Cookie Banner Generator
Back to all articles
GDPR
Cookie Consent
Privacy Law
Europe
Compliance
13 min read

What Are GDPR Cookie Consent Requirements?

GDPR requires explicit opt-in consent for cookies in Europe. Websites must block tracking cookies until users actively accept them. Penalties can reach €20 million or 4% of revenue for non-compliance.

What Are GDPR Cookie Consent Requirements?

Direct Answer: GDPR (General Data Protection Regulation) requires explicit, informed consent before setting non-essential cookies on a user's device. This means websites must block tracking cookies (analytics, advertising) until users actively opt-in by clicking an "Accept" button. Consent must be freely given, specific to each cookie category, unambiguous, and easy to withdraw. Penalties for non-compliance can reach €20 million or 4% of global annual revenue.

Learn more about GDPR from the official EU website →

Table of Contents

What Is GDPR and Why Does It Matter for Cookies?

The General Data Protection Regulation (GDPR) is Europe's comprehensive privacy law that went into effect on May 25, 2018. If your website has visitors from the EU — even if you're based elsewhere — you need to comply with GDPR.

For cookies, GDPR is clear: You must get explicit, informed consent before setting non-essential cookies on a user's device.

The stakes are high:

  • Fines up to €20 million or 4% of global annual revenue (whichever is greater)
  • Companies like Google, Amazon, and Meta have faced hundreds of millions in GDPR fines
  • Even small businesses can be fined for non-compliance

Learn more about GDPR from the European Commission.

Yes. Users must have a genuine choice to accept or reject cookies. This means:

❌ NOT Allowed:

  • Pre-ticked consent boxes
  • Consent as a condition to access content (with some exceptions)
  • Making "Accept" easy but "Reject" difficult (dark patterns)
  • Bundled consent (forcing users to accept all cookies together)

✅ Allowed:

  • Clear "Accept" and "Reject" options
  • Granular choices (accept analytics but reject marketing)
  • Easy-to-find cookie settings

Example of Freely Given Consent:

We use cookies to improve your experience.

[Accept All]  [Reject All]  [Customize]

Yes. GDPR requires granular consent for different cookie categories. You can't bundle everything together.

Cookie Categories:

  • Strictly Necessary — No consent needed (security, authentication)
  • Functional — Preferences, language settings
  • Analytics — Google Analytics, Hotjar, tracking
  • Marketing/Advertising — Facebook Pixel, Google Ads, retargeting

Users must be able to accept some categories and reject others.

❌ Bad Example:

"We use cookies. [Accept All] [Learn More]"

✅ Good Example:

"We use cookies in 4 categories:

  • ☑ Strictly Necessary (always active)
  • ☐ Functional
  • ☐ Analytics
  • ☐ Marketing

[Save Preferences] [Accept All] [Reject Non-Essential]"

Yes. Users must understand what they're consenting to. This means you need to provide:

  • Clear explanation of what cookies do
  • Purpose of each cookie category
  • Who receives the data (third parties like Google, Facebook)
  • Link to full privacy/cookie policy
  • Data retention periods (how long cookies last)

Minimum Information Required:

  1. "We use cookies"
  2. "Here's what they do" (brief explanation)
  3. "Here's who we share data with" (third parties)
  4. "[Privacy Policy]" (link to full details)

Example:

"We use cookies to analyze our traffic (Google Analytics) and show you relevant ads (Facebook, Google Ads). We share this data with our advertising partners. [Privacy Policy]"

Yes. Implied consent is NOT valid under GDPR.

❌ Invalid Consent Methods:

  • "By continuing to browse, you consent to cookies"
  • Scrolling = consent
  • Silence = consent
  • Inactivity = consent

✅ Valid Consent Methods:

  • Clicking an "Accept" button
  • Checking an unchecked box
  • Toggling a switch to "on"

Clear affirmative action is required.

Yes. This is one of the most commonly violated rules. Your website MUST NOT set non-essential cookies until the user consents.

The Sequence:

  1. User lands on your page
  2. Cookie banner appears
  3. User clicks "Accept" or "Reject"
  4. Cookies load (or don't) based on choice

❌ Violation:

  • Loading Google Analytics before showing the banner
  • Setting marketing cookies, then asking for consent
  • Using "consent" to just inform, not prevent

✅ Compliance:

  • Block all tracking scripts until consent
  • Only load accepted cookie categories
  • Respect "Reject" choices

How to Test:

  1. Open your site in incognito mode
  2. Open browser DevTools → Network tab
  3. Reload the page
  4. Check if tracking requests (analytics, ads) fire before you click "Accept"

If they do, you're not compliant.

