TermsBox
PricingBlog
LoginGet Started
PricingBlogLogin
Get Started
  1. Home
  2. Blog
  3. GDPR Cookie Popup: Requirements, Rules, and Best Practices
Cookie Policy

GDPR Cookie Popup: Requirements, Rules, and Best Practices

Learn what the GDPR requires for cookie popups, how to make them compliant, and avoid fines up to 20M EUR with proper implementation.

TermsBox Team|April 4, 202614 min read

A GDPR cookie popup is the consent mechanism that websites must display before placing non-essential cookies on a visitor's device. Getting this popup wrong is one of the most common and heavily penalised compliance failures in European data protection law, with fines reaching into the hundreds of millions of euros for major violations.

This guide explains what the GDPR actually requires from cookie popups, what makes a popup compliant or non-compliant, how enforcement has shaped current standards, and how to implement one correctly. This is educational content, not legal advice. Consult a qualified attorney for guidance specific to your circumstances.

What the GDPR Requires for Cookie Popups

The legal requirement for cookie popups does not come from the GDPR alone. It results from two pieces of EU legislation working together: the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) and the General Data Protection Regulation (Regulation (EU) 2016/679).

Article 5(3) of the ePrivacy Directive establishes the core rule: storing information on a user's terminal equipment, or accessing information already stored, requires the user's prior consent. This is the provision that applies directly to cookies, local storage, device fingerprinting, and similar tracking technologies.

The GDPR then defines what valid consent means through Article 4(11) and sets out the conditions for consent in Article 7. Together, these provisions require that consent be:

  • Prior: No non-essential cookies may load before the visitor has made an active choice
  • Freely given: The visitor must have a genuine, unpressured choice to accept or refuse
  • Specific: Consent must be granular, covering distinct purposes rather than a blanket approval
  • Informed: Clear, plain-language information about what each cookie category does and who receives the data
  • Unambiguous: An active, affirmative action such as clicking a button or toggling a switch

The only cookies exempt from the consent requirement are those that are strictly necessary for providing a service the user explicitly requested. Session cookies, authentication tokens, shopping cart cookies, load balancing cookies, and the cookie that stores the visitor's consent preferences all fall under this exemption. Analytics, advertising, social media, and personalisation cookies do not.

What Makes a GDPR Cookie Popup Compliant

Enforcement actions, court rulings, and regulatory guidance have established clear standards for what a compliant GDPR cookie popup must include and how it must behave. The following elements are required, not optional best practices.

No cookies before consent

The most fundamental requirement is that non-essential cookies and tracking scripts must not execute until the visitor has actively opted in. A popup that appears while analytics, advertising, or social media scripts are already running in the background does not collect valid consent. The consent must be prior.

This means your cookie popup implementation must block all non-essential scripts by default and only load them after the visitor has made an affirmative choice for each relevant category.

Equal prominence for accept and reject

Refusing cookies must be as easy as accepting them. This principle has been the basis for some of the largest cookie-related fines in EU history. The CNIL fined Google 150 million EUR and Facebook 60 million EUR in January 2022 specifically because their cookie interfaces required multiple clicks to refuse cookies but only one click to accept.

A compliant popup must present a "Reject" or "Decline" button with the same visual weight, size, and accessibility as the "Accept" button. Hiding the reject option behind a secondary settings page, using muted colours or smaller text for the rejection option, or requiring extra navigation steps to refuse all violates the freely given requirement.

Granular category selection

Users must be able to accept or reject cookies by category rather than facing an all-or-nothing choice. Common categories include:

  • Strictly necessary (always active, no consent needed)
  • Analytics and performance (traffic measurement, usage patterns)
  • Marketing and advertising (remarketing, ad targeting, conversion tracking)
  • Functional (preferences, personalisation beyond strict necessity)
  • Social media (share buttons, embedded content, social login)

Each category must be presented with a clear description of its purpose and the types of cookies it includes. Pre-selected toggles or checkboxes for non-essential categories are not permitted. The Court of Justice of the European Union confirmed this in the Planet49 ruling (Case C-673/17, October 2019), holding that pre-ticked checkboxes do not constitute valid consent.

