maintain login state
  • Shopping cart cookies during an active purchase
  • Load balancing cookies
  • CSRF protection tokens
  • Cookies that store the user's own consent preferences

The exemption is narrow. A cookie is not "strictly necessary" simply because the website owner finds it useful. The European Data Protection Board (EDPB) has clarified in its Guidelines 2/2023 that the assessment must be from the user's perspective: is this cookie essential for a service the user asked for?

Analytics cookies (consent required)

Any cookie that measures, tracks, or reports on visitor behavior requires consent. This includes:

  • Google Analytics (_ga, _gid, _gat cookies)
  • Hotjar session recordings
  • Mixpanel event tracking
  • Matomo when configured with cookies enabled
  • A/B testing tools like Optimizely or VWO

Even privacy-focused analytics tools that anonymize IP addresses still require consent if they use cookies, because the consent obligation under the ePrivacy Directive is triggered by the act of placing a cookie, not by whether the data qualifies as personal data.

Marketing and advertising cookies (consent required)

Advertising cookies track users across websites to build profiles and deliver targeted ads. They almost always involve third-party data sharing and require explicit consent. Common examples:

  • Google Ads remarketing cookies
  • Facebook Pixel (Meta Pixel)
  • LinkedIn Insight Tag
  • Programmatic advertising trackers
  • Affiliate tracking cookies

Social media and functionality cookies (consent required)

Embedded social media widgets, share buttons, and third-party integrations typically set their own cookies. These require consent because they enable tracking by external parties, even if the user never interacts with the widget.

GDPR Cookie Consent Requirements

Cookies GDPR compliance hinges on obtaining consent that meets the standard defined in Article 4(11) and elaborated in Article 7 of the GDPR. Regulators have been explicit about what qualifies.

The five elements of valid cookie consent

  1. Prior: Non-essential cookies must not load until the visitor actively consents. Pre-checked boxes, implied consent from scrolling, and "by continuing to browse" notices are all invalid.
  2. Freely given: The user must have a genuine choice. Cookie walls that block content unless cookies are accepted generally violate this requirement (EDPB Guidelines 05/2020).
  3. Specific: Consent must be granular. A single "Accept All" button without the option to choose individual cookie categories does not meet the specificity requirement.
  4. Informed: The visitor must receive clear, plain-language information about what cookies do, who receives the data, and how long cookies persist.
  5. Unambiguous: Consent requires a clear affirmative action. Silence, pre-ticked checkboxes, or inactivity do not constitute consent. The Court of Justice of the EU confirmed this in the Planet49 case (C-673/17, October 2019).

How to present cookie choices

Data protection authorities across Europe have issued specific guidance on how cookie banners must be designed:

  • Reject must be as easy as accept. The French CNIL and Italian Garante both require that refusing cookies takes no more clicks than accepting them. A prominent "Accept All" button paired with a hidden "Reject" link buried in settings is non-compliant.
  • No dark patterns. Manipulative design that steers users toward accepting, such as using bright colors for "Accept" and grey for "Reject," or requiring users to toggle off each cookie category individually, risks enforcement action.
  • Granular categories. Users must be able to accept or reject cookies by purpose (analytics, marketing, functionality) rather than only having an all-or-nothing choice.
  • Withdraw consent easily. Article 7(3) of the GDPR states that withdrawing consent must be as easy as giving it. A persistent link in the footer or a floating icon to reopen cookie preferences satisfies this.

Penalties for GDPR Cookie Non-Compliance

Enforcement of cookies and GDPR rules has accelerated significantly. Data protection authorities have moved beyond warnings to substantial financial penalties.

Notable enforcement actions

Organization Authority Fine Year Violation
Google CNIL (France) 150 million EUR 2022 No easy way to reject cookies
Meta (Facebook) CNIL (France) 60 million EUR 2022 No easy way to reject cookies
Amazon CNIL (France) 35 million EUR 2020 Cookies placed without consent
Sephora CNIL (France) 600,000 EUR 2023 Cookie consent violations
Vueling Airlines AEPD (Spain) 30,000 EUR 2020 No cookie consent mechanism

These fines demonstrate that enforcement applies to organizations of all sizes. The CNIL alone issued 89 cookie-related enforcement actions between 2021 and 2024.

What triggers enforcement

Regulators typically investigate based on:

  • Complaints from individuals (any EU resident can file a complaint with their national authority)
  • Automated scanning of popular websites
  • Investigations triggered by other compliance failures
  • Sector-wide audits

The most common violations that lead to fines include loading tracking cookies before consent, making it harder to reject cookies than to accept them, and failing to provide granular consent options.

How to Make Your Website GDPR Cookie Compliant

Achieving cookie GDPR compliance involves a systematic process. Follow these steps in order.

Step 1: Audit every cookie on your website

Before you can disclose cookies to visitors, you need to know exactly what cookies your site sets. This means scanning every page, including those loaded by third-party scripts. A compliance scanner can automate this process and catch cookies that manual review misses.

