Cookie consent remains one of the most visible and most frequently misimplemented obligations in European data protection law. Studies indicate that roughly 90% of cookie banners deployed across the EU still fail to meet the legal standard for valid consent. Supervisory authorities have responded with escalating fines – CNIL imposed EUR 150 million on Google in January 2022, and the Luxembourg CNPD fined Amazon EUR 746 million in a case where consent practices formed part of the complaint.
This guide covers the legal framework governing cookie consent under the GDPR and the ePrivacy Directive, the technical requirements for a valid consent mechanism, and a practical implementation checklist.
What Is the Legal Framework for Cookie Consent?
Cookie consent in Europe rests on two intersecting instruments: the ePrivacy Directive 2002/58/EC and the GDPR. They govern different aspects of the same user interaction.
The ePrivacy Directive (2002/58/EC)
Article 5(3) of the ePrivacy Directive requires prior informed consent before any information is stored on or accessed from a user’s terminal equipment – regardless of whether it constitutes personal data. Even anonymous analytics cookies require consent under ePrivacy.
The Directive was amended in 2009 by Directive 2009/136/EC, replacing the original opt-out regime with opt-in. Each member state has transposed this into national law, creating local variations.
How Does the GDPR Apply to Cookies?
The GDPR applies whenever cookies involve personal data – which is nearly always. User IDs, IP addresses, and device fingerprints constitute personal data under Article 4(1). The GDPR requirements for consent apply in full: freely given, specific, informed, and unambiguous.
The ePrivacy Directive governs placing or reading the cookie; the GDPR governs processing the personal data collected through it. Cookie consent must satisfy both simultaneously. See our guide to valid GDPR consent.
Which Cookies Require Consent?
Article 5(3) exempts storage or access that is strictly necessary in order to provide an information society service explicitly requested by the user (and, separately, storage or access carried out for the sole purpose of transmitting a communication over a network).
Strictly Necessary Cookies (No Consent Required)
These cookies are exempt because the service cannot function without them:
- Session authentication cookies – maintaining a logged-in state
- Shopping cart cookies – retaining items during a session
- Load-balancing cookies – distributing traffic across servers
- Security cookies – CSRF tokens and similar protections
- The consent-preference cookie itself – recording the user’s accept/refuse choice so the banner does not reappear on every page
The EDPB and CNIL have confirmed that the exemption is narrow. A cookie is strictly necessary only if the service cannot be provided without it and the user has explicitly requested the service.
Cookies That Always Require Consent
Every other category requires prior consent before being placed on the user’s device:
- Analytics cookies – Google Analytics, Matomo, Hotjar. CNIL has noted that a limited audience-measurement exemption may apply under specific conditions (first-party only, aggregated statistics, limited retention), but the default is that consent is required.
- Marketing and advertising cookies – retargeting pixels, ad network trackers, cross-site identifiers. These account for the majority of enforcement actions.
- Social media cookies – embedded content from Facebook, Twitter/X, LinkedIn, YouTube that sets trackers on page load.
- Functional cookies serving the provider’s interests – A/B testing, recommendation engines, browsing-history personalisation.
For more examples of how consent works across different processing activities, see our practical examples of GDPR consent.
What Are the Technical Requirements for Valid Cookie Consent?
Authorities have converged on a consistent standard. The EDPB Guidelines 05/2020 and CNIL cookie guidelines provide the authoritative references.
No Pre-Ticked Boxes
The CJEU settled this in Planet49 (Case C-673/17, October 2019): pre-ticked checkboxes do not constitute valid consent. The user must take an affirmative action. Continuing to browse, scrolling, or navigating to another page also does not constitute consent.
Equal Prominence for Accept and Refuse
Users must be able to refuse cookies as easily as they accept them. CNIL’s enforcement actions against Google (EUR 150 million) and Facebook (EUR 60 million) in January 2022 centred specifically on this point: the “Accept” button was prominent while refusing required multiple clicks through settings menus. A “Refuse All” button must be presented at the same level and with equivalent visual prominence as “Accept All”.
Granular Choice by Purpose
Consent must be specific to each purpose. A single “Accept All” option without the ability to consent to individual categories does not meet the granularity requirement. Users must be able to accept analytics cookies while refusing marketing cookies, or vice versa.
No cookie walls. Making site access conditional on accepting all cookies is generally non-compliant. The EDPB has stated that consent given under such a condition is not freely given. A narrow exception may apply where a genuine equivalent alternative is offered, but this remains contested.
Documented and withdrawable. Organisations must demonstrate that consent was obtained (Article 7(1) GDPR) and provide a mechanism for withdrawal at any time, as easily as it was given (Article 7(3) GDPR). A persistent footer link allowing users to revisit preferences is the standard approach.
How Have Authorities Enforced Cookie Consent Rules?
Enforcement is accelerating. Cookie consent violations accounted for approximately 18% of all GDPR-related enforcement actions between 2021 and 2025. Key cases include:
| Authority | Target | Fine | Key Issue |
|---|---|---|---|
| CNIL (France) | Google | EUR 150M | Refusing cookies required more clicks than accepting |
| CNIL (France) | Facebook | EUR 60M | Asymmetry in accept/refuse mechanism |
| CNPD (Luxembourg) | Amazon | EUR 746M | Consent and transparency failures including cookies |
| CNIL (France) | TikTok | EUR 5M | Cookie deposit without consent, no refuse mechanism |
| CNIL (France) | Microsoft | EUR 60M | Advertising cookies deposited without consent on Bing |
Beyond headline fines, CNIL conducted over 300 targeted cookie audits in 2023, issuing 94 formal notices. Cookie consent compliance is an active enforcement priority across every major European supervisory authority. For broader context, see our guide to GDPR fines.
Cookie Consent Implementation Checklist
Use this checklist to verify that your cookie consent mechanism meets current legal requirements. This should form part of your broader GDPR compliance checklist.
Audit and classification:
- [ ] Audit all cookies and trackers on your site, including those set by third-party scripts
- [ ] Classify each cookie: strictly necessary, functional, analytics, or marketing
- [ ] Verify that “strictly necessary” cookies genuinely meet the legal exemption
- [ ] Document purpose, provider, retention period, and data collected for each cookie
Consent mechanism design:
- [ ] Present a consent banner on first visit, before any non-essential cookies fire
- [ ] Include “Accept All” and “Refuse All” buttons at the same level with equal prominence
- [ ] Provide granular controls for each cookie category independently
- [ ] No pre-ticked boxes, implied consent, or scroll-based consent
- [ ] No cookie walls conditioning site access on acceptance
Ongoing compliance:
- [ ] Record proof of each consent choice with timestamp and scope
- [ ] Provide a persistent mechanism (footer link) for withdrawing or modifying consent
- [ ] Re-audit cookies quarterly – third-party scripts frequently add new trackers
- [ ] Update your cookie policy whenever new cookies are deployed
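The two lists above (consent mechanism design and ongoing compliance) describe a mechanism rather than showing one. The following is an added example, not code from this page, from Legiscope or from any consent-management product: a minimal consent layer that loads nothing non-essential until the user makes an affirmative per-purpose choice, stores that choice as a first-party record with a timestamp, scope and policy version, expires it after 13 months, treats withdrawal as just another record, and fails closed for unknown purposes. The purpose names, the cookie name `cc`, the `data-purpose`/`data-src` attributes and the policy version string are assumptions for illustration.

```javascript
// Consent-gated script loading with a documented, expiring, withdrawable consent record.
// Added illustration, not code from any consent-management product. Purpose names,
// the cookie name "cc", the data-* attributes and the policy version are assumptions.

const PURPOSES = ["analytics", "marketing", "social"]; // non-essential categories on this site
const POLICY_VERSION = "2026-01";                      // bump when the cookie policy changes; forces a re-prompt
const CONSENT_TTL_MS = 13 * 30 * 24 * 3600 * 1000;     // 13 months, the CNIL ceiling cited above (approximate)

// Build a record from the user's affirmative choices. A purpose is granted only if the
// value is literally `true`; anything missing or truthy-but-not-true is refused, so a
// category cannot be "pre-ticked" by a default value or a sloppy form handler.
function makeConsentRecord(choices, now = Date.now()) {
  const granted = {};
  for (const purpose of PURPOSES) granted[purpose] = choices[purpose] === true;
  return { version: POLICY_VERSION, timestamp: new Date(now).toISOString(), granted };
}

// Withdrawal goes through the same path as granting: a fresh record refusing everything.
function withdrawAll(now = Date.now()) {
  return makeConsentRecord({}, now);
}

// A record is usable only for the current policy version and only until it expires.
function isConsentValid(record, now = Date.now()) {
  if (!record || record.version !== POLICY_VERSION || !record.granted) return false;
  const t = Date.parse(record.timestamp);
  return Number.isFinite(t) && now - t >= 0 && now - t < CONSENT_TTL_MS;
}

// Fail closed: "necessary" never needs consent; every other purpose needs a valid
// record that grants it explicitly, and a purpose the record never heard of is refused.
function mayLoad(purpose, record, now = Date.now()) {
  if (purpose === "necessary") return true;
  if (!isConsentValid(record, now)) return false;
  return record.granted[purpose] === true;
}

// The record lives in a first-party cookie, which is itself strictly necessary.
function consentCookie(record) {
  return "cc=" + encodeURIComponent(JSON.stringify(record)) +
    "; Max-Age=" + Math.floor(CONSENT_TTL_MS / 1000) + "; Path=/; SameSite=Lax; Secure";
}

// Accepts either document.cookie or a full Set-Cookie string; garbage parses to null.
function parseConsentCookie(cookieString) {
  for (const part of (cookieString || "").split(";")) {
    const [name, value] = part.trim().split("=");
    if (name !== "cc" || !value) continue;
    try { return JSON.parse(decodeURIComponent(value)); } catch { return null; }
  }
  return null;
}

// Browser side: ship non-essential tags inert, e.g.
//   <script type="text/plain" data-purpose="analytics" data-src="https://analytics.example/tag.js"></script>
// and turn only the consented ones into real scripts. Returns how many were activated.
function activateScripts(doc, record, now = Date.now()) {
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-purpose]')) {
    if (!inert.dataset.src || !mayLoad(inert.dataset.purpose, record, now)) continue;
    const live = doc.createElement("script");
    live.src = inert.dataset.src;
    inert.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// On page load: honour a stored, still-valid choice; otherwise load nothing non-essential
// and let the banner call makeConsentRecord() once the user clicks Accept, Refuse or Customise.
if (typeof document !== "undefined") {
  const stored = parseConsentCookie(document.cookie);
  activateScripts(document, isConsentValid(stored) ? stored : null);
}
```

The same inert-tag trick applies to the social embeds mentioned earlier: ship the YouTube or LinkedIn iframe with `data-src` instead of `src` under a `social` purpose and let the banner swap it in. Two checks a reviewer should run against any real deployment of this pattern: open the page with a fresh profile and confirm in the network tab that no request to an analytics or advertising host is made before a click on the banner, and clear the `cc` cookie after changing `POLICY_VERSION` to confirm that users are re-prompted rather than silently grandfathered in.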
Managing this alongside other GDPR obligations – from data breach notification to data protection impact assessments – is where organisations fall behind. Tools like Legiscope can automate compliance workflows, but cookie classification and consent architecture require deliberate legal analysis regardless of tooling.
How Is Cookie Consent Changing?
The proposed ePrivacy Regulation, intended to replace the 2002 Directive, was withdrawn by the European Commission in February 2025 after years of stalled negotiations, so the Directive and its national transpositions remain the applicable law. On the browser side, Safari and Firefox block third-party cookies by default, while Chrome abandoned its planned third-party cookie phase-out in 2024 and has since confirmed it will keep supporting them. None of this eliminates consent requirements – first-party cookies, fingerprinting, local storage, and pixels remain in scope – but it shifts the practical focus away from third-party cookies alone. The Digital Markets Act adds further consent requirements for gatekeeper platforms. See our guide to GDPR requirements and our analysis of the hidden productivity cost of cookie banners.
Frequently Asked Questions
Does cookie consent apply to mobile apps?
Yes. The ePrivacy Directive covers any storage or access of information on a user’s terminal equipment, which includes mobile devices. SDKs and tracking libraries in apps are subject to the same consent requirements as cookies on websites.
Can I use legitimate interest as a legal basis for analytics cookies?
No. The ePrivacy Directive requires consent for non-essential cookies independently of the GDPR’s legal bases. Legitimate interest under Article 6(1)(f) GDPR cannot override the ePrivacy consent requirement.
How long should cookie consent last before I ask again?
No maximum duration is specified in law. CNIL recommends retaining consent choices for a maximum of 13 months. Other authorities suggest 6 to 12 months. Re-prompt at least annually.
Are cookie walls legal?
Generally no. The EDPB considers conditional access means consent is not freely given. A narrow exception may apply where a genuine equivalent alternative exists (such as a paid subscription), but this remains subject to case-by-case assessment.
Do I need a separate cookie policy?
Not legally required, but strongly recommended. The information can be included in your privacy policy, but it must cover: cookie types, purposes, retention periods, third parties involved, and how to withdraw consent. A standalone document improves transparency and simplifies audits.
Does cookie consent apply if I operate outside the EU?
Yes, if your website targets EU users by offering goods or services to them or monitoring their behaviour. Both the GDPR and national ePrivacy transpositions apply regardless of where your servers or company are located.