GDPR Cookie Consent Requirements (2026): Complete Guide for Websites and Businesses

Cookie consent is one of the most visible, and most misunderstood, areas of GDPR and ePrivacy compliance.

Websites across the EU, EEA, and UK are expected to give users meaningful control over non-essential cookies and similar tracking technologies. But many businesses still get the basics wrong: setting cookies before consent, treating all analytics as exempt, burying the reject option, or assuming a banner alone is enough.

This guide covers what GDPR and the ePrivacy Directive actually require for cookie consent in 2026, which cookies need consent, what a compliant banner looks like, how to handle analytics and advertising cookies, and how a CMP can help.

Disclaimer: This article is for general information only and is not legal advice. Cookie consent requirements depend on your specific website, tracking technologies, jurisdictions, and data processing activities. Always verify current requirements and consult qualified legal counsel where appropriate.

Quick Answer

GDPR vs ePrivacy: Which Law Actually Requires Cookie Consent?

This is one of the most common sources of confusion.

The main EU cookie consent rule comes from the ePrivacy Directive, specifically Article 5(3). This rule requires consent before storing or accessing information on a user’s device, unless an exemption applies.

GDPR does not directly regulate cookies. What GDPR does is define the standard for valid consent and govern the processing of personal data. When cookies involve personal data, GDPR applies to the data processing side.

The ePrivacy Directive provides two main exemptions from the consent requirement:

• The storage or access is strictly necessary for providing a service explicitly requested by the user.
• The storage or access is for the sole purpose of carrying out the transmission of a communication over a network.

In practice, these two laws work together. The more accurate way to describe the requirement is:

EU cookie consent under ePrivacy, using GDPR-standard consent where personal data is involved.

National implementations of the ePrivacy Directive vary across EU member states, so the specific rules may differ in detail. But the general principle, prior consent for non-essential cookies, is consistent.

What Counts as a Cookie or Similar Technology?

The ePrivacy Directive applies broadly. It covers not only HTTP cookies but any technology that stores or accesses information on a user’s device.

This includes:

• HTTP cookies (first-party and third-party)
• localStorage
• sessionStorage
• IndexedDB
• SDK identifiers
• Mobile app identifiers
• Tracking pixels
• Tracking scripts
• Device identifiers
• Fingerprinting techniques
• Tags and beacons
• Embedded third-party content (iframes, widgets, social plugins)
• Link decoration (URL-based tracking parameters)

Any technology that stores or reads information on the user’s device should be assessed against the ePrivacy consent requirement.

What Is Valid Consent Under GDPR?

When consent is required for cookies, it must meet the GDPR standard. Under GDPR, valid consent must be:

• Freely given: the user must have a genuine choice without detriment.
• Specific: consent must be given for specific, clearly defined purposes.
• Informed: the user must understand what they are consenting to.
• Unambiguous: consent must be given through a clear affirmative action.

What does not count as valid consent:

• Pre-ticked boxes
• Implied consent through browsing or scrolling
• Bundled consent (one checkbox for everything)
• Vague or generic purposes
• Making it harder to reject than to accept
• Manipulative design or dark patterns
• Setting cookies before the user has made a choice
• No mechanism to withdraw consent

The CJEU confirmed in the Planet49 ruling that pre-ticked checkboxes do not constitute valid consent for cookies.

Is a Cookie Banner Enough for GDPR Cookie Compliance?

No. A cookie banner alone is not enough.

A banner is only the visible part of a consent system. Behind the banner, you need:

• Cookie and tracker discovery: knowing what is on your site.
• Clear information: explaining what cookies do and why.
• Accept, reject, and preference options: giving users real choices.
• Category-level consent: letting users choose by purpose.
• Script blocking: preventing non-essential scripts from running before consent.
• Consent records: storing proof of what was consented to and when.
• Withdrawal mechanism: allowing users to change their mind.
• Accurate policies: cookie and privacy policies that match reality.
• Ongoing monitoring: keeping the cookie inventory up to date.