For each cookie, document:

  • Cookie name and domain
  • Purpose (analytics, marketing, functionality, strictly necessary)
  • Duration (session or persistent, and exact expiry)
  • First-party or third-party
  • What data it collects or enables

Step 2: Classify cookies into consent categories

Group your cookies into categories that align with how you will present consent choices. The standard groupings are strictly necessary, analytics/performance, marketing/advertising, and functionality/preferences. Map every cookie to exactly one category.

Step 3: Implement a consent management platform

A consent management platform (CMP) handles the technical and legal mechanics of cookie consent. It must:

  • Block all non-essential cookies and scripts until consent is given
  • Present a banner with clear Accept, Reject, and Preferences options
  • Record consent with a timestamp, the specific choices made, and the version of the policy shown
  • Re-fire blocked scripts only for categories the user accepted
  • Provide an easy way to change or withdraw consent at any time

TermsBox provides a cookie policy generator paired with a cookie consent banner that handles script blocking, granular consent categories, and consent record storage.

Step 4: Write a comprehensive cookie policy

Your cookie policy must list every cookie, its purpose, its duration, and whether it is first-party or third-party. Article 13 of the GDPR requires that this information be provided at the time consent is requested. The policy should be linked directly from your cookie banner and accessible from your website footer, alongside your privacy policy.

Cookie Policy Generator

Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.

Generate Now

Step 5: Test and verify

After implementation, verify that:

  • No non-essential cookies load on a fresh visit before consent
  • Rejecting cookies actually prevents those cookies from being set
  • Accepting only analytics but not marketing loads only analytics scripts
  • Clearing cookies and revisiting the site shows the banner again
  • The consent record stores the correct timestamp and choices

Browser developer tools (Application tab in Chrome) and automated compliance scanners are both useful for verification.

GDPR Cookie Rules for Specific Technologies

Different tracking technologies raise distinct questions under cookies GDPR rules. Here are the most common scenarios.

Google Analytics

Google Analytics requires consent because it sets multiple cookies (_ga, _gid, _gat) that track visitor behavior and collect data including IP addresses, browser fingerprints, and page views. The Austrian Data Protection Authority ruled in January 2022 that using Google Analytics violates the GDPR when data is transferred to the United States without adequate safeguards, adding a data transfer concern on top of the consent requirement.

Since the EU-US Data Privacy Framework was adopted in July 2023, the data transfer issue for U.S.-based tools has been partially addressed, but the cookie consent requirement remains unchanged.

Server-side tracking

Some organizations have moved to server-side tracking to reduce client-side cookies. This does not eliminate GDPR obligations. If server-side tracking processes personal data (IP addresses, user identifiers, behavioral data), it still falls under the GDPR. The ePrivacy Directive's consent requirement for cookies does not apply to server-side processing that avoids client-side storage, but the GDPR's rules on lawful basis, transparency, and data subject rights still do.

Fingerprinting and cookieless tracking

Browser fingerprinting and other cookieless tracking methods are subject to the same ePrivacy Directive rules. Article 5(3) covers not just cookies but any "storage of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user." Fingerprinting reads information from the user's device and therefore requires consent.

Embedded content

Embedding YouTube videos, Google Maps, social media posts, or other third-party content often triggers cookie placement by those third parties. The website embedding the content is responsible for obtaining consent for these cookies, even though a third party sets them. Privacy-enhanced embed modes (such as YouTube's youtube-nocookie.com domain) can reduce but not always eliminate the need for consent.

Cookie GDPR Compliance Across EU Member States

While the GDPR applies uniformly across the EU, the ePrivacy Directive is implemented through national legislation, which creates some variation in cookie rules.

Key differences by country:

  • France (CNIL): The most active enforcer. Requires rejecting cookies to be as simple as accepting them, with equal prominence on the first layer of the banner. Conducts regular automated scanning of French websites.
  • Germany: The Telecommunications Telemedia Data Protection Act (TTDSG), effective since December 2021, codifies cookie consent in German law. Sixteen state data protection authorities may interpret requirements slightly differently.
  • Italy (Garante): Updated cookie guidelines in January 2022 requiring the reject option on the first layer with equal visibility. Prohibited "scrolling equals consent" and cookie walls.
  • Netherlands (AP): Implemented the ePrivacy Directive through the Telecommunications Act (Telecommunicatiewet). Conducts regular website audits with detailed public guidance.

If your website serves visitors from multiple EU countries, comply with the strictest interpretation. The CNIL's requirements are generally the most demanding and serve as a safe benchmark.

Common GDPR and Cookie Compliance Mistakes

Even organizations that attempt compliance frequently make errors that expose them to enforcement. Avoid these common pitfalls.

Pre-loading scripts before consent

The most frequent violation is loading analytics or marketing scripts before the visitor interacts with the consent banner. Even a fraction-of-a-second head start triggers a violation. Scripts must be completely blocked, not merely delayed, until consent is recorded.

