If you operate a website that targets EU users, your cookie consent mechanism is effectively a contract between you and every visitor. Get it wrong, and you face fines under the GDPR of up to 4% of global annual revenue — and regulators are actively enforcing. Many businesses rely on third-party consent management platforms (CMPs) without understanding that the legal responsibility remains with them. A non-compliant cookie banner doesn't just risk fines — it can invalidate all the data you've collected through it.
What is GDPR cookie consent compliance?
A cookie consent agreement is the mechanism by which a website obtains legally valid consent from users before placing non-essential cookies or similar tracking technologies on their devices. In the EU, this is governed by two overlapping legal instruments: the ePrivacy Directive (2002/58/EC, often called the 'Cookie Directive') and the GDPR. The ePrivacy Directive requires consent for storing cookies, while the GDPR defines what constitutes valid consent. Together, they require that consent be freely given, specific, informed, and unambiguous — and that users can withdraw consent as easily as they give it.
Red flags to watch for
The CJEU ruled in Planet49 (C-673/17) that pre-ticked boxes do not constitute valid consent. Implied consent from continued browsing is equally invalid under GDPR.
The French CNIL and other regulators have ruled that refusing cookies must be as easy as accepting them. A prominent 'Accept All' button paired with a buried reject option is non-compliant.
The ePrivacy Directive requires consent for non-essential cookies regardless of GDPR legal basis. You cannot use 'legitimate interest' to bypass the consent requirement for tracking cookies.
Making website access conditional on accepting cookies is generally considered to undermine the 'freely given' requirement of GDPR consent, as confirmed by the EDPB.
GDPR Article 7(3) requires that withdrawing consent must be as easy as giving it. If your CMP has no persistent way for users to change their preferences, consent is invalid.
Your legal rights
The ePrivacy Directive (2002/58/EC) Article 5(3) requires prior consent for storing cookies or accessing information on a user's device, with exceptions only for strictly necessary cookies. The GDPR (Regulation 2016/679) defines valid consent in Article 4(11) and sets conditions in Article 7. The CJEU's Planet49 decision (2019) clarified that consent must be active (no pre-ticked boxes) and specifically informed about each purpose. Enforcement is national — the CNIL (France) has issued fines of €150 million to Google and €60 million to Facebook for non-compliant cookie banners. The EDPB has published guidelines on consent (05/2020) providing detailed guidance on what constitutes valid consent across all EU member states.
Questions to ask before you sign
1. Does the consent banner give equal prominence to 'Accept' and 'Reject' options?
2. Are cookies actually blocked until consent is given, or do they fire before the user interacts?
3. Can users withdraw consent as easily as they gave it?
4. Is the consent management platform we use actually compliant — has it been audited?
5. Are we relying on 'legitimate interest' for any non-essential cookies?
6. Do we have records of consent that would satisfy a regulator's audit?
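Questions 2, 3 and 6 are the ones an engineer can verify in code rather than in a policy document. The following is an added example, written for this guide and not taken from it or from any consent management product, of the gating logic those questions describe: tagged scripts are held back until an explicit per-purpose opt-in, a stale or missing record counts as no consent, 'reject all' and withdrawal are single calls just like 'accept all', and every decision is stored with a timestamp, version and source for audit. The purposes ('analytics', 'marketing'), the storage and script-loader hooks, and the script URLs are all assumptions chosen so the code runs offline in Node; in a browser the hooks would wrap `document.cookie`/`localStorage` and `<script>` insertion.

```javascript
// Added example (not from the original guide): a minimal consent gate that keeps
// non-essential scripts from running until the user has actively opted in, per
// purpose, and records each decision for audit. Storage and script loading are
// injected so the same logic runs in a browser or in Node for testing.

const CONSENT_VERSION = 2;                    // bump when purposes or policy text change
const PURPOSES = ["analytics", "marketing"];  // assumed purposes; strictly necessary cookies are not gated
const RECORD_KEY = "consent";

class ConsentManager {
  constructor({ storage, loadScript, now = () => new Date() }) {
    this.storage = storage;       // { get(key) -> string|null, set(key, value), remove(key) }
    this.loadScript = loadScript; // (src) => void; only ever called after consent exists
    this.now = now;
    this.pending = new Map();     // purpose -> [src, ...] held back until consent
    this.loaded = new Set();
  }

  // The current decision, or null when there is none or it predates the current version.
  record() {
    const raw = this.storage.get(RECORD_KEY);
    if (!raw) return null;
    const rec = JSON.parse(raw);
    return rec.version === CONSENT_VERSION ? rec : null;
  }

  // Only an explicit, current "true" counts. No record, a stale record, or
  // continued browsing all mean "not granted" (Planet49: no implied consent).
  isGranted(purpose) {
    const rec = this.record();
    return rec !== null && rec.choices[purpose] === true;
  }

  // Register a third-party script under a purpose. It loads now only if that
  // purpose is already granted; otherwise it is queued, not fired.
  register(purpose, src) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (this.isGranted(purpose)) return this.load(src);
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(src);
  }

  // Store an explicit decision. Every purpose gets a value; anything the user
  // did not opt into is recorded as false, never defaulted to true.
  decide(choices, source) {
    const full = {};
    for (const p of PURPOSES) full[p] = choices[p] === true;
    const rec = { version: CONSENT_VERSION, timestamp: this.now().toISOString(), source, choices: full };
    this.storage.set(RECORD_KEY, JSON.stringify(rec));
    for (const p of PURPOSES) {
      if (!full[p]) continue;
      for (const src of this.pending.get(p) || []) this.load(src);
      this.pending.delete(p);
    }
    return rec;
  }

  // "Accept all" and "Reject all" are deliberately symmetric: one call each,
  // so the UI can wire them to two equally prominent buttons.
  acceptAll(source = "banner") {
    return this.decide(Object.fromEntries(PURPOSES.map((p) => [p, true])), source);
  }
  rejectAll(source = "banner") {
    return this.decide({}, source);
  }

  // Withdrawal is the same single step as granting (Art. 7(3)) and also clears the
  // cookies that purpose set. A tag already running keeps running until the next
  // page load, so the caller should reload or stop the tag itself.
  withdraw(purpose, cookiesToClear = []) {
    const current = this.record();
    const choices = current ? { ...current.choices } : {};
    choices[purpose] = false;
    for (const name of cookiesToClear) this.storage.remove(name);
    return this.decide(choices, "preferences-panel");
  }

  load(src) {
    if (this.loaded.has(src)) return;
    this.loaded.add(src);
    this.loadScript(src);
  }
}

// In-memory adapter standing in for document.cookie / localStorage during tests.
function memoryStorage() {
  const store = new Map();
  return {
    get: (k) => (store.has(k) ? store.get(k) : null),
    set: (k, v) => store.set(k, v),
    remove: (k) => store.delete(k),
    keys: () => [...store.keys()],
  };
}

// Walks through the lifecycle with constructed script URLs and returns what happened.
function runScenario() {
  const storage = memoryStorage();
  const loaded = [];
  const cm = new ConsentManager({ storage, loadScript: (src) => loaded.push(src),
                                  now: () => new Date("2024-01-01T00:00:00Z") });
  // A record from an older policy version must not be treated as consent.
  storage.set(RECORD_KEY, JSON.stringify({ version: 1, choices: { analytics: true, marketing: true } }));
  const staleIgnored = !cm.isGranted("analytics");
  cm.register("analytics", "https://cdn.example.invalid/analytics.js");  // constructed URL
  cm.register("marketing", "https://cdn.example.invalid/pixel.js");      // constructed URL
  const beforeChoice = loaded.length;              // 0: nothing fires before a choice
  cm.decide({ analytics: true }, "banner");        // user ticked analytics only
  const afterChoice = [...loaded];
  storage.set("_ga", "GA1.2.123");                 // pretend the analytics tag set its cookie
  const rec = cm.withdraw("analytics", ["_ga"]);
  return { staleIgnored, beforeChoice, afterChoice,
           analyticsAfterWithdraw: cm.isGranted("analytics"),
           marketingEverGranted: cm.isGranted("marketing"),
           cookieCleared: !storage.keys().includes("_ga"),
           recordSource: rec.source, recordTimestamp: rec.timestamp };
}

if (typeof require !== "undefined" && require.main === module) console.log(runScenario());
```

The stored record is what answers question 6: a regulator asking when, how and to what a visitor consented can be answered from `version`, `timestamp`, `source` and `choices` rather than from the banner's appearance at the time. Note that the gate only controls scripts routed through `register`; any tag added to the page outside it fires regardless, which is exactly the failure question 2 is asking about.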
Disclaimer: This guide is for educational purposes only and does not constitute legal advice. Contract law varies by jurisdiction and individual circumstances. Always consult a qualified legal professional before making decisions based on this information.