A banner without script blocking is one of the most common compliance failures. If the banner says “We respect your choices” but advertising pixels fire before the user clicks anything, the banner is not doing its job.

Which Cookies Require Consent?

The answer depends on the purpose of the cookie and whether an exemption applies.

Strictly Necessary Cookies

Strictly necessary cookies are generally exempt from the consent requirement. These are cookies that are essential for providing a service explicitly requested by the user.

Examples:

• Authentication and login session cookies
• Shopping cart cookies
• Security cookies (CSRF tokens)
• Load balancing cookies
• Consent preference cookies
• Payment processing cookies
• User session management cookies

Even strictly necessary cookies require transparency. You should still explain what they do in your cookie policy.

Functional Cookies

Functional cookies are used for features like language preferences, region settings, or UI customizations.

Whether these require consent depends on the specific implementation. A language preference cookie tied to a user’s explicit choice may be closer to strictly necessary. A cookie that remembers UI preferences for personalization purposes may require consent in some interpretations.

Assess each functional cookie individually rather than assuming the entire category is exempt.

Analytics Cookies

Analytics is the hardest area for cookie consent classification.

Some regulators, notably the CNIL in France, have issued guidance suggesting that narrow first-party measurement tools may qualify for an exemption under certain conditions. These conditions typically require that the analytics tool is first-party only, limited to aggregate measurement, does not involve cross-site tracking, does not share data with third parties for their own purposes, and does not integrate with advertising features.

However, many common analytics implementations do not meet these narrow conditions. In particular:

• Analytics tools from third-party vendors that process data on their own infrastructure
• Analytics linked to cross-site tracking or advertising networks
• Analytics with advertising integrations enabled
• Google Analytics 4 configurations with Google Ads linking, remarketing audiences, or ad personalization

GA4 in particular requires careful assessment. A default GA4 setup with Google Ads integration, audience building, or advertising features enabled is difficult to argue as strictly necessary.

Advertising and Marketing Cookies

Advertising and marketing cookies generally require prior consent. There is very little ambiguity here.

This includes:

• Retargeting cookies
• Behavioral advertising cookies
• Conversion tracking pixels
• Marketing pixels (Meta Pixel, Google Ads, LinkedIn Insight Tag, TikTok Pixel, Pinterest Tag, Snapchat Pixel)
• Social advertising pixels
• Programmatic advertising identifiers

Social Media Cookies

Embedded social media content often sets cookies or tracking identifiers. Social share buttons, embedded posts, and social login features may set cookies that are used for tracking and advertising purposes.

These generally require consent when they involve tracking, advertising, or profiling identifiers.

Session Replay and Heatmapping Cookies

Tools like Hotjar, Microsoft Clarity, FullStory, and Smartlook often record user sessions, mouse movements, clicks, and scrolling behavior. These tools frequently use cookies or similar identifiers.

Session replay and heatmapping tools often require consent, especially when they record detailed user behavior or involve third-party data processing.

A/B Testing Cookies

A/B testing tools may require consent unless they can be shown to be strictly necessary for the service requested by the user. In most cases, A/B testing serves the website operator’s optimization interests rather than a service the user explicitly requested.

Assess whether the testing tool stores identifiers on the device and whether it involves third-party processing.

Security and Fraud Prevention Cookies

Security cookies such as CSRF tokens, fraud detection identifiers, and bot prevention mechanisms may qualify as strictly necessary. However, if a security tool also tracks users for other purposes or shares data with third parties, it needs separate assessment.

Do Session Cookies Require Consent?

Session cookies are not automatically exempt from the consent requirement.

The exemption under ePrivacy is based on purpose, not duration. A session cookie used for a login session may be strictly necessary. A session cookie used for advertising or tracking is not.

The fact that a cookie expires when the browser closes does not change its classification. What matters is what the cookie does, not how long it lasts.

