Cookie Consent

Updated June 2026 · 9 min read

Cookie consent and EU ePrivacy law

Cookie consent requirements are among the most visible — and most widely misunderstood — aspects of EU digital privacy law. This guide explains what the law actually requires, what valid consent looks like in practice, and how enforcement actions define the line between compliant and unlawful.

The Legal Framework: Two Overlapping Laws

Cookie consent requirements stem from two pieces of EU law that operate together:

The ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC) — commonly called the Cookie Directive — requires prior informed consent before accessing or storing information on a user's terminal device. "Terminal device" includes computers, smartphones, tablets and other devices. This directive is implemented through national law in each EU member state, which is why the exact wording of national cookie laws varies across Europe.

GDPR does not itself create the obligation to obtain consent for cookies. It defines what valid consent means — a definition that applies to any consent collected under any EU law. The practical result: cookie consent must meet GDPR's high standard for valid consent to be enforceable.

Together, these rules require that cookies used for non-essential purposes are set only after obtaining consent that is freely given, specific, informed and unambiguous — and only before those cookies fire, not after.

What Counts as a Cookie (and What Does Not)

The ePrivacy Directive applies not just to HTTP cookies but to any technology that stores information on or accesses information from a user's device. This includes:

  • HTTP cookies (first-party and third-party)
  • Pixel trackers and tracking beacons
  • Local storage and session storage (HTML5 Web Storage)
  • Fingerprinting technologies that read device characteristics
  • Mobile advertising identifiers (IDFA, GAID)

Strictly Necessary Cookies: The Consent Exemption

Not all cookies require consent. The ePrivacy Directive exempts cookies that are "strictly necessary" for a service that the user has explicitly requested. This exemption is narrow. It covers only cookies without which the requested service literally cannot function:

  • Session authentication cookies (keeping you logged in)
  • Shopping basket / cart cookies on e-commerce sites
  • Security cookies that prevent cross-site request forgery
  • Load-balancing cookies (transparent to users, no personal data)
  • Cookies that store the user's cookie consent decision

The following are not strictly necessary and therefore require consent:

  • Analytics cookies (Google Analytics, Matomo, Adobe Analytics) — even self-hosted
  • Advertising and retargeting cookies
  • Social media tracking pixels (Meta Pixel, LinkedIn Insight Tag, TikTok Pixel)
  • A/B testing and personalisation cookies that persist across sessions
  • Performance and heatmap tools (Hotjar, Microsoft Clarity) that record individual behaviour
  • Affiliate tracking cookies

The EDPB has clarified that first-party analytics can receive a more lenient approach under some national implementations, but this does not constitute a formal exemption — consent remains the safest legal basis for any analytics that track individuals across sessions.

Valid Consent: The GDPR Standard

GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement."

Applied to cookie consent, this means:

Freely given: Consent cannot be a condition of accessing the service, unless the user is offered a genuine alternative (such as a paid subscription without tracking). A "consent wall" that blocks all content until all cookies are accepted is not freely given consent in consumer contexts.

Specific: Consent must be given for specific purposes, not bundled. Users must be able to consent to analytics while declining advertising cookies — blanket "accept all categories" as the only option is not specific consent.

Informed: Users must know what they are consenting to before consenting. This includes: the categories of cookies; the purposes; the specific controllers and processors who will receive data (not just "our partners"); and the fact that they can withdraw consent at any time.

Unambiguous: Consent requires a clear affirmative action. Continuing to browse a website, scrolling, or clicking anywhere on the page does not constitute consent. Pre-ticked checkboxes do not constitute consent.

What a Compliant Consent Banner Must Do

Based on GDPR requirements and enforcement decisions, a compliant cookie consent mechanism must:

  • Not fire non-essential cookies before consent is given. Cookies must not load on page entry before a choice is made. This is the most common violation and is technically verifiable by supervisory authorities.
  • Present "Accept" and "Reject" with equal visual prominence. A large green Accept button paired with a small grey "Manage preferences" link does not constitute genuine choice. Both options must be presented at the same level of accessibility.
  • Allow granular choices. Users must be able to accept some categories while rejecting others. A top-level accept/reject pair satisfies this; a banner offering only "Accept All" and a "Manage Preferences" path that hides the reject option behind several menus does not.
  • Name the specific controllers and processors. "Our advertising partners" without a vendor list fails the specificity requirement. The EDPB and national DPAs have found that IAB TCF vendor lists containing hundreds of companies also fail this test in practice, because users cannot meaningfully review them.
  • Provide an equally easy withdrawal mechanism. Withdrawing consent must be as easy as giving it. A one-click "Accept All" banner must be matched with a one-click or similarly accessible "Withdraw All" mechanism — typically a persistent "Cookie Settings" link in the footer.
  • Record consent. Controllers must be able to demonstrate that consent was obtained — when, for which purposes, and which version of the consent interface the user saw.

Dark Patterns That Constitute Violations

The EDPB's 2022 Guidelines on Dark Patterns formalised common violations. Practices that supervisory authorities consider unlawful include:

  • Visual asymmetry: Accept styled as a prominent coloured button; reject styled as a low-contrast text link or hidden under extra menus
  • Bundled consent: A single "Accept All" covering multiple distinct purposes, with no option to reject individual categories
  • Interface interference: Using visual design to draw attention toward consent choices the controller prefers
  • Confirm-shaming: Labelling the reject option with phrases designed to induce doubt ("No, I don't care about personalisation")
  • Misleading language: Framing consent as a simple "OK" or "Got it" without making clear that clicking constitutes consent to data processing
  • Endless settings layers: Burying the reject option behind multiple menus that require significantly more steps than accepting

Enforcement: Key Decisions

Several major enforcement actions define the current standard:

France (CNIL, 2022 — Google and Meta): Google received a €150 million fine and Meta a €60 million fine for cookie banners that made refusing cookies more difficult than accepting them. The specific violation: refusing all cookies required more clicks than accepting. The CNIL found this violated the requirement that withdrawal must be as easy as consent.

Belgium (APD, 2022 — IAB Europe TCF): The Belgian DPA ruled that the IAB's Transparency and Consent Framework — the industry standard used by most ad-supported websites — did not produce valid GDPR consent. The ruling found that TC strings (consent records) constituted personal data and that the TCF's consent mechanism failed the freely given and specific requirements. This affected the entire programmatic advertising ecosystem across Europe.

Italy (Garante, 2021-2022): The Italian DPA issued orders against multiple major publishers for banners presenting only an "Accept" button without an equivalent reject mechanism at the same level of accessibility. It found that requiring users to navigate into settings to reject cookies, when accepting required only one click, violated GDPR consent requirements.

Germany (DSK, 2021): The German supervisory authorities' joint body issued guidance stating that making access to a website conditional on accepting all cookies is generally unlawful — and that "pay or consent" models are only valid where the paid alternative is genuinely accessible and proportionate in price.

Cookie Consent Management Platforms (CMPs)

Most large websites implement cookie consent through third-party CMPs. While CMPs automate much of the technical implementation, they do not guarantee compliance — the controller remains responsible for configuring the CMP correctly. Common CMP configuration failures include:

  • Pre-ticking categories beyond strictly necessary
  • Enabling cookies before consent is recorded
  • Not disabling third-party script loading pending consent
  • Inadequate vendor lists or outdated consent records
  • Banners configured with unequal styling between accept and reject

The EDPB and national DPAs have found controllers liable for CMP misconfiguration — the use of a CMP is not itself a compliance defence.
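As an added example that is not part of this guide, the following plain JavaScript sketches a consent gate that implements the banner requirements listed earlier (no non-essential script runs before a recorded choice, rejected categories stay off, withdrawal is a single call, and every choice is recorded with a banner version and timestamp) and avoids the CMP misconfigurations just listed. The category names, the banner version string and the cookie names are assumptions constructed for illustration.

```javascript
// Added example, not the article's code: a minimal consent gate in plain JavaScript.
// Category names, the version string and cookie names are constructed assumptions.
const CONSENT_VERSION = "banner-2026-06"; // version of the banner text the user saw
const CATEGORIES = ["necessary", "analytics", "advertising"];
const ESSENTIAL = new Set(["necessary"]); // exempt: may be set without consent
// Which cookies each category sets (constructed sample, not a real vendor list).
const COOKIES_BY_CATEGORY = {
  necessary: ["session_id", "csrf_token", "cookie_consent"],
  analytics: ["_ga_example"],
  advertising: ["_ads_example"],
};
class ConsentManager {
  constructor(now = () => new Date().toISOString()) {
    this.now = now;
    this.record = null; // no choice made yet
    this.pending = { analytics: [], advertising: [] }; // loaders held until consent
  }
  // May this category set cookies or run its scripts right now?
  allowed(category) {
    if (ESSENTIAL.has(category)) return true;
    return this.record !== null && this.record.purposes[category] === true;
  }
  // Register a loader; it runs now if permitted, otherwise only after consent.
  gate(category, loader) {
    if (this.allowed(category)) { loader(); return true; }
    this.pending[category].push(loader);
    return false;
  }
  // Record a granular choice; anything not explicitly true is a rejection (no pre-ticked defaults).
  choose(choices) {
    const purposes = {};
    for (const c of CATEGORIES) purposes[c] = ESSENTIAL.has(c) || choices[c] === true;
    this.record = { version: CONSENT_VERSION, at: this.now(), purposes };
    for (const c of Object.keys(this.pending)) {
      if (purposes[c]) { this.pending[c].forEach((load) => load()); this.pending[c] = []; }
    }
    return this.record;
  }
  // One-call withdrawal, as easy as "Accept All"; returns cookies the page must now expire.
  withdrawAll() {
    const wasOn = CATEGORIES.filter((c) => !ESSENTIAL.has(c) && this.allowed(c));
    this.choose({});
    return wasOn.flatMap((c) => COOKIES_BY_CATEGORY[c]);
  }
}
// Audit helper: cookie names seen before any choice that are not strictly necessary.
function preConsentViolations(observedCookieNames) {
  const essential = new Set(COOKIES_BY_CATEGORY.necessary);
  return observedCookieNames.filter((name) => !essential.has(name));
}
```

In a real page the loaders would insert the vendor script tags and the record would be persisted to the consent cookie and the controller's log; the names returned by `withdrawAll()` must be expired via `document.cookie` before reloading, because a script that has already run cannot be unloaded.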

Cookie Consent and Analytics

Analytics is the area where most organisations find compliance most challenging. Google Analytics 4 — the most widely deployed analytics tool in the world — sets persistent cookies and sends data to Google's servers (including IP addresses that may constitute personal data in some interpretations). This creates a consent obligation in most EU jurisdictions.

Privacy-preserving alternatives exist that can reduce or eliminate the consent requirement: self-hosted tools like Matomo configured with IP anonymisation and without cross-session cookies, or tools designed explicitly for consent-free use like Plausible Analytics (which does not use cookies and does not collect personal data at the individual level). These tools may satisfy national implementations of the ePrivacy Directive without requiring a consent banner for analytics.

For a detailed overview of privacy tools available to EU businesses, see our guide to EU privacy tools.

Frequently Asked Questions

Do all cookies require consent under EU law?

No. Strictly necessary cookies — those without which the explicitly requested service cannot function — are exempt. This covers session authentication, shopping basket, and security cookies. Analytics, advertising, social media tracking, and personalisation cookies all require prior informed consent.

What makes cookie consent valid under GDPR?

Consent must be freely given, specific, informed and unambiguous. It requires an affirmative action — pre-ticked boxes and implied consent (continued browsing) are not valid. Users must be able to consent to each purpose separately and withdraw consent as easily as they gave it.

Can a website block access unless you accept cookies?

In consumer contexts, a consent wall that blocks all access unless all non-essential cookies are accepted is generally not freely given consent. Exceptions apply where a genuine paid alternative is offered at a proportionate price. Multiple DPAs have ruled blanket cookie walls unlawful.

Must Accept and Reject options have equal prominence?

Yes. Enforcement decisions from the CNIL, Garante and other DPAs have found that presenting Accept as a large coloured button while hiding Reject behind multiple menus or as a small grey link constitutes a dark pattern and does not produce valid consent.

What happens if cookies fire before consent is given?

This is the most common violation. Firing any non-essential cookie before the user makes a choice is unlawful. Supervisory authorities can verify this technically and have issued major fines — including against Google and Meta — specifically for this violation.

Does GDPR apply to browser fingerprinting and similar tracking technologies?

Yes. The ePrivacy Directive covers any technology that stores or accesses information on a user's device, not just HTTP cookies. Browser fingerprinting, local storage, session storage, pixel trackers and mobile advertising identifiers are all in scope and require the same valid consent.