Compliance 14 May 2026

EU Cookie Banner Requirements Explained — Privacy Tech EU

Cookie banners have become ubiquitous across the web — but many fail to meet the legal requirements they purport to satisfy. Understanding what EU law actually demands helps both website operators build compliant consent mechanisms and users recognise when their rights are being respected.

Cookie consent requirements stem from two overlapping legal frameworks:

The ePrivacy Directive (2002/58/EC, as amended) — also called the “Cookie Directive” — requires prior informed consent before storing or accessing information on a user’s device. This directive is implemented differently in each EU member state’s national law.

GDPR sets the standard that any consent collected must meet to be valid. The ePrivacy Directive requires consent; GDPR defines what valid consent looks like.

Together, these mean that cookies and similar tracking technologies used for non-essential purposes require consent that is freely given, specific, informed and unambiguous — before those cookies are set.

What “Essential” Cookies Are (and Why They Are Exempt)

Not all cookies require consent. Cookies that are “strictly necessary” for the service explicitly requested by the user are exempt. These include:

  • Session cookies that keep you logged in while browsing a website
  • Shopping basket cookies on e-commerce sites
  • Load-balancing cookies that distribute traffic between servers
  • Cookies that remember your cookie consent preference

What is NOT strictly necessary — and therefore requires consent:

  • Analytics cookies (Google Analytics, Adobe Analytics, etc.)
  • Advertising and retargeting cookies
  • Social media tracking pixels (Facebook Pixel, LinkedIn Insight Tag)
  • A/B testing cookies that persist across sessions
  • Performance monitoring cookies that track individual user behaviour

Based on GDPR requirements and enforcement decisions from EU data protection authorities, a valid cookie consent mechanism must:

Provide genuine choice before consent is given. Cookies must not be set before the user makes a choice. Pre-loaded cookies that fire on page load before consent is obtained are unlawful.

Offer an equally prominent “Reject” option. “Accept all” and “Reject all” must be presented with equal visual prominence. A large green “Accept” button paired with a small, grey hyperlinked “manage preferences” option does not constitute genuine choice.

Not use dark patterns. Deceptive designs that nudge users towards consent — including pre-ticked checkboxes, confusing double-negatives in options, and “consent walls” that block access to content unless users accept all cookies — have been ruled unlawful by multiple DPAs.

Identify each purpose and controller. Users must know what they are consenting to — including which specific companies will receive their data for advertising purposes, not just vague “marketing partners.”

Allow withdrawal of consent as easily as it was given. Users must be able to withdraw consent at any time, and the mechanism to do so must be as accessible as the original consent interface. A banner that allows one-click acceptance but requires multiple menus to withdraw fails this requirement.

Record consent. Controllers must be able to demonstrate that valid consent was obtained, including when, what the user consented to, and the version of the consent interface they saw.
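The requirements above map onto a small consent gate: nothing non-essential loads before an explicit choice, withdrawal is a single call, and every choice is recorded with its time, purposes, named recipients and banner version. This is an added example, not code from the original article; `ConsentGate`, `BANNER_VERSION`, the purpose names and the vendor names are hypothetical, and `loadTag` / `removeCookies` stand in for whatever script injection and cookie deletion the site uses.

```javascript
// Added example; ConsentGate, BANNER_VERSION, the purposes and vendor names are hypothetical.
const BANNER_VERSION = "banner-v3"; // constructed placeholder for the interface version shown

// "necessary" is exempt and always on; the others need opt-in and name their recipients.
const PURPOSES = {
  necessary: { exempt: true, vendors: [] },
  analytics: { exempt: false, vendors: ["Example Analytics Ltd"] },
  advertising: { exempt: false, vendors: ["Example Ads GmbH"] },
};

class ConsentGate {
  // loadTag(purpose) injects that purpose's scripts; removeCookies(purpose) deletes its cookies.
  constructor({ loadTag, removeCookies, now = () => new Date().toISOString() }) {
    Object.assign(this, { loadTag, removeCookies, now });
    this.granted = new Set();
    this.log = []; // append-only evidence of each choice
  }

  // Page load: only exempt purposes run, so nothing else fires before a choice.
  init() {
    for (const [p, def] of Object.entries(PURPOSES)) if (def.exempt) this.loadTag(p);
  }

  // Wire this to explicit clicks only ("accept", "reject", "withdraw"), never scroll or navigation.
  decide(action, purposes = []) {
    const optIn = purposes.filter((p) => PURPOSES[p] && !PURPOSES[p].exempt);
    const next = new Set(action === "accept" ? optIn : []);
    for (const p of this.granted) if (!next.has(p)) this.removeCookies(p);
    for (const p of next) if (!this.granted.has(p)) this.loadTag(p);
    this.granted = next;
    const record = Object.freeze({
      at: this.now(), action, bannerVersion: BANNER_VERSION,
      purposes: [...next], vendors: [...next].flatMap((p) => PURPOSES[p].vendors),
    });
    this.log.push(record);
    return record;
  }
}

// Constructed walk-through: page load, accept analytics only, then one-call withdrawal.
function demo() {
  const loaded = [], cleared = [];
  const gate = new ConsentGate({
    loadTag: (p) => loaded.push(p), removeCookies: (p) => cleared.push(p),
    now: () => "2026-05-14T10:00:00Z", // fixed timestamp for the example
  });
  gate.init();
  const beforeChoice = [...loaded];
  gate.decide("accept", ["analytics", "necessary", "unknown"]);
  gate.decide("withdraw");
  return { beforeChoice, loaded, cleared, log: gate.log };
}
```

In a real deployment the log entries would be sent to server-side storage so the controller can produce them later; the in-memory array here only shows which fields each record carries.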

Enforcement: What Non-Compliant Looks Like

Several major GDPR enforcement actions clarify where the line sits:

France (CNIL, 2022): Google and Facebook were fined €150 million and €60 million respectively for cookie consent banners that made opting out more difficult than accepting. The specific violation was the absence of a button to reject all cookies with the same ease as accepting all.

Italy (Garante, 2022): The Italian DPA found that cookie banners presenting a single “Accept” button without an equivalent “Reject” button or clear mechanism to continue without consent were unlawful, issuing orders to correct practices across multiple major websites.

Belgium (APD, 2022): The Belgian DPA issued a decision against IAB Europe’s Transparency and Consent Framework (TCF), the industry standard used by most advertising-supported websites in Europe, finding that it did not produce valid GDPR consent. This ruling affected the majority of programmatic advertising banners across the EU.

Common Violations to Avoid

Consent walls — refusing to allow access to content unless the user accepts non-essential cookies — are generally unlawful in consumer contexts, though exceptions exist where the user is offered a genuine paid alternative.

Nudge design — presenting “Accept” in a large, bold, coloured button while “Manage preferences” appears as a small grey link — has been ruled unlawful across multiple jurisdictions.

Cookie consent via scrolling or continued browsing — continuing to use the site does not constitute consent under GDPR. An affirmative action is required.

No withdrawal mechanism — failing to provide users with an accessible method to change or withdraw consent after the initial banner is dismissed.

Vendor list opacity — referencing “our advertising partners” without identifying them by name fails the specificity requirement.

For a broader overview of GDPR compliance, including legal bases and data subject rights, see our GDPR compliance guide and cookie consent page.

Frequently Asked Questions

Do I need consent for every cookie on my website?

No. Strictly necessary cookies — those essential for a service the user explicitly requested, such as session, security and load-balancing cookies — are exempt from consent under the ePrivacy Directive. Consent is required for analytics, advertising and other non-essential cookies before they are set.

Is a banner that says 'by continuing to browse you accept cookies' valid?

No. Implied consent from continued browsing is not valid under GDPR, which requires a clear affirmative action. The user must take a positive step to accept; scrolling or simply navigating the site does not constitute freely given, specific and informed consent.

Must rejecting cookies be as easy as accepting them?

Yes. Regulators including the French CNIL have ruled that a banner offering a one-click 'Accept all' must provide an equally prominent 'Reject all' option. Forcing users through extra steps to decline is treated as a dark pattern that invalidates consent.

Can I set non-essential cookies before the user responds to the banner?

No. Non-essential cookies must not be placed until the user has given consent. A common violation is loading analytics or advertising scripts on page load, before any interaction with the banner, which means consent was never validly obtained.