Most cookie consent violations follow a pattern. The same handful of mistakes appear in enforcement action after enforcement action, whether the regulator is the French CNIL, the UK's ICO, or Sweden's IMY. The good news: every one of these mistakes is fixable, usually in less than a day.

The CNIL issued fines totalling nearly 487 million euros in 2025, with cookie violations among its top priorities. The ICO audited the UK's top 1,000 websites and found 134 of the first 200 reviewed were non-compliant. If your site has not been checked recently, the list below is a good starting point.

1. Loading Cookies Before Consent

This is the single most common violation. A visitor lands on a page and - before they have touched the cookie banner - analytics, advertising, and social media cookies are already active. Under Article 5(3) of the ePrivacy Directive, non-essential cookies may not be stored or read on a user's device until that user has given informed consent.

The CNIL fined SHEIN 150 million euros in September 2025 partly because advertising cookies fired the moment a visitor opened the homepage, before the banner even appeared. American Express received a 1.5 million euro CNIL fine in November 2025 for the same issue. It does not matter how quickly the banner appears; if scripts execute before the user clicks, the site is non-compliant.

How to fix it: Use a tag-blocking mechanism that prevents non-essential cookies from loading until consent is recorded. If you use Google Tag Manager, configure triggers to fire tags only after consent. Test in an incognito window: open the Application tab in DevTools and check the cookie store before touching the banner.

2. Making Rejection Harder than Acceptance

A large, brightly coloured "Accept All" button paired with a faint text link reading "Manage Preferences" is one of the most commonly flagged dark patterns in cookie consent. Regulators consider this a form of manipulation because it steers users toward accepting cookies rather than offering a genuine choice.

Sweden's IMY issued formal warnings in 2025 to ATG and Warner Music Sweden for this design. The ICO's cookie audit focused on whether both buttons were equally prominent. The CNIL has repeatedly stated that the refusal option must carry the same visual weight as acceptance.

Design element     | Non-compliant                                      | Compliant
Reject button      | Hidden on a second screen or styled as a text link | Same size, colour, and position as Accept
Button labels      | "Accept All" vs. "Manage settings"                 | "Accept All" vs. "Reject All"
Clicks to reject   | Two or more clicks                                 | One click on the first layer
Pre-ticked toggles | Analytics and marketing enabled by default         | All non-essential categories off by default

How to fix it: Place a clear "Reject All" button on the first layer of the banner. Give it the same styling as "Accept All". The one-click reject approach is now effectively required across the EU and UK.

3. Using Pre-ticked Consent Boxes

The Court of Justice of the European Union settled this question in its 2019 Planet49 ruling: pre-ticked checkboxes do not constitute valid GDPR consent. Consent must be given by a clear affirmative act, and a box that is already ticked requires the user to opt out rather than opt in.

Enforcement actions in 2025 still cited pre-enabled toggles as a violation. Some consent management platforms default to having analytics categories toggled on. If your CMP does this, you are collecting invalid consent from every visitor who does not manually switch those toggles off.

How to fix it: Audit the default state of every toggle in your consent interface. Only the strictly necessary category should be active by default. All other categories must start in the "off" position.

4. Ignoring Consent Withdrawal

Giving users a way to accept cookies is only half the requirement. GDPR Article 7(3) states that withdrawing consent must be as easy as giving it. Many websites let visitors accept cookies on their first visit but provide no obvious way to change that decision later.

The American Express CNIL fine highlighted this: even after a user withdrew consent, previously placed cookies continued to be read. Withdrawal must stop the reading of cookies, not just record a preference change.

How to fix it: Add a persistent link or small floating icon that lets visitors reopen the consent interface at any time. When a user withdraws consent, your CMP should delete or block the relevant cookies immediately - not on the next page load, not on the next visit.
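The two mechanics described in points 1 and 4, gating tags until consent is recorded and expiring cookies the moment consent is withdrawn, are illustrated below. This is an added example, not Kukie.io's code or any CMP's API; the category names, the tag inventory, the consent cookie name and the domain are constructed for illustration.

```javascript
// Added example (not Kukie.io's code or a CMP API): a minimal consent gate that
// (a) refuses to run non-essential tags until a recorded consent allows them and
// (b) lists the cookies that must be expired as soon as a category is withdrawn.
// Category names, tag inventory, cookie name and domain are constructed.

const CONSENT_COOKIE = "cookie_consent"; // assumed name of the consent record

// Constructed tag inventory: each tag declares the consent category it needs
// and the first-party cookies it is known to set.
const TAGS = [
  { id: "session",   category: "necessary", cookies: ["sid"] },
  { id: "analytics", category: "analytics", cookies: ["_ga", "_ga_ABC123"] },
  { id: "ads-pixel", category: "marketing", cookies: ["_fbp", "ads_id"] },
];

// Default state: only strictly necessary is on. No pre-ticked toggles.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Parse the consent record out of a document.cookie-style string. An absent,
// malformed or tampered record falls back to the default, so the gate can
// never read "no record" as consent. Necessary is always forced on.
function parseConsent(cookieString) {
  const pairs = (cookieString || "").split(";").map((s) => s.trim()).filter(Boolean);
  for (const pair of pairs) {
    const eq = pair.indexOf("=");
    if (eq < 0 || pair.slice(0, eq) !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(pair.slice(eq + 1)));
      if (typeof stored !== "object" || stored === null) return defaultConsent();
      const out = defaultConsent();
      for (const cat of Object.keys(out)) {
        if (cat !== "necessary") out[cat] = stored[cat] === true;
      }
      return out;
    } catch {
      return defaultConsent();
    }
  }
  return defaultConsent();
}

// Tag ids that may execute under the given consent state.
function allowedTags(consent, tags = TAGS) {
  return tags.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Browser glue: inject only scripts whose tag is allowed. Scripts for other tags
// are never added to the DOM, so they cannot set cookies before consent.
function injectAllowed(doc, consent, scripts) {
  const allowed = new Set(allowedTags(consent));
  for (const s of scripts) {
    if (!allowed.has(s.tag)) continue;
    const el = doc.createElement("script");
    el.src = s.src;
    el.async = true;
    doc.head.appendChild(el);
  }
}

// Build the new consent state from a withdrawal request (categories to turn off).
function withdraw(consent, categories) {
  const next = { ...consent, necessary: true };
  for (const cat of categories) if (cat !== "necessary") next[cat] = false;
  return next;
}

// Withdrawal: compare old and new consent and return a Set-Cookie string with an
// epoch expiry for every cookie whose category was switched off. Write each one
// to document.cookie immediately, not on the next page load. Path and Domain must
// match what the cookie was originally set with or the browser keeps it
// (the domain here is an assumption).
function cookiesToExpire(oldConsent, newConsent, tags = TAGS, domain = ".example.com") {
  const out = [];
  for (const t of tags) {
    if (oldConsent[t.category] === true && newConsent[t.category] !== true) {
      for (const name of t.cookies) {
        out.push(`${name}=; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=${domain}; SameSite=Lax`);
      }
    }
  }
  return out;
}
```

One caveat a cookie audit will surface: first-party script can only expire cookies on its own domain. Cookies a third-party script set on its own domain are out of reach, so for those the only effective withdrawal is to stop loading the tag, which is what the gate above does on the next render.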

5. Vague or Missing Cookie Information

A banner that says "This site uses cookies to improve your experience" without specifying which cookies, what they do, and who sets them fails the GDPR's transparency requirements. Consent is only valid if it is informed, and that means giving visitors enough detail to make a real decision.

Regulators expect the first layer of a cookie banner to identify the main purposes (analytics, advertising, functional) at a minimum. A second layer should list individual cookies, their provider, purpose, and duration. The CNIL requires that purposes, retention periods, and third-party involvement be signposted on the first layer.

How to fix it: Write a proper cookie policy that lists each cookie by name, purpose, provider, and duration. Link to it from the banner. Use clear language, not legal jargon. Running a cookie scanner regularly helps keep this information accurate as your site changes.

6. Failing to Re-scan for New Cookies

Websites are not static. Every plugin update, analytics tool addition, or new marketing script can introduce cookies that were not present during the original audit. A site that was compliant six months ago might now set cookies it has not disclosed or categorised.

Scheduled cookie scans catch these additions before a regulator does.

How to fix it: Schedule automated scans at least monthly. Review scan results against your cookie policy and banner categories. Any new cookie should be classified and disclosed before it goes live.

7. Treating All Jurisdictions the Same

A single banner configuration does not satisfy every privacy law. The GDPR requires opt-in consent. The CCPA/CPRA requires an opt-out mechanism and a "Do Not Sell or Share" link. Brazil's LGPD follows an opt-in model but also recognises legitimate interest. Canada's PIPEDA permits implied consent only for low-risk, well-explained purposes.

By 2026, more than twenty US states have privacy laws with different rules around sensitive data and Global Privacy Control recognition. A banner built for the GDPR will not satisfy California, and one built for the CCPA will fall short in the EU.

How to fix it: Use geo-detection to serve the correct consent model based on visitor location. Show opt-in banners to EU and UK visitors, opt-out mechanisms to US visitors, and tailor the experience for Brazil, Canada, and other regions as needed. Kukie.io's geo-detection feature handles this automatically based on the visitor's IP address.

8. Not Honouring Browser Privacy Signals

Several US state laws now require websites to honour the Global Privacy Control (GPC) signal. California's CPRA treats a GPC signal as a valid opt-out request. Colorado and Connecticut have similar requirements. Ignoring the signal is the equivalent of ignoring a written opt-out request from a consumer.

Browser-based signals are gaining traction beyond the US. The European Commission's proposed changes to cookie consent rules include provisions for machine-readable consent signals that could let browsers communicate preferences automatically.

How to fix it: Check whether your CMP detects and respects GPC signals. If a visitor's browser sends a GPC signal, your site should treat it as an opt-out of sale or sharing of personal information. Test using a browser extension that sends GPC headers and verify that your site responds correctly.
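The GPC check described above, written out as an added example (not Kukie.io's code). Browsers expose the signal as `navigator.globalPrivacyControl === true` and send it as the request header `Sec-GPC: 1`; the GPC specification also defines a `/.well-known/gpc.json` file a site can publish to state that it honours the signal. The region codes, the region list (taken from the states named in the text) and the `sale_share` purpose name are constructed for illustration.

```javascript
// Added example (not Kukie.io's code): detecting a Global Privacy Control signal
// on both sides of the request and applying it as an opt-out of sale/sharing.
// Region codes, the region list and the consent-state shape are constructed.

// States the article names as requiring GPC to be honoured (illustrative list).
const REGIONS_REQUIRING_GPC = new Set(["US-CA", "US-CO", "US-CT"]);

// Server side: Node lower-cases incoming header names. Only the literal "1"
// counts as a signal; absent, "0" or "true" do not.
function gpcFromHeaders(headers) {
  const raw = headers ? headers["sec-gpc"] : undefined;
  return String(raw ?? "").trim() === "1";
}

// Client side: supporting browsers expose a boolean on navigator.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// Decide how the signal changes the visitor's consent state. GPC is treated as
// an opt-out of sale/sharing, i.e. the "sale_share" purpose (constructed name)
// is turned off; other choices the visitor made are left intact. With
// honourEverywhere=false the signal is applied only in the listed regions;
// applying it everywhere removes the dependency on geolocation accuracy.
function applyGpc(consent, gpcPresent, region, honourEverywhere = false) {
  const applies = gpcPresent && (honourEverywhere || REGIONS_REQUIRING_GPC.has(region));
  const next = { ...consent };
  if (applies) next.sale_share = false;
  return { consent: next, gpcHonoured: applies, source: gpcPresent ? "gpc" : "none" };
}

// Body for /.well-known/gpc.json per the GPC specification: "gpc" states whether
// the site honours the signal, "lastUpdate" is an ISO date string.
function gpcWellKnown(lastUpdate) {
  return JSON.stringify({ gpc: true, lastUpdate });
}

// Express-style handler shape: read the header, apply it to the stored consent.
// The caller persists result.consent and reflects it in the banner UI.
function handleRequest(req, region, currentConsent) {
  return applyGpc(currentConsent, gpcFromHeaders(req.headers), region);
}
```

To verify the behaviour the text asks for, install a browser extension that sets the signal, load the site, and confirm that the server sees `Sec-GPC: 1`, that `gpcHonoured` is true for the relevant region, and that the banner shows sale/sharing as off without any click.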

A Quick Compliance Audit Checklist

Open your website in an incognito window and use Chrome DevTools to inspect what happens before, during, and after consent.

Check               | What to look for                                                        | Pass/Fail
Pre-consent cookies | No non-essential cookies set before banner interaction                  |
Reject option       | One-click "Reject All" on the first layer, same styling as Accept       |
Default toggles     | All non-essential categories off by default                             |
Withdrawal          | Easy way to reopen banner and change choices                            |
Cookie policy       | Every cookie listed with name, purpose, provider, duration              |
Geo-detection       | Different consent models for EU, UK, US, Brazil, Canada                 |
GPC signal          | Site respects Global Privacy Control where required                     |
Scan recency        | Last automated scan within the past 30 days                             |
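The checks that can be automated from this list (pre-consent cookies, cookie policy coverage from point 6, and scan recency) are worked through below as an added example. It is not Kukie.io's scanner; the cookie-policy inventory and the pre-consent snapshot, which stands in for what the DevTools Application tab shows before any banner click, are constructed for illustration.

```javascript
// Added example (not Kukie.io's scanner): run the automatable checklist items
// over a constructed pre-consent cookie snapshot and a constructed cookie-policy
// inventory. Cookie names, domains and dates are constructed.

// Constructed cookie policy: what the site discloses. "pattern" supports a
// trailing "*" for cookies with a variable suffix.
const POLICY = [
  { pattern: "sid",   category: "necessary", provider: "example.com (first party)", duration: "session" },
  { pattern: "_ga",   category: "analytics", provider: "Google Analytics",          duration: "2 years" },
  { pattern: "_ga_*", category: "analytics", provider: "Google Analytics",          duration: "2 years" },
  { pattern: "_fbp",  category: "marketing", provider: "Meta",                      duration: "3 months" },
];

// Constructed snapshot of the cookie store before the visitor touched the banner.
const PRE_CONSENT_SNAPSHOT = [
  { name: "sid",         domain: "www.example.com" },
  { name: "_ga",         domain: ".example.com" },
  { name: "_ga_XYZ1234", domain: ".example.com" },
  { name: "test_cookie", domain: ".doubleclick.net" },
];

function matchesPattern(pattern, name) {
  if (pattern.endsWith("*")) return name.startsWith(pattern.slice(0, -1));
  return pattern === name;
}

// Look a cookie up in the policy; null means it is undisclosed.
function classify(name, policy = POLICY) {
  return policy.find((p) => matchesPattern(p.pattern, name)) || null;
}

// Checklist row "Pre-consent cookies" plus the point-6 check: anything present
// before consent that is not strictly necessary, or not in the policy at all.
function auditPreConsent(snapshot, policy = POLICY) {
  const findings = [];
  for (const c of snapshot) {
    const entry = classify(c.name, policy);
    if (!entry) {
      findings.push({ cookie: c.name, domain: c.domain, issue: "undisclosed" });
    } else if (entry.category !== "necessary") {
      findings.push({ cookie: c.name, domain: c.domain, issue: "set-before-consent", category: entry.category });
    }
  }
  return findings;
}

// Checklist row "Cookie policy": every entry names pattern, purpose category,
// provider and duration.
function policyComplete(policy = POLICY) {
  const fields = ["pattern", "category", "provider", "duration"];
  return policy.every((p) => fields.every((f) => typeof p[f] === "string" && p[f].trim() !== ""));
}

// Checklist row "Scan recency": last automated scan within maxDays of now.
function scanIsRecent(lastScanIso, nowIso, maxDays = 30) {
  const ms = Date.parse(nowIso) - Date.parse(lastScanIso);
  return ms >= 0 && ms <= maxDays * 86400000;
}

// Pass/Fail for the automatable rows, with the raw findings for the report.
function runChecklist(snapshot, policy, lastScanIso, nowIso) {
  const findings = auditPreConsent(snapshot, policy);
  return {
    preConsentCookies: !findings.some((f) => f.issue === "set-before-consent"),
    cookiePolicy: !findings.some((f) => f.issue === "undisclosed") && policyComplete(policy),
    scanRecency: scanIsRecent(lastScanIso, nowIso),
    findings,
  };
}
```

Against the constructed snapshot the run fails two rows: `_ga` and `_ga_XYZ1234` are analytics cookies present before any click (point 1), and `test_cookie` from a third-party domain is not in the policy at all (point 6). The remaining rows of the checklist (reject button styling, default toggles, withdrawal, geo-detection, GPC) need a human or a browser-driven test and are not covered here.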

Frequently Asked Questions

What is the most common cookie compliance mistake websites make?

Loading non-essential cookies before the user has given consent. Analytics tags, advertising pixels, and social media widgets often fire on page load, before the visitor interacts with the consent banner. This violates Article 5(3) of the ePrivacy Directive and has been the basis for some of the largest cookie-related fines in Europe.

Can I use a cookie wall that blocks content until the user accepts cookies?

Most European regulators consider cookie walls non-compliant because they do not allow consent to be freely given. If the only way to access content is to accept all cookies, the user has no genuine choice. Some regulators permit "consent or pay" models under strict conditions, but a blanket cookie wall that forces acceptance is unlikely to pass scrutiny.

How often should I scan my website for new cookies?

At least once a month, and immediately after any significant site change such as adding a new plugin, updating a tracking tool, or integrating a new payment provider. Automated scheduled scans catch new cookies before they become a compliance problem.

Do I need separate cookie banners for different countries?

Not separate banners, but different consent configurations. EU and UK visitors need opt-in consent before non-essential cookies load. US visitors in states like California need a "Do Not Sell or Share" link and GPC signal recognition. A consent management platform with geo-detection can serve the correct configuration based on visitor location.

Are analytics cookies considered essential under the GDPR?

No. Under the GDPR and ePrivacy Directive, analytics cookies are classified as non-essential and require prior consent. Some national regulators, including France's CNIL, offer a limited exemption for certain audience measurement tools that meet strict anonymisation criteria, but standard Google Analytics or similar tracking requires consent.

What happens if a regulator audits my website and finds cookie violations?

The response depends on the jurisdiction and severity. The ICO typically issues a warning letter first, giving time to fix the issue. The CNIL can impose fines immediately - up to 4% of global annual turnover under the GDPR. Repeated violations or wilful non-compliance attract larger penalties. Regulators also publish decisions publicly, which creates reputational risk.

Stay Ahead of Cookie Compliance Audits

If any of the mistakes above look familiar, start with a free cookie scan. Kukie.io detects every cookie, categorises it, and flags anything loading before consent - so you can fix problems before a regulator finds them.

Start Free - Scan Your Website