A cookie compliance complaint lands in your inbox. Maybe it came from a website visitor who noticed tracking cookies firing before consent. Maybe a privacy advocacy group flagged your banner. Or maybe a data protection authority (DPA) sent a formal letter asking pointed questions about your cookie practices. Whatever the source, the clock is ticking.

How you respond in the first few days matters more than most website owners realise. Regulators across Europe have made cookie enforcement a frontline priority - the French CNIL fined SHEIN EUR 150 million in September 2025 for placing advertising cookies before users could interact with the consent banner, and the UK ICO reviewed all top 1,000 UK websites in 2025, issuing warnings to 134 of the first 200 it assessed. Complaints are no longer filed and forgotten. They get investigated.

Where Cookie Compliance Complaints Come From

Complaints generally arrive through three channels, and each carries a different level of urgency.

The most common source is an individual - a site visitor who submitted a complaint directly to you or to their national DPA under GDPR Article 77. Under this provision, any person who believes their personal data has been processed in breach of the regulation can lodge a complaint with a supervisory authority in their home country, their workplace country, or the country where the alleged infringement occurred. The DPA must then investigate the complaint and inform the complainant of progress and outcome.

Advocacy organisations like noyb (None of Your Business) have automated complaint generation at scale - their systems scan websites for non-compliant banners and file complaints directly with supervisory authorities.

The third source is a regulator-initiated review. The ICO's 2025 online tracking strategy proactively tested the UK's top 1,000 websites and sent compliance letters to those that failed. Denmark's Datatilsynet made cookie consent a 2026 enforcement priority, coordinating with the Danish Agency for Digital Government.

Immediate Steps After Receiving a Complaint

Do not ignore it, and do not panic. Both reactions lead to worse outcomes. Instead, follow a structured process.

Log the complaint formally. Record the date received, the source (individual, organisation, or DPA), the specific allegations, and any deadlines mentioned. If a DPA sent the letter, there will typically be a response window - the ICO gave organisations roughly 30 days to demonstrate fixes during its 2025 review.

Preserve evidence of your current setup. Before changing anything, capture screenshots of your cookie banner, export consent logs, and run a cookie scan. This baseline proves what the complainant experienced and what you changed afterwards.

Identify the specific issue. Complaints tend to cluster around a handful of problems. Determine which category yours falls into so you can prioritise the fix.

| Complaint Type | What It Means | Typical Cause |
|---|---|---|
| Cookies set before consent | Non-essential cookies fire on page load | Missing script blocking or tag manager misconfiguration |
| No reject option | Banner only shows "Accept" or hides rejection behind extra clicks | Dark pattern design or outdated banner template |
| Reject does not work | Clicking "Reject All" still leaves tracking cookies active | Consent signal not passed to tags, or third-party scripts ignoring consent |
| Insufficient information | Banner or policy lacks details on cookie purposes, durations, or third parties | Incomplete cookie policy or missing second-layer information |
| No withdrawal mechanism | Users cannot change their consent after initial choice | Missing preference centre or revisit-consent button |

Conducting a Technical Assessment

Once you know the complaint category, run a technical audit. Open your site in a fresh browser session with cookies cleared.

Use browser developer tools (the Application tab in Chrome DevTools) to see which cookies are present before interacting with the banner. Strictly necessary cookies, such as session identifiers, load-balancing tokens, or security cookies, are expected at this point. If you see anything beyond them, you have a problem. Analytics cookies like _ga or _gid, marketing cookies like _fbp or _gcl_au, and any advertising-related trackers must not appear until the user gives explicit consent.

Click "Reject All" (if the option exists) and check again. Are cookies still present? Are new ones being set? The CNIL's SHEIN investigation found that cookies continued to be placed even after users clicked the reject button - a violation that contributed to the EUR 150 million fine.

Test the withdrawal flow. Can a user who accepted cookies later revoke consent through a preference centre? GDPR Article 7(3) requires that withdrawing consent be as easy as giving it.
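The before-consent and after-reject checks above can be scripted once the cookies from each stage are captured. This is an added example, not code from the original article: the allowlist of strictly necessary names is site-specific and assumed here, and the tracker patterns cover only the cookie names mentioned in this article.

```javascript
// Tracker patterns cover only the names this article mentions; extend them for your own site.
const TRACKER_PATTERNS = [
  { re: /^_ga(_.+)?$/, category: 'analytics' },
  { re: /^_gid$/, category: 'analytics' },
  { re: /^_fbp$/, category: 'marketing' },
  { re: /^_gcl_au$/, category: 'marketing' },
];

// Parse a document.cookie-style string ("a=1; b=2") into a list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim().split('=')[0])
    .filter((name) => name.length > 0);
}

// 'necessary' if allowlisted, a tracker category if a pattern matches, otherwise 'unknown'.
function classify(name, necessary) {
  if (necessary.has(name)) return 'necessary';
  const hit = TRACKER_PATTERNS.find((p) => p.re.test(name));
  return hit ? hit.category : 'unknown';
}

// snapshots: { beforeConsent, afterReject } as cookie strings captured at each stage.
// Returns one finding per cookie that is not on the strictly necessary allowlist.
function auditConsentFlow(snapshots, necessaryNames) {
  const necessary = new Set(necessaryNames);
  const before = new Set(cookieNames(snapshots.beforeConsent));
  const findings = [];
  for (const name of before) {
    const category = classify(name, necessary);
    if (category !== 'necessary') findings.push({ stage: 'beforeConsent', name, category });
  }
  for (const name of cookieNames(snapshots.afterReject)) {
    const category = classify(name, necessary);
    if (category === 'necessary') continue;
    // Separate cookies that survived the rejection from ones set after it.
    const issue = before.has(name) ? 'persisted' : 'newly set';
    findings.push({ stage: 'afterReject', name, category, issue });
  }
  return findings;
}

// Constructed sample data, not taken from a real site.
const SAMPLE = {
  beforeConsent: 'PHPSESSID=abc123; _ga=GA1.1.111.222; lb_route=node2',
  afterReject: 'PHPSESSID=abc123; _ga=GA1.1.111.222; _fbp=fb.1.1700000000.999; cookie_consent=rejected',
};
const SAMPLE_NECESSARY = ['PHPSESSID', 'lb_route', 'cookie_consent'];
```

Note that document.cookie does not expose HttpOnly cookies, so build the input strings from the DevTools Application tab or a scanner export rather than from the console alone.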

Check Your Consent Signal Chain

A common technical failure is the gap between the banner and the tags. Your consent management platform might correctly record that a user rejected non-essential cookies, but if that signal never reaches Google Tag Manager or your ad scripts, those tools fire regardless. Verify that Google Consent Mode v2 is properly configured and that consent states propagate to all third-party scripts.
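One way to check the first link in that chain is to inspect a captured copy of window.dataLayer for a Consent Mode v2 default that is set before the tag manager starts. This is an added example, not code from the original article or from Google: it assumes a single, non-regional default and a site that wants every signal denied until the visitor chooses, and the function and sample names are hypothetical.

```javascript
// The four consent signals used by Google Consent Mode v2.
const V2_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// gtag() pushes array-like Arguments objects; normalise them to plain arrays.
function asCommand(entry) {
  if (entry && typeof entry === 'object' && typeof entry.length === 'number') {
    return Array.from(entry);
  }
  return null;
}

// Returns a list of problems; an empty list means the default looks correct.
function checkConsentDefault(dataLayer) {
  const problems = [];
  const defaultIdx = dataLayer.findIndex((e) => {
    const cmd = asCommand(e);
    return cmd !== null && cmd[0] === 'consent' && cmd[1] === 'default';
  });
  // The GTM container snippet pushes { event: 'gtm.js' } when it starts loading.
  const gtmIdx = dataLayer.findIndex((e) => e && e.event === 'gtm.js');
  if (defaultIdx === -1) {
    problems.push('no consent default command found');
    return problems;
  }
  if (gtmIdx !== -1 && gtmIdx < defaultIdx) {
    problems.push('consent default set after gtm.js started');
  }
  const state = asCommand(dataLayer[defaultIdx])[2] || {};
  for (const signal of V2_SIGNALS) {
    if (state[signal] !== 'denied') {
      problems.push(`${signal} is not denied by default (got ${state[signal]})`);
    }
  }
  return problems;
}

// Constructed sample dataLayer captures, not taken from a real site.
const SAMPLE_GOOD = [
  ['consent', 'default', { ad_storage: 'denied', ad_user_data: 'denied',
    ad_personalization: 'denied', analytics_storage: 'denied' }],
  { 'gtm.start': 1700000000000, event: 'gtm.js' },
];
const SAMPLE_BAD = [
  { 'gtm.start': 1700000000000, event: 'gtm.js' },
  ['consent', 'default', { ad_storage: 'denied', analytics_storage: 'granted' }],
];
```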

Check for third-party scripts that load independently of your tag manager. A chat widget, embedded video player, or social media plugin might drop cookies outside your consent flow entirely.

How to Respond to the Complaint

Your response should be factual, specific, and documented. Avoid defensive language or blanket assurances.

If the complaint came from an individual, acknowledge it promptly. Explain what you found, what steps you are taking, and provide a realistic timeline. Under the UK's Data (Use and Access) Act 2025, organisations must establish formal complaints-handling processes by June 2026, acknowledging complaints within 30 days.

If a DPA sent the letter, respond within the stated deadline with evidence: before-and-after screenshots, consent logs, scan results, and a description of changes made. The ICO's 2025 review issued 17 preliminary enforcement notices, but nearly all organisations avoided formal enforcement by demonstrating genuine fixes.

Fixing the Most Common Issues

Cookies Firing Before Consent

This is the single most frequent violation. The fix involves blocking scripts from loading until the user makes a choice. Your CMP should prevent non-essential tags from executing on page load. If you use Google Tag Manager, configure it to check consent state before firing any triggers. Test thoroughly - a misconfigured GTM container is one of the most common causes of pre-consent cookie drops.

Missing or Broken Reject Option

Every DPA in Europe expects the reject option to be as prominent as the accept button. The one-click reject principle means users should be able to refuse all non-essential cookies with a single action, not by navigating through a preference centre. Audit your banner design to ensure both buttons have the same size, colour contrast, and position.

Incomplete Cookie Information

Your banner's first layer should identify who you are and the broad categories of cookies used. A second layer should list specific cookies by name, provider, purpose, and expiration. Keep your cookie policy current - a new analytics tool added last month without a policy update is exactly the gap regulators look for.

Documenting Your Remediation

Every change you make should be documented with dates, descriptions, and evidence. This serves two purposes: it demonstrates good faith to regulators, and it creates an audit trail for future reference.

Maintain a remediation log covering the complaint details, issues found, changes made (with dates), and before-and-after scan results. Store consent logs showing when users consented, what they consented to, and how they were informed - GDPR Article 7(1) requires the controller to demonstrate that consent was obtained.

Run scheduled scans after remediation to confirm the fix holds. Third-party scripts update frequently, and a tag that respected consent last month might not do so after a vendor pushes a new version.

What Happens If You Do Not Respond

Ignoring a complaint is the worst possible strategy. Under GDPR, DPAs have the power to investigate, audit, and impose administrative fines of up to EUR 20 million or 4% of global annual turnover - whichever is higher. For cookie-specific violations under the ePrivacy Directive, fines are set by national law, and several countries have aligned these with GDPR-level penalties.

In the UK, the DUAA raised the maximum PECR fine to GBP 17.5 million or 4% of global turnover - the same level as UK GDPR sanctions.

Preventing Future Complaints

A resolved complaint is good. Never receiving one in the first place is better. Build a recurring compliance routine.

Schedule monthly cookie audits that scan your site for new or changed cookies, verify that consent signals reach all tags, and confirm your policy reflects current practices. Test your banner in multiple browsers and devices - a banner that works in Chrome might break in Safari due to Intelligent Tracking Prevention.

Train anyone who touches the website - developers, content managers, designers - on the basics of cookie consent. A marketing pixel added without checking the consent flow is how most repeat complaints start.

Frequently Asked Questions

How long do I have to respond to a cookie compliance complaint from a DPA?

Response deadlines vary by authority. The UK ICO typically allows around 30 days. Some EU DPAs set stricter timelines under national law, ranging from a few weeks to three months. Always check the specific deadline stated in the letter and respond before it expires.

Can a single website visitor trigger a formal DPA investigation?

Yes. Under GDPR Article 77, any data subject can lodge a complaint with a supervisory authority. The DPA is legally required to investigate the complaint and inform the complainant of its progress and outcome. A single complaint can lead to a full audit of your cookie practices.

Do I need a lawyer to respond to a cookie compliance complaint?

Not always. Straightforward issues like a missing reject button or pre-consent cookie firing can often be fixed and documented internally. For complex cases - particularly those involving formal DPA enforcement notices or cross-border complaints - engaging a privacy lawyer or data protection consultant is advisable.

What evidence should I keep after fixing a cookie compliance issue?

Keep before-and-after screenshots of your cookie banner, scan results showing which cookies were active pre- and post-fix, consent log exports, a written description of the changes made with dates, and confirmation testing results. Store these records for at least three years.

Can privacy organisations like noyb file complaints on behalf of individuals?

Yes. Under GDPR Article 80, data subjects can mandate certain organisations to lodge complaints on their behalf. noyb has filed thousands of automated complaints across Europe targeting non-compliant cookie banners and has a track record of escalating unresolved cases to DPAs.

Get Ahead of Your Next Cookie Audit

If a complaint has already arrived, act fast - assess, fix, document, and respond. If one has not, now is the time to check your setup. Kukie.io scans your site for cookies, flags consent gaps, and keeps your banner configuration aligned with current enforcement standards.
