Most cookie banners are decorative. They create the appearance of compliance without meeting the legal standard. A 2022 CNIL audit found that over 60% of inspected websites had non-compliant cookie banners – consistent with academic studies placing the failure rate closer to 90% across the EU.
This article breaks down what cookie banner compliance actually requires, which common patterns are illegal, and how to verify your implementation.
What Does the Law Actually Require?
Cookie banner compliance in Europe is governed by two overlapping instruments: Article 5(3) of the ePrivacy Directive 2002/58/EC and the General Data Protection Regulation (GDPR). Together, they establish five non-negotiable conditions for valid consent before non-essential cookies fire.
Prior consent before non-essential cookies. Article 5(3) ePrivacy Directive requires consent before storing or accessing information on a user’s device, unless the cookie is strictly necessary. Tag managers, analytics scripts, and advertising pixels must be blocked by default. A 2021 Ruhr University Bochum study found 58% of sites using CMPs still set tracking cookies before any user interaction.
Freely given – no cookie walls. The EDPB Guidelines 05/2020 are explicit: making site access conditional on accepting cookies is not free consent. Cookie walls violate this principle. The CNIL, Dutch DPA, and Austrian DSB have all enforced against them. See our guide to valid GDPR consent.
Specific and granular by purpose. Users must be able to consent to analytics separately from advertising. Bundling purposes into one checkbox is not valid consent under GDPR requirements.
Informed in plain language. The banner must state who sets cookies, what categories exist, what purposes they serve, and how long they persist. “We use cookies to improve your experience” does not meet the threshold.
As easy to reject as to accept. This is where most banners fail. If “Accept All” is one click but rejecting requires navigating settings and toggling switches, consent is not valid. The CNIL formalized this in January 2022: the reject option must have the same prominence as accept. See our cookie consent compliance guide for details.
Which Dark Patterns Are Illegal?
Supervisory authorities and courts have identified specific design patterns that invalidate consent. These are not gray areas – they have been the subject of formal decisions.
Pre-Checked Boxes and Missing Reject Buttons
The CJEU settled pre-checked boxes in Planet49 (Case C-673/17, 2019): they do not constitute valid consent. Any CMP that loads with non-essential toggles on by default is non-compliant.
CNIL fined Google EUR 150 million and Facebook EUR 60 million in January 2022 because their banners offered “Accept” prominently but required multiple clicks to reject. Asymmetric effort vitiates consent. See our examples of GDPR consent.
Manipulative Design and Deceptive Scrolling
Color contrast that makes the reject button subordinate, confusing double negatives, and burying reject in a sub-menu all undermine the standard. The EDPB’s 2023 dark patterns guidelines apply by analogy to cookie banners.
Treating continued scrolling as implied consent is also illegal. The EDPB rejected this in Guidelines 05/2020: scrolling does not constitute a clear affirmative act.
What Are the Cookie Categories?
Cookie banner compliance requires correct categorization. Miscategorizing a marketing cookie as “functional” is a compliance failure. The standard taxonomy recognized by the EDPB, CNIL, and ICO divides cookies into four groups:
- Strictly necessary – no consent required. Session authentication, shopping cart, CSRF tokens, load balancing. The exemption is narrow: the cookie must be essential for a service the user explicitly requested.
- Functional – consent required. Language preferences, font size settings, video player preferences.
- Analytics – consent required. Google Analytics, Matomo (when not configured for exemption), heatmap tools, A/B testing. A 2023 CNIL report noted analytics cookies were the most common category deployed without valid consent.
- Marketing and advertising – consent required, highest enforcement risk. Retargeting pixels, cross-site tracking identifiers, ad network cookies. Our GDPR compliance checklist covers the full set of obligations around these activities.
How Should the Technical Implementation Work?
The legal requirements translate into specific technical behaviors. A compliant cookie banner is not just a UI element – it is a consent gate that controls script execution.
Before any user interaction, only strictly necessary cookies may be set. No Google Analytics, no Facebook Pixel, no ad network scripts. The CMP may set a cookie to record the banner was shown, but must not record a consent choice not yet made.
After consent, scripts must be gated behind category-specific checks. Consent to analytics does not authorize marketing tags. The choice must persist via cookie, and the user must be able to withdraw consent at any time per Article 7(3) GDPR, triggering suppression of the relevant tags.
Tools like Legiscope can help audit whether your implementation actually blocks tags before consent and fires them only after valid consent is recorded – a check that manual review often misses.
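One way to implement the consent gate described above, as an added example that is not the article's or any CMP vendor's code: registered tags are held back until their category is explicitly consented to, the decision is persisted in a cookie, and withdrawal is a single call that also reports which tags must be suppressed. The cookie name cmp_consent, the 13-month lifetime and the injected loadScript/writeCookie callbacks are assumptions.

```javascript
// Added example, not from the article or any CMP product: a minimal category-gated consent
// controller. Cookie I/O and script loading are injected callbacks so it runs in Node and browsers.
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];
const CONSENT_COOKIE = "cmp_consent";        // assumed cookie name
const MAX_AGE = 13 * 30 * 24 * 3600;         // ~13 months, the CNIL's recommended refresh interval
// Only an explicit `true` counts as consent; anything else (undefined, "yes", 1) is refused.
const normalise = s => Object.fromEntries(NON_ESSENTIAL.map(c => [c, s[c] === true]));
// Parse a Cookie header; return the recorded choices, or null if no decision exists yet.
function parseConsent(cookieHeader) {
  for (const part of (cookieHeader || "").split(";")) {
    const [name, ...rest] = part.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try { return normalise(JSON.parse(decodeURIComponent(rest.join("=")))); }
    catch { return null; }                     // corrupt value: treat as no decision
  }
  return null;
}
function serializeConsent(choices) {
  const value = encodeURIComponent(JSON.stringify(choices));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}

class ConsentGate {
  constructor({ cookieHeader, loadScript, writeCookie }) {
    Object.assign(this, { loadScript, writeCookie });
    this.choices = parseConsent(cookieHeader);           // null until the user decides
    this.pending = Object.fromEntries(NON_ESSENTIAL.map(c => [c, []]));
  }
  isAllowed(category) { return this.choices?.[category] === true; }
  // Tags register here instead of being inlined in the page, so nothing loads before consent.
  register(category, url) {
    if (!(category in this.pending)) throw new Error("unknown category: " + category);
    if (this.isAllowed(category)) this.loadScript(url);
    else this.pending[category].push(url);
  }
  // Record an explicit decision; categories the user did not tick default to refused.
  decide(selected) {
    this.choices = normalise(selected);
    this.writeCookie(serializeConsent(this.choices));
    for (const c of NON_ESSENTIAL)
      if (this.choices[c]) this.pending[c].splice(0).forEach(u => this.loadScript(u));
  }
  // Art. 7(3) GDPR: withdrawal is one call; returns the categories whose tags must now be suppressed.
  withdraw() {
    const wasOn = NON_ESSENTIAL.filter(c => this.isAllowed(c));
    this.decide({});
    return wasOn;
  }
}
```

In a browser, loadScript would append a script element and writeCookie would assign document.cookie; suppressing an already-running tag after withdrawal is the caller's job, which is why withdraw() returns the affected categories.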
What Are the Enforcement Consequences?
Cookie banner compliance failures have produced some of the largest fines in European data protection enforcement:
| Organization | Authority | Fine | Year |
|---|---|---|---|
| Google | CNIL (France) | EUR 150 million | 2022 |
| Facebook | CNIL (France) | EUR 60 million | 2022 |
| Amazon | CNPD (Luxembourg) | EUR 35 million | 2020 |
| TikTok | Irish DPC | EUR 345 million | 2023 |
| Criteo | CNIL (France) | EUR 40 million | 2023 |
Beyond headline fines, the CNIL’s “cookie sweep” program has issued formal notices to over 100 organizations since 2021. The CNIL processed 89,000 complaints in 2023, with cookies among the top three complaint categories. For a broader view of penalty trends, see our analysis of GDPR fines.
How Do You Test Your Cookie Banner?
Compliance is verifiable. Run through this checklist before and after deployment.
Pre-consent state:
- Open the site in a fresh browser session (no existing cookies).
- Before interacting with the banner, check the browser’s cookie storage. Only strictly necessary cookies should be present.
- Inspect network requests. No calls to analytics or advertising endpoints should fire before consent.
- Verify the banner appears without blocking content access entirely (no cookie wall).
Banner design:
- Confirm a “Reject All” or equivalent button is visible on the first layer, with equal visual prominence to “Accept All.”
- Verify that a “Manage Preferences” or “Customize” option allows granular choice by category.
- Check that no toggles or checkboxes are pre-checked for non-essential categories.
- Read the text: does it clearly state who sets cookies, what categories exist, and what purposes they serve?
Post-consent behavior:
- Accept only analytics cookies. Verify that marketing/advertising scripts do not fire.
- Reject all cookies. Verify that no non-essential cookies are set and no tracking scripts execute.
- Navigate to a second page. Verify that your consent choice persists and the banner does not reappear.
- Find the mechanism to withdraw consent. Verify that using it suppresses the relevant tags.
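The pre-consent checks above can be automated against a HAR file exported from the browser's network panel during a fresh-session load. The audit below is an added example, not part of the article; the first-party host list, the strictly-necessary cookie names and the sample capture are constructed assumptions.

```javascript
// Added example, not from the article: audit a HAR capture of the pre-consent page load.
// It flags requests to hosts outside a strictly-necessary allowlist and Set-Cookie headers
// for cookies outside a strictly-necessary allowlist. Both allowlists are assumed values.
const NECESSARY_HOSTS = new Set(["shop.example", "cdn.shop.example"]);       // assumed first-party hosts
const NECESSARY_COOKIES = new Set(["session_id", "csrf_token", "cmp_shown"]); // assumed essential cookies
// Note: a consent-record cookie (e.g. cmp_consent) is deliberately absent from the allowlist,
// so a CMP that records a choice before the user made one shows up as a finding.

// One finding per unexpected request or cookie; an empty array means a clean pre-consent state.
function auditPreConsent(har) {
  const findings = [];
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (!NECESSARY_HOSTS.has(host)) findings.push({ kind: "request", host, url: entry.request.url });
    for (const h of entry.response.headers || []) {
      if (h.name.toLowerCase() !== "set-cookie") continue;
      const name = h.value.split("=")[0].trim();
      if (!NECESSARY_COOKIES.has(name)) findings.push({ kind: "cookie", host, name });
    }
  }
  return findings;
}

// Constructed sample capture (not real traffic): first-party load, one tracking cookie set
// alongside the session cookie, and one analytics beacon to a vendor host.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://shop.example/" }, response: { headers: [
    { name: "Set-Cookie", value: "session_id=k9f2; Path=/; HttpOnly; Secure" },
    { name: "Set-Cookie", value: "_tracker=u123; Max-Age=31536000" } ] } },
  { request: { url: "https://cdn.shop.example/app.js" }, response: { headers: [] } },
  { request: { url: "https://analytics-vendor.example/collect?uid=u123" }, response: { headers: [] } },
] } };

// Expected: two findings, the _tracker cookie and the analytics-vendor.example request.
const SAMPLE_FINDINGS = auditPreConsent(SAMPLE_HAR);
```

An allowlist rather than a tracker denylist is used on purpose: every host or cookie not explicitly justified as strictly necessary needs a reviewer's decision, which matches how the exemption is interpreted.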
For a comprehensive walkthrough of the broader compliance landscape, see our guide on how to comply with GDPR and the hidden productivity drain of cookie banners for the operational cost of getting this wrong.
Frequently Asked Questions
Do I need a cookie banner if I only use strictly necessary cookies?
No. If your site sets only strictly necessary cookies – session authentication, CSRF tokens – no consent is required and no banner is necessary. The exemption is narrow. If you use any analytics, functional, or advertising cookies, you need a banner.
Is Google Analytics exempt from consent requirements?
No. The Austrian DSB, French CNIL, and Italian Garante have all ruled that Google Analytics requires prior consent. GA4 does not change this – it still processes personal data through cookies and identifiers.
Can I use a cookie wall that blocks content until users consent?
In most EU jurisdictions, no. The EDPB considers cookie walls incompatible with freely-given consent unless the user has a genuine alternative means of accessing the content. The Dutch DPA allows narrow exceptions where a paid alternative exists, but the default position is that cookie walls invalidate consent.
How often should I re-obtain consent?
No fixed legal period, but the CNIL recommends re-obtaining consent every 13 months. Store the choice in a cookie with appropriate expiration. Any significant change to your cookie practices – new vendors, new purposes – requires fresh consent regardless of timing.
Does the ePrivacy Directive apply to mobile apps?
Yes. Article 5(3) covers any storage on “terminal equipment” – smartphones, tablets, any connected device. Mobile SDKs that set device identifiers or local storage are subject to the same consent requirements. Note also that controllers cannot delegate compliance to a CMP vendor. If your CMP is misconfigured, the fine falls on you. Always audit actual behavior, not vendor claims.