Cookie consent laws: Compliance guide for website and app builders

Key Takeaways

  • EU ePrivacy Directive and GDPR together require explicit, opt-in consent before setting any non-essential cookie - analytics and advertising cookies are non-essential

  • French CNIL fined Google 150 million euros and Facebook 60 million euros in January 2022 for making it harder to reject cookies than to accept them

  • CCPA does not require opt-in consent for cookies, but it does require an opt-out mechanism for the sale or sharing of personal data collected via cookies

  • UK PECR mirrors EU cookie rules post-Brexit and is enforced by the ICO - UK users need the same consent treatment as EU users

  • Google Consent Mode v2 is required for EU advertisers running Google Ads - without it, conversion tracking breaks when users decline cookies

In January 2022, the French data protection authority, CNIL, issued two fines that got the attention of every privacy team in Europe.

Google: 150 million euros. Facebook: 60 million euros.

The violations weren't about data breaches or selling user data without permission. They were about cookie banners. Specifically: both companies made it easy to click "Accept all cookies" and hard to click "Reject all." Google's reject button required two extra clicks. Facebook's required navigating through a separate settings menu.

CNIL called this a dark pattern. It said the design made consent less than freely given - which means it wasn't valid consent at all under GDPR.

Two hundred and ten million euros in fines for button placement. That's the world cookie consent compliance lives in now.

The CNIL fines weren't the last of their kind. The IAPP GDPR Enforcement Tracker shows that EU data protection authorities have issued thousands of enforcement decisions since GDPR took effect in 2018 - with cookie consent dark patterns a recurring target. In 2023, the Irish DPC issued a 1.2 billion euro fine against Meta for EU data transfer violations, the largest single GDPR penalty on record.

TL;DR

EU ePrivacy Directive + GDPR require opt-in consent before setting any non-essential cookie. Consent must be freely given, specific, informed, and unambiguous - reject must be as easy as accept. CCPA requires opt-out for the sale or sharing of data collected via cookies. UK PECR mirrors EU rules post-Brexit. Google Consent Mode v2 is required for EU advertisers. Cookie walls are invalid in the EU. The CNIL fined Google 150M euros and Facebook 60M euros in 2022 for dark pattern banners alone.

Who does this apply to?

Cookie consent laws don't care where your company is registered. They care about who visits your site.

EU ePrivacy Directive and GDPR apply if:

  • You have visitors from EU member states - even occasionally

  • You use any cookies that aren't strictly required for the site to function (analytics, advertising, A/B testing, chat widgets, embedded video, social sharing buttons)

  • You use third-party scripts that set their own cookies (Google Analytics, Meta Pixel, Hotjar, Intercom, Stripe.js)

UK PECR applies if:

  • You have UK visitors, even post-Brexit

The UK ICO enforces the same rules as the EU on cookie consent - opt-in is required for non-essential cookies.

CCPA/CPRA applies if:

  • You have California residents as users

  • Your business meets at least one threshold: $25M+ annual gross revenue, personal data on 100,000+ California consumers, or 50%+ of annual revenue from selling consumer data

The practical answer: if your site uses Google Analytics, a Meta Pixel, a chat widget, or any third-party script, you need a cookie consent system. That covers most websites.

The EU ePrivacy Directive (2002/58/EC, updated 2009) is the original cookie law. Article 5(3) says: before storing or accessing information on a user's device, you need the user's informed consent.

"Unless it's strictly necessary for delivering a service the user explicitly requested" is the only exemption. That's a narrow carve-out. Session management, shopping cart persistence, login state - those qualify. Google Analytics does not.

The Directive is enforced by national data protection authorities. France has CNIL. Germany has the DSK. Italy has the Garante. Each country has its own enforcement style, but the underlying rule is the same.

The ePrivacy Directive says you need consent. GDPR defines what valid consent looks like.

Under GDPR Article 7 and Recital 32, consent must be:

  • Freely given - No coercion, no pre-ticked boxes, no cookie walls

  • Specific - Separate consent for each distinct purpose (analytics vs. advertising vs. personalization)

  • Informed - The user must know what they're consenting to and who's processing their data

  • Unambiguous - A clear affirmative action. Silence, inactivity, and pre-ticked boxes don't count.

Consent must also be withdrawable. Users must be able to change their mind as easily as they gave consent.

The California Consumer Privacy Act takes a different approach. It doesn't require opt-in consent for cookies by default. Instead, it requires:

  • A "Do Not Sell or Share My Personal Information" link on your homepage

  • Opt-out mechanisms for the sale or sharing of personal data collected via cookies

  • Disclosure of what data you collect and how you use it (in your privacy policy)

If your site uses a Meta Pixel or Google Ads with remarketing, you're likely sharing personal data with third parties - which triggers the "sharing" definition under CCPA even without a formal sale.

CPRA (the 2023 update) expanded this to include "sharing" for cross-context behavioral advertising. A functional ad pixel now likely qualifies.

UK PECR

The Privacy and Electronic Communications Regulations mirror the EU ePrivacy Directive in UK law. Post-Brexit, the UK didn't change the cookie consent rules. The ICO enforces PECR and has made clear it expects the same opt-in standard as the EU.

UK users visiting your site need to be treated the same as EU users for cookie consent purposes.

Consent rules apply to all storage mechanisms on a user's device - not just traditional HTTP cookies. This includes:

  • HTTP cookies (session and persistent)

  • localStorage and sessionStorage

  • IndexedDB

  • Service worker storage

  • Browser fingerprinting (no storage required - but ePrivacy still applies)

  • Pixel tracking and web beacons

Strictly necessary vs. non-essential

| Cookie Category | Examples | Needs Consent? |
|---|---|---|
| Strictly necessary | Session ID, shopping cart, login state, CSRF tokens, cookie consent choice itself | No - exempt under ePrivacy |
| Functional | Language preference, region selection, video player settings | Debated - some regulators say yes if not strictly necessary for core service |
| Analytics | Google Analytics, Mixpanel, Hotjar, Plausible (with cookies) | Yes - required in EU/UK |
| Marketing/Advertising | Meta Pixel, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel | Yes - required in EU/UK |
| Third-party social | Facebook Like buttons, Twitter share buttons, YouTube embeds | Yes - required in EU/UK |
| A/B testing | Optimizely, LaunchDarkly (with cookies), Google Optimize | Yes - required in EU/UK |

The strictly necessary exemption is intentionally narrow. If you can run your service without a cookie, it's probably not strictly necessary.

A cookie banner isn't just a legal checkbox. It's an interface that communicates something specific to users and records their choices. Here's what valid banners need:

Required elements:

  • Clear description of what cookies you use and why

  • Distinct categories for different cookie types (functional, analytics, marketing)

  • An "Accept" option that enables non-essential cookies

  • A "Reject" or "Decline" option that's equally prominent and easy to find

  • A way to customize consent by category

  • A way to access and withdraw consent later (usually via a persistent icon or link in the footer)

  • A link to your full cookie policy and privacy policy

What makes a banner invalid:

  • Pre-ticked boxes for optional categories

  • "Reject" button that's smaller, grayed out, or harder to find than "Accept"

  • Requiring extra clicks or steps to reject that aren't required to accept

  • Bundling cookie consent with terms of service acceptance

  • Cookie walls - blocking access unless the user accepts non-essential cookies

  • No way to withdraw consent later

The CNIL decisions against Google and Facebook are the clearest enforcement examples. Both companies' banners made acceptance the path of least resistance. That's not valid consent - it's manufactured consent.

| Requirement | What It Means for Your App | Penalty |
|---|---|---|
| Prior consent for non-essential cookies (EU/UK) | No analytics or marketing scripts load until user opts in | Up to 4% of global annual turnover or 20M euros under GDPR |
| Freely given consent (EU/UK) | No pre-ticked boxes, no cookie walls, reject as easy as accept | Fines - CNIL fined Google 150M euros for this specific pattern |
| Specific consent by purpose (EU/UK) | Separate on/off for analytics, marketing, personalization | Invalid consent = same as no consent |
| Withdrawable consent (EU/UK) | Easy way to change cookie preferences at any time | Must be honored immediately, not at next session |
| Do Not Sell/Share link (California) | Prominent homepage link for opt-out of data sharing | CPRA fines up to $7,500 per intentional violation |
| Consent records (EU/UK) | Proof you collected valid consent, with timestamps | Required for GDPR accountability - no records = no defense |
| Cookie policy disclosure (all) | What cookies, what purpose, who sets them, retention period | Required in privacy policy for GDPR and CCPA |

"The most common mistake we see is teams loading Google Analytics and the Meta Pixel unconditionally in the <head>, then adding a consent banner as a UI layer on top. By the time the banner renders, both scripts have already fired and set cookies. That's a GDPR violation on every single page load. The consent logic has to block script execution, not just show a notification."

- RaftLabs Engineering Team

Architecture implications

Cookie consent isn't a banner you bolt on at the end. It needs to be wired into how your application loads scripts.

Consent-first script loading

The wrong approach: load all third-party scripts in <head>, show a banner, and hope users accept.

This is a GDPR violation. The scripts fire before consent is given. Google Analytics, Meta Pixel, and most ad scripts set cookies immediately on load - before any user interaction.

The right approach: block all non-essential scripts until consent is recorded. Your tag management layer (Google Tag Manager, for example) should be configured so that each tag fires only when the corresponding consent signal is present.

Implementation pattern:

  1. Load only strictly necessary scripts on page load
  2. Load the cookie consent platform (OneTrust, Cookiebot, Osano) - these are necessary to collect consent
  3. When the user makes a choice, fire an event with their consent categories
  4. Your tag manager listens for that event and enables the corresponding tags
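The blocking step of that pattern in concrete form, as an added example that is not code from the article or from any consent platform. Non-essential scripts are written into the HTML as script elements with type="text/plain" and a data-consent-category attribute, so the browser parses them but never executes them; they are switched on only once a consent record for their category exists. The cookie name, the policy version string and the category names are assumptions for this example. The pure functions (record building, cookie parsing, script selection) are separated from the browser-only functions so the logic can be exercised outside a browser.

```javascript
// Added example (not code from the article or from any consent platform).
// Gated scripts look like:
//   <script type="text/plain" data-consent-category="analytics" src="..."></script>
// The browser parses but never executes type="text/plain"; they are switched
// on only after a consent record for their category exists.

const CONSENT_COOKIE = 'cookie_consent';   // assumed cookie name
const POLICY_VERSION = '2024-03';          // assumed: bump when the cookie policy changes
const CATEGORIES = ['functional', 'analytics', 'marketing'];  // assumed category names

// Build the record that is stored and logged: timestamp, policy version shown,
// and an explicit true/false per category. Anything not affirmatively chosen
// is false, so a missing or malformed key never turns into consent.
function buildConsentRecord(choices, now = new Date()) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  return { version: POLICY_VERSION, timestamp: now.toISOString(), categories };
}

// Parse a raw Cookie header (server-side) or document.cookie (client-side).
// A record written under an older policy version is treated as absent, which
// forces a re-prompt after a material change to cookie use.
function parseConsentCookie(cookieHeader) {
  const m = (cookieHeader || '').match(new RegExp('(?:^|;\\s*)' + CONSENT_COOKIE + '=([^;]*)'));
  if (!m) return null;
  try {
    const record = JSON.parse(decodeURIComponent(m[1]));
    return record.version === POLICY_VERSION ? record : null;
  } catch (e) {
    return null;   // corrupted or tampered value: no consent
  }
}

function encodeConsentCookie(record) {
  return encodeURIComponent(JSON.stringify(record));
}

// Pure selection step: given the gated scripts on a page and the current
// record, return the ones that may run. No record means nothing runs, and a
// script with an unrecognised category stays blocked.
function allowedScripts(scripts, record) {
  return scripts.filter(s => Boolean(record) && record.categories[s.category] === true);
}

// Browser-only: replace each permitted placeholder with a live script element,
// which is what actually executes it. Returns how many were activated.
function activateConsentedScripts(doc, record) {
  const gated = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const toRun = allowedScripts(gated.map(el => ({ el, category: el.dataset.consentCategory })), record);
  for (const { el } of toRun) {
    const live = doc.createElement('script');
    if (el.getAttribute('src')) live.src = el.getAttribute('src');
    else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return toRun.length;
}

// Browser-only: called by the banner when the user makes or changes a choice.
function recordChoice(choices) {
  const record = buildConsentRecord(choices);
  document.cookie = CONSENT_COOKIE + '=' + encodeConsentCookie(record) +
    '; Max-Age=15552000; Path=/; SameSite=Lax; Secure';   // 180 days
  window.dataLayer = window.dataLayer || [];
  // The event the tag manager listens for (step 4 of the pattern).
  window.dataLayer.push({ event: 'consent_update', consent: record.categories });
  activateConsentedScripts(document, record);
  return record;
}

// Browser-only: on every page load, honour a stored choice without re-prompting.
// A null return means the banner must be shown.
function initConsent() {
  const stored = parseConsentCookie(document.cookie);
  if (stored) activateConsentedScripts(document, stored);
  return stored;
}
```

Because parseConsentCookie works on a raw Cookie header, a server-rendered page can call it during render and leave the gated scripts out of the HTML entirely rather than relying on the client to skip them. The cookie only carries the user's choice; the same record should also be posted to your own backend so the timestamp and policy version exist in an audit log you control.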

Google Consent Mode v2 became required for EU advertisers in March 2024. Here's what it does:

When a user declines cookies, Consent Mode allows Google's tags to fire in a limited "cookieless" mode. No individual tracking happens - instead, Google receives anonymized signals it uses to model conversions across users who declined.

Without Consent Mode v2:

  • User declines cookies

  • Google Ads tag is blocked

  • Conversion event is lost entirely

  • Your campaign optimization data degrades

With Consent Mode v2:

  • User declines cookies

  • Google tag fires in cookieless mode

  • Conversion is modeled (not tracked individually)

  • Campaign optimization continues with modeled data

If you run Google Ads and have EU traffic, you need Consent Mode v2 integrated with your consent platform. The two signals it uses are ad_storage (for ad cookies) and analytics_storage (for analytics cookies).
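How those two signals are set from a consent platform's category choices, as an added example that is not code from the article or from Google. The gtag consent commands and the signal names (ad_storage, analytics_storage, and the two further signals Consent Mode v2 added, ad_user_data and ad_personalization) are Google's documented API; the category names and the mapping of "marketing" onto the three ad signals are assumptions for this example. The defaults are set before gtag.js or Google Tag Manager loads so the tags start in cookieless mode, and are updated when the user chooses.

```javascript
// Added example (not code from the article or from Google): mapping consent
// categories to Google Consent Mode v2 signals.

// Same bootstrap as the standard gtag snippet, with a fallback array so the
// logic can run outside a browser as well.
const dataLayer = (typeof window !== 'undefined')
  ? (window.dataLayer = window.dataLayer || [])
  : [];
function gtag() { dataLayer.push(arguments); }   // gtag.js expects an Arguments object, not an array

// Assumed mapping: "marketing" consent drives the three ad signals,
// "analytics" consent drives analytics_storage. Unknown or missing
// categories resolve to 'denied'.
function consentModeSignals(categories) {
  const g = v => (v === true ? 'granted' : 'denied');
  return {
    ad_storage: g(categories.marketing),
    ad_user_data: g(categories.marketing),
    ad_personalization: g(categories.marketing),
    analytics_storage: g(categories.analytics),
  };
}

// Step 1: must run before gtag.js / GTM loads. Every signal starts denied, so
// Google's tags fire only cookieless pings. wait_for_update gives the consent
// platform up to 500 ms to replay a stored choice before the first ping leaves.
function setConsentDefaults() {
  const defaults = { ...consentModeSignals({}), wait_for_update: 500 };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Step 2: whenever the user makes or changes a choice (banner click, or a
// stored record replayed on page load), push the updated signals.
function applyConsentChoice(categories) {
  const signals = consentModeSignals(categories);
  gtag('consent', 'update', signals);
  return signals;
}

// Typical page lifecycle: defaults first, then the user's choice.
setConsentDefaults();
```

In the blocked-until-consent pattern from the previous section, applyConsentChoice is what the consent platform's callback (or the consent_update event handler in the tag manager) calls; a user who declines everything produces an update with all four signals 'denied', which is the cookieless mode in which conversions are modelled rather than tracked.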

Server-side tracking

Server-side tracking is becoming a practical alternative to browser-based cookie consent for some use cases.

Instead of loading client-side pixels (Meta Pixel, Google Analytics) that set cookies in the browser, server-side tracking sends event data from your server directly to the advertising platform's API.

What this changes for consent:

  • Fewer cookies in the browser = simpler consent UI

  • Better data quality (ad blockers can't block server-side events)

  • More control over what data is sent to third parties

What it doesn't change:

  • GDPR still applies to processing personal data - server-side tracking is processing

  • You still need a lawful basis (consent or legitimate interest, depending on the use case)

  • You still need to disclose it in your privacy policy

Server-side tracking reduces your cookie surface area but doesn't eliminate compliance obligations.

You don't need to build cookie consent from scratch. Several platforms handle the banner UI, consent storage, and tag manager integration:

| Platform | Best For | Consent Mode v2 | Pricing |
|---|---|---|---|
| OneTrust | Enterprise, complex multi-region requirements | Yes | $5,000+/year |
| Cookiebot | Mid-market, auto-scans for cookies | Yes | $10-$30/month |
| Osano | Startups, simple setup | Yes | $199/month |
| Axeptio | EU-focused, strong CNIL compliance | Yes | $50-$100/month |

All four support Consent Mode v2 integration with Google Tag Manager. OneTrust is overkill for most small-to-mid businesses. Cookiebot and Osano cover 90% of use cases at a fraction of the cost.

Questions to ask your development partner

  1. How do you block non-essential scripts before consent is given? The answer should describe a tag management setup where scripts fire based on consent signals - not a banner that appears after scripts have already loaded.

  2. Have you implemented Google Consent Mode v2? If they haven't heard of it, that's a red flag for any team working on EU-facing sites that run Google Ads. It became a hard requirement in March 2024.

  3. How do you handle consent for server-rendered pages vs. SPAs? Server-rendered pages and single-page apps handle cookie consent differently. SSR pages need to read the consent cookie server-side to avoid loading blocked scripts during render. SPAs need to handle consent state reactively. Ask how they approach both.

  4. How do you store and log consent records? GDPR requires you to prove you collected valid consent. That means timestamps, what the user was shown, what they chose, and which version of your cookie policy was in force. Ask how they record this.

  5. How do you handle consent for third-party embeds? YouTube videos, Google Maps, Calendly widgets - all of these load third-party scripts and set cookies. Some teams miss these because they focus on the explicit tracking scripts and forget about embedded content.

  6. Can you scan our site and list every cookie currently being set? Any competent team should be able to run a cookie audit before building the consent system. You can't get consent for cookies you don't know exist.

  7. How do you handle consent for returning users who haven't been prompted yet? Your existing users never saw a consent banner. How you handle the first-time prompt for returning users (without clearing their session) is an implementation detail that trips many teams.

Consent collection:

  • Consent is collected before any non-essential script fires

  • Consent banner has equal prominence for "Accept" and "Reject" options

  • No pre-ticked boxes for optional cookie categories

  • Consent is collected by category (analytics separate from marketing)

  • Cookie policy link is accessible from the banner

  • No cookie wall blocking access to content

Consent management:

  • Users can withdraw or change consent at any time via a persistent link or icon

  • Withdrawing consent stops the relevant cookies immediately

  • Consent records are stored with timestamps and version of policy shown

  • Consent records are retained for as long as necessary to demonstrate compliance

Technical implementation:

  • Tag manager is configured so tags fire only with corresponding consent signals

  • Google Consent Mode v2 is implemented for Google Ads and Analytics (if running EU campaigns)

  • Cookie audit has been run - all cookies on the site are identified and categorized

  • Third-party embeds (YouTube, Maps, widgets) are covered by the consent system

  • Cookie policy lists all cookies, their purpose, who sets them, and retention periods

CCPA (California):

  • "Do Not Sell or Share My Personal Information" link is on the homepage

  • Opt-out mechanism works and is honored promptly

  • Privacy policy discloses what data is collected and shared

  • No financial incentive for accepting data collection without CCPA-compliant disclosure

Ongoing:

  • Cookie audit is repeated when new tools or scripts are added

  • Consent banner is updated when cookie practices change

  • Consent is re-requested when material changes are made to cookie use

  • Banner design is reviewed against current regulator guidance annually

The CNIL fines are the most visible example, but they're not the last. Regulators across the EU are running cookie consent enforcement campaigns. The Irish DPC, German DSK, and Italian Garante have all issued enforcement actions in the past 24 months. If your banner looks like it was designed to maximize acceptance rather than enable free choice, you've already built something that won't survive scrutiny.

The engineering cost to do this right is low. An afternoon to configure a consent platform properly, another day to wire up Consent Mode v2 and test script blocking. The fine for getting it wrong is not low at all.

Frequently Asked Questions

It depends on who visits your site, not where your server is. If you have EU or UK visitors, GDPR and PECR apply to your processing of their data regardless of where you're incorporated. If you have California visitors, CCPA applies if you meet the thresholds (over $25M annual revenue, data on 100,000+ consumers, or 50%+ revenue from selling data). Most US businesses with international traffic need cookie consent for EU/UK users at minimum.

No. Google Analytics, Mixpanel, Hotjar, and similar analytics tools set non-essential cookies. They're not required for the website to function - the site works fine without them. This means you need consent before loading analytics scripts in the EU and UK. Many teams are surprised by this because analytics feels like an internal tool, not a user-facing feature. It still requires consent.

The most common invalid patterns are: pre-ticked boxes for optional cookie categories, making the 'reject' button harder to find or smaller than 'accept,' using a cookie wall that blocks access until the user accepts, bundling cookie consent with terms of service acceptance, and not providing a way to withdraw consent as easily as it was given. The CNIL fines against Google and Facebook were specifically for the reject-harder-than-accept pattern.

Google Consent Mode v2 is a framework that tells Google's tags how to behave based on user consent choices. When a user declines cookies, Consent Mode allows Google to fire cookieless pings and model conversions using aggregated data rather than individual tracking. Without Consent Mode v2, Google Ads conversion tracking simply stops working when EU users decline cookies. It became required for EU advertisers using Google Ads in March 2024. If you run Google Ads and have EU traffic, you need Consent Mode v2.

The ePrivacy Directive (often called the cookie law) specifically governs the storing of and access to information on a user's device - which is what cookies do. It requires consent for non-essential cookies. GDPR governs what you do with personal data after it's collected, including the data those cookies generate. Both apply to cookies. ePrivacy determines when you need consent to set a cookie. GDPR determines how you handle the personal data the cookie collects. You need to satisfy both.

No, not in the EU. The Article 29 Working Party (now the EDPB) ruled that cookie walls - blocking access to your site unless a user consents to cookies - violate the GDPR requirement that consent be freely given. If the user has no real choice (accept or leave), consent isn't valid. Some regulators have allowed cookie walls paired with a paid alternative (pay for the service or accept ads), but this is still contested and carries risk.

There's no fixed renewal period in GDPR. Best practice is to re-request consent when your cookie practices change significantly - adding new third-party tools, new cookie categories, or changing how you use the data. Most platforms re-prompt every 12 months as a default. Users can also withdraw consent at any time, and you must honor that withdrawal promptly - stopping the relevant cookies immediately, not at next visit.
