
GDPR Cookie Compliance: Beyond the Banner

Cookies and similar tracking technologies represent a significant area of GDPR enforcement activity. A cookie banner alone isn't sufficient—proper compliance requires valid consent mechanisms, clear explanations, and technical implementation that genuinely respects user choices.

Key Takeaways

| Point | Summary |
|---|---|
| Essential cookies | Don't need consent (authentication, security, load balancing) |
| Non-essential cookies | Need explicit opt-in consent (analytics, marketing, social media) |
| Consent requirements | Clear language, separate choices per category, no pre-ticked boxes, easy withdrawal |
| Common violation | Loading tracking cookies before the user consents |
| Documentation | Keep records of consent: who, when, what they agreed to |

Quick Answer: Only essential cookies (login, security) don't need consent. Analytics, marketing, and social media cookies require explicit opt-in before loading. Cookie banners must offer real choices with no pre-ticked boxes.

How GDPR Applies to Cookies

Cookie consent is governed by two complementary pieces of EU law that work together:

Cookie Regulation Framework:

ePrivacy Directive (Article 5(3)):

  • The primary legal basis requiring consent for cookies
  • Applies to storing or accessing any information on a user's device
  • Often called the "Cookie Law" - specific to tracking technologies
  • Will eventually be replaced by the upcoming ePrivacy Regulation

GDPR:

  • Defines valid consent (Article 7): Consent must be freely given, specific, informed, and unambiguous
  • Applies when cookies process personal data: Most cookies (analytics, marketing) collect data that identifies individuals
  • Provides transparency requirements and data subject rights
  • Sets enforcement powers and penalties

How They Work Together:

  • ePrivacy Directive requires you to obtain consent before setting non-essential cookies
  • GDPR defines what that consent must look like to be legally valid
  • National data protection authorities enforce both regulations
  • Result: Most cookies need opt-in consent meeting GDPR's consent standards

Cookie Categories

Understanding cookie types determines consent requirements:

| Category | Examples | Consent Required? |
|---|---|---|
| Strictly Necessary | Session cookies, security cookies, load balancing | No |
| Functionality | Language preferences, user settings | Yes |
| Performance/Analytics | Google Analytics, Mixpanel | Yes |
| Marketing/Advertising | Ad tracking, retargeting, social media | Yes |

Strictly Necessary Cookies

These don't require consent because the service can't function without them:

Qualifying as "strictly necessary":

  • Shopping cart cookies
  • Authentication cookies
  • Security cookies (CSRF protection)
  • Load balancing
  • Consent preferences storage

NOT strictly necessary (require consent):

  • Analytics (even first-party)
  • Personalization
  • Any advertising/marketing
  • Social media plugins
  • A/B testing

Cookie Consent Requirements

Valid Cookie Consent Must Be:

| Requirement | Implementation |
|---|---|
| Prior | Obtained before cookies are set |
| Informed | Clear explanation of what cookies do |
| Specific | Separate consent for different purposes |
| Freely Given | No cookie walls blocking access |
| Unambiguous | Clear affirmative action |
| Withdrawable | Easy to change preferences |

Cookie Consent Implementation

Proper Cookie Consent Flow:

Page Load:

  • Block non-essential cookies
  • Display cookie banner/notice
  • Load only strictly necessary cookies

User Action:

  • Accept All → Set all cookies, record consent
  • Reject All → Set no optional cookies, record choice
  • Customize → Show granular options
  • No action → No optional cookies set

Granular Options:

  • Analytics: [Accept/Reject]
  • Functionality: [Accept/Reject]
  • Marketing: [Accept/Reject]
  • Save preferences

Post-Consent:

  • Set allowed cookies
  • Record consent timestamp
  • Record consent version
  • Provide way to change preferences
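The flow above (block by default, record every decision with a timestamp and policy version, gate loaders on the stored choice, make withdrawal a single step) fits in a small consent store. The code below is an added example, not code from the article; the category names, the storage key `cookie_consent`, the version string and the `get`/`set` storage interface are assumptions made for the example (in a browser the storage would wrap `localStorage`; here an in-memory Map stands in so it runs under Node).

```javascript
// Added example (not from the article): a small consent store implementing the
// flow above. `storage` is any object with get(key)/set(key, value); in a
// browser that is a wrapper around localStorage, here an in-memory Map.
// Category names, the storage key and the version string are assumptions.

const OPTIONAL_CATEGORIES = ['analytics', 'functionality', 'marketing'];
const CONSENT_VERSION = '2024-01';   // bump whenever the cookie policy changes
const STORAGE_KEY = 'cookie_consent';

// Opt-in means every optional category is off until the user says otherwise.
function noOptionalCookies() {
  return Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, false]));
}

function createConsentManager(storage, now = () => new Date()) {
  // Returns the stored record, or an "undecided" default when nothing valid is stored.
  function load() {
    const undecided = { choices: noOptionalCookies(), recordedAt: null, version: null, decided: false };
    const raw = storage.get(STORAGE_KEY);
    if (!raw) return undecided;
    let record;
    try { record = JSON.parse(raw); } catch (e) { return undecided; }
    // A record made under an older policy version does not count: the purposes
    // the user agreed to may have changed, so the banner is shown again.
    if (!record || record.version !== CONSENT_VERSION) return undecided;
    return { ...record, decided: true };
  }

  // Every decision (accept, reject, customize, withdraw) is written the same way,
  // with a timestamp and the policy version; that record is the audit trail.
  function save(choices) {
    const record = { choices, recordedAt: now().toISOString(), version: CONSENT_VERSION };
    storage.set(STORAGE_KEY, JSON.stringify(record));
    return record;
  }

  return {
    // Page load: show the banner only while no current decision exists.
    needsBanner: () => !load().decided,
    acceptAll: () => save(Object.fromEntries(OPTIONAL_CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => save(noOptionalCookies()),
    // Customize: only known categories can be switched on; unmentioned ones stay off.
    savePreferences(partial) {
      const choices = noOptionalCookies();
      for (const c of OPTIONAL_CATEGORIES) if (partial[c] === true) choices[c] = true;
      return save(choices);
    },
    // Withdrawal is one call, the same effort as accepting.
    withdraw: () => save(noOptionalCookies()),
    // Gate for loaders: strictly necessary is always allowed, anything else
    // only after an explicit, current "true".
    isAllowed: (category) => category === 'necessary' || load().choices[category] === true,
    // Run a loader (e.g. the analytics script injector) only when permitted.
    loadIfAllowed(category, loader) {
      if (!this.isAllowed(category)) return false;
      loader();
      return true;
    },
    record: () => load(),
  };
}

// In-memory stand-in for localStorage so the example runs outside a browser.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v) };
}
```

Two design points carry the compliance weight: `needsBanner()` returns true not only on a first visit but also when the stored record was made under an older policy version, and `loadIfAllowed()` is the only path through which a tracking script should ever be injected, so "cookies set before consent" cannot happen by accident.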

Cookie Banner Best Practices

Do's and Don'ts

Do:

  • Show banner before setting non-essential cookies
  • Provide genuine choice (Accept/Reject equal prominence)
  • Offer granular options
  • Explain purposes clearly
  • Make "manage preferences" easy to find
  • Allow withdrawal at any time
  • Work on mobile devices

Don't:

  • Pre-tick consent boxes
  • Use dark patterns to encourage acceptance
  • Make "reject" harder than "accept"
  • Require consent to access the site
  • Set cookies before consent
  • Ignore "Do Not Track" signals
  • Make withdrawal difficult

Banner Design

Cookie Banner Example (Good):

Cookie Preferences

We use cookies to improve your experience and
analyze site usage. You can customize your
preferences below.

[Accept All]  [Reject All]  [Manage Settings]

[Privacy Policy]

Note: Accept and Reject have equal visual prominence

Cookie Banner Example (Bad):

We use cookies to enhance your experience.

[        ACCEPT ALL COOKIES        ]

[manage preferences - tiny link]

Problems: No reject option, accept emphasized,
preferences hidden

Cookie Policy Requirements

Your cookie policy should include:

| Section | Content |
|---|---|
| What Are Cookies | Plain language explanation |
| Types We Use | Categories and purposes |
| Cookie Table | Specific cookies, purposes, expiry |
| How to Control | Browser settings, consent management |
| Third-Party Cookies | Who sets them, their policies |
| Updates | How you communicate changes |
| Contact | How to reach you with questions |

Cookie Table Example

| Cookie Name | Provider | Purpose | Type | Expiry |
|---|---|---|---|---|
| session_id | Us | User authentication | Necessary | Session |
| csrf_token | Us | Security | Necessary | Session |
| _ga | Google | Analytics | Analytics | 2 years |
| _fbp | Facebook | Advertising | Marketing | 3 months |
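A cookie table like this is also the reference for the "regular cookie audits" item in the checklist later on: compare what is actually present in the browser against what the policy declares and what the user has consented to. The following is an added example, not code from the article; it reuses the four cookies from the table above, and the extra cookie `unknown_tracker`, the sample cookie string and the consent object are constructed for the example.

```javascript
// Added example (not from the article): audit a document.cookie snapshot against
// the declared cookie table and the current consent state. The declared entries
// come from the article's table; the sample cookie string is constructed.

const DECLARED_COOKIES = [
  { name: 'session_id', provider: 'Us',       purpose: 'User authentication', category: 'necessary', expiry: 'Session'  },
  { name: 'csrf_token', provider: 'Us',       purpose: 'Security',            category: 'necessary', expiry: 'Session'  },
  { name: '_ga',        provider: 'Google',   purpose: 'Analytics',           category: 'analytics', expiry: '2 years'  },
  { name: '_fbp',       provider: 'Facebook', purpose: 'Advertising',         category: 'marketing', expiry: '3 months' },
];

// Constructed snapshot of document.cookie: one undeclared cookie has crept in.
const SAMPLE_COOKIES =
  'session_id=abc123; csrf_token=tok; _ga=GA1.1.111.222; _fbp=fb.1.123; unknown_tracker=1';

// document.cookie is "name=value; name2=value2"; values may themselves contain '='.
function parseCookieString(cookieString) {
  return cookieString
    .split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const i = pair.indexOf('=');
      return i === -1
        ? { name: pair, value: '' }
        : { name: pair.slice(0, i), value: pair.slice(i + 1) };
    });
}

// Returns a list of findings; an empty list means every cookie present is both
// declared in the policy and permitted by the user's current consent.
function auditCookies(cookieString, declared, consent) {
  const byName = new Map(declared.map((d) => [d.name, d]));
  const findings = [];
  for (const { name } of parseCookieString(cookieString)) {
    const entry = byName.get(name);
    if (!entry) {
      findings.push({ cookie: name, issue: 'undeclared', detail: 'not listed in the cookie policy table' });
      continue;
    }
    if (entry.category === 'necessary') continue;   // never needs consent
    if (consent[entry.category] !== true) {
      const state = consent[entry.category] === false ? 'rejected' : 'not yet given';
      findings.push({
        cookie: name,
        issue: 'set-without-consent',
        detail: `${entry.category} cookie from ${entry.provider} present while ${entry.category} consent is ${state}`,
      });
    }
  }
  return findings;
}
```

Run it right after page load with an empty consent object to catch the "cookies set before consent" violation, and again after each choice. Real inventories need one extension this example leaves out: matching by prefix, because some providers append an identifier to the cookie name.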

Technical Implementation

Cookie Blocking Before Consent

// Conceptual approach - block scripts until consent

// Don't load analytics automatically
// Instead, load after consent

function loadAnalytics() {
  // Only call this after user consents
  const script = document.createElement('script');
  script.src = 'https://analytics-provider.com/script.js';
  document.head.appendChild(script);
}

// Read the consent record saved by the banner (storage key is an example).
// Every optional category counts as refused until a choice has been stored.
function getStoredConsent() {
  const refused = { analytics: false, functionality: false, marketing: false };
  try {
    const raw = localStorage.getItem('cookie_consent');
    return raw ? JSON.parse(raw) : refused;
  } catch (e) {
    return refused; // unreadable or corrupt record: treat as no consent
  }
}

// On page load - check stored consent
const consent = getStoredConsent();
if (consent.analytics) {
  loadAnalytics();
}

Consent Management Platform (CMP)

Consider using a CMP for easier implementation:

| CMP Feature | Benefit |
|---|---|
| Banner Management | Pre-built, customizable banners |
| Consent Recording | Automatic consent documentation |
| Script Blocking | Technical blocking of non-consented cookies |
| Preference Center | User-friendly settings interface |
| Compliance Updates | Stays current with regulation changes |

Popular CMPs: Cookiebot, OneTrust, Usercentrics, CookieYes

Common Cookie Compliance Issues

Issue 1: Cookie Walls

Problem: "Accept cookies or leave"

Why it's wrong: GDPR requires freely given consent. Denying service for refusing cookies isn't free choice.

Solution: Allow access with only strictly necessary cookies.

Issue 2: Pre-Selected Options

Problem: Analytics and marketing pre-checked in settings.

Why it's wrong: Consent must be opt-in, not opt-out.

Solution: All optional categories off by default.

Issue 3: Cookies Set Before Consent

Problem: Analytics loads immediately on page visit.

Why it's wrong: Consent must be prior to processing.

Solution: Block non-essential cookies until consent given.

Issue 4: "Accept" Prominently Displayed

Problem: Big green "Accept" button, tiny "Reject" link.

Why it's wrong: Dark pattern influences choice.

Solution: Equal prominence for accept and reject options.

Issue 5: Difficult to Withdraw

Problem: Can't find where to change cookie preferences.

Why it's wrong: Withdrawal must be as easy as giving consent.

Solution: Visible "Cookie Settings" link in footer or menu.

Third-Party Cookie Considerations

Managing Third-Party Scripts

| Script Type | Considerations |
|---|---|
| Analytics (Google, etc.) | Configure for privacy, IP anonymization |
| Social Media Buttons | Load only on consent or use privacy-friendly versions |
| Advertising | Block until consent, respect opt-outs |
| Embedded Content (YouTube, etc.) | Use privacy-enhanced modes |

Google Analytics Considerations

Google Analytics Privacy Configuration:

Recommended Settings:

  • Enable IP anonymization
  • Disable data sharing with Google
  • Set appropriate data retention period
  • Disable User-ID feature if not needed
  • Configure consent mode

Consent Mode (GA4):

  • Default: denied
  • Update on consent
  • Allows modeling without cookies
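The three bullets above correspond to two `gtag('consent', ...)` calls: a `default` call that runs before the GA4 config and denies every storage type, and an `update` call issued once the user has chosen. The code below is an added example and is not taken from the article or from Google's documentation; `gtag` is the usual stub that pushes onto `dataLayer`, which is created here so the sequence can be inspected outside a browser, and the mapping from the site's consent categories onto Google's consent types is an assumption of the example.

```javascript
// Added example (not from the article or Google): GA4 Consent Mode call order.
// `gtag` is the standard stub that pushes its arguments onto window.dataLayer;
// the array is created here so the example runs without a browser.

const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Must run before the GA4 config call: every storage type starts as denied,
// except security_storage, which covers strictly necessary cookies.
function setConsentDefaults() {
  const defaults = {
    ad_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    analytics_storage: 'denied',
    functionality_storage: 'denied',
    personalization_storage: 'denied',
    security_storage: 'granted',
    wait_for_update: 500, // ms to wait for a stored choice before sending hits
  };
  gtag('consent', 'default', defaults);
  return defaults;
}

// Map the banner's categories (assumed names) onto Google's consent types.
function consentUpdateFromChoices(choices) {
  const g = (v) => (v === true ? 'granted' : 'denied');
  return {
    analytics_storage: g(choices.analytics),
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
    functionality_storage: g(choices.functionality),
    personalization_storage: g(choices.functionality),
  };
}

// Called whenever the user accepts, rejects, customizes or withdraws.
function applyConsentUpdate(choices) {
  const update = consentUpdateFromChoices(choices);
  gtag('consent', 'update', update);
  return update;
}

// For inspection: the most recent consent command pushed to the dataLayer.
function lastConsentCommand() {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const args = dataLayer[i];
    if (args[0] === 'consent') return { command: args[1], params: args[2] };
  }
  return null;
}
```

The ordering is the part that is easy to get wrong: if the `default` call lands after the GA4 config snippet, the tag starts in its own default (granted) state and sets `_ga` before the user has answered, which is exactly the "cookies set before consent" violation described above.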

Enforcement and Penalties

Cookie compliance is heavily enforced:

| Country | Notable Actions |
|---|---|
| France (CNIL) | €150M fine to Google, €60M to Facebook for cookie violations |
| Spain (AEPD) | Multiple fines for cookie consent issues |
| Italy | Fines for improper cookie banners |
| Belgium | Enforcement against news sites |

Cookie Compliance Checklist

Banner/Notice:

  • Shown before non-essential cookies set
  • Clear explanation of purposes
  • Accept and Reject equally prominent
  • Link to manage preferences
  • Works on mobile
  • Not blocking content (no cookie wall)

Consent:

  • Opt-in (not opt-out)
  • Granular by category
  • Prior to setting cookies
  • Recorded with timestamp
  • Easy to withdraw

Technical:

  • Non-essential cookies blocked until consent
  • Consent preferences respected
  • Third-party scripts controlled
  • Consent state persisted

Documentation:

  • Cookie policy published
  • All cookies listed
  • Third parties disclosed
  • Regular cookie audits

How Bastion Helps

Cookie compliance sits at the intersection of technical implementation, legal requirements, and user experience. Working with experienced partners helps ensure your approach is both compliant and practical.

| Challenge | How We Help |
|---|---|
| Cookie Audit | Comprehensive identification of all cookies and tracking technologies on your site |
| Implementation | Guidance on configuring consent mechanisms that meet GDPR standards |
| Policy Creation | Cookie policy templates tailored to your specific cookie usage |
| Vendor Management | Review and tracking of third-party cookies and scripts |
| Ongoing Compliance | Periodic audits to catch new cookies as your site evolves |

Cookie compliance is an area where getting things right from the start helps avoid enforcement actions—regulators have shown particular attention to cookie consent issues in recent years.