Can Legitimate Interest Be Used for Cookies?

This is one of the most common mistakes in cookie compliance.

Legitimate interest is a legal basis under GDPR for processing personal data. It does not override the ePrivacy consent requirement for storing or accessing information on a user’s device.

The two rules operate at different levels:

• ePrivacy (Article 5(3)): Can you store or access information on the user’s device? This requires consent unless an exemption applies.
• GDPR: Can you process the personal data? This requires a legal basis such as consent or legitimate interest.

You need to satisfy both requirements. Even if you could argue legitimate interest for the data processing under GDPR, you still need consent under ePrivacy to store or access the cookie in the first place, unless it is strictly necessary.

Relying on legitimate interest to bypass cookie consent is a common compliance error that regulators have specifically addressed.

What Should a GDPR Cookie Banner Include?

A cookie consent banner should provide users with the information and controls they need to make a meaningful choice.

A well-designed banner should include:

• Clear information about what cookies and trackers the website uses and why.
• Clearly stated purposes for each category of cookies.
• An accept option for consenting to non-essential cookies.
• A reject option that is as easy to use as the accept option.
• A manage preferences option for category-level control.
• Category-level controls so users can choose which purposes to allow.
• A link to the cookie policy or privacy policy with full details.
• No pre-ticked boxes for non-essential categories.
• No scripts running before consent for non-essential purposes.
• A withdrawal mechanism so users can change their choices later.

The EDPB Cookie Banner Taskforce has examined cookie banner practices across the EU and identified common issues with banner design. The CNIL has also issued guidance requiring that refusing cookies should be as easy as accepting them.

Common Cookie Banner Mistakes

1. No Reject Button on First Layer

Many cookie banners only show an “Accept” button on the first layer, forcing users to navigate to a second layer to reject cookies. Multiple EU regulators have taken action against this practice. The reject option should be as prominent and easy to use as the accept option.

2. Pre-Selected Categories

Some banners pre-select non-essential cookie categories, requiring users to deselect them manually. This does not constitute valid consent under GDPR. All non-essential categories should be deselected by default.

3. Cookies Set Before Consent

This is the most serious technical mistake. If advertising pixels, analytics scripts, or tracking tools fire before the user has interacted with the banner, the consent mechanism is ineffective. Script blocking must be in place to prevent non-essential technologies from loading before consent.

4. Vague Purposes

Descriptions like “We use cookies to improve your experience” do not meet the GDPR requirement for specific, informed consent. Each purpose should be clearly explained so users understand what they are agreeing to.

5. Hard-to-Find Withdrawal

GDPR requires that withdrawing consent must be as easy as giving it. If the only way to change cookie preferences is to clear browser cookies and revisit the site, the withdrawal mechanism is inadequate. A persistent link or button to reopen the consent preferences should be available.

6. Treating All Analytics as Exempt

Some businesses assume that all analytics cookies are strictly necessary. This is not the case. Most analytics implementations, especially those involving third-party vendors, advertising integrations, or cross-site tracking, require consent.

7. Ignoring Non-Cookie Tracking

The ePrivacy Directive applies to all technologies that store or access information on a user’s device, not just HTTP cookies. localStorage, sessionStorage, IndexedDB, pixels, fingerprinting, and embedded third-party content all fall within scope.

8. Not Updating Cookie Inventory

Websites change over time. New plugins, marketing tools, tag manager rules, and third-party integrations can introduce new cookies and trackers. A cookie inventory that was accurate six months ago may no longer reflect reality. Regular scanning and review are essential.

Does Google Analytics Require Consent Under GDPR?

In many cases, yes.