Yes. Users must be able to:

  • Change their cookie preferences anytime
  • Withdraw consent as easily as they gave it
  • Find cookie settings without hassle

Best Practices:

  • Add a "Cookie Settings" link in your footer
  • Make it one click to reopen preferences
  • Allow users to toggle categories on/off
  • Respect withdrawal immediately

Example Footer Link:

Footer:
About | Privacy Policy | [Cookie Settings] | Contact

No. These cookies are essential for your website to function and are exempt from GDPR consent requirements:

Examples:

  • Session management
  • User authentication (login status)
  • Security features (CSRF tokens)
  • Load balancing
  • Shopping cart functionality

Key point: If the cookie is truly necessary for the service the user requested, no consent is needed. But you must still disclose them in your privacy policy.

Yes, technically. These enhance user experience but aren't strictly necessary:

Examples:

  • Language preferences
  • Theme selection (dark mode)
  • Volume settings for media players
  • Recently viewed products

GDPR requirement: Technically requires consent, but less strictly enforced if genuinely functional.

Yes. These track user behavior and absolutely require consent:

Examples:

  • Google Analytics
  • Google Tag Manager
  • Hotjar
  • Microsoft Clarity
  • Mixpanel
  • Custom analytics

Exception: Some argue anonymized analytics with proper safeguards might not require consent, but this is risky. Best practice: Always get consent for analytics. See Google's guidance on consent mode.

Yes. These are used for targeting and retargeting and always require consent:

Examples:

  • Facebook Pixel
  • Google Ads conversion tracking
  • LinkedIn Insight Tag
  • Twitter Pixel
  • Retargeting pixels
  • Affiliate tracking cookies

No exceptions: These always require explicit consent.

Your cookie banner must include:

  1. Clear headline ("We use cookies")
  2. Brief explanation of cookie purposes
  3. Accept button (e.g., "Accept All")
  4. Reject button (e.g., "Reject All" or "Reject Non-Essential")
  5. Preferences/Customize button (e.g., "Cookie Settings")
  6. Link to privacy/cookie policy
  7. Information about third parties (if applicable)

What Are Visual Design Best Practices?

✅ Do:

  • Make "Accept" and "Reject" buttons equally prominent
  • Use clear, readable fonts (minimum 14px)
  • Ensure good color contrast (WCAG AA minimum)
  • Make it mobile-responsive
  • Ensure touch targets are at least 44x44px
  • Position it so it doesn't block critical content

❌ Don't:

  • Hide the "Reject" button or make it tiny
  • Use confusing language or double negatives
  • Make users scroll to find the reject option
  • Use pre-ticked boxes
  • Block access to the site completely (unless justified)

Generally no. Cookie walls block access to your website unless users accept cookies.

Example:

"You must accept cookies to access this site. [Accept] [Leave]"

GDPR says: Generally not allowed, unless:

  • You have a legitimate business model that requires consent
  • You offer an alternative way to access content (e.g., paid subscription)

Most cookie walls are non-compliant.

Can I Use "Accept or Leave" Patterns?

No. Only offering "Accept Cookies" or "Leave Site" options violates GDPR.

Why it's wrong: Consent must be freely given. If the only option is to accept or leave, that's not a real choice.

Fix: Add a "Reject All" or "Only Essential" button.

Can I Use Pre-Ticked Boxes?

No. Cookie consent checkboxes that are checked by default are not valid.

GDPR says: Consent must be an active opt-in, not opt-out. Boxes must be unchecked by default.

No. Setting Google Analytics, Facebook Pixel, or other tracking cookies before the user accepts them violates GDPR.

Why it's wrong: GDPR requires consent BEFORE cookies are set.

How to test: Open DevTools → Network tab. If you see tracking requests before clicking "Accept," you're violating GDPR.

Can I Bundle All Consents Together?

No. Forcing users to accept all cookies together violates GDPR.

GDPR says: Users must be able to accept specific categories and reject others. Granular consent is required.

No. Assuming continued browsing = consent is not valid.

GDPR says: This is NOT valid consent. Users must actively opt-in.

Can I Make Rejection Difficult?

No. Hiding the "Reject" button, requiring multiple clicks, or using confusing language violates GDPR.

GDPR says: Withdrawing consent must be as easy as giving it.

How Do I Audit My Cookies?

List all cookies your website uses:

  1. Open DevTools → Application → Cookies
  2. Visit your site and note every cookie
  3. Categorize each one (necessary, functional, analytics, marketing)
  4. Document the purpose, duration, and third parties involved

Option 1: Cookie Consent Platform

  • Use a tool like Cookie Banner Generator
  • Pros: Fast setup, guaranteed compliance, customizable
  • Cons: May require a small code snippet

Option 2: Build Custom

  • Write your own cookie banner
  • Pros: Full control
  • Cons: Requires legal + technical expertise

Option 3: WordPress/Shopify Plugin

  • Use platform-specific plugins
  • Pros: Easy installation
  • Cons: Often limited in free versions

Your consent solution must:

  1. Block non-essential cookies by default
  2. Only load accepted categories after consent
  3. Respect "Reject" choices

Example (JavaScript):

// Check if user has consented to analytics
if (getCookieConsent('analytics') === true) {
  loadGoogleAnalytics();
}

What Should I Include in My Privacy Policy?

