GDPR Obligations | Updated: 7 April 2026 | 6 min read

Cookies and Consent: What Do You Need to Know?

Placing cookies without valid consent is one of the most common GDPR violations. This article explains which cookies require consent, how to set up a correct cookie banner, and which mistakes to avoid.

Key Takeaways
  • Only strictly necessary cookies may be placed without consent
  • Analytical and marketing cookies always require prior, active consent
  • A cookie banner with only 'Accept' is a dark pattern and not GDPR-compliant
  • The French supervisory authority CNIL issued fines up to 150 million euros for cookie violations in 2022

What are cookies exactly?

Cookies are small text files that a website places on a visitor’s device. They are used for various purposes: from remembering a shopping cart to tracking browsing behaviour for advertisements. Under the GDPR and the ePrivacy Directive, strict rules apply to when you may place cookies.

The problem: many business owners place a cookie banner on their website and think that settles it. But a banner alone is not enough. What matters is that you ask for the right consent, at the right time, for the right cookies.

Three categories of cookies

Not all cookies are equal. The legislation distinguishes three main categories, and different rules apply to each.

Strictly necessary cookies

These are cookies without which your website cannot function. Think of:

  • Session cookies for a shopping cart or login status
  • The cookie that stores the visitor’s cookie choice
  • Security cookies (e.g. CSRF tokens)

These may be placed without consent, but you must still list them in your cookie policy.

Analytical cookies

Cookies that measure visitor behaviour, such as Google Analytics, Hotjar, or Matomo (with default settings). Even if you only use the data internally, you need prior consent.

Note: some analytics tools offer a “cookieless mode”. Always verify that no cookies are actually placed, as the name can be misleading.

Marketing cookies

Cookies used for advertising, retargeting, and building visitor profiles. Examples:

  • Facebook Pixel (_fbp)
  • Google Ads remarketing
  • LinkedIn Insight Tag
  • Other advertising networks

Marketing cookies are the most strictly regulated. Consent must be specific, informed, and active.

A GDPR-compliant cookie banner meets these requirements:

No cookies loaded in advance. Non-essential cookies may only be placed after the visitor actively gives consent. That means: no Google Analytics, no Facebook Pixel, no marketing scripts until the visitor clicks “Accept”.

Offer a real choice. The visitor must be able to refuse just as easily as accept. Both buttons must be equally prominent. A large green “Accept all” button next to a small grey “More info” link is not a real choice.

Ask consent per category. The visitor must be able to choose which categories of cookies are placed. Accepting analytical cookies must be separate from marketing cookies.

Remember the choice. A visitor who refuses must not be asked again on every page visit. Store the choice (ironically, in a strictly necessary cookie).

Make consent revocable. There must be a way to change the cookie choice later, for example via a link in the footer.
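The five requirements above translate into a small amount of client-side logic. The following is an added example, not code from the article or from GDPRWise: it stores the visitor's per-category choice in one strictly necessary cookie, treats anything that is not an explicit opt-in as refusal (so pre-ticked or malformed values never enable a category), only returns script URLs for categories that were actually accepted, and writes the same cookie for "refuse all" and for later revocation. The cookie name, category names and script URLs are assumptions; the code works on cookie strings so it runs outside a browser as well.

```javascript
// Added example (not from the article or GDPRWise). Cookie name, categories
// and script URLs are assumptions; URLs use the reserved .invalid TLD.
const CONSENT_COOKIE = "cookie_consent"; // strictly necessary: holds the choice
const CATEGORIES = ["analytics", "marketing"]; // non-essential categories

// Scripts registered per category; none of these run until consent is parsed.
const SCRIPT_REGISTRY = {
  analytics: ["https://analytics.example.invalid/tag.js"],
  marketing: ["https://ads.example.invalid/pixel.js"],
};

// Parse the stored choice from a Cookie header / document.cookie string.
// A missing or malformed cookie means "no decision yet" and no consent.
function parseConsent(cookieString) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  const raw = (cookieString || "").split(";").map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!raw) return { decided: false, ...consent };
  try {
    const stored = JSON.parse(decodeURIComponent(raw.slice(CONSENT_COOKIE.length + 1)));
    // Only an explicit boolean true counts as active consent; "on", 1 or a
    // pre-ticked default never enable a category.
    for (const c of CATEGORIES) consent[c] = stored[c] === true;
    return { decided: true, ...consent };
  } catch {
    return { decided: false, ...consent };
  }
}

// Build the Set-Cookie value for a choice. Refusal is stored exactly like
// acceptance so the visitor is not asked again on every page.
function serializeConsent(choice, maxAgeDays = 180) {
  const value = Object.fromEntries(CATEGORIES.map((c) => [c, choice[c] === true]));
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(value))}` +
    `; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Script URLs that may be injected for a parsed consent: nothing by default.
function scriptsToLoad(consent) {
  return CATEGORIES.filter((c) => consent[c]).flatMap((c) => SCRIPT_REGISTRY[c]);
}

// "Refuse all" and later revocation (e.g. from a footer link) both write an
// all-false choice; the result is a decided visitor with no scripts loaded.
function refuseAll() {
  return serializeConsent({});
}
```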

The “accept all” dark pattern

One of the most common mistakes is a cookie banner that strongly steers towards “accept all”. The French supervisory authority CNIL has taken firm action on this issue.

In 2022, the CNIL fined Google (150 million euros) and Facebook (60 million euros) because their cookie banners made refusing cookies unnecessarily difficult. Accepting took one click, but refusing required multiple steps through submenus.

This does not only apply to tech giants. The CNIL and other supervisory authorities also look at smaller websites. The principle is simple: if “Refuse” is not as easy as “Accept”, the consent is not valid.

Specifically: if your banner has an “Accept all” button, there must be an equally prominent “Refuse all” button next to it. Not hidden somewhere in a submenu.

Common mistakes

  • Loading cookies before consent. Google Analytics runs before the visitor has made a choice. This is a direct violation.
  • Offering only “Accept”. No refuse option, or it is hidden behind multiple clicks.
  • Inaccurate cookie banner. The banner mentions three cookies, but a scan reveals twenty. This happens when no cookie audit has been performed.
  • Pre-ticked checkboxes. Categories that are set to “on” by default. That is not active consent.
  • No cookie policy. A banner exists, but nowhere an explanation of which cookies you place and why.
  • Cookie wall. Blocking the website until the visitor accepts cookies. This is not permitted in most EU countries.

The first step towards correct cookie compliance is knowing which cookies your website places. Open your website in an incognito window, open the developer tools (F12), and check the Application > Cookies tab. You will probably be surprised by what you find.
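Once you have that list from the developer tools, the two checks worth automating are the ones the mistakes above describe: cookies that appear nowhere in your policy, and non-essential cookies that are already present before the banner has been clicked. The following is an added example, not code from the article or from GDPRWise; the declared policy and the observed cookies are constructed sample data, and the `_stats_*` prefix pattern is an assumption for tools that append a site-specific suffix to their cookie name.

```javascript
// Added example (not from the article or GDPRWise). All cookie names and
// domains below are constructed sample data, not a real site's inventory.

// What the cookie policy declares: exact names or a trailing-* prefix pattern.
const DECLARED_POLICY = [
  { pattern: "sessionid",      category: "necessary" },
  { pattern: "cookie_consent", category: "necessary" },
  { pattern: "_fbp",           category: "marketing" },
  { pattern: "_stats_*",       category: "analytics" }, // prefix pattern (assumed)
];

// What a fresh incognito session shows under Application > Cookies before
// any banner click (constructed capture).
const OBSERVED_PRE_CONSENT = [
  { name: "sessionid",   domain: "shop.example" },
  { name: "_fbp",        domain: ".shop.example" },
  { name: "_stats_ab12", domain: "shop.example" },
  { name: "tracker_xyz", domain: ".ads.example" }, // not in the policy at all
];

function matchesPattern(name, pattern) {
  return pattern.endsWith("*")
    ? name.startsWith(pattern.slice(0, -1))
    : name === pattern;
}

// Category from the declared policy, or "undeclared" when nothing matches.
function classify(name, policy) {
  const entry = policy.find((p) => matchesPattern(name, p.pattern));
  return entry ? entry.category : "undeclared";
}

// Two findings: cookies missing from the policy (an inaccurate banner), and
// non-essential cookies placed before consent (a direct violation).
function auditPreConsent(observed, policy) {
  const undeclared = [];
  const placedBeforeConsent = [];
  for (const cookie of observed) {
    const category = classify(cookie.name, policy);
    if (category === "undeclared") {
      undeclared.push(cookie.name);
    } else if (category !== "necessary") {
      placedBeforeConsent.push({ name: cookie.name, category });
    }
  }
  const compliant = undeclared.length === 0 && placedBeforeConsent.length === 0;
  return { undeclared, placedBeforeConsent, compliant };
}
```

Rerunning the same check after every website change is what step 6 of the plan below amounts to; a cookie that suddenly turns up as undeclared is usually a newly added third-party tag.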


Template: Cookie Audit

Systematically map all cookies: which cookie, from whom, for what purpose, how long active, and whether consent is required.


What should you do now?

  1. Inventory all cookies on your website with a cookie audit
  2. Categorise them as strictly necessary, analytical, or marketing
  3. Check that your cookie banner asks for correct, active consent per category
  4. Ensure that non-essential cookies only load after consent
  5. Make refusing as easy as accepting
  6. Repeat the audit after every website change and at least annually

Automatic cookie scan?

GDPRWise scans your website and automatically detects which cookies, trackers, and third parties are active. So you know exactly what needs to change, without searching manually.

GDPRWise Editorial

This article was written by the GDPRWise team and reviewed by our privacy experts. We regularly review our content for accuracy and legal correctness.