DEV Community

Custodia-Admin

GDPR Website Cookies: The Complete Compliance Guide for 2026

Cookies are the most litigated area of GDPR enforcement. Regulators across Europe have issued hundreds of fines specifically for bad cookie practices — not for data breaches, not for missing privacy policies, but for getting cookie consent wrong. If your website sets any kind of tracking technology, this guide explains what the law actually requires and how to comply without breaking your site or annoying your visitors.


What Makes a Cookie Subject to GDPR?

Not all cookies trigger GDPR obligations. The regulation applies to cookies that process personal data — information that can identify an individual, directly or indirectly.

Most tracking cookies meet this threshold. A Google Analytics cookie assigns a unique identifier to each visitor. Facebook's pixel links browsing behaviour to a known user profile. Advertising cookies build profiles tied to device fingerprints that courts have ruled constitute personal data. Even an IP address, on its own, is personal data under GDPR when held alongside other identifying information.

Strictly functional cookies — like a session cookie that keeps you logged in, or a cookie that remembers your shopping basket — generally do not require consent because they do not track you across sessions or sites, and they are technically necessary for the service you requested.

The practical rule: if a cookie persists beyond a single session, shares data with third parties, or enables tracking of behaviour, it almost certainly requires GDPR-compliant consent.


Strictly Necessary vs. Non-Essential Cookies

GDPR's cookie framework, technically rooted in the ePrivacy Directive (which GDPR sits alongside), draws a clear line between cookie types:

Strictly necessary cookies can be set without consent. These are cookies that are essential to deliver a service the user has explicitly requested. Examples include:

  • Session authentication cookies (keeping you logged in)
  • Shopping cart cookies
  • Load balancing cookies
  • Security tokens (CSRF protection)

The key word is necessary. A cookie that makes your site work better, or that helps you analyse how people use it, does not qualify. The test is whether the site would functionally break without it.

Non-essential cookies require prior, informed, freely given, specific consent. This category includes virtually everything that isn't strictly functional:

  • Analytics cookies (Google Analytics, Mixpanel, Hotjar)
  • Marketing and advertising cookies (Facebook Pixel, Google Ads)
  • Personalisation cookies (remembering user preferences beyond the current session)
  • Social media tracking pixels

Why "By Continuing to Browse, You Agree" Fails

Implied consent — the idea that visiting a website constitutes agreement to its cookie practices — was explicitly rejected by European data protection authorities long before GDPR formalised the requirement.

The standard is unambiguous. Article 4(11) of GDPR defines consent as a "freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement." Recital 32 adds: "Silence, pre-ticked boxes or inactivity should not therefore constitute consent."

"By continuing to browse" fails on every element:

  • It is not specific (what exactly are you consenting to?)
  • It is not informed (what data is collected? Who receives it?)
  • It is not an affirmative action (passivity cannot be consent)
  • It is not freely given (no genuine choice is offered)

The French data protection authority (CNIL) fined Google €150 million and Facebook €60 million in 2022 specifically because their cookie consent flows made it easy to accept all cookies and hard to refuse them — which CNIL found violated the requirement for freely given consent. If the biggest tech companies in the world get fined for dark patterns around consent, a small business relying on "by continuing to browse" is on very thin ice.


What Valid Cookie Consent Looks Like Under GDPR

The requirements for valid cookie consent under GDPR are:

1. Prior to setting cookies. Non-essential cookies cannot be set before consent is obtained. This means the consent banner must appear before any tracking fires — not after, not simultaneously.

2. Freely given. Users must be able to decline non-essential cookies as easily as they can accept them. A prominent "Accept All" button next to a buried "Manage Preferences" link does not meet this standard. Many supervisory authorities require that the reject option be equally prominent.

3. Specific. Consent must be given for specific purposes. Bundling all non-essential cookies under one "I agree to all cookies" toggle does not meet the specificity requirement. Users should be able to accept analytics but decline advertising, for example.

4. Informed. Users must understand what they are consenting to. The banner must identify the purposes, the types of data collected, and at minimum name the major third-party processors.

5. Unambiguous affirmative action. Clicking "Accept" or toggling a switch counts. Pre-ticked checkboxes, scrolling, or continued browsing does not.

6. Documented. You must be able to prove consent was obtained. This means storing a record of what the user consented to, when, and under which version of your consent flow.


The Cookie Categories

When building a compliant consent management setup, cookies are typically organised into functional categories:

Necessary — always on, no consent required. Session management, authentication, security. These should be clearly disclosed in your cookie policy but do not require an opt-in.

Analytics — require consent. Tools like Google Analytics, Mixpanel, Fathom (unless using a privacy-preserving configuration), and Hotjar. These cookies measure how people use your site and generally require prior consent unless you have implemented true anonymisation.

Marketing — require consent. Facebook Pixel, Google Ads tags, LinkedIn Insight Tag, TikTok Pixel, and similar advertising tracking. These are the highest-risk category because the data feeds into large advertising ecosystems and is processed by third parties for their own purposes.

Preferences/Functional — typically require consent. Cookies that remember display settings, language preferences, or personalisation options that go beyond the current session. Some may qualify as strictly necessary if the user explicitly requested the personalisation — but this is a narrow exception.


How Long Is Cookie Consent Valid?

Consent does not last forever. The Article 29 Working Party (now the European Data Protection Board, EDPB) has indicated that consent should not last indefinitely, and that periodic re-consent is appropriate.

In practice, most supervisory authorities and consent management guidance suggest re-asking for consent after 12 months. Some national guidance (notably the French CNIL) specifically sets this as the recommended maximum duration before re-requesting consent.

What this means operationally:

  • Your consent management platform should store a timestamp with each consent record
  • After 12 months, the user should be presented with the consent banner again
  • If the user has changed their preferences or withdrawn consent, your systems must respect that promptly

The Right to Withdraw Consent Easily

GDPR is explicit: withdrawing consent must be as easy as giving it. Article 7(3) states that the data subject has the right to withdraw consent at any time, and that withdrawal does not affect the lawfulness of processing carried out before it; withdrawal applies only to processing going forward.

In cookie terms: if a user accepted your analytics cookies six months ago, they should be able to change their mind today in a few clicks. Your cookie settings must be accessible at all times — not just at first visit. A persistent link in the footer ("Cookie Preferences") that reopens the consent management panel is the standard implementation.

When consent is withdrawn, you must:

  • Stop setting those cookies immediately
  • Not re-set them until new consent is obtained
  • Where technically feasible, delete cookies already set
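
The consent requirements listed earlier (prior, affirmative, documented), the 12-month re-consent window and the withdrawal rules above, as an added example that is not code from the original post or from any CMP: a minimal consent-record model with a gate that decides whether a non-essential tag may load. Function and field names are hypothetical, and the cookie registry is a constructed sample.

```javascript
// Added example, not code from the original post: a minimal consent-record model
// covering prior consent, the 12-month re-consent window and withdrawal.
// Function and field names are hypothetical; the cookie registry is a constructed sample.
const CONSENT_VERSION = "2026-01";            // bump whenever purposes or banner text change
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // 12 months, per the CNIL guidance above
const NON_ESSENTIAL = ["analytics", "marketing", "preferences"];

// Constructed sample registry mapping cookie names to the post's categories.
const SAMPLE_REGISTRY = [
  { name: "sessionid", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "_fbp", category: "marketing" },
];

// Build a record from an explicit user action. Only categories the user ticked are
// granted; everything else defaults to false (no pre-ticked boxes, no implied consent).
function recordConsent(choices, now = Date.now()) {
  const granted = {};
  for (const cat of NON_ESSENTIAL) granted[cat] = choices[cat] === true;
  return { version: CONSENT_VERSION, timestamp: now, granted };
}

// A record is valid only if it exists, was given under the current banner version
// and is younger than 12 months; otherwise the banner must be shown again.
function consentIsValid(record, now = Date.now()) {
  if (!record || record.version !== CONSENT_VERSION) return false;
  if (typeof record.timestamp !== "number") return false;
  return now - record.timestamp < MAX_AGE_MS;
}

// Gate a tag or cookie: strictly necessary is always allowed; a non-essential category
// needs a valid record that explicitly grants it. No record means no tracking.
function mayLoad(category, record, now = Date.now()) {
  if (!NON_ESSENTIAL.includes(category)) return true;
  return consentIsValid(record, now) && record.granted[category] === true;
}

// Withdrawal: switch the category off, stamp when it happened, and return the cookie
// names that must now be deleted. Earlier processing stays lawful; only the future changes.
function withdraw(record, category, registry, now = Date.now()) {
  const updated = { ...record, timestamp: now, granted: { ...record.granted, [category]: false } };
  const toDelete = registry.filter(c => c.category === category).map(c => c.name);
  return { record: updated, toDelete };
}
```

In the browser the record would be persisted (for example in localStorage) and `mayLoad` consulted before injecting each third-party script; deleting a cookie means overwriting it with an expiry in the past for the same path and domain.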

Cookie Walls: Are They Legal?

A cookie wall is a mechanism that prevents access to website content unless the user accepts all cookies (including non-essential ones). The classic form: a modal that says "To access our site, you must accept our cookies" with no option to decline and still access the content.

The EDPB has issued clear guidance: cookie walls that make access to a service conditional on consent to non-essential cookie processing are generally not compatible with freely given consent under GDPR. If consent is required to access the service, it cannot be truly voluntary.

However, there is nuance. Some national authorities (notably the Dutch DPA) have indicated that a cookie wall may be acceptable if there is a genuine alternative — for example, paying a subscription fee to access the service without tracking. The key is whether a real, reasonable alternative exists. Several major publishers in Europe have implemented "pay or consent" models that have so far survived regulatory scrutiny, though this remains contested.

For most websites — particularly SaaS tools, informational sites, and e-commerce stores — cookie walls are a compliance risk. The safer position is to allow access regardless of cookie consent decisions, then restrict only the features that depend on those cookies.


How Regulators Have Fined Companies for Bad Cookie Banners

Cookie enforcement has accelerated significantly since 2021. Some landmark cases:

Google and Facebook (CNIL, France, 2022): €150 million and €60 million respectively. The finding: both companies made it easy to accept cookies (one click) but hard to refuse them (multiple steps). The unequal design violated freely given consent requirements.

TikTok (ICO, UK, 2023): £12.7 million fine. Among the findings: use of children's data without appropriate consent mechanisms.

Cosmote (Greek DPA, 2022): €6 million for unlawful processing of traffic and location data.

Vodafone Italy (2022): €12.25 million for aggressive marketing calls without consent.

IAB Europe (Belgian DPA, 2022): The Belgian DPA found the Transparency and Consent Framework (TCF) — used across much of the digital advertising industry — violated GDPR. This decision rippled across hundreds of publishers using TCF-based consent banners.

The pattern across enforcement: regulators look at whether consent is actually free (equal prominence for accept/reject), whether it is informed (is the banner transparent about who receives data?), and whether records are maintained. Small businesses are increasingly in scope as DPAs publish tools for complaint intake that allow individuals to report non-compliant sites easily.


Practical Steps to Get Cookie Compliance Right

Getting cookie compliance right is not a one-time project — it requires ongoing monitoring. Here is a practical sequence:

Step 1: Audit what cookies your site sets. You cannot manage what you have not mapped. Use a scanning tool to detect all cookies, pixels, and tracking scripts loading on your pages — including those loaded by third-party embeds you may have forgotten about.

Step 2: Classify each cookie. For each cookie identified, determine whether it is strictly necessary or non-essential. If it is non-essential, which category does it fall into (analytics, marketing, preferences)?

Step 3: Implement a consent management platform (CMP). A proper CMP intercepts non-essential cookies until consent is given, stores consent records, and provides a mechanism for users to change their preferences at any time.

Step 4: Review your banner design. Apply the equal prominence test: is the "Reject" or "Manage Preferences" option as visible as "Accept All"? If not, your consent is unlikely to be freely given.

Step 5: Update your cookie policy. Your cookie policy should list every cookie, its purpose, its duration, and the third-party processor it involves. Keep it current — set a reminder to review it when you add or remove tools.

Step 6: Set up a re-consent schedule. Programme your CMP to re-request consent after 12 months.

Step 7: Test withdrawal. Actually test what happens when a user declines or withdraws consent. Verify that no non-essential cookies fire after a rejection. This is a common failure point even for businesses using CMPs.
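
Steps 1, 2 and 7 above, as an added example that is not code from the original post or from Custodia's scanner: an offline check that classifies the cookies a scan observed after "Reject all" against the site's cookie registry and flags both undocumented cookies and non-essential ones that fired anyway. The registry, the observed cookies and the domain names are constructed samples.

```javascript
// Added example, not code from the original post: an offline check for Steps 1, 2 and 7.
// The registry and the observed cookies are constructed samples, not a real scan.
const REGISTRY = {
  sessionid: "necessary",   // login session
  csrftoken: "necessary",   // CSRF token
  _ga: "analytics",         // Google Analytics
  _fbp: "marketing",        // Facebook Pixel
  lang: "preferences",      // language choice kept across sessions
};
const NON_ESSENTIAL = new Set(["analytics", "marketing", "preferences"]);

function isFirstParty(cookieDomain, siteDomain) {
  const host = cookieDomain.replace(/^\./, "");
  return host === siteDomain || host.endsWith("." + siteDomain);
}

// `observed` is what a scanner reports after the visitor clicked "Reject all":
// { name, domain, expires } with expires = null for a session cookie, else Unix seconds.
function auditAfterRejection(observed, siteDomain, registry = REGISTRY) {
  const unclassified = []; // set by the site but absent from the cookie policy (Steps 1-2)
  const violations = [];   // non-essential cookies that fired despite rejection (Step 7)
  for (const c of observed) {
    const category = registry[c.name];
    const persistent = c.expires !== null;
    const thirdParty = !isFirstParty(c.domain, siteDomain);
    if (category === undefined) {
      // The post's rule of thumb: persists beyond the session or shared with a third
      // party means consent is almost certainly required, so count it as a failure.
      unclassified.push({ name: c.name, likelyNeedsConsent: persistent || thirdParty });
    } else if (NON_ESSENTIAL.has(category)) {
      violations.push({ name: c.name, category, persistent, thirdParty });
    }
  }
  const pass = violations.length === 0 && unclassified.every(u => !u.likelyNeedsConsent);
  return { pass, violations, unclassified };
}

// Constructed sample: the rejection path still set the analytics cookie and a
// third-party tracking cookie that nobody documented.
const SAMPLE_OBSERVED = [
  { name: "sessionid", domain: "example.com", expires: null },
  { name: "csrftoken", domain: "example.com", expires: null },
  { name: "_ga", domain: ".example.com", expires: 1800000000 },
  { name: "tracker_id", domain: ".ads.example.net", expires: 1800000000 },
];
```

Run this against a cookie dump captured after the reject click on every release, since a new embed or tag manager change is exactly how the Step 7 failure creeps back in.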


Start With a Free Website Scan

If you are not sure what cookies your website is currently setting — or whether your consent setup meets GDPR requirements — the fastest first step is to run a scan.

Custodia's free website scanner detects all tracking technologies on your site, identifies which require consent, and shows you where your current setup falls short. No signup required.

Scan your website free at app.custodia-privacy.com/scan

Results in 60 seconds. Understand your exposure before a regulator does.


This guide provides general information about GDPR cookie compliance. It does not constitute legal advice. Requirements vary by jurisdiction and individual circumstances differ. Consult a qualified data protection professional for advice specific to your situation.
