
GDPR Cookie Consent Requirements: 2026 Guide

Master GDPR cookie consent in 2026. The 6 legal requirements, which cookies need consent, fines up to €20M, and how to build a compliant cookie banner.

GDPR Cookie Consent Requirements: The Complete 2026 Guide

What is GDPR cookie consent? GDPR cookie consent is the legal requirement for websites to obtain explicit, informed permission from visitors before placing non-essential cookies on their devices. Under the General Data Protection Regulation, you must block all analytics, marketing, and tracking cookies until users actively opt in. Consent must be freely given, specific to each cookie category, and easy to withdraw. Non-compliance penalties reach up to 20 million euros or 4% of global annual revenue.

Scan your site for cookie compliance issues with our free tool

If your website has visitors from the European Union, GDPR cookie compliance is not optional. Whether you run a personal blog, a SaaS product, a healthcare platform, or an enterprise e-commerce site, the rules apply to you.

This guide covers every GDPR cookie consent requirement you need to know in 2026, including the six legal requirements, which cookies need consent, how to design a compliant banner, common mistakes that trigger enforcement, and a step-by-step implementation checklist.



What Is GDPR and Why Does It Matter for Cookies?

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law, enforceable since May 25, 2018. It governs how organizations collect, process, and store personal data of individuals within the EU and the European Economic Area (EEA).

GDPR matters for cookies because cookies are one of the most common ways websites collect personal data. Every time a tracking pixel fires, an analytics script loads, or an advertising cookie drops onto a user's browser, personal data is being processed. Under GDPR, that processing requires a legal basis, and for most non-essential cookies, that legal basis is consent.

Key facts about GDPR and cookies:

  • GDPR applies to any website that processes data from EU residents, regardless of where the business is located
  • It works alongside the ePrivacy Directive (sometimes called the "Cookie Law"), which specifically addresses cookie consent
  • Fines can reach 20 million euros or 4% of annual global revenue, whichever is higher
  • Enforcement has accelerated significantly since 2022, with data protection authorities across Europe issuing thousands of decisions
  • The upcoming ePrivacy Regulation will further strengthen cookie consent rules when adopted

For a comprehensive overview of GDPR's impact on your website, see our GDPR compliance guide.


GDPR cookie consent refers to the specific, informed, and unambiguous permission that a website visitor must provide before any non-essential cookies can be placed on their device. It is the mechanism through which websites satisfy GDPR's lawfulness requirement for cookie-based data processing.

Unlike older cookie laws that allowed implied consent (such as "by continuing to browse, you agree to cookies"), GDPR requires affirmative action. The user must actively click a button, toggle a switch, or check an unchecked box to grant permission.

What GDPR cookie consent is NOT:

  • It is not a simple notification that cookies exist
  • It is not implied by the user continuing to browse
  • It is not a pre-ticked checkbox the user can uncheck
  • It is not a single "Accept" button with no alternative
  • It is not a one-time blanket authorization for all cookies forever

What GDPR cookie consent IS:

  • An active, affirmative choice by the user
  • Specific to each category of cookies (analytics, marketing, functional)
  • Based on clear information about what cookies do and who receives data
  • Obtained before any non-essential cookies are set
  • Easily reversible at any time

Understanding this distinction is critical. Many websites believe they are compliant simply because they show a cookie banner, but a banner alone does not satisfy GDPR requirements. The banner must implement all six legal requirements described in the next section.


GDPR cookie consent must satisfy six specific requirements derived from Article 4(11) and Article 7 of the regulation, as interpreted by the European Data Protection Board (EDPB) in its guidelines on consent.

Users must have a genuine, real choice to accept or reject cookies without any negative consequences. If refusing cookies results in degraded service, blocked content, or other penalties, consent is not freely given.

What violates this requirement:

  • Pre-ticked consent checkboxes
  • Cookie walls that block content access (with limited exceptions)
  • Making "Accept" easy and prominent while hiding "Reject"
  • Bundling all cookie consent into a single take-it-or-leave-it choice
  • Conditioning a service on cookie acceptance when cookies are not necessary for that service

What satisfies this requirement:

  • Clear, equally prominent "Accept All" and "Reject All" buttons
  • Granular choices allowing users to accept analytics but reject marketing
  • No penalty for declining non-essential cookies
  • The core website functionality remains accessible regardless of cookie choice

Example of compliant consent:

We use cookies to improve your experience and analyze traffic.

[Accept All]  [Reject All]  [Customize Preferences]

GDPR requires granular consent for different purposes. You cannot ask users to accept all cookies with a single consent action.

The standard cookie categories under GDPR:

| Category | Examples | Consent Required? |
|----------|----------|-------------------|
| Strictly Necessary | Authentication, security, shopping cart | No |
| Functional | Language preferences, theme settings | Yes |
| Analytics | Google Analytics, Hotjar, Mixpanel | Yes |
| Marketing/Advertising | Facebook Pixel, Google Ads, retargeting | Yes |

Users must be able to opt into some categories while rejecting others. A compliant cookie banner provides individual toggles or checkboxes for each category, with strictly necessary cookies always active and clearly labeled as such.

Non-compliant approach:

"We use cookies. [OK]"

Compliant approach:

"We use cookies in these categories:

  • Strictly Necessary (always active)
  • [ ] Functional
  • [ ] Analytics
  • [ ] Marketing

[Save Preferences] [Accept All] [Reject All]"

Users must understand what they are consenting to. This means your cookie banner must provide, or link to, specific information about your cookie usage.

Minimum information required in or accessible from the banner:

  1. Who is collecting data (your organization name)
  2. What cookies are used and their purposes
  3. Which third parties receive data (Google, Facebook, advertising networks)
  4. How long cookies persist (session vs. persistent, with specific durations)
  5. Link to full cookie policy or privacy policy with complete details

Practical implementation:

The first layer of your banner provides a brief summary. A "Cookie Details" or "Learn More" link expands to show the full list of cookies, their purposes, durations, and the third parties involved.

Example of informed consent:

"We use analytics cookies (Google Analytics) to understand how visitors use our site, and marketing cookies (Facebook, Google Ads) to show relevant advertisements. These third parties may process your data outside the EU. [Read our cookie policy for full details.]"

Consent must be given through a clear affirmative action. There must be no ambiguity about whether the user has agreed.

Actions that do NOT constitute valid consent:

  • Continuing to browse the website (implied consent)
  • Scrolling down the page
  • Silence or inactivity
  • Pre-selected options that the user does not change
  • Closing the cookie banner without making a choice

Actions that DO constitute valid consent:

  • Clicking an "Accept" button
  • Checking a previously unchecked checkbox
  • Toggling a switch from off to on
  • Selecting specific categories and clicking "Save Preferences"

The Planet49 ruling (CJEU, Case C-673/17, October 2019) definitively established that pre-ticked checkboxes do not satisfy the consent requirement, even under the ePrivacy Directive.

This is one of the most frequently violated requirements. Your website must not set any non-essential cookies until the user has given consent. Cookies must be blocked by default and only activated after a valid consent action.

The correct sequence:

  1. User visits your website
  2. Only strictly necessary cookies are set
  3. Cookie consent banner appears
  4. User makes their choice (accept, reject, or customize)
  5. Non-essential cookies load only for accepted categories
  6. Rejected categories remain blocked

The incorrect (and illegal) sequence:

  1. User visits your website
  2. Google Analytics, Facebook Pixel, and other tracking scripts load immediately
  3. Cookie banner appears
  4. User clicks "Reject"
  5. Cookies have already been set -- too late

How to verify your site is compliant:

  1. Open your site in an incognito/private browser window
  2. Open DevTools (F12) and go to the Network tab
  3. Reload the page without interacting with the cookie banner
  4. Check whether requests to analytics or advertising domains fire before you click "Accept"
  5. Also check the Application tab > Cookies for non-essential cookies

Use our free cookie scanner to automatically detect cookies that load before consent.

Users must be able to revoke their cookie consent as easily as they granted it. If accepting cookies takes one click, withdrawing consent should also take one click.

Requirements for withdrawal:

  • A persistent "Cookie Settings" or "Cookie Preferences" link must be available, typically in the website footer
  • Clicking this link should reopen the consent interface
  • Users can modify their choices (turn categories on or off)
  • Changes take effect immediately; withdrawn categories must stop setting cookies
  • Previously set cookies for withdrawn categories should be deleted

Best practice implementation:

Website Footer:
Privacy Policy | Cookie Settings | Terms of Service | Contact

The "Cookie Settings" link reopens the full preference panel, allowing users to adjust their choices at any time without having to clear their browser cookies or navigate through multiple pages.


Understanding which cookies need consent is fundamental to GDPR cookie compliance. The answer depends on the cookie's purpose, not its technical characteristics.

Analytics cookies track user behavior across your website and always require explicit consent under GDPR.

Common analytics cookies that need consent:

  • Google Analytics (_ga, _gid, _gat)
  • Google Tag Manager (when used to load tracking scripts)
  • Hotjar (_hj* cookies)
  • Microsoft Clarity (_clck, _clsk)
  • Mixpanel (mp_* cookies)
  • Matomo/Piwik (unless self-hosted with specific privacy settings)
  • Amplitude, Heap, and similar behavioral analytics tools

Even "privacy-friendly" analytics tools that claim to be cookieless may still require consent if they process personal data such as IP addresses or generate unique identifiers.

Marketing cookies are used for ad targeting, retargeting, and conversion tracking. These always require consent with no exceptions.

Common marketing cookies that need consent:

  • Facebook/Meta Pixel (_fbp, _fbc, fr)
  • Google Ads (IDE, DSID, 1P_JAR)
  • LinkedIn Insight Tag (li_fat_id, UserMatchHistory)
  • TikTok Pixel (_ttp)
  • Twitter/X Pixel (personalization_id, muc_ads)
  • Affiliate tracking cookies from networks like CJ, ShareASale, Impact
  • Programmatic advertising cookies from DSPs and SSPs

Functional cookies enhance the user experience but are not strictly necessary. GDPR technically requires consent for these, though enforcement tends to focus on analytics and marketing.

Examples:

  • Language or locale preferences
  • Theme settings (dark mode/light mode)
  • Font size preferences
  • Recently viewed products
  • Video player volume settings

Best practice: Include functional cookies in your consent mechanism but consider setting them to accepted by default in your preference panel, clearly labeled so users can opt out.


Essential Cookies Under GDPR: What Qualifies?

Essential cookies (also called strictly necessary cookies) are the only category exempt from GDPR consent requirements. However, the bar for what qualifies as "essential" is high.

A cookie is strictly necessary only if:

  1. It is essential for a service explicitly requested by the user (not by the website operator)
  2. The service cannot function without it
  3. Its sole purpose is to enable that specific service

Cookies That Qualify as Essential

  • Session identifiers that maintain a user's login state
  • Shopping cart cookies that remember items during an active session
  • CSRF tokens that prevent cross-site request forgery attacks
  • Load balancing cookies that distribute traffic across servers
  • Cookie consent preference cookies that store the user's consent choice
  • Authentication cookies that keep users logged in
  • Security cookies that detect authentication abuse

Cookies That Do NOT Qualify as Essential

Even if they seem important to your business, these are NOT essential:

  • Analytics cookies (even basic page view tracking)
  • Social media widgets (Facebook Like buttons, Twitter embeds)
  • A/B testing cookies (unless strictly for functionality)
  • Performance monitoring cookies that track user experience metrics
  • First-party advertising cookies
  • User preference cookies that are not critical to site function

Documenting Essential Cookies

Even though essential cookies do not require consent, GDPR still requires you to:

  • Disclose them in your cookie policy or privacy policy
  • Explain their purpose and duration
  • Justify why each one is strictly necessary
  • Review regularly to ensure the classification remains accurate

Organizations in regulated industries like healthcare should be particularly careful with essential cookie classifications, as health data processing carries additional requirements under GDPR Article 9.


A legally compliant cookie banner must balance usability with regulatory requirements. Design choices that make rejection harder than acceptance are considered dark patterns and violate GDPR.

Required Elements

Every GDPR-compliant cookie banner must include:

  1. A clear title or introduction indicating cookies are used
  2. A brief purpose statement explaining why cookies are used
  3. An "Accept All" button for users who want to consent to everything
  4. A "Reject All" button that is equally prominent as Accept
  5. A "Customize" or "Manage Preferences" option for granular control
  6. A link to your privacy/cookie policy with full details
  7. Third-party disclosure identifying who receives cookie data

Visual Design Rules

Button Equality: The "Accept All" and "Reject All" buttons must be visually equal. Same size, same prominence, same number of clicks to complete the action. The French DPA (CNIL) has fined companies specifically for making the reject option less prominent.

Color and Contrast: Both consent and rejection buttons must meet WCAG AA contrast ratios (4.5:1 minimum). Do not use a bright, attention-grabbing color for "Accept" and a subtle, low-contrast color for "Reject."

Font Size: All text must be legible. Minimum recommended is 14px for body text and 16px for button text.

Mobile Responsiveness: The banner must work on all screen sizes. Touch targets should be at least 44x44 pixels per WCAG guidelines.

Positioning: The banner should not completely block the website content. Users should be able to see what the website offers before making a cookie decision.

Dark Patterns to Avoid

Data protection authorities have specifically identified these dark patterns as non-compliant:

  • Confirm-shaming: Using guilt-inducing language like "No thanks, I don't want a better experience"
  • Hidden reject: Placing the reject option behind a secondary "Manage Preferences" screen while "Accept All" is on the first screen
  • Asymmetric design: Making "Accept" a large green button and "Reject" a small gray text link
  • Forced action maze: Requiring 5+ clicks to reject but only 1 click to accept
  • Repeated prompts: Showing the banner again after the user rejects, hoping they give in

Even well-intentioned websites frequently make errors that violate GDPR cookie consent requirements. These are the most common issues identified by enforcement authorities.

This is the most common violation. Many websites load Google Analytics, Facebook Pixel, and other tracking scripts in the page head, so they fire before the user even sees the cookie banner.

Why it happens: Developers add tracking scripts during development and forget to gate them behind consent. Or the cookie management platform is misconfigured.

How to fix: Implement script blocking that prevents non-essential scripts from executing until consent is received. Test by checking network requests in an incognito browser before clicking Accept.

Mistake 2: Using "Accept or Leave" Patterns

Offering only "Accept Cookies" or "Leave the Site" options is not valid consent. GDPR requires a genuine choice, and leaving the website is not an equivalent alternative to declining cookies.

How to fix: Add a "Reject All" or "Only Essential Cookies" button alongside "Accept All."

Consent checkboxes that are checked by default do not constitute valid consent. The EU Court of Justice confirmed this in the Planet49 ruling.

How to fix: All non-essential cookie categories must be unchecked (off) by default.

Blocking access to your website unless users accept cookies violates the "freely given" consent requirement in most cases.

How to fix: Allow access to your content regardless of cookie choices. If your business model requires tracking, consider offering a paid ad-free alternative.

A single "I agree to all cookies" checkbox without category-level options is insufficient. GDPR requires granular consent.

How to fix: Provide individual toggles for each cookie category (functional, analytics, marketing).

Mistake 6: No Withdrawal Mechanism

Many websites collect consent but provide no way for users to change their preferences later.

How to fix: Add a persistent "Cookie Settings" link in your footer that reopens the consent interface.

GDPR Article 7(1) states that controllers must be able to demonstrate that the user consented. If you cannot prove consent was given, it is treated as if it was never obtained.

How to fix: Log consent events with timestamps, user identifiers (anonymized), the specific choices made, and the version of the consent text shown.


GDPR cookie consent enforcement has intensified dramatically. Understanding real cases helps illustrate what regulators expect.

| Company | Fine | Year | Violation |
|---------|------|------|-----------|
| Amazon | 746M euros | 2021 | Targeted advertising without valid consent |
| Meta (Facebook) | 1.2B euros | 2023 | Data transfers and consent failures |
| TikTok | 345M euros | 2023 | Children's privacy and cookie consent |
| Google (France) | 150M euros | 2022 | Cookie rejection not as easy as acceptance |
| Microsoft (France) | 60M euros | 2022 | Cookies deposited without consent |
| Sephora (Italy) | 20K euros | 2023 | Cookie banner non-compliance |
| Various SMBs | 5K-100K euros | 2022-2025 | Cookie consent violations |

CNIL (France) has been the most active on cookie enforcement, issuing over 100 formal notices to companies for cookie consent violations. Their focus areas include:

  • Reject button must be on the first layer of the banner (not hidden behind "Manage Preferences")
  • Cookies must not be set before consent
  • Consent must not be inferred from browsing continuation

The Irish DPC has focused on large tech companies, resulting in record fines against Meta and TikTok.

The Italian Garante has targeted e-commerce sites and smaller businesses, showing that enforcement is not limited to big tech.

The trend is clear: Enforcement is expanding to smaller organizations, and fines are increasing. GDPR cookie compliance is no longer something only enterprise companies need to worry about.


Step 1: Audit Your Cookies

Before you can implement consent, you need to know exactly what cookies your website sets.

Manual audit process:

  1. Open your website in an incognito browser
  2. Open DevTools > Application > Cookies
  3. Note every cookie, its domain, duration, and purpose
  4. Navigate through your site to trigger all cookies
  5. Categorize each cookie as essential, functional, analytics, or marketing

Automated audit: Use our cookie scanner tool to automatically detect and categorize all cookies on your website. This catches cookies you might miss in a manual audit, including those set by third-party scripts.
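The manual DevTools check and the cookie audit above can be automated against a HAR export of the Network tab ("Save all as HAR" in DevTools). The script below is an added example, not code from the article or its product: it flags non-essential cookies observed before the consent click and requests to tracking hosts before that click. The HAR, the essential cookie names and the tracker host list are constructed or assumed for illustration.

```javascript
// Added example: audit a DevTools HAR export for cookies and tracker requests
// that occurred before the visitor clicked a consent button. Sample data is constructed.

// Cookie-name patterns taken from the article's analytics and marketing lists.
const COOKIE_PATTERNS = [
  { category: 'analytics', provider: 'Google Analytics', re: /^(_ga(_.+)?|_gid|_gat(_.+)?)$/ },
  { category: 'analytics', provider: 'Hotjar', re: /^_hj/ },
  { category: 'analytics', provider: 'Microsoft Clarity', re: /^(_clck|_clsk)$/ },
  { category: 'analytics', provider: 'Mixpanel', re: /^mp_/ },
  { category: 'marketing', provider: 'Meta Pixel', re: /^(_fbp|_fbc|fr)$/ },
  { category: 'marketing', provider: 'Google Ads', re: /^(IDE|DSID|1P_JAR)$/ },
  { category: 'marketing', provider: 'LinkedIn Insight Tag', re: /^(li_fat_id|UserMatchHistory)$/ },
  { category: 'marketing', provider: 'TikTok Pixel', re: /^_ttp$/ },
  { category: 'marketing', provider: 'Twitter/X Pixel', re: /^(personalization_id|muc_ads)$/ },
];

// Cookies this site documents as strictly necessary (assumed names).
const ESSENTIAL_COOKIES = new Set(['sessionid', 'csrftoken', 'cookie_consent']);

// Hosts whose requests show that an analytics or advertising tag executed (assumed list).
const TRACKER_HOSTS = ['googletagmanager.com', 'google-analytics.com', 'connect.facebook.net', 'hotjar.com'];

function classifyCookie(name) {
  if (ESSENTIAL_COOKIES.has(name)) return { category: 'essential', provider: 'first-party' };
  const hit = COOKIE_PATTERNS.find((p) => p.re.test(name));
  // "unknown" means the cookie is not in the registry: audit it by hand.
  return hit ? { category: hit.category, provider: hit.provider } : { category: 'unknown', provider: 'unknown' };
}

// Entries that started before the consent click. Pass null when you never touched
// the banner: then the whole capture is pre-consent and every non-essential cookie is a finding.
function entriesBeforeConsent(har, consentClickedAt) {
  const cutoff = consentClickedAt === null ? Infinity : Date.parse(consentClickedAt);
  return har.log.entries.filter((e) => Date.parse(e.startedDateTime) < cutoff);
}

// Non-essential cookies seen in responses (Set-Cookie) or already in the jar on requests.
// Checking request cookies also catches cookies written by JavaScript via document.cookie,
// which never appear in a Set-Cookie header.
function cookiesSetBeforeConsent(har, consentClickedAt) {
  const firstSeen = new Map();
  for (const entry of entriesBeforeConsent(har, consentClickedAt)) {
    const host = new URL(entry.request.url).hostname;
    const carried = [...(entry.response.cookies || []), ...(entry.request.cookies || [])];
    for (const c of carried) {
      if (!firstSeen.has(c.name)) firstSeen.set(c.name, { name: c.name, host, at: entry.startedDateTime });
    }
  }
  return [...firstSeen.values()]
    .map((c) => ({ ...c, ...classifyCookie(c.name) }))
    .filter((c) => c.category !== 'essential');
}

// Requests to tracking hosts before consent: evidence a tag ran even if it set no cookie.
function trackerRequestsBeforeConsent(har, consentClickedAt) {
  return entriesBeforeConsent(har, consentClickedAt)
    .map((e) => ({ host: new URL(e.request.url).hostname, at: e.startedDateTime }))
    .filter((r) => TRACKER_HOSTS.some((t) => r.host === t || r.host.endsWith('.' + t)));
}

// Constructed HAR: gtag loads in the head, writes first-party _ga cookies (visible on the
// next request to the site's own origin), then the visitor clicks "Accept All" at 10:00:11.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: '2026-01-15T10:00:00.000Z',
    request: { url: 'https://www.example.com/', cookies: [] },
    response: { status: 200, cookies: [{ name: 'sessionid', value: 'constructed' }] } },
  { startedDateTime: '2026-01-15T10:00:00.400Z',
    request: { url: 'https://www.googletagmanager.com/gtag/js?id=GA_ID', cookies: [] },
    response: { status: 200, cookies: [] } },
  { startedDateTime: '2026-01-15T10:00:00.900Z',
    request: { url: 'https://www.example.com/static/logo.png',
      cookies: [{ name: 'sessionid', value: 'constructed' }, { name: '_ga', value: 'GA1.1.constructed' },
                { name: '_ga_ABC123', value: 'constructed' }] },
    response: { status: 200, cookies: [] } },
  { startedDateTime: '2026-01-15T10:00:01.000Z',
    request: { url: 'https://www.google-analytics.com/g/collect?v=2', cookies: [] },
    response: { status: 204, cookies: [] } },
  { startedDateTime: '2026-01-15T10:00:12.000Z',
    request: { url: 'https://www.example.com/api/consent', cookies: [{ name: 'sessionid', value: 'constructed' }] },
    response: { status: 200, cookies: [{ name: 'cookie_consent', value: 'analytics:1' }] } },
  { startedDateTime: '2026-01-15T10:00:12.500Z',
    request: { url: 'https://connect.facebook.net/en_US/fbevents.js', cookies: [] },
    response: { status: 200, cookies: [{ name: '_fbp', value: 'fb.1.constructed' }] } },
] } };
const CONSENT_CLICKED_AT = '2026-01-15T10:00:11.000Z'; // moment "Accept All" was clicked

function auditReport(har, consentClickedAt) {
  return {
    cookies: cookiesSetBeforeConsent(har, consentClickedAt),
    requests: trackerRequestsBeforeConsent(har, consentClickedAt),
  };
}

console.log(JSON.stringify(auditReport(SAMPLE_HAR, CONSENT_CLICKED_AT), null, 2));
```

For a real capture, note the wall-clock time at which you clicked the banner and pass it as `consentClickedAt`; anything the report lists was processed before a legal basis existed.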

Option 1: Purpose-Built Cookie Consent Platform (Recommended)

A dedicated platform like Cookie Banner handles the legal and technical complexity for you:

  • Automatic cookie detection and categorization
  • Script blocking until consent is received
  • Consent logging for compliance records
  • Customizable banner design matching your brand
  • Automatic updates when regulations change
  • React integration for modern web apps

Looking for alternatives to existing tools? See how we compare to Cookiebot.

Option 2: Custom Implementation

Building your own consent mechanism gives you full control but requires significant legal and technical expertise:

  • You must implement script blocking yourself
  • You must stay current with regulatory changes across all EU member states
  • You must maintain consent records
  • You must handle edge cases (consent migration, cookie scanning, etc.)

Option 3: Platform-Specific Plugins

WordPress, Shopify, and other platforms offer cookie consent plugins. These can work for basic compliance but often lack features like automatic script blocking or proper consent logging.

The technical core of GDPR cookie compliance is blocking non-essential cookies by default and only loading them after consent.

Implementation approaches:

Script wrapping (most common):

// Before: the tag loads immediately, before the visitor has seen the banner
// <script src="https://www.googletagmanager.com/gtag/js?id=GA_ID"></script>

// After: the tag is injected only once the visitor has opted into the
// "analytics" category. getCookieConsent() is the site's own lookup of the
// stored consent choice; it must return false when no choice has been made yet.
if (getCookieConsent('analytics')) {
  const script = document.createElement('script');
  script.src = 'https://www.googletagmanager.com/gtag/js?id=GA_ID';
  script.async = true;
  document.head.appendChild(script);
}

Tag Manager approach: Configure Google Tag Manager to use consent mode, firing tags only when the appropriate consent category has been granted.

Server-side approach: For applications using frameworks like Next.js, you can conditionally render tracking scripts based on cookie consent state, preventing them from ever reaching the client's browser without consent.

Your cookie policy must document:

  • Every cookie your website uses (name, purpose, duration, provider)
  • Categories of cookies and what each category does
  • Third parties that receive data through cookies
  • How to manage cookies through your banner and browser settings
  • User rights under GDPR (access, deletion, portability)
  • Contact information for your data protection officer or privacy contact
  • Date of last update so users know the information is current

Step 5: Test Your Implementation

Pre-launch testing checklist:

  • [ ] Cookie banner appears on first visit in incognito mode
  • [ ] No non-essential cookies load before consent (check DevTools Network tab)
  • [ ] "Accept All" loads cookies for all categories
  • [ ] "Reject All" sets only essential cookies
  • [ ] Individual category toggles work correctly
  • [ ] Consent is remembered across page navigations and sessions
  • [ ] "Cookie Settings" footer link reopens the banner
  • [ ] Banner is responsive on mobile devices
  • [ ] Banner is accessible (keyboard navigation, screen readers, ARIA labels)
  • [ ] Consent records are being logged with timestamps
  • [ ] Cookie policy is accurate and up to date

React and Next.js Applications

Modern JavaScript applications require careful cookie consent implementation because of client-side rendering and hydration. Third-party scripts can execute before your consent logic runs if not handled correctly.

We provide a dedicated React integration that handles:

  • Server-side rendering compatibility
  • Hydration-safe consent state management
  • Automatic script blocking at the component level
  • Consent-aware analytics hooks

WordPress Sites

WordPress sites typically load multiple plugins that set cookies. Audit all active plugins, themes, and embedded content to identify every cookie.

Single Page Applications (SPAs)

SPAs present unique challenges because traditional page-load consent checks do not apply. Consent must be checked before any tracking call, not just on initial page load but on every route change.

Healthcare and Regulated Industries

Websites in healthcare and other regulated sectors face additional requirements. Cookie data may constitute health data under GDPR Article 9 if it reveals information about a user's health condition based on the pages they visit.

See our healthcare solutions page for industry-specific guidance on cookie consent in medical and health-related contexts.


GDPR is not the only privacy law that governs cookies. Understanding how it compares to other regulations helps you build a consent solution that works globally.

GDPR vs CCPA/CPRA (California)

| Aspect | GDPR | CCPA/CPRA |
|--------|------|-----------|
| Consent model | Opt-in (prior consent) | Opt-out |
| Scope | EU/EEA residents | California residents |
| Cookie consent required | Yes, explicit | Not specifically for cookies |
| Right to delete | Yes | Yes |
| Fines | Up to 20M euros or 4% revenue | Up to $7,500 per violation |

GDPR vs PIPEDA (Canada)

Canada's PIPEDA is being modernized, but currently uses a less prescriptive approach to cookie consent than GDPR. However, Canadian websites targeting EU users must comply with GDPR.

GDPR vs LGPD (Brazil)

Brazil's LGPD is similar to GDPR in many respects, including requiring a legal basis for data processing. Cookie consent practices that satisfy GDPR generally satisfy LGPD.

GDPR vs UK GDPR

After Brexit, the UK adopted its own version of GDPR (UK GDPR) alongside the Privacy and Electronic Communications Regulations (PECR). The requirements for cookie consent are virtually identical to EU GDPR.

Bottom line: If you build your cookie consent for GDPR compliance, you will meet or exceed the requirements of most other privacy laws worldwide.


Use this checklist to verify your website meets all GDPR cookie consent requirements.

  • [ ] Consent is obtained before non-essential cookies are set
  • [ ] Consent is freely given with no penalty for declining
  • [ ] Consent is specific with granular category options
  • [ ] Consent is informed with clear purpose explanations
  • [ ] Consent is unambiguous through affirmative action
  • [ ] Consent is easy to withdraw via a persistent settings link

Technical Implementation

  • [ ] Non-essential scripts are blocked until consent
  • [ ] Essential cookies are correctly classified and documented
  • [ ] Cookie consent preferences persist across sessions
  • [ ] Consent records are logged with timestamps
  • [ ] Cookie banner loads on first visit
  • [ ] Rejected categories do not set any cookies
  • [ ] Previously set cookies are deleted on consent withdrawal
  • [ ] "Accept All" and "Reject All" buttons are equally prominent
  • [ ] Granular category preferences are accessible
  • [ ] Link to cookie/privacy policy is visible
  • [ ] Third-party data recipients are disclosed
  • [ ] Banner is mobile responsive
  • [ ] Banner meets WCAG AA accessibility standards
  • [ ] No dark patterns are used

Documentation

  • [ ] Cookie policy lists every cookie with name, purpose, and duration
  • [ ] Privacy policy addresses cookie usage
  • [ ] Data processing records include cookie-related processing
  • [ ] Regular cookie audits are scheduled (quarterly recommended)

Conclusion

GDPR cookie consent is a legal requirement that applies to virtually every website with EU visitors. The six core requirements -- freely given, specific, informed, unambiguous, prior, and withdrawable consent -- form the foundation of compliant cookie management.

The consequences of non-compliance are real and growing. Enforcement has expanded beyond big tech to small and medium businesses, and fines are increasing year over year. At the same time, implementing proper cookie consent has become easier with purpose-built tools that handle the legal and technical complexity.

Key takeaways:

  • Block cookies by default until explicit consent is received. This is the single most important technical requirement.
  • Provide equal options for accepting and rejecting. Dark patterns are a primary enforcement target.
  • Offer granular control at the category level, not all-or-nothing.
  • Maintain a withdrawal mechanism that is as easy as the initial consent.
  • Keep records of all consent events to demonstrate compliance.
  • Audit regularly to catch new cookies introduced by updated plugins, scripts, or third-party integrations.

Start with a free cookie scan to see where your website stands, then implement a compliant consent solution. For GDPR-ready cookie banners with automatic script blocking, consent logging, and full customization, create your free account.


Frequently Asked Questions

GDPR cookie consent is the legal requirement under the General Data Protection Regulation for websites to get explicit, informed permission from users before placing non-essential cookies on their devices. This includes analytics cookies (Google Analytics), marketing cookies (Facebook Pixel, Google Ads), and any other tracking technologies that process personal data. Unlike older "cookie notice" approaches, GDPR requires active opt-in -- not just informing users that cookies exist.

The six requirements are:

  1. Freely given -- users must have a genuine choice without negative consequences
  2. Specific -- consent must be granular, covering individual cookie categories
  3. Informed -- users must understand what they are consenting to
  4. Unambiguous -- consent requires a clear affirmative action (clicking, toggling)
  5. Prior -- consent must be obtained before non-essential cookies are set
  6. Withdrawable -- users must be able to revoke consent as easily as they gave it

Yes, if any of the following apply:

  • You have website visitors from the EU or EEA
  • You target or market to EU residents
  • You monitor the behavior of people in the EU
  • You offer goods or services (free or paid) to EU residents

GDPR applies based on where your users are, not where your business is headquartered. A company in the US, Canada, or anywhere else must comply if EU residents access their website.

What are essential cookies under GDPR?

Essential cookies (strictly necessary cookies) are those required for your website to function and for services the user explicitly requested. They are the only cookies exempt from GDPR consent requirements.

Examples of essential cookies:

  • Session cookies that maintain login state
  • Shopping cart cookies in e-commerce
  • CSRF security tokens
  • Load balancing identifiers
  • Cookie consent preference storage

Not essential (even though they feel important):

  • Analytics and performance monitoring
  • A/B testing
  • Social media widgets
  • Any form of advertising or tracking

Even essential cookies must be documented in your privacy/cookie policy.

GDPR (Europe) uses an opt-in model: cookies are blocked by default, and users must actively consent before they are set. It applies to all EU/EEA visitors and requires granular, category-level consent.

CCPA/CPRA (California) uses an opt-out model: cookies can be set by default, but users must have the ability to opt out of data selling/sharing. It applies to California residents and focuses on the right to say "Do Not Sell or Share My Personal Information."

GDPR is significantly stricter. If your website complies with GDPR, it will generally meet CCPA requirements as well, but not vice versa.

No, in almost all cases. Google Analytics (both Universal Analytics and GA4) sets cookies that track user behavior and process personal data, which requires consent under GDPR.

Limited exception: Google Analytics 4 configured with IP anonymization, restricted data processing, and consent mode may reduce your obligations, but this is a legally gray area. Several EU data protection authorities (notably Austria and France) have ruled that standard Google Analytics usage violates GDPR even with IP anonymization, because data is still transferred to Google's US servers.

Best practice: Always obtain consent before loading Google Analytics.

GDPR does not prescribe an exact duration, but the EDPB and national authorities provide guidance:

  • Industry standard: 12 months
  • Maximum recommended: 24 months
  • Re-consent triggers: Whenever your cookie usage changes materially, whenever new cookie categories are added, or when the consent text is significantly updated

After the storage period expires, you must ask for consent again.

It depends on their purpose, not their duration:

  • No consent needed: Session cookies that are strictly necessary (login sessions, shopping carts, CSRF tokens)
  • Consent required: Session cookies used for analytics, tracking, or advertising, even if they expire when the browser closes

The legal classification depends on what the cookie does, not how long it lasts.

GDPR penalties for cookie violations can reach:

  • Up to 20 million euros or 4% of annual global revenue, whichever is greater
  • Corrective orders requiring immediate changes to your cookie practices
  • Temporary or permanent bans on data processing

Recent notable fines:

  • Amazon: 746 million euros (2021)
  • Meta: 1.2 billion euros (2023)
  • TikTok: 345 million euros (2023)
  • Google France: 150 million euros (2022)
  • Microsoft France: 60 million euros (2022)

Small and medium businesses are also being fined, typically in the range of 5,000 to 100,000 euros.

Generally no. A cookie wall blocks access to a website unless users accept cookies, which violates the "freely given" consent requirement.

Limited exception: The EDPB acknowledges that cookie walls may be permissible if:

  • You offer a genuine, equivalent alternative to access content (such as a paid subscription)
  • The tracking is genuinely necessary for the content to exist (e.g., ad-supported free media)

In practice, most cookie walls are non-compliant. If you must use one, get specific legal advice for your jurisdiction.

Under GDPR, all non-essential cookies require consent before being placed on a user's device:

  • Analytics cookies -- Google Analytics, Hotjar, Mixpanel, etc.
  • Marketing/advertising cookies -- Facebook Pixel, Google Ads, LinkedIn tags, etc.
  • Functional cookies -- Language preferences, theme settings, recently viewed items
  • Third-party cookies -- Any cookies set by external services embedded on your site
  • Social media cookies -- Facebook, Twitter, Instagram widgets and share buttons

The only exception is strictly necessary cookies that are essential for the website to function as requested by the user.


Ready to make your website GDPR compliant? Start with a free cookie scan | Create your compliant cookie banner