Google Analytics 4 (GA4) in its common configurations often requires consent, especially when:

• GA4 is linked to Google Ads
• Remarketing or audience features are enabled
• Advertising reporting or ad personalization is active
• Data is shared with Google for advertising purposes
• Cross-site measurement or signals are in use

Some narrow exemptions may apply for first-party, aggregate-only measurement under certain regulator guidance. But the mainstream GA4 setup, with advertising features, Google Ads linking, or audience building, does not typically fit those narrow exemptions.

If your website uses GA4 with any Google advertising integration, you should treat analytics consent as required and implement Google Consent Mode v2 to communicate the user’s choice to Google tags.

For a detailed guide on Google Consent Mode v2, see Google Consent Mode v2 requirements.

Google Consent Mode and GDPR Cookie Consent

Google Consent Mode v2 is not a law. It is a Google framework that communicates consent states to Google tags and services.

Consent Mode uses four main signals:

• ad_storage, controls advertising-related storage
• analytics_storage, controls analytics-related storage
• ad_user_data, controls sending user data to Google for advertising
• ad_personalization, controls use of data for personalized advertising

A CMP helps by:

• Collecting the user’s consent choices
• Blocking non-essential scripts before consent
• Storing consent proof
• Sending the correct Consent Mode signals to Google

If your website uses Google Ads or GA4 for users in the EEA, UK, or Switzerland, you should implement Google Consent Mode v2.

Google Consent Mode does not replace a cookie banner or consent mechanism. It is the signal layer that communicates consent states, the consent itself must still be collected properly.

For a complete guide, see Google Consent Mode v2 requirements.

Do You Need a Cookie Policy?

Generally yes. Transparency is a core principle of GDPR, and the ePrivacy Directive requires that users are provided with clear and comprehensive information.

A cookie policy should explain:

• What cookies and similar technologies the website uses
• Who sets each cookie (first-party vs third-party)
• The purpose of each cookie or category
• The duration of each cookie
• Whether data is shared with third parties and who they are
• How users can manage or withdraw consent
• Which cookies are strictly necessary and which are optional

The cookie policy must match reality. If the policy says the website uses five cookies but a scan reveals thirty, there is a transparency gap that needs to be addressed.

Consent Records and Auditability

GDPR Article 7 requires data controllers to be able to demonstrate that consent was obtained. For cookie consent, this means maintaining records of consent.

Consent records may include:

• Timestamp of consent
• Categories consented to (and categories rejected)
• Banner version shown at the time of consent
• Cookie/privacy policy version at the time of consent
• User agent information
• Region or jurisdiction of the user
• Consent ID or reference
• Changes to consent (withdrawals, updates)

Be careful not to store more personal data than necessary in consent records. The goal is to demonstrate that consent was obtained, not to build a detailed profile of the user.

How Often Should Consent Be Renewed?

There is no single EU-wide period for how long cookie consent remains valid.

Consent should be refreshed when:

• The purposes or categories of cookies change materially
• New vendors or tracking technologies are added
• The banner text or design changes significantly
• The cookie or privacy policy is updated with material changes
• Consent records expire based on your retention policy
• A user withdraws consent

Do not treat consent as permanent. The user’s consent was given based on specific information at a specific time. If the underlying purposes, vendors, or technologies change, the previous consent may no longer be valid for the new configuration.

GDPR Cookie Consent Checklist

How a CMP Helps With GDPR Cookie Consent

A CMP (Consent Management Platform) does not guarantee compliance by itself. But it provides the infrastructure that makes compliance practical.

A CMP can help with:

• Scanning for cookies, trackers, scripts, pixels, and embedded content
• Detecting vendors and mapping them to purposes
• Categorizing cookies by purpose (strictly necessary, analytics, advertising, etc.)
• Configurable banner with accept, reject, and preference options
• Blocking scripts before consent is given
• Storing consent proof with timestamps, categories, and banner versions
• Allowing withdrawal so users can change their choices
• Supporting regional policies (different rules for different jurisdictions)
• Integrating with Google Consent Mode to send correct signals
• Maintaining an audit trail for accountability

Concentio is designed for businesses that need a practical CMP. It provides automated scanning, script blocking before consent, consent proof and audit records, geo-aware consent policies, Google Consent Mode support, unlimited domains, session-based pricing, and all features included on every plan.