Relying on implied consent

Statements like "by continuing to browse this site, you consent to cookies" have been explicitly rejected by European courts and regulators. The Planet49 ruling (CJEU, C-673/17) established that consent must be an active, affirmative action. Scrolling, browsing, or closing a banner without making a choice does not constitute consent.

Making rejection harder than acceptance

If accepting cookies takes one click but rejecting them requires navigating through multiple settings screens, the consent is not freely given. Data protection authorities in France, Italy, and Belgium have all fined organizations specifically for this design pattern.

Failing to update the cookie list

Cookies change whenever you add a new tool, update a plugin, or modify third-party integrations. A cookie policy generator helps maintain an accurate, up-to-date disclosure, but the underlying audit needs to happen regularly. Quarterly scans are a reasonable minimum.

Ignoring third-party cookies

Your website is responsible for all cookies set during a visit, including those placed by third-party scripts you have embedded. If a marketing tag manager loads 30 advertising cookies, you need consent for all 30, and your cookie policy must disclose each one.

Bundling consent for unrelated purposes

Asking for a single consent that covers analytics, marketing, and social media cookies violates the specificity requirement. Each purpose must be presented as a separate choice. Users have the right to accept analytics but reject marketing, or vice versa.

Frequently Asked Questions

Does the GDPR apply to all cookies?

No. The GDPR applies to cookies that process personal data, while the ePrivacy Directive (Article 5(3)) governs the act of placing any cookie on a user's device. In practice, nearly all non-essential cookies fall under both regulations because they either contain personal data directly or enable tracking that constitutes personal data processing. Strictly necessary cookies, such as session identifiers and shopping cart cookies, are exempt from consent requirements under the ePrivacy Directive.

What are the penalties for violating GDPR cookie rules?

Fines for GDPR cookie violations can reach up to 20 million EUR or 4% of annual global turnover, whichever is higher. The French data protection authority CNIL has been particularly active, fining Google 150 million EUR and Meta 60 million EUR in 2022 for cookie consent failures. Smaller organizations also face enforcement, though fines tend to be proportionate to the severity of the violation and the company's revenue.

Do I need a cookie banner if my website only uses strictly necessary cookies?

No. If your website exclusively uses cookies that are strictly necessary for providing a service the user explicitly requested, you are not required to display a cookie consent banner. However, you still need a cookie policy that discloses what cookies you use and why. In practice, very few websites rely solely on strictly necessary cookies, since even basic analytics or embedded content typically introduces non-essential cookies.

Can I set analytics cookies before getting consent under the GDPR?

No. Analytics cookies such as Google Analytics, Hotjar, or Mixpanel require explicit opt-in consent before they are placed on the visitor's device. Loading tracking scripts before consent is a violation of both the GDPR and Article 5(3) of the ePrivacy Directive. The scripts must be blocked entirely until the visitor affirmatively accepts analytics cookies through a compliant consent mechanism.

Related Tools

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Related Articles

Cookie Policy

CMP Cookie Guide: What It Is and Why You Need One

Learn what a CMP cookie is, how consent management platforms work, and how to implement cookie CMP compliance for GDPR and ePrivacy.

April 4, 202610 min read
Cookie Policy

Cookie Consent Banner: Complete Implementation Guide (2026)

Learn how to implement a cookie consent banner that meets GDPR, ePrivacy, and CCPA requirements. Covers design, script blocking, and compliance.

April 4, 202612 min read
Cookie Policy

Cookie Policy Banner: Setup Guide for Website Compliance

Learn how to set up a cookie policy banner that meets GDPR and ePrivacy requirements. Covers consent flows, design, and legal obligations.

April 4, 202610 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • How GDPR and Cookies Interact Legally
  • Cookie Categories Under GDPR
  • Strictly necessary cookies (no consent required)
  • Analytics cookies (consent required)
  • Marketing and advertising cookies (consent required)
  • Social media and functionality cookies (consent required)
  • GDPR Cookie Consent Requirements
  • The five elements of valid cookie consent
  • How to present cookie choices
  • Penalties for GDPR Cookie Non-Compliance
  • Notable enforcement actions
  • What triggers enforcement
  • How to Make Your Website GDPR Cookie Compliant
  • Step 1: Audit every cookie on your website
  • Step 2: Classify cookies into consent categories
  • Step 3: Implement a consent management platform
  • Step 4: Write a comprehensive cookie policy
  • Step 5: Test and verify
  • GDPR Cookie Rules for Specific Technologies
  • Google Analytics
  • Server-side tracking
  • Fingerprinting and cookieless tracking
  • Embedded content
  • Cookie GDPR Compliance Across EU Member States
  • Common GDPR and Cookie Compliance Mistakes
  • Pre-loading scripts before consent
  • Relying on implied consent
  • Making rejection harder than acceptance
  • Failing to update the cookie list
  • Ignoring third-party cookies
  • Bundling consent for unrelated purposes
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.