GDPR Cookie Consent: Complete Implementation Guide
Quick Answer
GDPR and the ePrivacy Directive require websites to obtain informed, specific consent before setting non-essential cookies. This means no pre-ticked boxes, no cookie walls, and giving users a genuine choice to accept or reject each cookie category.
Cookie Consent Requirements
Cookie consent in the EU is actually governed by two pieces of law: the GDPR (which governs the personal data collected via cookies) and the ePrivacy Directive (which specifically requires consent for storing information on a user's device). Together, they require informed, specific consent before any non-essential cookies are set.
Key Takeaways
- Consent required for ALL non-essential cookies (analytics, marketing, social media, etc.)
- Essential cookies (login, shopping cart, security) do NOT need consent
- No pre-ticked boxes, no cookie walls, no "browsing = consent"
- Users must be able to reject cookies as easily as they accept them
- Cookie consent must be granular — separate choices for different cookie categories
Essential vs Non-Essential Cookies
| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, authentication, security, CSRF tokens, load balancing | No — exempt from consent |
| Functional/Preference | Language preferences, accessibility settings, user preferences | Yes (though some argue exemption) |
| Analytics/Performance | Google Analytics, Mixpanel, Hotjar, heatmaps | Yes |
| Marketing/Advertising | Google Ads, Facebook Pixel, retargeting, ad tracking | Yes |
| Social Media | Share buttons, embedded content (YouTube, Twitter) | Yes (if they set tracking cookies) |
Cookie Consent Implementation
Implementing GDPR Cookie Consent
Audit your cookies
Scan your website to identify all cookies and similar tracking technologies. Most CMPs include automated scanning tools. Categorize each cookie (necessary, analytics, marketing, etc.).
Choose a Consent Management Platform
Select a CMP that supports GDPR and the ePrivacy Directive. Popular options: Cookiebot, Osano, CookieYes, Usercentrics. Ensure it supports granular consent by category.
Configure your consent banner
Set up a consent banner that loads before any non-essential cookies fire. Users must see: what cookies are used, why, and have the option to accept all, reject all, or customize by category.
Block cookies until consent
Critical: non-essential cookies must NOT fire until the user gives consent. This requires either script blocking (CMP blocks scripts) or tag manager configuration (GTM consent mode).
Implement consent preferences
Provide a persistent way for users to change their cookie preferences (e.g., a "Cookie Settings" link in the footer that reopens the consent dialog).
Record consent
Log consent records: who consented, when, what they consented to, and the version of the consent text shown. CMPs handle this automatically.
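The "block until consent" and "record consent" steps above, as an added example that is not from the guide or from any CMP vendor. It assumes non-essential scripts are authored as `<script type="text/plain" data-consent="analytics" src="...">` so the browser never executes them on its own; `CONSENT_VERSION`, `buildConsentRecord`, `mayLoad`, `consentCookie` and `activateScripts` are hypothetical names.

```javascript
// Added example (not from the guide or any CMP vendor): a minimal consent
// gate and consent record. Assumption: non-essential scripts are authored as
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// so the browser never executes them until this code swaps them in.
// All names below (CONSENT_VERSION, buildConsentRecord, ...) are hypothetical.

const CONSENT_VERSION = '2024-06-01'; // version of the consent text shown to the user
const CATEGORIES = ['analytics', 'marketing', 'social'];
const REFRESH_DAYS = 180;             // re-ask within the 6-12 month window

// Record what was consented to, when, and under which text version.
// Every category defaults to false: nothing is pre-ticked, and only a
// strict `true` counts as an affirmative choice.
function buildConsentRecord(choices, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = choices[c] === true;
  return { version: CONSENT_VERSION, timestamp: now.toISOString(), granted };
}

// "Reject all" must be as easy as "Accept all": one call, no categories.
function rejectAll() { return buildConsentRecord({}); }

// A category may load only with an affirmative grant made under the
// current consent text; an older version means the banner is shown again.
function mayLoad(record, category) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  return record.granted[category] === true;
}

// Cookie string for persisting the record; Max-Age enforces the refresh.
function consentCookie(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `cookie_consent=${value}; Max-Age=${REFRESH_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Swap each blocked <script> whose category is granted for a live copy.
// Returns how many were activated; 0 outside a browser (no DOM).
function activateScripts(record, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const s of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(record, s.dataset.consent)) continue;
    const live = doc.createElement('script');
    if (s.src) live.src = s.src; else live.textContent = s.textContent;
    s.replaceWith(live); // inserting a fresh script element makes the browser run it
    activated++;
  }
  return activated;
}
```

Call `activateScripts(record)` only after the user acts on the banner, or on page load when a stored record with the current version is found.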
Common Cookie Consent Mistakes
- Cookie walls: Blocking content access unless the user accepts all cookies. The EDPB considers this non-compliant because consent isn't freely given.
- Pre-selected non-essential cookies: Analytics or marketing toggles that are on by default. Users must actively opt in.
- No reject option: Only showing an "Accept" button without an equally prominent "Reject" or "Necessary only" button.
- Dark patterns: Making "Accept All" a large colored button while hiding "Reject" in a small text link. Several DPAs have issued fines for this (Google France, EUR 150M).
- Firing cookies before consent: Loading Google Analytics or Facebook Pixel before the user interacts with the consent banner.
- No way to change preferences: Not providing a mechanism to withdraw consent or change cookie preferences after initial interaction.
- Ignoring legitimate interest for analytics: Some argue legitimate interest can be used for basic analytics, but most EU supervisory authorities require consent for analytics cookies.
⚠️ Google Consent Mode v2
Since March 2024, Google requires websites serving EU users to implement Consent Mode v2 for Google Analytics and Google Ads. This means your CMP must communicate consent signals to Google's tags. Most major CMPs (Cookiebot, Osano, CookieYes) support Consent Mode v2 — verify this before choosing a CMP.
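The consent-signal hand-off described above, as an added example that is not from the guide or from Google: it maps a CMP's per-category choices onto the four Consent Mode v2 signals. The `gtag('consent', ...)` command and the signal names are Google's documented API; `consentModeDefault`, `consentModeUpdate`, `applyConsentMode` and the `granted` object shape are assumptions.

```javascript
// Added example: mapping granular category consent onto Google Consent Mode v2.
// The gtag stub and the 'consent' command are Google's documented pattern;
// the helper names and the `granted` record shape are hypothetical.

const dataLayer = []; // in a page: window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Step 1: push denied defaults before gtag.js or GTM loads, so no Google
// tag stores anything until the user's choice arrives. wait_for_update
// tells the tags to hold back this many ms for a stored choice.
function consentModeDefault(waitMs = 500) {
  return {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    wait_for_update: waitMs,
  };
}

// Step 2: after the banner interaction, translate the CMP categories.
// Marketing consent covers the three ad signals (ad_storage plus the two
// added in v2, ad_user_data and ad_personalization); analytics consent
// covers analytics_storage. Anything not strictly true stays denied.
function consentModeUpdate(granted) {
  const ads = granted.marketing === true ? 'granted' : 'denied';
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: granted.analytics === true ? 'granted' : 'denied',
  };
}

// Send the update; returns the signal object actually pushed so the
// CMP can log it alongside the consent record.
function applyConsentMode(granted) {
  const update = consentModeUpdate(granted);
  gtag('consent', 'update', update);
  return update;
}

gtag('consent', 'default', consentModeDefault()); // always first, before any tag
```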
What a Compliant Cookie Banner Looks Like
Compliant Cookie Banner Checklist
- Appears before any non-essential cookies fire
- Clear, plain language explaining cookie usage
- "Accept All" and "Reject All" buttons equally prominent
- Option to customize cookie preferences by category
- List of cookies in each category with descriptions
- Link to full cookie/privacy policy
- Persistent "Cookie Settings" link for changing preferences later
- Non-essential cookies blocked until affirmative consent given
- Consent recorded with timestamp and version
- EUR 150M: Google France fine (2022), for making cookie rejection difficult
- EUR 60M: Facebook France fine (2022), same violation (hard-to-reject cookies)
- 90%+: estimated percentage of sites with flawed, non-compliant consent
- $0-$50/mo: typical CMP cost; free tiers available for small sites
Do I need a cookie banner if I only use essential cookies?
If you genuinely only use strictly necessary cookies (session, authentication, security), you don't need a consent banner for those cookies. However, you should still inform users about cookies in your privacy policy. Be careful — many third-party scripts (fonts, embedded videos, analytics) set cookies you may not be aware of.
Can I use Google Analytics without consent in the EU?
Most EU supervisory authorities require consent for Google Analytics because it sets cookies that track user behavior. Some DPAs have specifically ruled that Google Analytics requires consent. Google's Consent Mode v2 provides a reduced-data alternative when consent is not given, but this is still a developing area.
How often should consent be refreshed?
GDPR doesn't specify a frequency, but best practice is to re-present the consent banner every 6-12 months. Most CMPs allow you to configure the consent refresh interval. Always re-present consent when you add new cookie categories or change processing purposes.
What about mobile apps?
Mobile apps have similar consent requirements under GDPR and ePrivacy for tracking technologies (SDKs, advertising IDs, etc.). App tracking transparency (especially on iOS with ATT) intersects with GDPR requirements. Use an app-specific consent SDK from your CMP or implement custom consent flows.