A CMP helps you implement and maintain the technical and organizational side of cookie consent. But the operator must still configure it correctly, ensure disclosures are accurate, and keep the cookie inventory up to date.

GDPR Cookie Consent for Agencies

Agencies managing multiple client websites face unique challenges with cookie consent.

Each client may have a different technology stack, different CMS (WordPress, Shopify, custom), different Google Tag Manager configurations, different advertising pixels, and different domains or subdomains.

Common problems include:

• Different WordPress or Shopify setups with different plugins and scripts
• Different GTM containers with different tag configurations
• Multiple advertising pixels across different platforms
• Multiple domains and subdomains to manage

Agencies should standardize their approach:

• Consistent category mapping across client sites
• Standard banner configuration defaults
• Cookie policy templates
• GTM consent rules and triggers
• Script blocking configuration
• Testing procedures for consent flows
• Client handover documentation

A CMP with unlimited domains is particularly useful for agencies, as it avoids per-site pricing that scales unpredictably with client growth.

GDPR Cookie Consent for Ecommerce

Ecommerce websites typically use a wide range of tracking tools:

• Google Ads conversion tracking
• Google Analytics 4
• Meta Pixel (Facebook)
• TikTok Pixel
• Klaviyo email tracking
• Affiliate tracking scripts
• Product recommendation engines
• Review widgets
• Cart recovery tools
• Payment and fraud prevention tools

The key challenge is separating strictly necessary functionality from marketing and advertising.

A shopping cart cookie may be strictly necessary for the checkout process the user requested. A retargeting pixel from Meta or Google Ads is not.

Payment and fraud prevention cookies may qualify as strictly necessary, but if they also share data with third parties for advertising or profiling, they need careful assessment.

Ecommerce businesses should map every cookie and tracker by purpose, ensure marketing tools are blocked before consent, and maintain a clear separation between essential commerce functionality and optional advertising.

GDPR Cookie Consent for SaaS Websites

SaaS companies often have multiple web properties:

• Marketing website
• Product application
• Documentation site
• Blog
• Help center
• Status page
• Subdomains for different services
• In-app analytics and tracking

Consent requirements may differ between the marketing website and the product application. The marketing site may use advertising pixels, analytics, and remarketing tools. The product application may use different analytics, feature flags, error tracking, and session monitoring.

SaaS businesses should map cookies and tracking technologies by environment, not just by root domain. A consent approach that covers the marketing website but ignores the product application or documentation site leaves gaps.

Each property should be assessed individually to determine which cookies require consent and which may qualify as strictly necessary for the service.

FAQ: GDPR Cookie Consent Requirements

Final Verdict

Cookie consent is not about displaying a banner. It is about giving users meaningful control over how their data is collected and used.

The key rules to remember:

• Non-essential cookies require prior consent under the ePrivacy Directive.
• GDPR defines the standard for valid consent and governs personal data processing.
• Strictly necessary cookies are exempt, but the exemption is narrow.
• Analytics cookies need careful assessment, most common implementations require consent.
• Advertising, retargeting, and profiling cookies require consent.
• Legitimate interest does not override the ePrivacy consent requirement for cookies.
• A banner must be backed by script blocking and consent records.
• Users must be able to reject and withdraw consent easily.

For modern websites using Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, Microsoft Clarity, Shopify tracking, WordPress plugins, or similar technologies, managing cookie consent manually is difficult and error-prone.

A CMP helps by automating the discovery, blocking, consent collection, and record-keeping that compliance requires.

Concentio helps with automated scanning, script blocking before consent, consent proof, geo-aware policies, Google Consent Mode support, unlimited domains, session-based pricing, and all features included on every plan.

Start free with Concentio →