Every non-essential cookie placed on a visitor's device without prior consent is a potential compliance violation under EU law. That is not a theoretical risk. France's CNIL fined SHEIN 150 million euros in September 2025 for setting advertising cookies before users gave permission. Google received a 325 million euro penalty on the same day for manipulative consent designs in Gmail. The message from European regulators is blunt: cookie consent must be real, not decorative.

Two separate pieces of legislation govern cookie consent in the EU. The ePrivacy Directive (Directive 2002/58/EC, as amended in 2009) establishes when consent is needed. The GDPR defines what that consent must look like. Confusing the two, or ignoring either, is how most websites end up on the wrong side of a regulator.

The Legal Framework: ePrivacy Directive and GDPR Working Together

Article 5(3) of the ePrivacy Directive is the rule that triggers the consent requirement. It states that storing or accessing information on a user's terminal equipment is only allowed with consent or where it is strictly necessary to deliver a service the user has explicitly requested. This applies to cookies, tracking pixels, local storage, fingerprinting scripts, and any other technology that reads from or writes to a user's device.

The GDPR then sets the bar for that consent. Under Article 4(11), consent must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action - a deliberate click, toggle, or tap. Scrolling does not count. Continuing to browse does not count. Pre-ticked boxes do not count. The Court of Justice of the EU confirmed this in the Planet49 ruling (Case C-673/17), which remains the definitive precedent on cookie consent across Europe.

The European Commission formally withdrew the proposed ePrivacy Regulation in February 2025, meaning the 2002 Directive (as amended) remains the governing law for the foreseeable future.

What Counts as Valid Cookie Consent

Valid consent under GDPR Article 7 has five non-negotiable conditions. Miss any one of them and the consent is void - which means every cookie placed on that basis was placed unlawfully.

| Condition | What It Means in Practice | Common Violation |
|---|---|---|
| Freely given | Users must have a genuine choice. No cookie walls blocking access. | Hiding the reject button behind a second screen |
| Specific | Consent must be granular by purpose. Users choose per category. | Bundling all non-essential cookies into a single toggle |
| Informed | Clear information about each cookie category, purpose, and duration. | Vague descriptions like "cookies improve your experience" |
| Unambiguous | Affirmative action required. No pre-ticked checkboxes. | Pre-selected toggles set to "on" for analytics or ads |
| Withdrawable | Revoking consent must be as easy as giving it. | No visible way to change preferences after the initial choice |

Strictly Necessary Cookies: The Only Exemption

The ePrivacy Directive provides exactly two exemptions from the consent requirement. A cookie may be set without consent if its sole purpose is carrying out a data transmission over a network, or if it is strictly necessary to provide a service the user has explicitly requested. Session cookies, shopping cart cookies, load-balancing cookies, and CSRF tokens fall within these exemptions.

Non-essential cookies - analytics (_ga, _gid), advertising (_fbp, IDE), social media embeds, and personalisation tools - always require consent. Regulators interpret the exemption very narrowly. Germany's TTDSG requires consent for all analytics cookies without exception. France's CNIL and Spain's AEPD allow limited first-party analytics without consent, but only when configured to collect anonymised, aggregated data with no cross-site tracking.

Cookie Banner Design: Equal Prominence Is the Standard

Dark patterns in cookie banners have become a primary enforcement target. Sweden's IMY issued enforcement actions in April 2025 against companies using pre-selected non-essential categories and burying privacy controls. The Dutch Data Protection Authority warned over 200 organisations in 2025 after reviewing cookie banners across 10,000 websites, with roughly three-quarters fixing their banners after the initial warning.

The UK's Information Commissioner's Office launched a systematic audit of the top 1,000 UK websites in January 2025. From the first 200 sites reviewed, 134 received warnings. The ICO applies UK GDPR and PECR with the same rigour as EU authorities, though the UK's Data Use and Access Act (June 2025) introduced five narrow exemptions for low-risk cookies.

A compliant first-layer banner must include these elements:

  • An "Accept All" button and a "Reject All" button with equal visual prominence - same size, same font weight, similar colour contrast.
  • A "Customise" or "Manage Preferences" link leading to a second layer with category-level toggles.
  • A brief description of each cookie category's purpose.
  • Identity of the data controller and a link to the full cookie policy.

The CNIL specifically requires that rejecting cookies takes no more clicks than accepting them. Google's 325 million euro fine was partly based on the finding that it took six clicks to reject personalised ads but only two to accept.

Technical Blocking: Consent Before Cookies Fire

Displaying a banner is not enough if tracking scripts execute before the visitor makes a choice. Every non-essential cookie must be blocked from loading until consent is given.

Google Tag Manager does not block cookies on its own - it controls when tags fire, but third-party scripts can still execute independently. A consent management platform with automatic script blocking is necessary to prevent cookies from being set prematurely. Google Consent Mode v2 provides a signalling layer that tells Google tags whether consent has been granted, but it must be configured to default all parameters (analytics_storage, ad_storage, ad_user_data, ad_personalization) to "denied" until the user acts.
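The default-to-denied configuration described above, as an added example that is not part of the original article: the `gtag()`/`dataLayer` shim is the standard Google snippet, but `dataLayer` is a plain array here so the logic runs offline without the real Google tag, and the banner category names (`analytics`, `advertising`) are this example's own assumption.

```javascript
// Added example: Google Consent Mode v2 default and update signalling.
// dataLayer is a plain array (assumption) so this runs in Node without a Google tag.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// The four Consent Mode v2 parameters named in the article.
const CONSENT_PARAMS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Every parameter starts 'denied' so no Google tag writes a cookie before the visitor acts.
// wait_for_update (ms) lets a CMP that already holds a stored choice send it before tags fire.
function consentDefaults() {
  const state = {};
  for (const p of CONSENT_PARAMS) state[p] = 'denied';
  return { ...state, wait_for_update: 500 };
}

// Map banner category choices (assumed names: analytics, advertising) onto the Google
// parameters. Anything not explicitly granted stays denied.
function consentUpdateFromChoices(choices) {
  const flag = (v) => (v === true ? 'granted' : 'denied');
  return {
    analytics_storage: flag(choices.analytics),
    ad_storage: flag(choices.advertising),
    ad_user_data: flag(choices.advertising),
    ad_personalization: flag(choices.advertising),
  };
}

// Replay the queued consent commands to see the state a tag would observe; useful for
// auditing that nothing is 'granted' before a visitor choice was recorded.
function effectiveConsentState() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] === 'consent') Object.assign(state, args[2]);
  }
  delete state.wait_for_update;
  return state;
}

// Must be queued before any Google tag loads.
function pageLoadDefault() {
  gtag('consent', 'default', consentDefaults());
  return effectiveConsentState();
}

// Called once the visitor clicks a banner option; sends only what was granted.
function onVisitorChoice(choices) {
  gtag('consent', 'update', consentUpdateFromChoices(choices));
  return effectiveConsentState();
}
```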

Server-side enforcement adds another layer of protection. Client-side blocking can fail due to race conditions or misconfigured tag managers. Server-side architectures verify consent status before any tracking event is processed, closing the gap between what the banner promises and what actually happens.

Consent Records and Proof of Compliance

Under GDPR Article 5(2), the accountability principle, the burden of proof lies with the data controller. If a regulator asks whether consent was obtained for a particular tracking cookie, the website operator must be able to demonstrate it.

Consent logs should capture the timestamp of the consent action, which version of the banner and cookie policy the visitor saw, which categories were accepted or rejected, and a session identifier that ties the record to the consent event. The EDPB has not set a specific retention period, but keeping records for at least 12 months aligns with common cookie refresh cycles.

Enforcement Across Europe: Where the Fines Are Landing

Cumulative GDPR fines reached approximately 5.88 billion euros across over 2,200 enforcement actions by late 2025. Cookie consent violations rank among the most frequently enforced categories.

| Authority | Action (2024-2025) | Key Finding |
|---|---|---|
| CNIL (France) | Fined SHEIN 150 million euros (Sept 2025) | Cookies set before consent; non-functional reject button |
| CNIL (France) | Fined Google 325 million euros (Sept 2025) | Six clicks to reject vs two to accept; ads without consent |
| Dutch DPA | Warned 200+ organisations (2025) | Misleading cookie banners; tracking without valid consent |
| ICO (UK) | 134 warnings from first 200 audited sites (2025) | Missing reject option; non-compliant banner designs |
| Swedish IMY | Enforcement actions (April 2025) | Pre-selected categories; hidden privacy controls |

Fines under GDPR can reach 20 million euros or 4% of global annual turnover, whichever is higher. Smaller businesses are not exempt - Spain's AEPD has issued over 1,000 fines, many targeting SMEs for consent and cookie violations.

Common Mistakes That Still Trigger Enforcement

Cookie walls block access to the site unless the visitor consents. The Dutch DPA ruled in 2019 that this violates the "freely given" requirement. The EDPB shares this view, though "consent or pay" models are being tested in some jurisdictions with mixed regulatory responses.

Banners that show only "Accept" and "Settings" on the first layer, with "Reject" buried in the second layer, are a textbook dark pattern. Both the CNIL and ICO require a first-layer reject option.

Implied consent through continued browsing has been invalid since the Planet49 ruling. Notices that say "By using this site, you agree to cookies" with only a "Got it" button fail every condition of valid consent.

Misclassifying non-essential cookies as "strictly necessary" to avoid the consent requirement is another frequent finding. Google Analytics cookies are not strictly necessary. Neither are social media pixels, A/B testing scripts, or heatmap tools.

Frequently Asked Questions

Do analytics cookies like Google Analytics require GDPR consent?

Yes. Google Analytics sets cookies such as _ga and _gid that track user behaviour across pages. These are classified as non-essential under the ePrivacy Directive and require prior opt-in consent. Germany requires consent for all analytics. France and Spain allow limited exemptions only for privacy-focused, first-party analytics configured to collect anonymised data.

Can I use a cookie wall that blocks access until users consent?

Most EU data protection authorities consider cookie walls non-compliant because they undermine the "freely given" condition of GDPR consent. The Dutch DPA explicitly ruled against them in 2019. Some jurisdictions are exploring "consent or pay" models, but the regulatory position is still evolving and varies by country.

How long should I keep cookie consent records?

The GDPR does not specify an exact retention period for consent logs, but the accountability principle (Article 5(2)) requires you to prove consent was obtained. Retaining records for at least 12 months - aligned with common cookie expiry cycles - is a practical minimum.

Does the GDPR apply to my website if my business is outside the EU?

Yes, if your website targets or monitors individuals in the EU. Article 3(2) of the GDPR extends its scope to any organisation offering goods or services to EU residents or tracking their behaviour, regardless of where the business is based.

Is scrolling or continuing to browse a valid form of cookie consent?

No. The CJEU's Planet49 ruling (Case C-673/17) established that consent must be an unambiguous, affirmative action. Scrolling, navigating to another page, or clicking a generic "OK" button does not meet this standard.

What is the difference between the ePrivacy Directive and the GDPR for cookies?

The ePrivacy Directive (Article 5(3)) is the law that specifically requires consent before placing cookies on a user's device. The GDPR defines what valid consent looks like - freely given, specific, informed, and unambiguous. The ePrivacy Directive tells you when to ask; the GDPR tells you how to ask.

What happens if the ePrivacy Regulation replaces the current Directive?

The proposed ePrivacy Regulation was formally withdrawn by the European Commission in February 2025 after years of legislative stalemate. The current ePrivacy Directive remains in force with no replacement on the immediate horizon. Any future regulation would likely maintain or strengthen existing consent requirements.

Stay Compliant Without the Guesswork

If you are uncertain which cookies your site sets or whether your banner meets current enforcement standards, start with a free cookie scan. Kukie.io detects first-party and third-party cookies, categorises them, and provides the script-blocking and geo-detection tools needed to match consent rules to each visitor's jurisdiction.
