
Why Cookie Compliance Still Trips Up Most Websites

Cookie compliance is one of the most visible areas of data protection law — and one of the most frequently violated. Despite years of enforcement, the majority of websites still get it wrong. Banners that pre-check optional cookies, consent mechanisms that make refusal harder than acceptance, and cookie walls that deny access to content without consent remain commonplace.

European data protection authorities have made it clear that they are paying attention. The Belgian DPA, the French CNIL, the Italian Garante, and their counterparts across Europe have issued increasingly specific guidance and significant fines for cookie violations. The legal framework is not ambiguous. What is often missing is the will and the technical know-how to implement it correctly.

This article sets out what the law requires and how to get it right.

The Legal Framework

Cookie regulation in the EU rests on two overlapping legal instruments. The ePrivacy Directive (Directive 2002/58/EC, as amended) governs the storage of and access to information on a user’s device. The GDPR governs the processing of personal data that follows from that storage or access.

Article 5(3) of the ePrivacy Directive establishes the basic rule: storing information or gaining access to information already stored on a user’s terminal equipment is only permitted if the user has given consent, unless the storage or access is strictly necessary for providing a service explicitly requested by the user.

This means that consent is the default requirement for all non-essential cookies and similar technologies. Analytics cookies, advertising cookies, social media tracking pixels, session recording tools, and A/B testing scripts all require consent before they are placed. Strictly necessary cookies — such as those required for shopping cart functionality, load balancing, or user authentication — are exempt.

When consent is the legal basis, it must meet the GDPR standard: freely given, specific, informed, and an unambiguous indication of the data subject’s wishes through a clear affirmative action.

What Valid Consent Looks Like

A compliant cookie consent mechanism must meet several requirements.

Prior consent. Non-essential cookies must not be placed before the user has given consent. This means that analytics scripts, advertising pixels, and third-party tracking technologies must not fire on page load. They may only be activated after the user has made an affirmative choice to accept them.

Granularity. Users must be able to consent to different purposes separately. A single “accept all” button without the ability to choose between analytics, marketing, and functional cookies does not provide specific consent. Best practice is to group cookies by purpose and allow users to toggle each category independently.

No pre-ticked boxes. The CJEU’s decision in Planet49 (C-673/17) confirmed that pre-ticked consent boxes are not valid consent. All optional cookie categories must be unchecked by default.

Equally easy to accept or refuse. Presenting a prominent “Accept All” button alongside a less visible “Manage Settings” link, or requiring multiple clicks to refuse while allowing acceptance in one click, is a dark pattern that regulators are actively targeting. The CNIL and other authorities have made clear that refusing cookies must be as easy as accepting them.

Informed consent. Before making a choice, the user must be told who is placing cookies, for what purposes, how long the cookies persist, and whether data is shared with third parties. This information should be accessible from the consent banner, typically through a link to a detailed cookie policy.

Revocable. Users must be able to withdraw consent as easily as they gave it. This typically means providing a persistent link or widget that allows users to revisit their cookie preferences at any time.

The Strictly Necessary Exemption

Cookies that are strictly necessary for providing a service explicitly requested by the user do not require consent. This exemption is narrow and should not be stretched to cover convenience features or analytics.

Examples of strictly necessary cookies include session cookies that maintain a user’s login state, load-balancing cookies that distribute traffic across servers, shopping cart cookies that remember items during a purchase session, cookies that remember the user’s consent preferences, and security cookies used for fraud detection during authentication.

Analytics cookies are not strictly necessary, even if you consider them essential for running your business. First-party analytics tools can be configured to minimise privacy impact, but they still require consent under the ePrivacy Directive unless they meet the narrow conditions that some DPAs have outlined for exempted audience measurement — a position that is not uniform across all EU member states.

Consent Management Platforms

Most organisations implement cookie consent through a Consent Management Platform (CMP). A CMP manages the consent banner, records user preferences, and controls which scripts and cookies are activated based on those preferences.

Choosing and configuring a CMP correctly is critical. Common implementation failures include the CMP banner appearing but failing to actually block non-essential cookies before consent, cookies being placed by third-party scripts that load before the CMP initialises, consent records that do not contain enough detail to demonstrate valid consent, and the CMP defaulting to implied consent or using nudging techniques that do not meet the GDPR standard.

A properly configured CMP should use tag management to ensure that no non-essential scripts fire until consent is obtained, store a record of each user’s consent choices (including the date, time, and specific categories consented to), respect the user’s choice across the site and on subsequent visits, and provide an easy mechanism for users to change their preferences.
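The gating behaviour described in the two paragraphs above, written out as an added JavaScript example (not Pitch's code and not any real CMP). `createConsentGate`, the three category names and the injected `loadScript` callback are assumptions for illustration:

```javascript
// Added example (not Pitch's code and not any real CMP): a minimal consent gate
// that activates non-essential scripts only after an affirmative, per-category
// choice, and keeps a dated record of that choice.
const OPTIONAL_CATEGORIES = ["analytics", "marketing", "functional"];

// loadScript is injected so the gate runs outside a browser; in a page it
// would append a <script src=...> element. `now` is injectable for testing.
function createConsentGate(loadScript, now = () => new Date()) {
  const registry = Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, []]));
  const loaded = new Set();
  let record = null; // no record yet: nothing optional fires on page load

  // Every optional category starts unchecked (Planet49: no pre-ticked boxes)
  function defaultChoices() {
    return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
  }

  function activate(category) {
    for (const src of registry[category]) {
      if (!loaded.has(src)) { loaded.add(src); loadScript(src); }
    }
  }

  // Register a tag under one category. It loads immediately only if that
  // category is already consented to; otherwise it waits for the choice.
  function register(category, src) {
    if (!OPTIONAL_CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    registry[category].push(src);
    if (record && record.choices[category]) activate(category);
  }

  // Persist an explicit per-category choice; anything not set to true is a
  // refusal. The record (timestamp + categories) is what an audit asks for.
  function save(choices) {
    const normalized = defaultChoices();
    for (const c of OPTIONAL_CATEGORIES) normalized[c] = choices[c] === true;
    record = { timestamp: now().toISOString(), choices: normalized };
    for (const c of OPTIONAL_CATEGORIES) if (normalized[c]) activate(c);
    return record;
  }

  // Accepting and refusing are symmetric: one call each, no extra steps.
  const acceptAll = () => save(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true])));
  const rejectAll = () => save(defaultChoices());

  // Withdrawal is just a later record replacing the earlier one. Scripts already
  // in the page stay until reload, so a real CMP also clears their cookies.
  return { register, save, acceptAll, rejectAll, withdraw: rejectAll,
           getRecord: () => record, isLoaded: (src) => loaded.has(src) };
}
```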

The Gap Between Policy and Reality

One of the most common compliance failures is the disconnect between what your cookie policy says and what your website actually does. Your cookie policy may state that analytics cookies are only placed with consent, but a technology audit of your website might reveal that Google Analytics, Meta Pixel, or other tracking scripts fire on page load regardless of consent state.

This gap typically arises because the website was built or updated without coordinating with legal and compliance teams, third-party scripts were added by marketing teams without considering cookie consent requirements, or the CMP was not properly integrated with the tag management system.

Regular technology audits — scanning your website to identify every cookie, pixel, and script that is placed, and verifying that each one respects the consent mechanism — are essential to closing this gap. At Pitch, our domain monitoring capabilities can detect third-party technologies deployed on your website and flag discrepancies between your cookie policy and your actual cookie behaviour.
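An added example of the policy-versus-reality check described above (not Pitch's monitoring tooling): it compares a constructed cookie-policy classification against cookies constructed as observed on a fresh visit before any consent, and flags every non-essential or undocumented one. The cookie names, domain and `auditPriorConsent` function are assumptions for illustration:

```javascript
// Added example (not Pitch's tooling): a policy-vs-reality check over cookies
// observed on a first visit with no consent given. The classification table
// and the captured cookies are constructed for illustration.
const STRICTLY_NECESSARY = "strictly-necessary";

// What the cookie policy claims each cookie is; anything absent is undocumented.
const policyClassification = {
  sessionid: STRICTLY_NECESSARY,      // login state: exempt
  cookie_consent: STRICTLY_NECESSARY, // remembers the user's choice: exempt
  _ga: "analytics",
  _fbp: "marketing",
};

// Constructed capture from a fresh profile before any banner interaction
const observedBeforeConsent = [
  { name: "sessionid", domain: "shop.example.invalid" },
  { name: "cookie_consent", domain: "shop.example.invalid" },
  { name: "_ga", domain: "shop.example.invalid" },
  { name: "_fbp", domain: "shop.example.invalid" },
  { name: "sessrec_id", domain: "shop.example.invalid" }, // not in the policy
];

// Returns one finding per cookie that should not exist yet: either a
// non-essential category placed before consent, or a cookie the policy
// never mentions, which is itself a disclosure gap.
function auditPriorConsent(observed, classification) {
  const findings = [];
  for (const cookie of observed) {
    const category = classification[cookie.name];
    if (category === undefined) {
      findings.push({ name: cookie.name, issue: "undocumented cookie set before consent" });
    } else if (category !== STRICTLY_NECESSARY) {
      findings.push({ name: cookie.name, issue: `${category} cookie set before consent` });
    }
  }
  return findings;
}
```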

Cookie Walls

A cookie wall makes access to a website conditional on the user accepting all cookies. The EDPB’s position is that consent obtained through a cookie wall is generally not freely given — because the user has no genuine choice. If refusing cookies means losing access to the service entirely, the consent is not free.

Some authorities have recognised limited exceptions where a genuine equivalent alternative is offered — for example, offering users the choice between a cookie-funded free service and a paid subscription without tracking. But the conditions are strict, and this approach requires careful legal analysis before implementation.

Enforcement Trends

Cookie enforcement has intensified significantly across Europe. The CNIL has imposed fines of EUR 150 million and EUR 60 million on major technology companies for cookie violations. The Belgian DPA has issued decisions addressing cookie consent mechanisms. The Italian Garante published detailed cookie guidelines with a six-month implementation deadline.

The trend is clear: regulators are moving from guidance to enforcement, and the organisations most at risk are those with high-traffic websites, extensive use of advertising technology, or cookie mechanisms that do not meet the consent standards outlined above. Smaller organisations are not immune — complaints from individual users can trigger investigations at any scale.

Practical Steps for Compliance

Getting cookie compliance right requires coordination between legal, marketing, IT, and web development teams. Practical steps include conducting a full cookie audit to identify every cookie and tracking technology on your website, classifying each cookie by purpose and determining whether it requires consent, selecting and configuring a CMP that genuinely blocks non-essential cookies until consent is obtained, updating your cookie policy to accurately describe the cookies in use and their purposes, training marketing and web development teams to consult with compliance before adding new tracking technologies, and scheduling periodic audits to verify that actual cookie behaviour matches your policy.

How Pitch Supports Cookie Compliance

At Pitch, we help organisations achieve and maintain cookie compliance through a combination of legal advice and technology monitoring. Our approach includes conducting cookie audits that map every technology on your digital properties, advising on CMP selection and configuration to ensure genuine consent, drafting cookie policies that accurately reflect your processing, and using our domain monitoring capabilities to detect changes in your website’s technology landscape and flag potential compliance gaps.

We also advise on the broader ePrivacy and GDPR implications of digital marketing strategies, helping you balance marketing effectiveness with legal compliance.

Pitch is the law firm for innovators and creatives. If you need to review your cookie compliance or implement a consent management framework, get in touch or schedule a meeting with our team.

Bart Lieben
Attorney-at-Law