Clear information and transparency

The popup or an immediately accessible layer behind it must provide enough information for the visitor to make an informed decision. This includes:

  • The identity of the website operator (data controller)
  • The purposes of each cookie category
  • The types of cookies used and their duration
  • Which third parties receive data through cookies
  • How to withdraw consent after it has been given
  • A link to the full cookie policy

The information must be written in plain, accessible language. Legal jargon and vague descriptions like "to improve your experience" do not satisfy the informed consent standard.

Consent storage and proof

Article 7(1) of the GDPR requires the controller to be able to demonstrate that consent was given. Your cookie popup system must record and store proof of each consent decision, including what was consented to, when, and by whom (typically through an anonymous identifier rather than personal data).

Consent records should capture the timestamp, the version of the consent notice presented, the categories accepted and rejected, and how the consent was given. These records must be available for inspection if a supervisory authority requests them.

Common GDPR Cookie Popup Mistakes

Despite years of enforcement and guidance, many websites continue to use cookie popups that fail to meet GDPR requirements. The following patterns are non-compliant.

Cookie walls

A cookie wall blocks access to website content unless the visitor accepts all cookies. The European Data Protection Board stated in Guidelines 05/2020 that cookie walls generally do not provide freely given consent because the user has no genuine choice. Some limited exceptions exist for websites offering a paid, cookie-free subscription alternative, but the general rule is that conditioning access on cookie acceptance violates the GDPR.

Implied consent through scrolling or browsing

Some cookie popups display a notice stating that "by continuing to browse this site, you consent to cookies." This does not constitute valid consent. The EDPB has explicitly stated that scrolling, swiping, or continuing to browse does not meet the GDPR's requirement for a clear affirmative action. The visitor must take a deliberate, specific action directed at indicating agreement.

Dark patterns and manipulative design

Regulators have increasingly targeted cookie popups that use design tactics to push visitors toward accepting cookies. Non-compliant patterns include:

  • A large, coloured "Accept All" button paired with a small, grey "Manage Settings" link
  • Requiring three or more clicks to reject all cookies while accepting requires one click
  • Using confusing toggle labels where "on" means different things for different categories
  • Displaying the popup repeatedly or in increasingly intrusive ways after a visitor declines
  • Using guilt-tripping language like "Are you sure? You might miss personalised content"

The CNIL's December 2022 fine against Microsoft (60 million EUR) and its enforcement against TikTok (5 million EUR in 2023) both involved dark pattern complaints alongside substantive consent failures.

Ignoring consent choices

A cookie popup that records the visitor's rejection but loads tracking scripts anyway is worse than having no popup at all. It creates a false impression of compliance while actively violating the regulation. Technical implementation must ensure that consent choices are respected at the script level, not just displayed in the interface.

GDPR Cookie Popup Enforcement Actions

Enforcement of cookie popup requirements has been active and consistent across multiple EU member states. Examining key cases illustrates the standards regulators apply.

CNIL (France)

The CNIL has been the most active enforcer of cookie popup rules in Europe. Notable actions include:

  • Google (150 million EUR, January 2022): The cookie banner on google.fr did not offer a way to refuse cookies as easily as accepting them.
  • Facebook (60 million EUR, January 2022): Same issue on facebook.com for French users.
  • Microsoft (60 million EUR, December 2022): Bing deposited advertising cookies without valid prior consent.
  • TikTok (5 million EUR, January 2023): The reject mechanism required more steps than accepting, and information provided was insufficient.

Other EU authorities

  • Garante (Italy): Fined several companies for cookie popups that lacked a reject option on the first layer.
  • AEPD (Spain): Issued fines for websites that loaded tracking cookies before any consent interaction.
  • CJEU Planet49 ruling (2019): Established that pre-ticked checkboxes are invalid for cookie consent across the entire EU.

These cases demonstrate that enforcement is not limited to large technology companies. Small and medium businesses have received fines in the tens of thousands of euros for the same types of violations.

Cookie Policy Generator

Create a cookie policy for GDPR compliance. Create yours in minutes with TermsBox.

Generate Now

How to Implement a Compliant GDPR Cookie Popup

Building or selecting a cookie popup that meets all GDPR requirements involves both technical implementation and content considerations.

Step 1: Audit your cookies

Before configuring a cookie popup, identify every cookie and tracking technology on your website. Categorise each one as strictly necessary, analytics, marketing, functional, or social media. Document the purpose, provider, duration, and type (first-party or third-party) for each cookie. This audit forms the basis for your consent categories and your cookie policy.

