Cookie consent laws: Compliance guide for website and app builders
What Matters
- EU ePrivacy Directive and GDPR together require explicit, opt-in consent before setting any non-essential cookie - analytics and advertising cookies are non-essential
- French CNIL fined Google 150 million euros and Facebook 60 million euros in January 2022 for making it harder to reject cookies than to accept them
- CCPA does not require opt-in consent for cookies, but it does require an opt-out mechanism for the sale or sharing of personal data collected via cookies
- UK PECR mirrors EU cookie rules post-Brexit and is enforced by the ICO - UK users need the same consent treatment as EU users
- Google Consent Mode v2 is required for EU advertisers running Google Ads - without it, conversion tracking breaks when users decline cookies
In January 2022, the French data protection authority - CNIL - dropped two fines that got the attention of every privacy team in Europe.
Google: 150 million euros. Facebook: 60 million euros.
The violations weren't about data breaches or selling user data without permission. They were about cookie banners. Specifically: both companies made it easy to click "Accept all cookies" and hard to click "Reject all." Google's reject button required two extra clicks. Facebook's required navigating through a separate settings menu.
CNIL called this a dark pattern. It said the design made consent less than freely given - which means it wasn't valid consent at all under GDPR.
Two hundred and ten million euros in fines for button placement. That's the world cookie consent compliance lives in now.
The CNIL fines weren't the last of their kind. The IAPP GDPR Enforcement Tracker shows that EU data protection authorities have issued thousands of enforcement decisions since GDPR took effect in 2018 - with cookie consent dark patterns a recurring target. In 2023, the Irish DPC issued a 1.2 billion euro fine against Meta for EU data transfer violations, the largest single GDPR penalty on record.
Who does this apply to?
Cookie consent laws don't care where your company is registered. They care about who visits your site.
EU ePrivacy Directive and GDPR apply if:
- You have visitors from EU member states - even occasionally
- You use any cookies that aren't strictly required for the site to function (analytics, advertising, A/B testing, chat widgets, embedded video, social sharing buttons)
- You use third-party scripts that set their own cookies (Google Analytics, Meta Pixel, Hotjar, Intercom, Stripe.js)
UK PECR applies if:
- You have UK visitors, even post-Brexit
- The UK ICO enforces the same rules as the EU on cookie consent - opt-in required for non-essential cookies
CCPA/CPRA applies if:
- You have California residents as users
- Your business meets at least one threshold: $25M+ annual gross revenue, personal data on 100,000+ California consumers, or 50%+ of annual revenue from selling consumer data
The practical answer: if your site uses Google Analytics, a Meta Pixel, a chat widget, or any third-party script, you need a cookie consent system. That covers most websites.
The law behind cookie consent
EU ePrivacy Directive - where cookie law started
The EU ePrivacy Directive (2002/58/EC, updated 2009) is the original cookie law. Article 5(3) says: before storing or accessing information on a user's device, you need the user's informed consent.
"Unless it's strictly necessary for delivering a service the user explicitly requested" is the only exemption. That's a narrow carve-out. Session management, shopping cart persistence, login state - those qualify. Google Analytics does not.
The Directive is enforced by national data protection authorities. France has CNIL. Germany has the DSK. Italy has the Garante. Each country has its own enforcement style, but the underlying rule is the same.
GDPR's consent standard
The ePrivacy Directive says you need consent. GDPR defines what valid consent looks like.
Under GDPR Article 7 and Recital 32, consent must be:
- Freely given - No coercion, no pre-ticked boxes, no cookie walls
- Specific - Separate consent for each distinct purpose (analytics vs. advertising vs. personalization)
- Informed - The user must know what they're consenting to and who's processing their data
- Unambiguous - A clear affirmative action. Silence, inactivity, and pre-ticked boxes don't count.
Consent must also be withdrawable. Users must be able to change their mind as easily as they gave consent.
CCPA cookie requirements
The California Consumer Privacy Act takes a different approach. It doesn't require opt-in consent for cookies by default. Instead, it requires:
- A "Do Not Sell or Share My Personal Information" link on your homepage
- Opt-out mechanisms for the sale or sharing of personal data collected via cookies
- Disclosure of what data you collect and how you use it (in your privacy policy)
If your site uses a Meta Pixel or Google Ads with remarketing, you're likely sharing personal data with third parties - which triggers the "sharing" definition under CCPA even without a formal sale.
CPRA (the 2023 update) expanded this to include "sharing" for cross-context behavioral advertising. A functional ad pixel now likely qualifies.
UK PECR
The Privacy and Electronic Communications Regulations mirror the EU ePrivacy Directive in UK law. Post-Brexit, the UK didn't change the cookie consent rules. The ICO enforces PECR and has made clear it expects the same opt-in standard as the EU.
UK users visiting your site need to be treated the same as EU users for cookie consent purposes.
What counts as a cookie (and what doesn't)
Consent rules apply to all storage mechanisms on a user's device - not just traditional HTTP cookies. This includes:
- HTTP cookies (session and persistent)
- localStorage and sessionStorage
- IndexedDB
- Service worker storage
- Browser fingerprinting (no storage required - but ePrivacy still applies)
- Pixel tracking and web beacons
Strictly necessary vs. non-essential
| Cookie Category | Examples | Needs Consent? |
|---|---|---|
| Strictly necessary | Session ID, shopping cart, login state, CSRF tokens, cookie consent choice itself | No - exempt under ePrivacy |
| Functional | Language preference, region selection, video player settings | Debated - some regulators say yes if not strictly necessary for core service |
| Analytics | Google Analytics, Mixpanel, Hotjar, Plausible (with cookies) | Yes - required in EU/UK |
| Marketing/Advertising | Meta Pixel, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel | Yes - required in EU/UK |
| Third-party social | Facebook Like buttons, Twitter share buttons, YouTube embeds | Yes - required in EU/UK |
| A/B testing | Optimizely, LaunchDarkly (with cookies), Google Optimize | Yes - required in EU/UK |
The strictly necessary exemption is intentionally narrow. If you can run your service without a cookie, it's probably not strictly necessary.
What a valid cookie banner requires
A cookie banner isn't just a legal checkbox. It's an interface that communicates something specific to users and records their choices. Here's what valid banners need:
Required elements:
- Clear description of what cookies you use and why
- Distinct categories for different cookie types (functional, analytics, marketing)
- An "Accept" option that enables non-essential cookies
- A "Reject" or "Decline" option that's equally prominent and easy to find
- A way to customize consent by category
- A way to access and withdraw consent later (usually via a persistent icon or link in the footer)
- A link to your full cookie policy and privacy policy
What makes a banner invalid:
- Pre-ticked boxes for optional categories
- "Reject" button that's smaller, grayed out, or harder to find than "Accept"
- Requiring extra clicks or steps to reject that aren't required to accept
- Bundling cookie consent with terms of service acceptance
- Cookie walls - blocking access unless the user accepts non-essential cookies
- No way to withdraw consent later
The CNIL decisions against Google and Facebook are the clearest enforcement examples. Both companies' banners made acceptance the path of least resistance. That's not valid consent - it's manufactured consent.
Cookie consent requirements table
| Requirement | What It Means for Your App | Penalty |
|---|---|---|
| Prior consent for non-essential cookies (EU/UK) | No analytics or marketing scripts load until user opts in | Up to 4% of global annual turnover or 20M euros under GDPR |
| Freely given consent (EU/UK) | No pre-ticked boxes, no cookie walls, reject as easy as accept | Fines - CNIL fined Google 150M euros for this specific pattern |
| Specific consent by purpose (EU/UK) | Separate on/off for analytics, marketing, personalization | Invalid consent = same as no consent |
| Withdrawable consent (EU/UK) | Easy way to change cookie preferences at any time | Must be honored immediately, not at next session |
| Do Not Sell/Share link (California) | Prominent homepage link for opt-out of data sharing | CPRA fines up to $7,500 per intentional violation |
| Consent records (EU/UK) | Proof you collected valid consent, with timestamps | Required for GDPR accountability - no records = no defense |
| Cookie policy disclosure (all) | What cookies, what purpose, who sets them, retention period | Required in privacy policy for GDPR and CCPA |
"The most common mistake we see is teams loading Google Analytics and the Meta Pixel unconditionally in the <head>, then adding a consent banner as a UI layer on top. By the time the banner renders, both scripts have already fired and set cookies. That's a GDPR violation on every single page load. The consent logic has to block script execution, not just show a notification."
- 1Raft Engineering Team
Architecture implications
Cookie consent isn't a banner you bolt on at the end. It needs to be wired into how your application loads scripts.
Consent-first script loading
The wrong approach: load all third-party scripts in <head>, show a banner, and hope users accept.
This is a GDPR violation. The scripts fire before consent is given. Google Analytics, Meta Pixel, and most ad scripts set cookies immediately on load - before any user interaction.
The right approach: block all non-essential scripts until consent is recorded. Your tag management layer (Google Tag Manager, for example) should be configured so that each tag fires only when the corresponding consent signal is present.
Implementation pattern:
- Load only strictly necessary scripts on page load
- Load the cookie consent platform (OneTrust, Cookiebot, Osano) - these are necessary to collect consent
- When the user makes a choice, fire an event with their consent categories
- Your tag manager listens for that event and enables the corresponding tags
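A minimal consent gate for the pattern above, as an added example that is not from the original article or any consent platform: non-essential scripts stay inert as `<script type="text/plain" data-consent="...">` placeholders until a recorded choice grants their category. The `cookie_consent` cookie name, the `data-consent` attribute and the record shape are this example's own assumptions.

```javascript
// Added example, not from the original article: a consent gate that keeps
// non-essential scripts inert until a recorded opt-in exists. Assumed conventions:
// blocked scripts are embedded as <script type="text/plain" data-consent="analytics">
// and the choice is stored in a cookie named "cookie_consent".
const CONSENT_COOKIE = 'cookie_consent';
const CATEGORIES = ['analytics', 'marketing', 'functional'];

// Default state: nothing recorded, every optional category denied.
function defaultConsent() {
  return { recorded: false, analytics: false, marketing: false, functional: false };
}

// Parse the consent cookie from a Cookie header string (works server-side for SSR
// and with document.cookie in the browser). Missing or malformed = no consent.
function readConsent(cookieHeader) {
  const consent = defaultConsent();
  for (const part of (cookieHeader || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join('=')));
      for (const c of CATEGORIES) consent[c] = stored[c] === true;
      consent.recorded = true;
    } catch (e) { /* corrupt cookie: fall through with everything denied */ }
  }
  return consent;
}

// Strictly necessary scripts always load; anything else needs its category granted.
function mayLoad(category, consent) {
  if (!category || category === 'necessary') return true;
  return consent.recorded && consent[category] === true;
}

// The record GDPR accountability needs: what was chosen, when, under which policy
// version. The caller persists it (consent cookie plus a server-side log).
function buildConsentRecord(choices, policyVersion, now = new Date()) {
  const record = { policyVersion, timestamp: now.toISOString() };
  for (const c of CATEGORIES) record[c] = choices[c] === true;
  return record;
}

// Browser only: swap inert placeholders for real <script> elements in granted categories.
function activateScripts(doc, consent) {
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!mayLoad(el.dataset.consent, consent)) continue;
    const live = doc.createElement('script');
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live); // inserting a real script element is what executes it
    activated++;
  }
  return activated;
}
```

Because `readConsent` takes a raw Cookie header, the same function serves an SSR render path that must decide which scripts to emit before the page reaches the browser.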
Google Consent Mode v2
Google Consent Mode v2 became required for EU advertisers in March 2024. Here's what it does:
When a user declines cookies, Consent Mode allows Google's tags to fire in a limited "cookieless" mode. No individual tracking happens - instead, Google receives anonymized signals it uses to model conversions across users who declined.
Without Consent Mode v2:
- User declines cookies
- Google Ads tag is blocked
- Conversion event is lost entirely
- Your campaign optimization data degrades
With Consent Mode v2:
- User declines cookies
- Google tag fires in cookieless mode
- Conversion is modeled (not tracked individually)
- Campaign optimization continues with modeled data
If you run Google Ads and have EU traffic, you need Consent Mode v2 integrated with your consent platform. The two signals it uses are ad_storage (for ad cookies) and analytics_storage (for analytics cookies).
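How the consent platform hands those signals to Google's tags, as an added example that is not from the original article or from Google: defaults are declared as denied before any tag loads, then updated once the banner choice is known. `gtag()`, `dataLayer`, `wait_for_update` and the signal names follow Google's documented Consent Mode API; the `{analytics, marketing}` consent object is this example's own convention, and a plain array stands in for `window.dataLayer` so the block also runs outside a browser. Besides the two signals named above, the block sets `ad_user_data` and `ad_personalization`, the two signals Consent Mode v2 added for Google Ads.

```javascript
// Added example, not from the original article: mapping banner categories to
// Google Consent Mode v2 signals. Outside a browser, a local array replaces
// window.dataLayer so the functions below can run and be checked stand-alone.
const dataLayer = (typeof window !== 'undefined' && (window.dataLayer = window.dataLayer || [])) || [];
function gtag() { dataLayer.push(arguments); }

// Before any Google tag loads: declare everything denied. wait_for_update gives
// the consent platform a window (ms) to push the stored choice before tags fire.
function setConsentDefaults(waitMs = 500) {
  const defaults = {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',        // added in Consent Mode v2
    ad_personalization: 'denied',  // added in Consent Mode v2
    wait_for_update: waitMs,
  };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Translate the banner's category choice ({analytics, marketing}, this example's
// convention) into the signals. Analytics consent drives analytics_storage; the
// three ad signals all follow the marketing category.
function consentModeSignals(consent) {
  const state = (ok) => (ok === true ? 'granted' : 'denied');
  return {
    analytics_storage: state(consent.analytics),
    ad_storage: state(consent.marketing),
    ad_user_data: state(consent.marketing),
    ad_personalization: state(consent.marketing),
  };
}

// Called when the user makes or changes a choice. With everything denied the
// Google tag still fires in cookieless mode, which is what makes modeling possible.
function updateConsentMode(consent) {
  const signals = consentModeSignals(consent);
  gtag('consent', 'update', signals);
  return signals;
}

// The most recent consent command on the queue, as a tag manager would read it.
function lastConsentCommand() {
  const entry = dataLayer[dataLayer.length - 1];
  return entry && entry[0] === 'consent' ? { action: entry[1], params: entry[2] } : null;
}
```

Call `setConsentDefaults()` in the `<head>` before the Google tag snippet, and `updateConsentMode()` from the consent platform's change callback, including on later withdrawals.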
Server-side tracking
Server-side tracking is becoming a practical alternative to browser-based cookie consent for some use cases.
Instead of loading client-side pixels (Meta Pixel, Google Analytics) that set cookies in the browser, server-side tracking sends event data from your server directly to the advertising platform's API.
What this changes for consent:
- Fewer cookies in the browser = simpler consent UI
- Better data quality (ad blockers can't block server-side events)
- More control over what data is sent to third parties
What it doesn't change:
- GDPR still applies to processing personal data - server-side tracking is processing
- You still need a lawful basis (consent or legitimate interest, depending on the use case)
- You still need to disclose it in your privacy policy
Server-side tracking reduces your cookie surface area but doesn't eliminate compliance obligations.
Consent platform options
You don't need to build cookie consent from scratch. Several platforms handle the banner UI, consent storage, and tag manager integration:
| Platform | Best For | Consent Mode v2 | Pricing |
|---|---|---|---|
| OneTrust | Enterprise, complex multi-region requirements | Yes | $5,000+/year |
| Cookiebot | Mid-market, auto-scans for cookies | Yes | $10-$30/month |
| Osano | Startups, simple setup | Yes | $199/month |
| Axeptio | EU-focused, strong CNIL compliance | Yes | $50-$100/month |
All four support Consent Mode v2 integration with Google Tag Manager. OneTrust is overkill for most small-to-mid businesses. Cookiebot and Osano cover 90% of use cases at a fraction of the cost.
Questions to ask your development partner
- How do you block non-essential scripts before consent is given? The answer should describe a tag management setup where scripts fire based on consent signals - not a banner that appears after scripts have already loaded.
- Have you implemented Google Consent Mode v2? If they haven't heard of it, that's a red flag for any team working on EU-facing sites that run Google Ads. It became a hard requirement in March 2024.
- How do you handle consent for server-rendered pages vs. SPAs? Server-rendered pages and single-page apps handle cookie consent differently. SSR pages need to read the consent cookie server-side to avoid loading blocked scripts during render. SPAs need to handle consent state reactively. Ask how they approach both.
- How do you store and log consent records? GDPR requires you to prove you collected valid consent. That means timestamps, what the user was shown, what they chose, and which version of your cookie policy was in force. Ask how they record this.
- How do you handle consent for third-party embeds? YouTube videos, Google Maps, Calendly widgets - all of these load third-party scripts and set cookies. Some teams miss these because they focus on the explicit tracking scripts and forget about embedded content.
- Can you scan our site and list every cookie currently being set? Any competent team should be able to run a cookie audit before building the consent system. You can't get consent for cookies you don't know exist.
- How do you handle consent for returning users who haven't been prompted yet? Your existing users never saw a consent banner. How you handle the first-time prompt for returning users (without clearing their session) is an implementation detail that trips many teams.
Cookie consent compliance checklist
Consent collection:
- Consent is collected before any non-essential script fires
- Consent banner has equal prominence for "Accept" and "Reject" options
- No pre-ticked boxes for optional cookie categories
- Consent is collected by category (analytics separate from marketing)
- Cookie policy link is accessible from the banner
- No cookie wall blocking access to content
Consent management:
- Users can withdraw or change consent at any time via a persistent link or icon
- Withdrawing consent stops the relevant cookies immediately
- Consent records are stored with timestamps and version of policy shown
- Consent records are retained for as long as necessary to demonstrate compliance
Technical implementation:
- Tag manager is configured so tags fire only with corresponding consent signals
- Google Consent Mode v2 is implemented for Google Ads and Analytics (if running EU campaigns)
- Cookie audit has been run - all cookies on the site are identified and categorized
- Third-party embeds (YouTube, Maps, widgets) are covered by the consent system
- Cookie policy lists all cookies, their purpose, who sets them, and retention periods
CCPA (California):
- "Do Not Sell or Share My Personal Information" link is on the homepage
- Opt-out mechanism works and is honored promptly
- Privacy policy discloses what data is collected and shared
- No financial incentive for accepting data collection without CCPA-compliant disclosure
Ongoing:
- Cookie audit is repeated when new tools or scripts are added
- Consent banner is updated when cookie practices change
- Consent is re-requested when material changes are made to cookie use
- Banner design is reviewed against current regulator guidance annually
The CNIL fines are the most visible example, but they're not the last. Regulators across the EU are running cookie consent enforcement campaigns. The Irish DPC, German DSK, and Italian Garante have all issued enforcement actions in the past 24 months. If your banner looks like it was designed to maximize acceptance rather than enable free choice, you've already built something that won't survive scrutiny.
The engineering cost to do this right is low. An afternoon to configure a consent platform properly, another day to wire up Consent Mode v2 and test script blocking. The fine for getting it wrong is not low at all.