Create a dedicated page that explains:

  • What cookies you use (by name and category)
  • Purpose of each cookie
  • Duration of each cookie
  • Third parties involved
  • How to manage/delete cookies
  • User rights under GDPR

How Do I Test My Implementation?

Test checklist:

  • [ ] Banner appears on first visit
  • [ ] No tracking cookies load before consent
  • [ ] "Accept All" loads all cookies
  • [ ] "Reject All" only loads essential cookies
  • [ ] Granular choices work correctly
  • [ ] Consent is remembered (cookie/localStorage)
  • [ ] Footer link reopens settings
  • [ ] Mobile responsive
  • [ ] Accessible (keyboard navigation, screen readers)

Don't risk GDPR fines. Use a proven, compliant cookie consent solution.

Cookie Banner Generator is designed specifically for GDPR compliance:

✅ Blocks cookies until consent ✅ Granular user choices ✅ Easy withdrawal of consent ✅ Fully customizable to match your brand ✅ Works on any website ✅ First 1,000 accounts free forever

Create your compliant cookie banner →

Conclusion / TL;DR

Key Takeaways:

  • GDPR requires explicit opt-in consent before setting non-essential cookies
  • Consent must be freely given, specific, informed, unambiguous, and easy to withdraw
  • Cookies must be blocked until consent is given — this is critical
  • Penalties can be severe — up to €20 million or 4% of revenue
  • Most businesses should use a specialized tool rather than building their own

Next Steps:

  1. Audit your current cookie setup
  2. Choose a GDPR-compliant cookie consent solution
  3. Block all tracking cookies until consent
  4. Update your privacy policy with detailed cookie information
  5. Test thoroughly to ensure compliance

Frequently Asked Questions

Do I need GDPR compliance if I'm not in Europe?

Yes, if you:

  • Have visitors from the EU
  • Target or monitor EU citizens
  • Offer goods/services to EU residents

GDPR applies based on where your users are, not where you're located.

What's the difference between GDPR and CCPA?

GDPR (Europe):

  • Requires opt-in consent before setting cookies
  • Applies to all EU visitors

CCPA (California):

  • Requires opt-out option (less strict)
  • Applies to California residents

GDPR is stricter. If you comply with GDPR, you'll generally be fine for CCPA.

No (with rare exceptions). Google Analytics collects personal data and requires consent under GDPR.

Exception: Google Analytics 4 with IP anonymization and strict settings might not require consent, but this is a gray area. Best practice: Get consent.

What if I only use strictly necessary cookies?

If you only use cookies that are essential for your site to function (authentication, security, shopping cart), you don't need a consent banner under GDPR.

But: You still need to disclose these cookies in your privacy policy.

GDPR doesn't specify an exact timeframe, but:

  • Common practice: 12 months
  • Recommended: Re-ask for consent if your cookie usage changes
  • Maximum: 24 months (conservative estimate)

After this period, ask for consent again.

No, if they're strictly necessary for the service the user requested (e.g., keeping them logged in, maintaining their shopping cart).

Yes, if they're used for analytics or tracking.

What's the penalty for non-compliance?

GDPR fines can be:

  • Up to €20 million
  • OR 4% of annual global revenue (whichever is greater)

Real examples:

  • Google: €50 million (2019)
  • Amazon: €746 million (2021)
  • Meta (Facebook): €265 million (2022)

Even small businesses have been fined tens of thousands of euros.

Generally no, unless:

  • You offer an alternative way to access content
  • Your business model genuinely requires tracking

Most cookie walls violate GDPR's "freely given consent" requirement.

Ready to make your website GDPR compliant? Get your free cookie banner →

Read more

What Is the PIPEDA Compliance Checklist for Canadian Websites?

PIPEDA compliance checklist for Canadian websites includes cookie consent, privacy policy, user rights, and security measures. Essential requirements for any business collecting personal data in Canada.

What Is Cookie Consent in Canada?

Cookie consent in Canada is required under PIPEDA, CASL, and Quebec's Law 25. Websites must obtain explicit opt-in consent before using tracking cookies for analytics or advertising. Penalties can reach $25 million for non-compliance.

How Do I Add a Cookie Banner to WordPress?

Add a GDPR and PIPEDA compliant cookie banner to WordPress in 10 minutes. Step-by-step guide with no coding required. Works with any WordPress theme.