Step 2: Block scripts by default

Configure your website so that all non-essential scripts are blocked from loading until consent is received. This typically requires a tag management approach where scripts are only injected after the consent management platform confirms the visitor has opted in to the relevant category.

Step 3: Design the popup interface

Build or configure the popup with two distinct layers:

  • First layer: A concise notice explaining that the site uses cookies, with three equally prominent buttons: "Accept All," "Reject All," and "Manage Preferences." Include a brief statement of purpose and a link to your cookie policy.
  • Second layer: A detailed preferences panel accessed through "Manage Preferences" that lists each cookie category with a description, the cookies it includes, and a toggle defaulting to off for all non-essential categories. Include a "Save Preferences" button.

Step 4: Implement consent storage

Store the visitor's consent decision in a first-party cookie and in a server-side log. The consent cookie should record which categories were accepted or rejected and the timestamp. The server-side log provides the proof of consent required by Article 7(1). Consent records should be retained for as long as you can demonstrate a need for them, typically at least as long as the consent itself is relied upon.

Step 5: Respect consent withdrawal

Include a persistent mechanism, such as a small icon or footer link labelled "Cookie Settings" or "Manage Cookies," that allows visitors to change their consent choices at any time. Article 7(3) of the GDPR requires that withdrawing consent be as easy as giving it. When a visitor revokes consent for a category, the associated cookies must be deleted and scripts must stop loading immediately.

Step 6: Keep the popup updated

Cookie audits are not a one-time task. New scripts, updated analytics tools, changed advertising partners, and added integrations all affect your cookie inventory. Review and update your cookie popup configuration and your cookie policy regularly. A compliance scanner can help identify new cookies that appear on your site between manual reviews. Tools like TermsBox provide automated website scanning that detects new cookies and tracking technologies as they appear.

GDPR Cookie Popup Requirements by Cookie Type

Different types of cookies trigger different obligations within your GDPR cookie popup. Understanding these distinctions helps you configure categories correctly.

First-party analytics

Cookies set by your own domain for analytics purposes, such as a self-hosted Matomo instance, still require consent under the ePrivacy Directive. The CNIL has indicated that certain audience measurement tools may qualify for an exemption if they are strictly limited to producing anonymous aggregate statistics, but this exemption is narrow and does not apply to tools that enable individual-level tracking or cross-site measurement. Google Analytics does not qualify for any exemption.

Third-party advertising

Cookies from advertising networks like Google Ads, Meta Pixel, and programmatic ad exchanges require explicit consent and present additional transparency challenges. Your cookie popup must identify these third parties and explain what data they collect. Since the visitor's data is shared with external organisations, the standard for informed consent is higher.

Functional and preference cookies

Cookies that store user preferences such as language selection or display settings occupy a grey area. If the visitor explicitly chose the preference, the cookie may qualify as strictly necessary. If the preference is inferred or set by default, consent is required. When in doubt, include these in a "Functional" consent category.

Session and authentication cookies

Session identifiers and authentication tokens are typically classified as strictly necessary and do not require consent. However, if these cookies are combined with tracking functionality or persist beyond the session without a strict necessity justification, they may lose their exemption.

GDPR Cookie Popup and the ePrivacy Regulation

The ePrivacy Directive, which works alongside the GDPR to regulate cookies, is expected to be replaced by the ePrivacy Regulation. Originally proposed in January 2017, the regulation has been delayed repeatedly and remains in negotiation.

When adopted, the ePrivacy Regulation will become directly applicable in all EU member states, replacing the patchwork of national implementations of the current directive. Draft versions have proposed:

  • Maintaining the consent requirement for non-essential cookies
  • Introducing browser-level consent settings that websites would be required to respect
  • Clarifying rules for cookie walls
  • Addressing new tracking technologies such as device fingerprinting and ultrasonic beacons

Until the ePrivacy Regulation is finalised, the current ePrivacy Directive and GDPR framework continues to govern cookie popup requirements. Organisations should design their cookie consent systems to meet current standards while building flexibility for future regulatory changes.

For now, the practical approach is to implement a fully compliant GDPR cookie popup using a consent management platform and maintain a comprehensive cookie policy that documents all cookies on your site.

Frequently Asked Questions

Is a cookie popup legally required under the GDPR?

