
EU Cookie Consent Requirements: A Complete Guide for Website Compliance
Comprehensive breakdown of EU cookie consent requirements under GDPR and the ePrivacy Directive. Covers the four pillars of valid consent (freely given, specific, informed, unambiguous), technical implementation requirements including prior blocking and equal prominence buttons, prohibited dark patterns with real enforcement examples, cookie categories, and documentation requirements. Essential reference for any website with EU visitors.
GDPR fines for cookie violations reached €1.7 billion in 2025 alone. Google was hit with €150 million. Meta paid €60 million. Amazon's bill? €746 million.
And these aren't just tech giants getting caught. Small businesses across the EU are receiving enforcement notices for cookie banners that look compliant but technically aren't.
The uncomfortable truth: having a cookie banner isn't enough. The regulations are specific, technical, and—thanks to the EDPB's 2023 Cookie Banner Taskforce report—strictly enforced. Most implementations we audit fail on at least one requirement.
This guide breaks down exactly what EU law requires from your cookie consent implementation. Not vague principles. Specific, actionable requirements you can verify today.
TL;DR
- Two laws govern cookies: The ePrivacy Directive ("Cookie Law") + GDPR working together
- Four consent requirements: Freely given, specific, informed, and unambiguous—fail one, consent is invalid
- Non-essential cookies must be blocked until users actively consent (displaying a banner isn't enough)
- "Accept" and "Reject" must have equal prominence—hiding reject behind "Manage Preferences" violates EDPB guidance
- You must prove consent was obtained—timestamps, versions, and audit trails required
What You'll Learn
- Which EU regulations apply to your cookie consent (and how they work together)
- The four pillars of valid consent and how each gets violated
- Technical requirements your cookie banner must implement
- Dark patterns that will get you fined
- Cookie categories and which actually need consent
- Documentation requirements for proving compliance
The Legal Framework: Two Regulations Working Together
Cookie consent in the EU isn't governed by a single law. It's a combination of two pieces of legislation that work together—and understanding both is crucial for compliance.
The ePrivacy Directive (2002/58/EC) — The "Cookie Law"
Article 5(3) establishes the foundational consent requirement:
"The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information."
This applies beyond just cookies:
- Tracking pixels and web beacons
- Device fingerprinting techniques
- Local storage and session storage
- Tracking URLs and links
- IoT device reporting
If it stores or reads data from a user's device, it's covered.
GDPR: Defining What "Consent" Actually Means
The GDPR complements the ePrivacy Directive by defining what constitutes valid consent:
- Article 4(11): Consent must be a "freely given, specific, informed and unambiguous indication" expressed through a "clear affirmative action"
- Article 7: Sets conditions for valid consent, including proof requirements and withdrawal rights
- Recital 32: Explicitly prohibits silence, pre-ticked boxes, and inactivity as valid consent
The EDPB (European Data Protection Board) has issued detailed guidance clarifying these requirements:
- Guidelines 05/2020 on Consent
- Cookie Banner Taskforce Report (January 2023)
- Guidelines 2/2023 on Article 5(3)
- Guidelines 03/2022 on Dark Patterns
These aren't suggestions. National regulators cite them directly in enforcement decisions.
The Four Pillars of Valid Consent
For consent to be legally valid under GDPR Article 4(11), it must meet four criteria. Fail any single one, and the entire consent is invalid.
1. Freely Given
Users must have genuine, free choice without any form of coercion or detriment for refusing.
What this requires:
- Users can access the website even if they refuse non-essential cookies
- No negative consequences for refusing consent
- Consent isn't bundled with terms of service acceptance
- No power imbalance exploited to pressure users
Common violations:
- Cookie walls that block access until cookies are accepted
- Degraded service quality for users who refuse
- Making rejection more difficult than acceptance (more clicks, smaller buttons)
A user who has to accept cookies to read your content hasn't freely consented—they've been coerced. Courts and regulators consistently reject this.
2. Specific
Consent must be given for each distinct purpose. Bundling different purposes into a single consent request is prohibited.
What this requires:
- Separate consent options for different cookie categories (analytics, marketing, functional)
- Granular control allowing users to accept some categories while rejecting others
- Clear purpose stated for each cookie category
Common violations:
- "All or nothing" consent with no granular options
- Bundling marketing and analytics cookies together
- Vague purposes like "to improve your experience"
If your banner only offers "Accept All" or "Manage Settings" (with no reject option), you're forcing users to either accept everything or spend extra effort customizing—that's not specific consent.
3. Informed
Users must receive clear information before giving consent. This information must be in plain language that average users can understand.
Minimum information requirements:
| Information | Why Required |
|---|---|
| Controller identity | Users must know who's collecting their data |
| Processing purposes | What each cookie category actually does |
| Cookie types | Session vs. persistent, first-party vs. third-party |
| Duration | How long cookies remain active |
| Third parties | Who else receives the data |
| Withdrawal rights | How to revoke consent later |
| International transfers | If data leaves the EU |
Common violations:
- Legal jargon that average users can't understand
- Missing or vague information about third parties
- No information about cookie duration
- Information hidden in lengthy privacy policies users never read
The test is whether a reasonable person would understand what they're consenting to. "We use cookies to enhance your experience" tells users nothing.
4. Unambiguous
Consent must be expressed through a clear affirmative action. There must be no doubt the user intended to give consent.
What this requires:
- Active opt-in (clicking a button, checking a box)
- No pre-ticked checkboxes for non-essential cookies
- Consent cannot be inferred from silence or inactivity
- Clear distinction between accepting and rejecting
GDPR Recital 32 explicitly prohibits:
- Silence as consent
- Pre-ticked boxes
- Inactivity as consent
- Scrolling or continued browsing as consent
If your implementation assumes consent when users ignore the banner and keep browsing, you don't have valid consent. Period.
Technical Requirements Your Banner Must Meet
Beyond the legal requirements for valid consent, your implementation must meet specific technical specifications. Regulators now routinely examine actual script behavior using browser developer tools.
Prior Blocking of Non-Essential Cookies
This is the most critical technical requirement: non-essential cookies must not be set until after the user gives consent.
What this means in practice:
- No analytics scripts (Google Analytics, etc.) can fire before consent
- No marketing pixels can load before consent
- No third-party cookies can be set before consent
- Embedded content (videos, social plugins) must not set cookies before consent
Simply displaying a cookie banner while your scripts run freely in the background is what we call "compliance theater." It looks compliant but isn't—and regulators know exactly how to check.
How to verify: Open a fresh private window (so no consent stored by an earlier visit is applied), open your browser's DevTools (Network tab, filter by third-party requests), and load your page without interacting with the banner. If you see requests to Google Analytics, Facebook, or advertising networks before you've clicked anything, your implementation is broken. Checking the browser's cookie and storage view for entries set by those hosts confirms the same thing from the other side.
Cookient uses DOM-level script interception with MutationObserver to ensure scripts never execute before consent. The technical details matter—defer and async attributes only change when a script runs, not whether it runs, so they do not block anything.
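As an added example (not Cookient's code, and not tied to any particular consent library), the following script shows both halves of the point above: a MutationObserver that neutralises parser-inserted third-party scripts before the browser prepares them and releases them only for consented categories, and a self-check over the browser's resource timing entries that answers the same question as the DevTools procedure. The host names, the host-to-category mapping and the `data-consent` attribute are assumptions made for the example.

```javascript
// Added example, not Cookient's code: consent gating for parser-inserted
// scripts plus a self-check over the browser's resource timing entries.
// All host names and categories below are constructed for the example.

// Constructed: first-party hosts whose assets may load without consent.
const FIRST_PARTY_HOSTS = ['www.example.com', 'cdn.example.com'];

// Constructed: third-party hosts mapped to the consent category they need.
const CATEGORY_BY_HOST = {
  'www.google-analytics.com': 'analytics',
  'www.googletagmanager.com': 'analytics',
  'connect.facebook.net': 'marketing',
};

function hostOf(url) {
  try { return new URL(url, 'https://www.example.com/').hostname; } catch { return ''; }
}

// Category a script needs consent for; null means first-party or inline, not gated.
function classifyScript({ src = '', category = '' }) {
  if (category) return category;                       // explicit data-consent wins
  if (!src || FIRST_PARTY_HOSTS.includes(hostOf(src))) return null;
  return CATEGORY_BY_HOST[hostOf(src)] || 'unknown';   // unknown hosts are gated too
}

// Policy decision: run only if the user consented to the script's category.
function mayExecute(script, consent) {
  const cat = classifyScript(script);
  return cat === null || consent[cat] === true;
}

// Browser wiring. The HTML parser performs a microtask checkpoint between
// inserting a <script> element and preparing it for execution, so a
// MutationObserver callback sees the element first. A non-JavaScript type set
// at that point makes "prepare the script" return without running anything.
// Caveat: scripts appended from JavaScript are prepared synchronously on
// insertion, so they must be gated where they are created, not here.
function installScriptGate(getConsent) {
  if (typeof document === 'undefined' || typeof MutationObserver === 'undefined') return null;
  const observer = new MutationObserver((records) => {
    for (const record of records) {
      for (const node of record.addedNodes) {
        if (node.nodeName !== 'SCRIPT' || node.dataset.gated) continue;
        const info = { src: node.getAttribute('src') || '', category: node.dataset.consent || '' };
        if (!mayExecute(info, getConsent())) {
          node.type = 'text/plain';                     // browser will not execute this
          node.dataset.gated = classifyScript(info);    // remember the category for release
        }
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// After consent: re-create each gated script whose category is now allowed.
// An element that has already been prepared never runs, so a fresh element is
// required rather than flipping the type attribute back.
function releaseGatedScripts(consent) {
  if (typeof document === 'undefined') return 0;
  let released = 0;
  for (const old of document.querySelectorAll('script[data-gated]')) {
    if (consent[old.dataset.gated] !== true) continue;
    const fresh = document.createElement('script');
    for (const { name, value } of old.attributes) {
      if (name !== 'type' && name !== 'data-gated') fresh.setAttribute(name, value);
    }
    fresh.textContent = old.textContent;
    old.replaceWith(fresh);
    released += 1;
  }
  return released;
}

// Self-check matching the DevTools procedure: which third-party hosts were
// contacted before consent was given? `entries` are PerformanceResourceTiming
// objects (name = URL, startTime = ms since navigation). In a browser:
//   thirdPartyHostsBefore(performance.getEntriesByType('resource'), consentAtMs)
function thirdPartyHostsBefore(entries, consentAtMs) {
  const hosts = new Set();
  for (const e of entries) {
    const host = hostOf(e.name);
    if (host && !FIRST_PARTY_HOSTS.includes(host) && e.startTime < consentAtMs) hosts.add(host);
  }
  return [...hosts].sort();
}
```

In a page, `installScriptGate(() => currentConsent)` has to be the first inline script in `<head>` so the observer exists before any gated script is parsed, and `releaseGatedScripts(currentConsent)` runs from the banner's accept handler. The observer relies on the parser's microtask checkpoint, which is why loaders that append scripts from JavaScript need gating at their source rather than in the observer.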
Equal Prominence of Accept and Reject Options
The EDPB Cookie Banner Taskforce made this unambiguous: both "Accept" and "Reject" options must be presented with equal prominence on the first layer.
Requirements for button design:
| Element | Requirement |
|---|---|
| Size | Accept and Reject buttons must be the same size |
| Color/Contrast | Similar visual weight—one can't be highlighted while the other is faded |
| Position | Both on the same layer (first layer)—Reject cannot be hidden behind "Settings" |
| Clicks Required | Same number of clicks to accept or reject (typically one each) |
| Language | Neutral wording—no persuasive or alarming language for rejection |
A large, bright green "Accept All" button next to a tiny gray "Manage Preferences" link? That's not equal prominence—and multiple regulators have issued fines specifically for this pattern.
Easy Consent Withdrawal
GDPR Article 7(3) states: "It shall be as easy to withdraw as to give consent."
Implementation requirements:
- A persistent, visible method to access cookie preferences (footer link, floating icon)
- One-click withdrawal capability
- Immediate effect upon withdrawal (cookies must stop being used)
- No pressure or barriers when attempting to withdraw
If users can accept cookies with one click but need to navigate through three pages to change their preferences, you're not compliant.
Cookient provides a persistent preference widget that remains accessible on every page, allowing users to modify or withdraw consent with a single click at any time.
Prohibited Dark Patterns
"Dark patterns" are deceptive design practices that manipulate users into choices they didn't intend. The EDPB and national regulators have made enforcement of dark patterns a priority.
Common Dark Patterns in Cookie Banners
| Dark Pattern | Description | Why Prohibited |
|---|---|---|
| Pre-ticked boxes | Cookie categories enabled by default | Violates affirmative action requirement |
| Asymmetric buttons | Accept prominent, Reject faded/smaller | Consent not freely given |
| Hidden reject | Reject on second layer or buried in settings | More clicks to reject than accept |
| Cookie walls | Blocking access until cookies accepted | Consent not freely given |
| Deceptive colors | Red for reject, green for accept | Psychological manipulation |
| Manipulative language | "Accept" vs "Continue with limited experience" | Creates fear of consequences |
| Confirm shaming | "No, I don't want to save money" | Pressures through guilt |
| False urgency | Countdown timers, "decide now" pressure | Prevents considered decisions |
Real Enforcement Examples
These aren't theoretical risks. Regulators have issued significant fines:
- Google (€150 million, CNIL 2022): Making it difficult to reject cookies
- Facebook/Meta (€60 million, CNIL 2022): Confusing rejection process
- Amazon (€746 million, CNPD Luxembourg): Inadequate consent mechanisms
- TikTok (€5 million, CNIL): Insufficient information and reject button placement
- Microsoft (CNIL): Reject option hidden on second layer
The pattern is clear: regulators are specifically targeting implementations that technically show consent options but manipulate users toward acceptance.
Cookie Categories: What Actually Needs Consent?
Not all cookies require consent. Understanding the categories and their requirements is essential.
| Category | Description | Consent Required? | Examples |
|---|---|---|---|
| Strictly Necessary | Essential for basic website functionality | No | Session, shopping cart, security, consent storage |
| Functional | Enhanced features and personalization | Yes | Language preference, user settings |
| Analytics | Usage statistics and performance measurement | Yes | Google Analytics, Hotjar, visitor counts |
| Marketing | Advertising and retargeting | Yes | Facebook Pixel, Google Ads, ad networks |
| Third-party | Cookies set by external services | Yes | Embedded videos, social plugins, maps |
The "Strictly Necessary" Exemption
For a cookie to qualify as strictly necessary and be exempt from consent, it must meet one of these criteria under Article 5(3):
- Technical transmission: Essential for carrying out the transmission of a communication over an electronic network
- Requested service: Strictly necessary to provide a service explicitly requested by the user
Critical point: Analytics, marketing, and advertising cookies can never be classified as strictly necessary. Using "legitimate interest" to justify these cookies without consent isn't compliant—the ePrivacy Directive takes precedence over GDPR's legitimate interest provisions for cookies.
If you're running Google Analytics or Google Ads, you need explicit consent for EU visitors. There's no legitimate interest workaround.
Documentation and Record-Keeping Requirements
Under GDPR Article 7(1), you must be able to demonstrate that consent was obtained. This creates specific documentation requirements that many implementations overlook.
Consent Record Requirements
Each consent interaction must record:
| Data Element | Description |
|---|---|
| Timestamp | Exact date and time (to second precision) |
| User/Device identifier | Unique identifier linking consent to the user |
| Consent decision | What the user accepted or rejected |
| Categories selected | Specific cookie categories approved/rejected |
| Banner version | Version of the consent text/banner shown |
| Geolocation | User's location (for determining applicable laws) |
| Withdrawal logs | Records of any consent withdrawal or modification |
Storage and Retention
- Retention period: At least 5 years recommended for audit trail protection
- Security: Records must be encrypted and protected from unauthorized access
- Integrity: Logs should be tamper-proof (regulators increasingly verify audit trail integrity)
- Accessibility: Must be retrievable for regulatory audits or user requests
Cookient maintains detailed consent logs with timestamps, decision records, and exportable audit trails—essential for demonstrating compliance during regulatory inquiries.
Consent Renewal Periods
Consent isn't permanent. Different jurisdictions recommend different renewal periods:
| Jurisdiction | Recommended Period |
|---|---|
| ePrivacy Directive (EU-wide) | 12 months maximum |
| France (CNIL) | 6 months |
| Ireland (DPC) | 6 months |
| Germany (BfDI) | 6-12 months |
| Spain (AEPD) | Up to 24 months |
| Luxembourg (CNPD) | 12 months |
Best practice: Apply the strictest standard for your user base. If you have visitors from France, use 6 months as your renewal period.
Compliance Checklist
Use this to verify your implementation meets EU requirements:
Technical Implementation
- Non-essential cookies blocked before consent is given
- Scripts and tags only fire after receiving appropriate consent
- Google Consent Mode v2 properly implemented (if using Google services)
- Cookie scanning performed regularly to detect new cookies
Banner Design
- "Accept All" and "Reject All" buttons have equal prominence
- Both options available on the first layer
- No pre-ticked checkboxes for non-essential cookies
- Colors and contrast are neutral (no deceptive design)
- Language is clear and neutral (no manipulative wording)
- Banner works properly on mobile devices
Information Provided
- Controller identity clearly stated
- Purposes for each cookie category explained
- Third parties identified
- Cookie durations disclosed
- Link to full cookie policy provided
- Information in plain language (not legal jargon)
User Control
- Granular consent options for different cookie categories
- Persistent link/icon to access preferences (footer or floating)
- Withdrawal as easy as giving consent
- Website functions even if non-essential cookies rejected
- Changes take effect immediately
Documentation
- Consent records stored with timestamps
- Audit trail maintained securely
- Banner versions archived
- Consent renewal configured appropriately
- Cookie policy regularly updated
Key Takeaways
EU cookie consent requirements may seem complex, but they follow a clear logic: users must have genuine choice and control over their personal data.
The essentials:
- Prior consent is mandatory — Block non-essential cookies until users actively consent
- Equal choice matters — Accept and Reject must be equally easy and prominent
- Transparency is required — Users must understand what they're consenting to
- Dark patterns are prohibited — Any manipulation invalidates consent
- Documentation is essential — You must prove consent was properly obtained
- Withdrawal must be easy — Users must be able to change their mind at any time
With regulators increasingly focused on cookie compliance and fines reaching hundreds of millions, proper implementation isn't just a legal requirement—it's a business necessity.
The websites getting fined aren't malicious—they're usually running cookie banners that look compliant but fail on technical requirements they didn't know existed. The gap between appearance and actual compliance is where enforcement happens.
Get Compliant Without the Complexity
Cookient provides a fully GDPR-compliant cookie consent solution with all the requirements covered in this guide:
- True prior blocking via DOM-level script interception
- Equal prominence buttons by default—no dark patterns
- Granular category controls with clear descriptions
- Detailed consent logging with exportable audit trails
- Lightweight ~5KB script that won't destroy your Core Web Vitals
- Built-in Google Consent Mode v2 support
- Automatic cookie scanning to detect new cookies weekly
No enterprise complexity. No dark patterns. Just proper compliance that works.
Get started free — no credit card required.
Questions about EU cookie compliance? Reach out at [email protected]