What Personalisation Cookies Actually Do
Every time a visitor browses an online store, product recommendation engines track behaviour - pages viewed, items added to a basket, search queries, time spent on product listings. That data feeds algorithms that generate personalised suggestions such as "customers also bought" or "recommended for you" sections.
The tracking relies on cookies. Common examples include _dy_ses_load_seq (Dynamic Yield), _recs, _user_pref, and retailer-specific identifiers that store browsing history and preference profiles. Some engines also rely on _fbp or _ga to enrich their recommendation models with cross-session data.
These cookies fall squarely into the non-essential cookies category. They are not required for the website to function, nor do they serve a purpose the visitor explicitly requested.
The Legal Framework: ePrivacy Directive Article 5(3)
Cookie consent in the EU does not stem from the GDPR alone. Article 5(3) of the ePrivacy Directive is the primary rule. It states that storing or accessing information on a user's device requires the user's prior consent, unless the cookie is strictly necessary to provide a service the user has explicitly requested.
Personalisation does not meet the "strictly necessary" threshold. A website can display products, process orders, and function fully without tracking individual browsing patterns for recommendations. The European Data Protection Board (EDPB) has confirmed this interpretation repeatedly.
The GDPR then governs how the personal data collected through those cookies is processed. The two instruments work in tandem - ePrivacy controls device access, GDPR controls what happens with the data afterwards.
Why Legitimate Interest Does Not Work for Personalisation Cookies
Some retailers argue that personalisation cookies serve a legitimate interest under GDPR Article 6(1)(f). The reasoning typically goes: better recommendations improve user experience, reduce bounce rates, and increase conversion. Surely that qualifies as a legitimate interest?
The EDPB has been clear that this argument fails at the first hurdle. Legitimate interest is a lawful basis under the GDPR for processing personal data, but it cannot override the separate consent requirement in Article 5(3) of the ePrivacy Directive. Cookie placement and data processing are two distinct legal questions.
Even if legitimate interest could apply to the processing itself, the EDPB's 2024 Guidelines on Legitimate Interest (Guidelines 1/2024) indicate that creating personalised content profiles or selecting personalised advertisements cannot rely on an overriding legitimate interest. The individual's right to privacy outweighs the commercial benefit to the data controller.
Put simply: you cannot bypass consent for placing the cookie by arguing legitimate interest for using the data the cookie collects.
EDPB Cookie Banner Taskforce Findings
The EDPB's Cookie Banner Taskforce report, published in January 2023, addressed several common compliance failures. One finding is directly relevant to personalisation: cookie banners must not refer to data collection based on legitimate interest as a basis for cookie placement.
The Taskforce found that some websites were presenting personalisation cookies under a "legitimate interest" toggle in their consent interface, separate from the standard consent mechanism. This practice is non-compliant. Article 5(3) of the ePrivacy Directive requires consent - not a balancing test, not an opt-out mechanism, and not a separate legal basis toggle.
What the Taskforce Report Means in Practice
If your cookie banner or consent management platform lists personalisation cookies under a "legitimate interest" category, that configuration is wrong. All personalisation cookies must sit under a consent-based category that defaults to off and requires an affirmative action from the visitor to activate.
Enforcement Actions on Personalisation and Tracking
Regulators have moved from guidance to enforcement. The CNIL issued 87 sanctions in 2024, totalling over 55 million euros. Eleven of those specifically targeted organisations that failed to make cookie refusal as easy as acceptance.
In 2025, CNIL enforcement escalated dramatically. Total fines reached approximately 487 million euros across 83 sanctions. The CNIL fined Google 325 million euros for placing cookies without valid consent when users created Google accounts, and for displaying advertisements between Gmail emails without consent. SHEIN's Irish subsidiary received a 150 million euro fine for multiple Article 82 violations, including failure to obtain consent before placing cookies.
| Enforcement Action | Year | Fine | Key Violation |
|---|---|---|---|
| Google (CNIL) | 2025 | 325 million euros | Cookies placed without valid consent |
| SHEIN (CNIL) | 2025 | 150 million euros | Failure to obtain consent before cookie placement |
| CNIL combined cookie fines (Dec 2022 - Dec 2024) | 2022-2024 | Over 139 million euros | Various ePrivacy Article 5(3) breaches |
These figures make one thing clear: the financial risk of treating personalisation cookies as something other than consent-dependent is substantial and growing.
Practical Steps to Make Personalisation Cookies Compliant
Achieving compliance does not mean abandoning product recommendations entirely. It means restructuring how and when personalisation activates.
1. Categorise Personalisation Cookies Correctly
Run a cookie audit and classify every personalisation-related cookie as non-essential. This includes cookies set by recommendation engines, A/B testing tools used for personalisation, and any identifier that tracks individual browsing patterns for tailored content.
2. Block Before Consent
Personalisation scripts must not fire until the visitor grants consent. Use your consent management platform to conditionally load third-party scripts based on the visitor's choice. If you use Google Tag Manager, configure consent initialisation triggers to hold personalisation tags until the appropriate consent signal is received.
3. Offer a Meaningful Default Experience
Visitors who decline personalisation cookies should still see a functional website. Display generic "best sellers" or "trending products" sections instead of personalised recommendations. Some recommendation platforms support anonymous, context-based suggestions using page-level data (product category, price range) rather than individual tracking.
4. Be Transparent in Your Cookie Banner
Your cookie banner should explain what personalisation cookies do in plain language. Avoid vague labels like "functional" for cookies that actually track behaviour. If a cookie tracks browsing history to generate product recommendations, it belongs in a personalisation or marketing category - not in a "preferences" bucket designed to sound harmless.
5. Respect Refusal Without Penalty
Do not use dark patterns to pressure visitors into accepting personalisation cookies. The EDPB's position is that consent must be freely given. Cookie walls that block access unless personalisation is accepted are unlikely to produce valid consent under GDPR Article 7.
The EU Omnibus Proposal and Future Cookie Rules
The European Commission published the Digital Omnibus proposal in November 2025. It acknowledges that current cookie rules have led to consent fatigue and excessive cookie banners. The proposal aims to simplify certain aspects of digital regulation.
However, the Omnibus does not remove the consent requirement for non-essential cookies. The exemptions remain limited to a closed list of low-risk scenarios. Personalisation cookies are not on that list. Retailers hoping the regulatory environment will relax should not delay compliance work based on speculative future changes.
Consent Mode and Personalisation: A Technical Note
Google Consent Mode v2 allows websites to adjust how Google tags behave based on consent status. When a visitor declines consent, Consent Mode sends cookieless pings to Google services, enabling conversion modelling without individual tracking.
This approach does not solve the personalisation cookie problem directly. Consent Mode governs Google's own tags. Third-party recommendation engines typically operate outside the Consent Mode framework and require separate consent management. You still need to block those scripts independently until consent is granted.
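One way to wire step 2 ("Block Before Consent") together with this Consent Mode note, as an added example that is not code from the original article, from Google or from any CMP vendor: Consent Mode v2 defaults are set to denied, while third-party recommendation scripts are gated by a separate check that defaults to off. The `choice` object shape and the category names are assumptions; the Consent Mode signal names are Google's real ones.

```javascript
// Added example, not from the article or any CMP vendor. Assumed: the CMP reports
// { personalisation, marketing, analytics } booleans; the Consent Mode mapping is illustrative.

// Consent Mode v2 defaults: pass to gtag('consent', 'default', ...) before any
// Google tag loads, so nothing is granted until the CMP reports a choice.
const CONSENT_MODE_DEFAULT = {
  ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
  analytics_storage: 'denied', personalization_storage: 'denied',
  wait_for_update: 500,
};

// Payload for gtag('consent', 'update', ...). A missing or non-boolean category
// is treated as refused, so a CMP misconfiguration fails closed (default off).
function consentModeUpdate(choice) {
  const grant = (v) => (v === true ? 'granted' : 'denied');
  return {
    ad_storage: grant(choice.marketing),
    ad_user_data: grant(choice.marketing),
    ad_personalization: grant(choice.marketing),
    analytics_storage: grant(choice.analytics),
    personalization_storage: grant(choice.personalisation),
  };
}

// Third-party recommendation engines sit outside Consent Mode, so they are
// gated separately: each registered script declares the category it needs.
function scriptsToLoad(registry, choice) {
  return registry.filter((s) => s.category === 'necessary' || choice[s.category] === true);
}

// Storefront fallback: personalised only with consent, otherwise generic
// best sellers, so refusing costs the visitor nothing.
function recommendationMode(choice) {
  return choice.personalisation === true ? 'personalised' : 'generic-best-sellers';
}

// Browser wiring; gtag and DOM calls are skipped when run outside a browser.
function applyConsent(choice, registry) {
  if (typeof window !== 'undefined' && typeof window.gtag === 'function') {
    window.gtag('consent', 'update', consentModeUpdate(choice));
  }
  if (typeof document !== 'undefined') {
    for (const s of scriptsToLoad(registry, choice)) {
      const el = document.createElement('script');
      el.src = s.src; el.async = true;
      document.head.appendChild(el);
    }
  }
  return recommendationMode(choice);
}
```

Scripts left in the page as `type="text/plain"` and only activated through `applyConsent` give the same fail-closed behaviour for inline tags; the point is that Consent Mode alone never stops a non-Google script from setting its own cookies.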
Frequently Asked Questions
Are product recommendation cookies considered essential under GDPR?
No. Product recommendation cookies track individual browsing behaviour to generate personalised suggestions. This is not a service the visitor explicitly requested, so these cookies do not qualify as strictly necessary under Article 5(3) of the ePrivacy Directive.
Can I use legitimate interest instead of consent for personalisation cookies?
No. The ePrivacy Directive requires consent for storing or accessing information on a user's device. Legitimate interest is a GDPR concept that cannot override this separate consent requirement. The EDPB has confirmed this position in its Cookie Banner Taskforce report and Guidelines 1/2024.
What happens if visitors reject personalisation cookies?
Your website must still function normally. Display generic recommendations such as best sellers or trending products. Some recommendation engines support context-based suggestions that do not rely on individual tracking cookies.
How should personalisation cookies appear in my cookie banner?
Personalisation cookies should appear in a clearly labelled non-essential category (such as "personalisation" or "marketing") that defaults to off. They must not be listed under a legitimate interest toggle or hidden within a "functional" category.
Do personalisation cookies on e-commerce sites need consent in the UK?
Yes. The UK GDPR and the Privacy and Electronic Communications Regulations (PECR) mirror the EU position. Non-essential cookies, including those used for personalisation, require prior consent from the visitor.
Can I show personalised content without cookies?
Partially. You can use contextual signals such as the current page category, device type, or geographic region to tailor content without setting cookies. However, any technique that stores or accesses information on the user's device still falls under Article 5(3) of the ePrivacy Directive.
Take Control of Your Cookie Compliance
If you are not sure which cookies your recommendation engine sets, start with a free cookie scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.