Most cookie banners fail the test. A January 2025 audit by the UK Information Commissioner's Office found that 134 out of 200 top UK websites were running non-compliant consent mechanisms. The French CNIL imposed over EUR 486 million in cumulative privacy fines in 2025 alone, with cookie violations ranking among the most frequently penalised breaches. These are not abstract legal risks. Regulators are scanning websites, issuing formal notices, and following through with penalties when consent does not meet the standard set by GDPR Article 7.

The four paragraphs of Article 7 look deceptively simple. But their practical application - shaped by court rulings, DPA guidance, and eight years of enforcement - has created a detailed framework that trips up even experienced website operators. Understanding what each paragraph demands, and where the common pitfalls lie, is the difference between a compliant cookie banner and a six-figure fine.

What GDPR Article 7 Actually Says

Article 7 of Regulation (EU) 2016/679 is titled "Conditions for consent" and contains four paragraphs. Each adds a distinct obligation for data controllers who rely on consent as their legal basis for processing - which, in the context of cookies, means almost every website that uses analytics, advertising, or social media trackers.

Article 7(1) states that where processing is based on consent, the controller must be able to demonstrate that the data subject consented. This is the burden-of-proof rule. It falls on you, the website operator, to show that consent was obtained - not on the regulator to prove it was not.

Article 7(2) addresses bundled consent. If consent is requested alongside other matters in a written declaration, the consent request must be clearly distinguishable, presented in intelligible and accessible form, using plain language. Any part of that declaration that infringes the GDPR is not binding.

Article 7(3) establishes the right to withdraw consent at any time. Withdrawal must not affect the lawfulness of processing carried out before withdrawal. Critically, the data subject must be informed of this right before giving consent. And withdrawal must be as easy as giving consent - a requirement that has driven much of the recent enforcement around dark patterns in cookie banners.

Article 7(4) addresses the "freely given" element. When assessing whether consent was freely given, utmost account must be taken of whether the performance of a contract or service is conditional on consent to processing that is not necessary for that contract or service. This is the anti-bundling, anti-coercion clause.

The Four Pillars: Freely Given, Specific, Informed, Unambiguous

Article 7 does not exist in isolation. It works in tandem with the definition of consent in Article 4(11) GDPR, which requires consent to be freely given, specific, informed, and an unambiguous indication of wishes by statement or clear affirmative action. Recital 32 adds that silence, pre-ticked boxes, or inactivity do not constitute consent. Each pillar has been tested and refined through enforcement.

Freely Given

Consent is not freely given if the user has no genuine choice or faces negative consequences for refusing. Cookie walls - where a website blocks access entirely unless the visitor accepts all cookies - are the most obvious violation. The European Data Protection Board has consistently held that conditioning access to a service on cookie acceptance undermines free choice.

The EDPB's Opinion 08/2024, adopted in April 2024, sharpened this position further in the context of "consent or pay" models used by large online platforms. The Board concluded that in most cases, presenting users with only a binary choice between consenting to behavioural advertising or paying a subscription fee will not satisfy the "freely given" requirement. The EDPB pointed to power imbalances, potential detriment from exclusion, and the risk that fees effectively compel consent.

For cookie consent specifically, this means your banner must offer a genuine reject option that does not degrade the core website experience. A visitor who declines marketing and analytics cookies should still be able to browse your site, read your content, and complete essential transactions.

Specific

Consent must relate to a defined purpose. Bundling all cookie categories into a single "Accept All" button without offering granular choices does not satisfy this requirement. Users should be able to consent to functional cookies while declining analytics, or accept analytics while rejecting advertising trackers.

The CJEU confirmed this principle in its landmark Planet49 ruling (Case C-673/17, October 2019). The Court found that a user clicking a "participate" button for a lottery could not be taken as consent to the storage of advertising cookies - because the consent was not specific to the cookie processing in question. Consent must be tied directly to each distinct processing purpose.

Informed

Before consenting, users must know what they are consenting to. Article 7(2) requires clear and plain language. In the cookie context, this means your banner and cookie policy must explain which cookies you set, what data they collect, for what purpose, for how long they persist, and whether third parties can access them. The CJEU explicitly confirmed in Planet49 that cookie duration and third-party access are mandatory pieces of information.

Vague labels do not meet this standard. The CNIL has repeatedly found that descriptions such as "improve your experience" or "help improve our services" fail to inform users about actual processing activities. Your categories need specifics: "These cookies let Google Analytics record page views, session duration and traffic sources against a client identifier stored in a first-party cookie" gives a user something to evaluate. "Performance cookies" alone does not. Be equally careful with the adjectives: analytics data keyed to a client identifier is pseudonymous, not anonymised, and describing it as anonymised is itself misleading information.

Unambiguous - The Clear Affirmative Action Requirement

This is where pre-ticked boxes, implied consent, and "continued browsing" mechanisms all fail. Recital 32 GDPR lists ticking a box when visiting a website as an example of how valid consent can be obtained. It explicitly states that silence, pre-ticked boxes, or inactivity cannot constitute consent.

The Planet49 judgment turned this recital into binding precedent. The CJEU ruled that a pre-ticked checkbox for cookies was invalid because it was impossible to ascertain objectively whether the user had actually consented by leaving the box ticked: the user may never have read the accompanying information or noticed the box at all. Only active behaviour on the part of the data subject can satisfy the requirement for unambiguous consent.

Scrolling, hovering, or continuing to browse a page are equally insufficient. The EDPB's 2020 Guidelines on Consent made this explicit. If your cookie banner states "By continuing to browse, you accept cookies," that mechanism is non-compliant.

Consent method | Valid under GDPR? | Why
Pre-ticked checkbox | No | No active user behaviour; ruled invalid in Planet49 (CJEU, 2019)
"By continuing to browse, you accept cookies" | No | Inactivity or continued browsing is not a clear affirmative act (EDPB Guidelines 05/2020)
Accept-only banner (no reject option) | No | Consent is not freely given without a genuine option to refuse
Unticked checkbox, user must tick to accept | Yes | Active, affirmative action tied to a specific purpose
Granular toggles (off by default) for each cookie category | Yes | Specific, informed, affirmative choice per purpose
"Accept All" and "Reject All" with equal prominence | Yes (both on the first layer) | Free choice, unambiguous action, provided granular options are also available

The Burden of Proof: Article 7(1) in Practice

Article 7(1) flips the usual assumption. You cannot simply claim that users consented; you must prove it. In a regulatory investigation or data subject complaint, the DPA will ask you to demonstrate when consent was given, what information was displayed at the time, and what specific choices the user made.

This requires consent logs. Your consent management platform (CMP) should record, at minimum, a timestamp of each consent action, the version of the banner and cookie policy shown to the user, which categories the user accepted or rejected, and a pseudonymised identifier (or, failing that, the IP address) for record-matching. The log is itself personal data, so a keyed pseudonym of the IP address is preferable to storing the raw address, and access to the log should be restricted. These logs need to be retained for as long as you rely on the consent - and ideally for a reasonable period after, to respond to any subsequent complaint or investigation.

Without immutable consent records, a regulatory investigation becomes very difficult to defend. The CNIL has specifically cited the absence of adequate consent documentation as an aggravating factor in several enforcement decisions.

Withdrawal: As Easy to Leave as to Enter

Article 7(3) states that it must be as easy to withdraw consent as to give it. This single sentence has reshaped how cookie banners are built. If accepting cookies requires one click on a clearly visible button, then withdrawing consent cannot require navigating to a buried settings page, scrolling through a multi-layered privacy centre, or finding an obscure link in the footer.

A persistent, accessible mechanism for changing cookie preferences - such as a small icon or link visible on every page - is the most practical approach. When a user withdraws consent, previously set cookies for that category must be deleted or expired. The CNIL specified in its 2024 decision SAN-2024-019 that effective withdrawal may require modifying cookie lifetimes to force expiry (by returning a Set-Cookie header with a past expiry date) or using browser cookie APIs to delete them via a locally executed script. Two practical limits apply. A Set-Cookie header only overwrites a cookie whose name, Domain and Path match the original, so your cookie inventory needs to record those attributes, and HttpOnly cookies can only be expired server-side because document.cookie cannot see them. Cookies set under a third-party domain (an ad network's, for instance) cannot be deleted by your page at all; the only remedy there is to stop loading the script that sets them, which is why withdrawal handling and script blocking have to be wired together.
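As an added example (not code from the page, the CNIL decision, or any CMP), here is the expiry logic for both paths, server-side Set-Cookie headers and a browser-side document.cookie write, driven by a constructed cookie inventory of the kind a scan would produce. The site domain, cookie names and categories are assumptions; the third-party and HttpOnly entries are there to show which cookies each path cannot reach.

```javascript
// Added example: expiring cookies for withdrawn categories (Node.js and browser).
const EPOCH = 'Thu, 01 Jan 1970 00:00:00 GMT';
const SITE_DOMAIN = 'example.com'; // assumption: the site's registrable domain

// Constructed sample inventory (assumption), as a cookie scan would produce it.
// Domain and Path are recorded because the browser only overwrites a cookie
// whose name, Domain and Path all match the original.
const COOKIE_INVENTORY = [
  { name: '_ga',      category: 'analytics',   domain: '.example.com',     path: '/' },
  { name: '_ga_ABCD', category: 'analytics',   domain: '.example.com',     path: '/' },
  { name: 'ads_pref', category: 'advertising', domain: 'example.com',      path: '/' },
  { name: 'IDE',      category: 'advertising', domain: '.doubleclick.net', path: '/' },
  { name: 'ab_test',  category: 'functional',  domain: 'example.com',      path: '/', httpOnly: true },
  { name: 'session',  category: 'necessary',   domain: 'example.com',      path: '/', httpOnly: true },
];

function isFirstParty(domain) {
  const d = domain.replace(/^\./, '');
  return d === SITE_DOMAIN || d.endsWith('.' + SITE_DOMAIN);
}

function inWithdrawn(cookie, withdrawnCategories) {
  return withdrawnCategories.includes(cookie.category);
}

// Server side: one Set-Cookie header per first-party cookie in a withdrawn
// category. Expires in the past plus Max-Age=0 covers old and new user agents;
// HttpOnly is repeated so the header matches how the cookie was set.
function expireCookieHeaders(inventory, withdrawnCategories) {
  const headers = [];
  for (const c of inventory) {
    if (!inWithdrawn(c, withdrawnCategories) || !isFirstParty(c.domain)) continue;
    const attrs = [`${c.name}=`, `Expires=${EPOCH}`, 'Max-Age=0', `Path=${c.path}`, `Domain=${c.domain}`];
    if (c.httpOnly) attrs.push('HttpOnly');
    headers.push(attrs.join('; '));
  }
  return headers;
}

// Browser side, for cookies that script can see. HttpOnly cookies are
// invisible to document.cookie and third-party cookies are out of reach,
// so both are skipped here.
function expireCookiesInBrowser(inventory, withdrawnCategories, doc = globalThis.document) {
  if (!doc) return 0;
  let removed = 0;
  for (const c of inventory) {
    if (!inWithdrawn(c, withdrawnCategories) || c.httpOnly || !isFirstParty(c.domain)) continue;
    doc.cookie = `${c.name}=; Expires=${EPOCH}; Max-Age=0; Path=${c.path}; Domain=${c.domain}`;
    removed += 1;
  }
  return removed;
}

// Cookies in a withdrawn category that neither path can touch. The only remedy
// is not loading the third-party script that sets them; say so in the cookie
// policy rather than claiming they are deleted.
function unremovableCookies(inventory, withdrawnCategories) {
  return inventory
    .filter((c) => inWithdrawn(c, withdrawnCategories) && !isFirstParty(c.domain))
    .map((c) => `${c.name}@${c.domain}`);
}

// Express-style usage (illustrative):
//   res.setHeader('Set-Cookie', expireCookieHeaders(COOKIE_INVENTORY, withdrawn));
```

Run the server-side path from the endpoint that records the withdrawal, and the browser-side path from the preference widget itself so the user does not need a page reload; the two overlap on ordinary first-party cookies, which is harmless.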

Consent renewal is another consideration that varies by jurisdiction. The CNIL recommends refreshing consent every six months. Germany's guidance suggests six to twelve months. Spain's AEPD allows up to 24 months. Where your visitors are located should inform your renewal schedule - and when in doubt, err on the shorter side.

Dark Patterns: The Fastest Route to a Fine

Dark patterns in cookie banners have become the single highest-risk compliance violation. Regulators across Europe are explicitly targeting designs that manipulate users into accepting cookies. Sweden's IMY issued enforcement actions in April 2025 against companies for pre-selecting non-essential categories and hiding privacy controls behind additional navigation layers.

The CNIL's September 2025 fines against Google (EUR 325 million) and Shein (EUR 150 million) centred on cookie consent violations including the deployment of advertising cookies before consent was obtained and banner designs that made rejection materially harder than acceptance. Google's cookie-related fines from the CNIL alone have escalated from EUR 100 million in 2020, to EUR 150 million in 2021, to EUR 325 million in 2025.

Common dark patterns that regulators penalise include asymmetric button design (a bold, colourful "Accept All" next to a faint, greyed-out "Reject" link), requiring multiple clicks to reject while accepting takes one click, default toggles set to "on" for non-essential categories, and consent walls that block content entirely without a lawful justification.

The fix is straightforward: button parity. If you offer "Accept All," you must also offer "Reject All" with equal visual prominence - same size, same colour weight, same position. Granular options should be accessible from the first layer without additional clicks. Neutral language and design prevent any accusation of steering.

The ePrivacy Directive: The Other Law That Applies to Cookies

Article 7 GDPR governs the conditions for valid consent, but the requirement to obtain consent for cookies comes from a different instrument: Article 5(3) of the ePrivacy Directive (2002/58/EC). This provision requires prior consent before storing or accessing information on a user's device - regardless of whether that information constitutes personal data. The CJEU confirmed this in Planet49: the cookie consent rule applies to any information placed on or read from a device, personal or otherwise.

The ePrivacy Directive was supposed to be replaced by a directly applicable ePrivacy Regulation, first proposed by the European Commission in 2017. That proposal stalled in legislative negotiations for eight years. In February 2025, the Commission formally withdrew it from its work programme, citing "no foreseeable agreement" and stating the proposal had become outdated. The Commission approved the formal withdrawal in July 2025, and it was published in the Official Journal in October 2025.

The practical consequence is that the 2002 Directive - and its varying national transpositions across EU member states - remains the legal basis for cookie consent rules. Regulators have responded by enforcing the existing framework more aggressively. The CNIL's EUR 486 million in total fines for 2025, nearly nine times the EUR 55 million levied in 2024, illustrates the shift from warnings to financial deterrence.

What Regulators Are Actually Checking

The ICO's 2025 online tracking strategy identified four categories of non-compliance it looks for when auditing websites: deceptive or missing choice (failure to provide options, or preset selections), uninformed choice (failure to give fair or clear information), undermined choice (failure to honour the user's decision), and irrevocable choice (failure to provide a way to withdraw consent).

These four categories map directly onto the Article 7 requirements. Deceptive choice violates "freely given" and "unambiguous." Uninformed choice violates "informed." Undermined choice - where cookies load despite a user declining - violates the consent obligation entirely. And irrevocable choice violates Article 7(3)'s withdrawal requirement.

DPAs are increasingly using automated scanning tools to detect violations at scale. The ICO plans to review the UK's top 1,000 websites. NOYB, the privacy rights organisation, has deployed an automated mass-scanning system that detects non-compliant banners and generates complaints directly to supervisory authorities. Being small does not mean being invisible.

Google Consent Mode v2 and Article 7

Since March 2024, Google has required websites serving European Economic Area traffic to implement Consent Mode v2 as part of its EU User Consent Policy. This technical framework transmits consent signals to Google services via four parameters: analytics_storage, ad_storage, ad_user_data, and ad_personalization.

Consent Mode does not replace your obligation to obtain valid consent under Article 7. It is a signal-passing mechanism, not a consent-collection mechanism. You still need a compliant banner that meets all four pillars - freely given, specific, informed, unambiguous - and your CMP must correctly map user choices to the corresponding Consent Mode parameters. If your banner is non-compliant, the signals you pass to Google are legally meaningless regardless of their technical accuracy.
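The mapping itself is short, and the order of operations is the part that goes wrong in practice. The block below is an added example (not Google's code or any CMP's) of the two steps: a default that denies all four signals before any Google tag loads, and an update that translates the banner's per-category decision into those signals. It assumes the usual gtag()/dataLayer bootstrap and the category names used on this page (analytics, advertising); a category that is missing or not literally true stays denied.

```javascript
// Added example: wiring banner choices to Google Consent Mode v2.
// Assumptions: standard gtag()/dataLayer setup; categories analytics/advertising.
const dataLayer = globalThis.dataLayer || (globalThis.dataLayer = []);
function gtag() { dataLayer.push(arguments); }

const CONSENT_MODE_KEYS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Step 1, before any Google tag is loaded: deny everything. Tags then run in
// consent-aware mode and write no cookies while the banner is still open.
// wait_for_update gives the CMP a short window to replay a stored choice.
function setConsentDefaults() {
  const denied = Object.fromEntries(CONSENT_MODE_KEYS.map((k) => [k, 'denied']));
  gtag('consent', 'default', { ...denied, wait_for_update: 500 });
  return denied;
}

// Step 2: translate the per-category decision into signals. Advertising
// drives all three ad_* flags; analytics drives analytics_storage. Anything
// other than an explicit true is denied, so "Reject All" ({}) and a partial
// custom choice both map safely.
function mapChoicesToConsentMode(choices) {
  const g = (v) => (v === true ? 'granted' : 'denied');
  return {
    ad_storage: g(choices.advertising),
    ad_user_data: g(choices.advertising),
    ad_personalization: g(choices.advertising),
    analytics_storage: g(choices.analytics),
  };
}

// Called on every banner action, including withdrawal: an update with all
// four denied is how a withdrawal reaches Google tags already on the page.
function applyConsentChoices(choices) {
  const update = mapChoicesToConsentMode(choices);
  gtag('consent', 'update', update);
  return update;
}

// Last consent command pushed, useful for checking the order of operations
// from the browser console.
function lastConsentCommand() {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const args = dataLayer[i];
    if (args[0] === 'consent') return { verb: args[1], params: args[2] };
  }
  return null;
}
```

Call setConsentDefaults() from an inline script placed above the gtag.js or GTM loader in the page head; if it runs after the tag loads, the tag has already behaved as if everything were granted.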

In "Advanced" mode, Google tags send minimal cookieless pings even when users deny consent. These pings contain no persistent identifiers, but the distinction matters: your cookie policy should disclose this behaviour if you use it, and you should assess whether your visitors' DPA considers such pings to fall within the scope of Article 5(3) ePrivacy Directive.

Practical Steps to Comply with Article 7

Compliance is not a one-time setup. Cookies change as you add scripts, update plugins, or integrate new third-party services. A banner that was compliant six months ago may not be compliant today. Here is a practical framework:

Scan your website regularly. Use a cookie scanner to identify every cookie and tracker your site sets, including those injected by third-party scripts. Categorise each one accurately - strictly necessary, functional, analytics, or advertising. Miscategorisation is a common enforcement trigger. Kukie.io's scanner detects both first-party and third-party cookies and categorises them automatically.

Block before consent. Non-essential cookies must not load until a user has actively opted in. This means implementing script blocking that prevents analytics and advertising tags from firing on page load. Simply displaying a banner while cookies are already running is the violation at the centre of the CNIL's largest cookie fines, including the 2025 Google and Shein decisions.
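One common blocking technique, shown here as an added example rather than code from the page or any CMP: ship each non-essential tag as a script element with a non-executable type and a category label, and only create a real script element for the categories the user granted. The markup, the cc_consent cookie name and the category names are assumptions.

```javascript
// Added example: gating third-party tags behind consent.
// Assumed markup, which the browser ignores because of the type attribute:
//   <script type="text/plain" data-consent-category="analytics"
//           src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
const CONSENT_COOKIE = 'cc_consent';  // assumption: first-party cookie holding the decision
const ALWAYS_ALLOWED = 'necessary';   // strictly necessary scripts need no consent

// A category is granted only when the stored decision says literally true.
function isGranted(consent, category) {
  return category === ALWAYS_ALLOWED || consent[category] === true;
}

// Parse the stored decision out of a Cookie string. null means no decision
// yet (show the banner); an unreadable value is treated as "nothing granted".
function readStoredConsent(cookieString) {
  for (const part of (cookieString || '').split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    try {
      const value = JSON.parse(decodeURIComponent(rest.join('=')));
      return value && typeof value === 'object' ? value : {};
    } catch {
      return {};
    }
  }
  return null;
}

// Pure decision: which blocked scripts may run under this consent state.
function selectScriptsToRun(descriptors, consent) {
  return descriptors.filter((d) => isGranted(consent, d.category));
}

// DOM step: replace each permitted placeholder with a real <script>. Changing
// the type attribute in place would not execute it; a fresh element does.
function activateConsentedScripts(consent, doc = globalThis.document) {
  if (!doc) return [];
  const placeholders = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const descriptors = placeholders.map((el) => ({
    el,
    category: el.getAttribute('data-consent-category'),
    src: el.getAttribute('src'),
  }));
  const activated = [];
  for (const d of selectScriptsToRun(descriptors, consent)) {
    const live = doc.createElement('script');
    if (d.src) live.src = d.src; else live.textContent = d.el.textContent;
    live.setAttribute('data-consent-category', d.category); // keep the label for later scans
    d.el.parentNode.replaceChild(live, d.el);
    activated.push(d.src || 'inline');
  }
  return activated;
}

// Page bootstrap: with no stored decision only "necessary" scripts run and the
// banner is shown; with one, it is replayed without re-prompting.
function bootstrap(doc = globalThis.document) {
  if (!doc) return { activated: [], showBanner: false };
  const stored = readStoredConsent(doc.cookie);
  if (stored === null) {
    return { activated: activateConsentedScripts({}, doc), showBanner: true };
  }
  return { activated: activateConsentedScripts(stored, doc), showBanner: false };
}
```

The banner's own handlers write the decision cookie and then call activateConsentedScripts() with the new state. Note that activation is one-way: a tag that is already running keeps running until the page is reloaded, so a withdrawal needs the cookie-expiry step as well.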

Design for equal choice. Your banner's first layer should present "Accept All" and "Reject All" with identical visual weight. A second layer should offer granular, per-category toggles, all set to "off" by default. Use neutral colours and typography. Avoid language that frames rejection negatively.

Provide clear information. Each cookie category should have a plain-language description of its purpose, the data it collects, retention period, and whether third parties access it. Link to a detailed cookie policy from the banner.