The General Data Protection Regulation (GDPR) requires websites to obtain explicit, informed consent from users before placing non-essential cookies on their devices. This applies to any website that collects data from individuals in the European Union, regardless of where the website is based. Combined with the ePrivacy Directive, these rules form the legal foundation for cookie consent banners across the web.
What the GDPR actually says about cookies
Cookies are mentioned only once in the GDPR itself, in Recital 30, which states that online identifiers such as cookies, IP addresses, and device fingerprints can be used to identify individuals and therefore qualify as personal data.
This is significant because once cookies are classified as personal data, all of the GDPR's rules for processing personal data apply. That means cookies need a lawful basis for processing (Article 6), and when that basis is consent, it must meet the GDPR's strict definition of valid consent (Article 7).
What counts as valid cookie consent under the GDPR?
The GDPR sets a high bar for consent. Under Article 4(11) and the European Data Protection Board (EDPB) guidelines, valid consent must be:
- Freely given: Users cannot be forced or manipulated into consenting. Cookie walls that block access unless all cookies are accepted are generally not compliant.
- Specific: Consent must be requested for each distinct purpose (analytics, marketing, etc.), not bundled into a single "accept all" with no alternatives.
- Informed: Users must be told what data is collected, why, by whom, and for how long before they make a choice.
- Unambiguous: Consent requires a clear affirmative action (clicking "Accept", toggling a switch). Pre-ticked checkboxes and continued browsing do not count.
- Withdrawable: Users must be able to withdraw consent as easily as they gave it, at any time.
What about "legitimate interest" for cookies?
Some websites attempt to use "legitimate interest" (Article 6(1)(f)) instead of consent for analytics or marketing cookies. While technically a valid legal basis under the GDPR, the ePrivacy Directive (Article 5(3)) specifically requires consent for storing information on a user's device, and that includes cookies. In practice, most data protection authorities require consent for non-essential cookies regardless of the GDPR legal basis claimed.
The ePrivacy Directive (the "EU Cookie Law")
The GDPR isn't the only law governing cookies in Europe. The ePrivacy Directive (2002/58/EC), often called the "Cookie Law," specifically addresses the storage of and access to information on a user's device.
Article 5(3) of the ePrivacy Directive states that storing information (like cookies) on a user's device requires: (a) clear and comprehensive information about the purpose, and (b) the right to refuse. The only exception is cookies that are "strictly necessary" for providing a service explicitly requested by the user.
While the ePrivacy Directive is technically separate from the GDPR, they work together. The GDPR defines what counts as valid consent; the ePrivacy Directive applies that consent requirement specifically to cookies and similar technologies.
What about the ePrivacy Regulation?
The EU has been working on an ePrivacy Regulation to replace the Directive since 2017. As of 2026, it has not been finalized. Until it is, the ePrivacy Directive remains in effect, and each EU member state has its own national implementation.
What are the penalties for GDPR cookie violations?
GDPR violations can result in fines of up to €20 million or 4% of global annual turnover, whichever is higher (Article 83). Cookie-specific enforcement has increased significantly since 2020.
Notable cookie consent fines
| Company | Fine | Authority | Year | Reason |
|---|---|---|---|---|
| | €150 million | CNIL (France) | 2022 | Making cookie rejection harder than acceptance |
| Amazon | €746 million | CNPD (Luxembourg) | 2021 | Processing personal data without proper consent |
| Meta (Facebook) | €60 million | CNIL (France) | 2022 | No easy way to refuse cookies |
| TikTok | €5 million | CNIL (France) | 2023 | Cookie consent mechanism non-compliant |
| Criteo | €40 million | CNIL (France) | 2023 | Processing data without valid consent |
Enforcement isn't limited to tech giants. Small and mid-size businesses have also received fines, particularly in France, Germany, Spain, and Italy. The trend is clear: regulators are actively enforcing cookie consent rules.
How to make your website GDPR cookie-compliant
Achieving GDPR cookie compliance involves a few key steps:
1. Audit your cookies
Scan your website to identify every cookie and tracker. Categorize each one as strictly necessary, analytics, functional, or marketing. You can't get consent for cookies you don't know about.
2. Implement a consent banner
Display a clear, accessible cookie banner that loads before any non-essential cookies are placed. The banner must offer granular choices (not just "accept all") and make rejecting cookies as easy as accepting them.
3. Block scripts until consent
Non-essential scripts (analytics, marketing pixels, social embeds) must not execute until the user has given consent for that specific category. This is called "prior blocking" or "script blocking."
4. Store consent records
You need to store proof of consent: who consented, when, to what, and how. This is your audit trail if a data protection authority asks for evidence of compliance.
5. Enable consent withdrawal
Provide a persistent way for users to change their cookie preferences after their initial choice. A common approach is a small icon or link in the footer that reopens the preference center.
6. Set up geo-targeting
If your site serves users globally, you may want different consent experiences for different regions. EU visitors need full GDPR-compliant banners. US visitors may need CCPA-style opt-out notices. Users in regions without cookie laws may not need a banner at all.
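Steps 2 to 5 above are usually implemented together in a small consent-management script. The following is an added example, written for this guide and not code from the original article or from any consent-management vendor, that shows one way to do it in the browser: non-essential scripts are gated until their category is granted, the decision is recorded as an audit-trail entry (who, when, to what, how), withdrawal supersedes the earlier record instead of deleting it, and the renewal check re-prompts after the window mentioned in the FAQ. The markup convention it assumes (shipping non-essential scripts as `<script type="text/plain" data-consent-category="...">`), the `cookie_consent` storage key, the `2024-01` policy version string and the 180-day renewal window are all constructed for the example.

```javascript
// Added example (not from the original article): a minimal cookie-consent gate.
// Assumption (hypothetical markup convention): non-essential scripts are shipped as
// <script type="text/plain" data-consent-category="analytics">...</script>
// so the browser never executes them until this code swaps the element out.

const CATEGORIES = ["necessary", "analytics", "functional", "marketing"];
const POLICY_VERSION = "2024-01";     // constructed; change it whenever the cookie policy text changes
const STORAGE_KEY = "cookie_consent"; // constructed localStorage key
const RENEWAL_DAYS = 180;             // 6-month window, the CNIL recommendation cited in the FAQ

function randomId() {
  // Opaque consent id for the audit trail; deliberately not tied to the user's identity.
  const c = globalThis.crypto && globalThis.crypto.randomUUID ? globalThis.crypto : require("crypto");
  return c.randomUUID();
}

// The record a data protection authority may ask for: who (opaque id), when, to what, how.
// Strictly necessary cookies are always allowed (the ePrivacy Art. 5(3) exception); every
// other category is granted only on an explicit true, so a missing key counts as refused.
function createConsentRecord(choices, method, now = new Date(), idSource = randomId) {
  const granted = {};
  for (const cat of CATEGORIES) {
    granted[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  return {
    consentId: idSource(),
    timestamp: now.toISOString(),
    policyVersion: POLICY_VERSION,
    method, // "accept_all" | "reject_all" | "granular" | "withdrawn"
    granted,
  };
}

// Before any choice is stored only strictly necessary cookies may run.
// Unknown categories are refused (fail closed).
function isAllowed(record, category) {
  if (!record) return category === "necessary";
  return record.granted[category] === true;
}

// Withdrawal is a new record that points at the one it supersedes, so the
// audit trail keeps both the original grant and the later withdrawal.
function withdrawConsent(previous, now = new Date(), idSource = randomId) {
  const rec = createConsentRecord({}, "withdrawn", now, idSource);
  rec.supersedes = previous ? previous.consentId : null;
  return rec;
}

// Re-ask when the record is older than the renewal window or was given
// against an earlier version of the cookie policy.
function needsRenewal(record, now = new Date(), maxAgeDays = RENEWAL_DAYS) {
  if (!record) return true;
  if (record.policyVersion !== POLICY_VERSION) return true;
  const ageMs = now.getTime() - new Date(record.timestamp).getTime();
  return ageMs > maxAgeDays * 24 * 60 * 60 * 1000;
}

// Prior blocking, DOM-free: given descriptors of blocked scripts ({id, category}),
// return the ids that may now execute, preserving input order.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => isAllowed(record, s.category)).map((s) => s.id);
}

// Browser glue: persist the record and un-block matching scripts. A <script> whose
// type was "text/plain" at parse time will not run if only its type attribute is
// edited, so a fresh element is created and swapped in.
function applyConsent(record, doc = typeof document !== "undefined" ? document : null) {
  if (typeof localStorage !== "undefined") localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
  if (!doc) return [];
  const blocked = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const activated = [];
  for (const el of blocked) {
    if (!isAllowed(record, el.dataset.consentCategory)) continue;
    const live = doc.createElement("script");
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== "type") live.setAttribute(name, value);
    }
    live.textContent = el.textContent;
    el.parentNode.replaceChild(live, el);
    activated.push(el.id || el.src || "(inline)");
  }
  return activated;
}

function loadStoredConsent() {
  if (typeof localStorage === "undefined") return null;
  const raw = localStorage.getItem(STORAGE_KEY);
  return raw ? JSON.parse(raw) : null;
}
```

Wiring this up on a page means calling `loadStoredConsent()` at start-up, showing the banner when it returns `null` or `needsRenewal(record)` is true, and otherwise calling `applyConsent(record)` so already-granted categories run without re-prompting; the preference-center link from step 5 calls `withdrawConsent` or builds a new granular record and then `applyConsent` again. Keeping the browser-side record is only half of the audit trail: the same record should also be posted to your own server, since a user can clear localStorage at any time.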
Frequently asked questions
Do I need cookie consent if my website is based outside the EU?
Yes, if your website collects data from individuals located in the EU. The GDPR has extraterritorial scope (Article 3(2)), meaning it applies regardless of where your company is based.
Are analytics cookies considered personal data under the GDPR?
In most cases, yes. Cookies set by tools like Google Analytics assign a unique client ID to each visitor, which can be used to single them out, making the cookie personal data under Recital 26. Even with IP anonymization, the unique identifier still constitutes personal data according to most DPAs.
Can I use a cookie wall?
Generally, no. The EDPB has stated that cookie walls (which block access to a website unless all cookies are accepted) do not meet the GDPR's requirement for freely given consent. Some national DPAs allow exceptions for paid alternatives (the "pay or consent" model), but this is contested and varies by jurisdiction.
How often should I renew cookie consent?
The GDPR doesn't specify an exact renewal period. Most DPAs recommend at least every 12 months. France's CNIL recommends 6 months. Check your local DPA's guidance for the applicable recommendation.
What about Google Consent Mode?
Google Consent Mode v2 is Google's framework for adjusting how Google tags behave based on user consent. Since March 2024, it's required for websites using Google Ads or GA4 that serve EU users. It works alongside your cookie consent banner, not as a replacement. See our complete Google Consent Mode v2 guide.
Sources & References
- General Data Protection Regulation (EU) 2016/679, Recitals 26 and 30, Articles 3, 4(11), 6, 7, 83
- ePrivacy Directive 2002/58/EC, Article 5(3)
- EDPB Guidelines 05/2020 on consent under Regulation 2016/679
- CJEU Case C-673/17 (Planet49), October 1, 2019
This guide is for informational purposes only and does not constitute legal advice. Consult a qualified attorney for advice specific to your situation.