A cookie popup is required if your website uses non-essential cookies and is accessible to visitors in the EU or EEA. The obligation comes from Article 5(3) of the ePrivacy Directive, which requires prior consent before storing or accessing information on a user's device, combined with the GDPR's definition of valid consent in Articles 4(11) and 7. Websites that use only strictly necessary cookies, such as session or authentication cookies, are exempt from the consent requirement.

Can I use pre-ticked boxes in a GDPR cookie popup?

No. The Court of Justice of the European Union ruled in Planet49 (Case C-673/17, October 2019) that pre-ticked checkboxes do not constitute valid consent under the GDPR. Consent must result from a clear affirmative action by the user. All non-essential cookie categories must be deselected by default, and the user must actively opt in by ticking boxes or clicking category-specific accept buttons.

Does my cookie popup need a reject button?

Yes. Multiple data protection authorities, including the CNIL (France), AEPD (Spain), and Garante (Italy), have ruled that refusing cookies must be as easy as accepting them. A compliant GDPR cookie popup must present a reject or decline option with equal prominence to the accept option. Burying the reject option behind a settings menu or making it visually less prominent than the accept button has been the basis for significant enforcement actions.

What fines have been issued for non-compliant cookie popups?

Regulators have imposed substantial fines specifically for cookie popup violations. The CNIL fined Google 150 million EUR and Facebook 60 million EUR in January 2022 for making it harder to refuse cookies than to accept them. Microsoft was fined 60 million EUR by the CNIL in December 2022 for depositing advertising cookies without valid consent. Smaller organisations have also received fines ranging from tens of thousands to several million euros for cookie consent failures.

Related Tools

Cookie Policy Generator

Create a cookie policy for GDPR compliance

Related Articles

Cookie Policy

CMP Cookie Guide: What It Is and Why You Need One

Learn what a CMP cookie is, how consent management platforms work, and how to implement cookie CMP compliance for GDPR and ePrivacy.

April 4, 202610 min read
Cookie Policy

Cookie Consent Banner: Complete Implementation Guide (2026)

Learn how to implement a cookie consent banner that meets GDPR, ePrivacy, and CCPA requirements. Covers design, script blocking, and compliance.

April 4, 202612 min read
Cookie Policy

Cookie Policy Banner: Setup Guide for Website Compliance

Learn how to set up a cookie policy banner that meets GDPR and ePrivacy requirements. Covers consent flows, design, and legal obligations.

April 4, 202610 min read

Ready to Create Your Legal Documents?

Generate professional privacy policies, terms of service, and more in minutes. Free to start, no credit card required.

View All Generators

On This Page

  • What the GDPR Requires for Cookie Popups
  • What Makes a GDPR Cookie Popup Compliant
  • No cookies before consent
  • Equal prominence for accept and reject
  • Granular category selection
  • Clear information and transparency
  • Consent storage and proof
  • Common GDPR Cookie Popup Mistakes
  • Cookie walls
  • Implied consent through scrolling or browsing
  • Dark patterns and manipulative design
  • Ignoring consent choices
  • GDPR Cookie Popup Enforcement Actions
  • CNIL (France)
  • Other EU authorities
  • How to Implement a Compliant GDPR Cookie Popup
  • Step 1: Audit your cookies
  • Step 2: Block scripts by default
  • Step 3: Design the popup interface
  • Step 4: Implement consent storage
  • Step 5: Respect consent withdrawal
  • Step 6: Keep the popup updated
  • GDPR Cookie Popup Requirements by Cookie Type
  • First-party analytics
  • Third-party advertising
  • Functional and preference cookies
  • Session and authentication cookies
  • GDPR Cookie Popup and the ePrivacy Regulation
  • Frequently Asked Questions
TermsBox

Scan your website, auto-generate legal documents, add a consent banner, and stay compliant. One platform for everything.

Product

  • Cookie Scanner
  • Consent Banner
  • Cookie Policy Generator
  • Pricing

Generators

  • Privacy Policy Generator
  • Terms and Conditions Generator
  • EULA Generator
  • Disclaimer Generator
  • Return and Refund Policy Generator

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service
  • Cookie Policy
GDPR
ePrivacy
CCPA
LGPD
Google Consent Mode v2
IAB TCF 2.2
© 2026 TermsBox. All rights reserved.