Every website sets cookies. Some keep a shopping cart alive between pages. Others track visitors across the web for advertising networks. The difference between those two scenarios is the difference between a cookie that can load freely and one that needs explicit permission from the visitor first. Getting this wrong can trigger fines running into the hundreds of millions of euros.

Two Laws, One Rule: GDPR and the ePrivacy Directive

Cookie consent sits at the intersection of two pieces of EU legislation. The General Data Protection Regulation (GDPR) governs how personal data is collected, stored, and processed. Article 6 requires a lawful basis for processing, and for most cookie-related tracking, that basis is consent as defined in Article 7. The ePrivacy Directive (Directive 2002/58/EC, as amended) is the more specific law. Article 5(3) states that storing information on - or reading information from - a user's device requires prior consent, unless a narrow exemption applies.

The ePrivacy Directive is sometimes called the "cookie law," but its scope extends beyond cookies to any storage or access technology on a user's device - including tracking pixels, local storage, and browser fingerprinting techniques. The EDPB confirmed this broad reading in its Guidelines 2/2023 on the technical scope of Article 5(3).

A proposed ePrivacy Regulation was meant to replace the Directive and modernise these rules. The European Commission formally withdrew that proposal in February 2025 after eight years of deadlock, citing "no foreseeable agreement." The 2002 Directive therefore remains in force, transposed into national law by each member state.

Which Cookies Need Consent and Which Do Not

Article 5(3) of the ePrivacy Directive provides two exemptions from the consent requirement. A cookie is exempt if its sole purpose is carrying out a communication over a network, or if it is strictly necessary to provide a service the user explicitly requested. Everything else needs consent before it touches the browser.

Cookie type              | Example                        | Consent needed?
Session / authentication | PHPSESSID, login tokens        | No - strictly necessary
Load balancing           | Server routing identifiers     | No - network transmission
Shopping cart            | Cart session cookies           | No - user-requested service
Language preference      | pll_language                   | Usually yes, unless set by direct user action
Analytics                | _ga, _gid                      | Yes
Marketing / advertising  | _fbp, IDE                      | Yes
Social media embeds      | fr (Facebook), YouTube cookies | Yes

The critical distinction is intent. A cookie that serves the visitor's explicit request (adding items to a basket, staying logged in) is exempt. A cookie that serves the site operator's interests (measuring traffic, targeting adverts) is not, even if the operator considers it important for running the business.

What Valid Consent Actually Looks Like

GDPR Article 4(11) defines consent as a freely given, specific, informed, and unambiguous indication of wishes, expressed through a clear affirmative action. Applied to cookies, this means several concrete things.

Pre-ticked boxes are not valid consent. The Court of Justice of the EU confirmed this in the Planet49 case (C-673/17, October 2019). Scrolling or continuing to browse does not count either. Consent must be an active, deliberate choice - clicking "Accept" or toggling individual cookie categories on.

Granularity is required. Bundling analytics and advertising cookies into a single "Accept all non-essential cookies" toggle is increasingly risky. Regulators expect users to see distinct cookie categories and control each one independently.

Rejecting cookies must be as easy as accepting them. The French data protection authority (CNIL) has made this a central enforcement focus. A banner with a large, colourful "Accept All" button and a faint grey "Manage preferences" link buried in small text does not meet the standard. Both options need equal visual prominence - same size, same contrast, same number of clicks.

Withdrawal must be straightforward. If a visitor changes their mind, revoking consent should take no more effort than giving it. A persistent link or icon in the site footer that reopens the consent preferences panel is the standard approach.

The Enforcement Landscape: Fines Are Growing Fast

European regulators have moved well beyond warning letters. The CNIL issued 83 sanctions in 2025, totalling approximately 487 million euros in fines - nearly nine times the 55 million euros imposed across 87 sanctions in 2024. Cookie violations were among the primary themes.

Two CNIL fines from September 2025 stand out. Google received a 325 million euro penalty for displaying adverts in Gmail inboxes without consent and for placing advertising cookies during account creation without valid user agreement. Shein was fined 150 million euros after investigators found advertising cookies being dropped the moment a user landed on the site, before any interaction with the cookie banner had taken place.

These are not isolated actions. Between December 2022 and December 2024, the CNIL alone issued combined cookie-related fines exceeding 139 million euros. The Swedish DPA targeted companies for manipulative cookie banner designs, and the ICO expanded its enforcement to cover the top 1,000 UK websites.

Smaller organisations are not immune. Fines for SMBs have ranged from 5,000 to 100,000 euros across various EU member states for straightforward cookie consent failures.

Common Mistakes That Trigger Regulatory Action

Most enforcement actions target a handful of recurring errors. Avoiding them removes the bulk of regulatory risk.

Firing cookies before consent. Non-essential scripts load the moment the page renders, before the visitor has seen the banner, let alone clicked anything. This is exactly what got Shein fined 150 million euros. Every analytics tag, pixel, and ad script must be blocked until consent is recorded.

Asymmetric banner design. A bright "Accept All" button paired with a grey text link for rejection is a dark pattern. A 2024 joint study from the Karlsruhe Institute of Technology and IT University of Copenhagen found that 72% of websites use at least one dark pattern in their cookie interface. Regulators are actively targeting this.

Vague cookie descriptions. Labels like "improve your experience" or "help the site serve you better" do not count as informing the user. Each cookie category needs a clear, specific purpose statement.

No consent records. If a data protection authority asks for proof of consent, saying "they clicked the button" is not enough. Timestamped logs recording what the user saw, what they chose, and when they chose it are expected. Retain these records for a defensible period - the GDPR does not specify a timeframe, but two to three years is a common benchmark.

Missing cookie policy. A cookie policy is not optional. It should list every cookie by name, state its purpose, identify who sets it (first party or third party), and declare its lifespan. Keeping this up to date requires regular scanning.

UK Changes: The Data Use and Access Act 2025

The UK's Data Use and Access Act (DUAA), which received Royal Assent on 19 June 2025, amended the Privacy and Electronic Communications Regulations (PECR) to introduce four new exceptions alongside the existing "strictly necessary" exemption. Key provisions took effect on 5 February 2026.

The most notable new exception allows first-party analytics cookies to operate without consent, provided the sole purpose is collecting aggregate statistics to improve the site, users are clearly informed, and a simple opt-out mechanism is available. This is narrower than it sounds - the data cannot be shared with third parties or repurposed for advertising.

The DUAA also raised PECR's maximum penalty from 500,000 pounds to the higher of 17.5 million pounds or 4% of global annual turnover, aligning it with UK GDPR levels. Cookie compliance in the UK now carries the same financial risk as any other data protection failure.

A Practical Compliance Checklist

Start with a cookie audit. Run an automated scan to identify every cookie and tracking technology on the site, then classify each as strictly necessary, functional, analytics, or marketing.

Implement a consent management platform (CMP) that blocks non-essential cookies by default and releases them only after active opt-in. The banner should offer equally prominent "Accept" and "Reject" buttons on the first layer, with granular category controls one click deeper.

Write a cookie policy listing every cookie by name, purpose, provider, and duration. Link to it from the banner. Set up scheduled scans so you catch new cookies whenever a plugin update or marketing tag introduces one.

If the site targets users in multiple regions, implement geo-detection to apply the correct consent model. EU visitors get strict opt-in. UK visitors get opt-in with the DUAA's narrow exceptions. Visitors from the United States see a flow reflecting CCPA/CPRA opt-out requirements.

Record every consent event with a timestamp, the banner version shown, and the choices made. Store these logs where they can be retrieved for a regulatory inquiry.
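The two mechanics the checklist depends on, holding back non-essential tags until opt-in (the failure that led to the Shein fine) and writing a consent record with timestamp, banner version and per-category choices, as an added example that is not code from the article or from Kukie.io. It assumes non-essential scripts are shipped inert as <script type="text/plain" data-consent-category="analytics"> and that the category names match the article's table; the tag list and dates are constructed samples.

```javascript
// Added example (not Kukie.io code): a minimal consent gate.
// Non-essential tags are declared inert (type="text/plain") with a
// data-consent-category attribute and switched on only after opt-in.
// Category names follow the article's table; "necessary" never needs consent.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Build the consent record the article recommends keeping: timestamp, banner
// version shown, and the choice per category. Any category the visitor did
// not explicitly switch on is recorded as refused, never as granted.
function recordConsent(choices, bannerVersion, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : choices[c] === true;
  }
  return { timestamp: now.toISOString(), bannerVersion, granted };
}

// Decide which tags may run. Before any record exists (record === null) only
// the "necessary" category is released; everything else waits for consent.
function allowedTags(tags, record) {
  return tags.filter(t => t.category === "necessary" ||
    (record !== null && record.granted[t.category] === true));
}

// Browser side: turn the permitted inert <script> elements into live ones by
// replacing each with a real script carrying the same src or inline body.
// Returns how many were activated; does nothing where no DOM exists.
function activateScripts(record, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const tags = inert.map(el => ({ category: el.dataset.consentCategory, el }));
  let activated = 0;
  for (const { el } of allowedTags(tags, record)) {
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}

// Constructed sample: the kind of tag inventory a cookie scan would report.
const SAMPLE_TAGS = [
  { name: "PHPSESSID", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "_fbp", category: "marketing" },
];
```

Calling allowedTags(SAMPLE_TAGS, null) on page load releases only PHPSESSID; _ga is released only once a record with analytics: true exists, and _fbp stays blocked until marketing is switched on separately.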

Frequently Asked Questions

Does the GDPR apply to my website if my business is outside the EU?

Yes. Article 3(2) of the GDPR gives it extraterritorial reach. If your site offers goods or services to people in the EU, or monitors their behaviour (through analytics or ad tracking), the GDPR applies regardless of where the business is registered.

Can I use a cookie wall that blocks content until visitors accept cookies?

This is risky. The EDPB's position is that cookie walls undermine freely given consent because the user faces a take-it-or-leave-it choice. Some national regulators, such as the French Conseil d'Etat, have allowed walls under narrow conditions, but the safest approach is not to use them.

Do I still need consent for Google Analytics under the UK DUAA?

It depends on configuration. The DUAA's analytics exception applies only when the sole purpose is aggregate statistics, the data is not shared or repurposed, users are told, and an opt-out is available. Standard Google Analytics 4 setups with advertising features enabled would not qualify.

How often should I scan my site for new cookies?

Monthly at minimum. Cookies appear when plugins update, marketing teams add tags, or third-party scripts change behaviour. Automated scheduled scans catch these changes before a regulator does.

What is the maximum fine for a GDPR cookie violation?

Under the GDPR, fines can reach 20 million euros or 4% of global annual turnover, whichever is higher. Cookie-specific fines under the ePrivacy Directive depend on national transposition, but the CNIL's 325 million euro fine against Google in 2025 shows regulators are willing to impose penalties near the top of the scale.

Are analytics cookies ever exempt from consent in the EU?

In limited cases. The CNIL in France and the AEPD in Spain offer exemptions for privacy-preserving audience measurement tools configured to operate first-party only, aggregate quickly, and avoid cross-site tracking. Standard implementations of Google Analytics do not meet these criteria.

Stay Ahead of Cookie Compliance

Cookie rules are not getting simpler. Enforcement budgets are growing, fines are reaching record levels, and regulators are scrutinising banner design, script behaviour, and consent logs with increasing technical sophistication. Running a scan, setting up a proper consent flow, and documenting everything is the minimum. Kukie.io detects, categorises, and manages cookies across jurisdictions - giving visitors a genuine choice and keeping the site on the right side of the law.
