Cookie consent in 2026: what your website actually needs
GDPR, UK GDPR, CCPA, and ePrivacy requirements — with statutory citations
Most analytics and advertising cookies require opt-in consent before they load — not opt-out. Pre-ticked boxes, implied consent, and "by continuing to browse" notices do not meet the GDPR standard.
What is cookie consent?
Cookie consent is the legal requirement to obtain a user's prior, informed agreement before storing or accessing non-essential information on their device. The requirement originates from Art. 5(3) of the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC), which states that storing or gaining access to information already stored in the terminal equipment of a subscriber or user is only allowed when the user has given prior consent.
Where cookies collect personal data — which most analytics, advertising, and tracking cookies do — the GDPR also applies. The legal basis for that processing is consent under Art. 6(1)(a) GDPR, which requires consent to be freely given, specific, informed, and unambiguous (Art. 4(11) GDPR). These two frameworks operate together: the ePrivacy Directive governs the act of setting the cookie; the GDPR governs the processing of personal data the cookie collects.
Not all cookies require consent. Art. 5(3) of the ePrivacy Directive exempts cookies that are strictly necessary to provide a service explicitly requested by the user — for example, session cookies that keep a user logged in, or cookies that remember items in a shopping cart. The ICO and CNIL have both published guidance confirming this exemption and setting out where it ends.
The threshold for "strictly necessary" is narrow. Cookies that are convenient, or that improve performance, do not automatically qualify. Analytics cookies, advertising cookies, and social media tracking scripts are not strictly necessary and require consent regardless of which consent management platform or cookie banner tool you use.
Which cookies need consent?
| Cookie type | Consent required? | Legal basis | Example |
|---|---|---|---|
| Strictly necessary | No | Legitimate interests / contract (ePrivacy Art. 5(3) exemption) | Session ID, CSRF token, load balancer cookie |
| Functional / preference | Depends | Consent recommended (purpose determines necessity) | Language preference, theme, remembered form data |
| Analytics / performance | Yes | Consent (Art. 6(1)(a) GDPR + ePrivacy Art. 5(3)) | Google Analytics, Hotjar, Mixpanel |
| Marketing / advertising | Yes | Consent (Art. 6(1)(a) GDPR + ePrivacy Art. 5(3)) | Google Ads, Meta Pixel, retargeting cookies |
| Third-party social media | Yes | Consent (Art. 6(1)(a) GDPR + ePrivacy Art. 5(3)) | Facebook Like button, Twitter/X embed, LinkedIn Insight |
What makes consent valid under GDPR?
Seven requirements from Art. 4(11), Art. 7, Recital 32 GDPR, and EDPB Guidelines 05/2020 on consent.
- 1. Freely given: consent must be given without any detriment for refusing. A cookie wall that blocks access to content unless a user accepts all cookies does not satisfy this requirement. The EDPB Guidelines 05/2020 confirm that making access to a service conditional on consent removes the genuine choice that "freely given" requires.
- 2. Specific: consent must be given separately for each distinct purpose or category of processing. A single "I accept all cookies" checkbox that covers analytics, advertising, and social media tracking simultaneously is not sufficiently specific. Users must be able to consent to analytics without also consenting to advertising.
- 3. Informed: users must be told who is collecting data, what the cookies do, what personal data they collect, how long they persist, and which third parties receive data. This information must be provided before consent is given, not buried in a linked policy the user has to navigate to separately.
- 4. Unambiguous (a clear affirmative action): Recital 32 GDPR states that consent requires a clear affirmative act. Clicking an "Accept" button qualifies. Silence, pre-ticked boxes, or continuing to browse do not. Art. 7(2) GDPR requires that the request for consent be clearly distinguishable from other matters and presented in clear and plain language.
- 5. Prior to setting cookies: no non-essential cookies may be set or read before consent is obtained. Analytics scripts, advertising pixels, and social media trackers must be blocked until the user has actively accepted them. Loading them on page render and then displaying a banner is not compliant.
- 6. As easy to withdraw as to give: Art. 7(3) GDPR requires that withdrawal of consent be as easy as giving it. If a user can accept in one click, they must also be able to withdraw in one click, or at most the same number of steps. A persistent "Cookie Settings" link in the footer, or a floating icon, is the standard implementation.
- 7. Documented and auditable: Art. 7(1) GDPR places the burden of proof on the controller: "the controller shall be able to demonstrate that the data subject has consented." You must log the timestamp, the banner version shown, the choices made, and the user's session or pseudonymous consent identifier. Without this record you cannot demonstrate compliance to a supervisory authority.
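Requirements 5, 6 and 7 are the ones that turn into code on the site itself. The block below is an added example, not code from the original page or from any consent management platform: a consent store that keeps every non-essential category closed until an affirmative act, writes a receipt (timestamp, banner version, choices, pseudonymous ID) on every change, and activates gated `<script type="text/plain" data-consent="...">` tags only for the categories that have been granted. The names `ConsentStore`, `selectLoadable`, `activateGatedScripts`, `BANNER_VERSION` and the sample script descriptors are my own assumptions.

```javascript
'use strict';
// Added example (not from the page): consent gating with an audit trail.
// Assumed category names; map them to whatever your cookie inventory uses.
const CATEGORIES = ['analytics', 'marketing', 'social'];
// Assumed: bump this whenever the banner text or cookie inventory changes,
// so a receipt can be tied to exactly what the user was shown.
const BANNER_VERSION = '2026-01-v3';

class ConsentStore {
  constructor(now = () => new Date()) {
    this.now = now;
    this.granted = new Set();   // nothing is granted until the user acts (requirement 5)
    this.receipts = [];         // append-only log of every decision (requirement 7)
  }

  // Affirmative act: grant only the named categories; unknown names are ignored.
  grant(categories, subjectId) {
    this.granted = new Set(categories.filter((c) => CATEGORIES.includes(c)));
    return this.record('grant', subjectId);
  }

  // "Reject all" is one call, the same cost as "Accept all".
  rejectAll(subjectId) {
    this.granted.clear();
    return this.record('reject', subjectId);
  }

  // Withdrawal is as easy as giving consent (Art. 7(3)): one call per category.
  withdraw(category, subjectId) {
    this.granted.delete(category);
    return this.record('withdraw', subjectId);
  }

  isAllowed(category) {
    return this.granted.has(category);
  }

  // The receipt is what you show a supervisory authority under Art. 7(1).
  record(action, subjectId) {
    const receipt = {
      action,
      subjectId,                       // pseudonymous consent ID, not an account ID
      bannerVersion: BANNER_VERSION,
      timestamp: this.now().toISOString(),
      choices: Object.fromEntries(CATEGORIES.map((c) => [c, this.granted.has(c)])),
    };
    this.receipts.push(receipt);
    return receipt;
  }
}

// Pure selection step: which gated scripts may load under the current state.
// Each descriptor mirrors a <script type="text/plain" data-consent="..."> tag.
function selectLoadable(store, scripts) {
  return scripts.filter((s) => store.isAllowed(s.consent));
}

// Browser side: swap gated tags for live <script> elements once their category
// is allowed. Returns the number activated; returns 0 where there is no DOM.
function activateGatedScripts(store, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const tag of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (tag.dataset.activated || !store.isAllowed(tag.dataset.consent)) continue;
    const live = doc.createElement('script');
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    tag.dataset.activated = '1';     // never execute the same snippet twice
    tag.after(live);
    activated++;
  }
  return activated;
}

// Constructed sample inventory, as it would appear in the page's gated tags.
const SAMPLE_SCRIPTS = [
  { src: 'https://analytics.example/tag.js', consent: 'analytics' },
  { src: 'https://ads.example/pixel.js', consent: 'marketing' },
];
```

The pattern relies on the browser refusing to execute `type="text/plain"` scripts, so third-party snippets are inert until the loader copies them into real `<script>` elements. Keep the receipts server-side, keyed by the pseudonymous ID: a consent cookie alone is not an audit trail, because the user can clear it.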
What must your cookie banner include?
Based on ICO, CNIL, and EDPB enforcement guidance.
- 1. Clear identity of who is collecting data: the banner must identify your organisation as the data controller. If you operate a group of companies or white-label a product, the entity with whom the user has a relationship must be named.
- 2. Categories of cookies and their purposes: users must be told which categories of cookies are used (strictly necessary, functional, analytics, marketing) and what each category does, in plain language rather than technical jargon. Purpose descriptions like "to improve the site" are not specific enough.
- 3. Names of third parties who set cookies: where third parties set cookies, such as Google, Meta, or Hotjar, those entities must be named in or accessible from the banner. Users cannot give informed consent to unnamed third parties.
- 4. "Accept all" and "Reject all" buttons at equal prominence: both the ICO and CNIL have adopted enforcement positions requiring that a "Reject all" or "Decline all" button be presented at the same visual level as the "Accept all" button, on the first layer of the banner. Hiding rejection behind a "Manage preferences" link is insufficient.
- 5. Granular category toggles: users must be able to accept or reject individual cookie categories (analytics, marketing, functional) separately; this is how the specificity requirement above is met in practice. A banner that offers only "Accept all" and "Reject all" gives a genuine choice but no granularity, so most compliant implementations put per-category toggles on a second layer reachable from the first.
- 6. Link to the full cookie policy: the banner must link to your cookie policy, which gives full details of every cookie used, its duration, its provider, and its purpose. The policy must be kept up to date; an outdated policy is a separate compliance risk.
- 7. Easy re-access to preferences: users must be able to change or withdraw their consent at any time, as easily as they gave it. A persistent "Cookie Settings" link in the footer, or a floating settings icon on every page, is the standard implementation. Re-consent may be required periodically or when the cookie inventory materially changes.
CCPA and cookie consent
The California Consumer Privacy Act (CCPA), as amended by the CPRA, takes a different approach from the GDPR. The CCPA does not require opt-in consent for cookies as such. The key trigger is whether cookies result in the "sale" or "sharing" of personal information with third parties.
Under Cal. Civ. Code §1798.135, if your website uses cookies that disclose personal information to advertising networks, data brokers, or other third parties for cross-context behavioural advertising, which covers the vast majority of advertising and retargeting cookie implementations, you must provide a "Do Not Sell or Share My Personal Information" opt-out link, prominently displayed on your homepage and on every page on which personal information is collected.
The Global Privacy Control (GPC) signal, a browser-level opt-out sent as the `Sec-GPC: 1` request header and exposed to scripts as `navigator.globalPrivacyControl`, must be honoured as a valid opt-out preference signal under Cal. Civ. Code §1798.135(b)(1) and the CPPA regulations (11 CCR §7025). If a user's browser sends the signal, your website must treat it as a "Do Not Sell or Share" request and stop transmitting data to advertising third parties, without requiring the user to take any further action.
Businesses subject to CCPA that also have EU or UK users will need to operate a dual-track compliance approach: a GDPR-compliant opt-in consent mechanism for EU/UK users, and a CCPA-compliant opt-out mechanism (including GPC support) for California users. Many consent management platforms now support geo-targeted banner logic to serve the appropriate mechanism by user location.
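The dual-track model above reduces to one decision per request: which regime applies, and what the stored choice plus the browser signal allow. The block below is an added example, not code from the original page or from any consent platform. `resolvePermissions`, `gpcOptOut`, the region codes, the `storedConsent` shape and the choice to treat first-party analytics as not a sale or share are my assumptions; the `Sec-GPC` request header and `navigator.globalPrivacyControl` property are the signal's real names.

```javascript
'use strict';
// Added example (not from the page): dual-track permission resolution.
// Assumed category model: analytics = first-party measurement (not a sale/share);
// marketing = data sent to advertising third parties (a sale/share under CCPA).
const NON_ESSENTIAL = ['analytics', 'marketing'];

// Detect the Global Privacy Control signal. Server side it is the Sec-GPC
// header with value "1"; client side it is navigator.globalPrivacyControl.
// Header names are matched case-insensitively; any other value is not an opt-out.
function gpcOptOut(headers = {}, nav = globalThis.navigator) {
  const lower = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]),
  );
  if (lower['sec-gpc'] === '1') return true;
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// region: assumed geo-IP result such as 'EU', 'UK', 'US-CA' or anything else.
// storedConsent: assumed shape { analytics, marketing } for opt-in regions,
//                { doNotSellOrShare } for California.
function resolvePermissions({ region, storedConsent = null, headers = {} }) {
  const result = { regime: 'opt-in', allowed: {}, honouredGpc: false };

  if (region === 'US-CA') {
    result.regime = 'opt-out';
    const gpc = gpcOptOut(headers);
    const optedOut = gpc || Boolean(storedConsent && storedConsent.doNotSellOrShare === true);
    result.honouredGpc = gpc;
    // Opt-out blocks the sale/share path only; first-party analytics stays on
    // (assumption: check your own data flows before relying on this split).
    result.allowed.analytics = true;
    result.allowed.marketing = !optedOut;
    return result;
  }

  // EU, UK, and any region we cannot classify: fail closed to opt-in, so
  // nothing non-essential runs without a recorded affirmative choice.
  for (const c of NON_ESSENTIAL) {
    result.allowed[c] = Boolean(storedConsent && storedConsent[c] === true);
  }
  return result;
}
```

Resolve the regime once per request and pass the `allowed` map to whatever gates your scripts; the GPC check must run on every request, not just when the banner is shown, because the user can enable the signal after their first visit. Under the opt-in branch a GPC signal is irrelevant: with no stored grant, nothing loads anyway.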
Common mistakes — and why they fail
These are the most frequently cited issues in regulatory enforcement actions and audits.
- Pre-ticked checkboxes. A pre-ticked box is not a clear affirmative action. Recital 32 GDPR states that "silence, pre-ticked boxes or inactivity should not therefore constitute consent", and the CJEU held in Planet49 (Case C-673/17) that a pre-ticked checkbox cannot give valid consent to cookies. (Recital 32 GDPR; CJEU C-673/17)
- Implied consent from continued browsing. Continuing to use a website, scrolling, or swiping is not an unambiguous indication of agreement. The EDPB Guidelines 05/2020 state expressly that scrolling or swiping through a page does not satisfy the requirement of a clear affirmative action, and ICO and CNIL guidance take the same position. (EDPB Guidelines 05/2020)
- Cookie walls. Blocking access to a website unless the user accepts all cookies is generally invalid. The EDPB Guidelines 05/2020 state that consent is not freely given if users have no genuine choice. Regulators in France, Germany, and the Netherlands have enforced against cookie walls. (EDPB Guidelines 05/2020)
- Cookies set before consent. Cookies cannot be set or read before consent is obtained. Loading analytics scripts (e.g. Google Analytics) on page load, even with a banner displayed, is a breach. The ICO and CNIL have both fined organisations for this practice. (Art. 5(3) ePrivacy Directive)
- No "Reject all" on the first layer. If you show an "Accept all" button, you must show a "Reject all" button at the same level of visual prominence and on the same screen. The ICO and CNIL have both taken enforcement action against banners that hide the reject option behind multiple clicks. (ICO / CNIL enforcement position, 2022–2024)
- No consent records. Art. 7(1) GDPR requires controllers to demonstrate that consent was obtained. You must keep records of when consent was given, which version of the banner was shown, and which choices were made. Without this audit trail you cannot demonstrate compliance. (Art. 7(1) GDPR)
Frequently asked questions
Do I need a cookie consent banner?
Yes, if you use any non-strictly-necessary cookies and your website is accessible to EU or UK users. The legal basis is Art. 5(3) of the ePrivacy Directive, which requires prior informed consent before storing or accessing information on a user's device, combined with Art. 6(1)(a) GDPR for the processing of personal data those cookies collect. A banner is also advisable for websites with California users that use advertising or analytics cookies that result in data sharing with third parties.
Does Google Analytics require consent?
Yes, under the ePrivacy Directive and the GDPR. Google Analytics 4 sets analytics cookies, so EU and UK users must give prior opt-in consent before the GA4 tag is allowed to load; a consent mechanism that lets the tag set cookies or send hits before the user has accepted is not compliant. Separately, in 2022 the Austrian DSB, the French CNIL, and the Italian Garante found that the Google Analytics (Universal Analytics) configurations they examined unlawfully transferred personal data to the United States. Those decisions concerned international transfers rather than consent; the consent requirement applies to GA4 regardless of how transfers are handled.
Can I use legitimate interests as the legal basis for analytics cookies?
No. Art. 5(3) of the ePrivacy Directive requires consent specifically for storing or accessing information on a user's terminal device. It is a lex specialis provision that displaces the general GDPR legal bases for that particular act, so legitimate interests cannot be used as an alternative to consent for cookies that are not strictly necessary. This position is set out in EDPB Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, and restated in EDPB Guidelines 05/2020 on consent. Once the cookie is lawfully set, the GDPR basis for the resulting processing of personal data is consent under Art. 6(1)(a).
What is the difference between a cookie banner and a cookie policy?
A cookie banner is the interactive consent mechanism displayed to users — it must allow users to accept, reject, or granularly manage cookie categories before non-essential cookies load. A cookie policy is the written disclosure document that explains what cookies are used, their purposes, who sets them, and how long they last. Both are legally required. The cookie policy must be accessible directly from the banner and linked in the website footer.
Does CCPA require cookie consent?
CCPA does not require opt-in consent for cookies in the way GDPR does. However, if cookies result in the "sale" or "sharing" of personal data with third parties, for example advertising networks, you must provide a "Do Not Sell or Share My Personal Information" opt-out link under Cal. Civ. Code §1798.135. The Global Privacy Control (GPC) signal must also be honoured as a valid opt-out preference signal under Cal. Civ. Code §1798.135(b)(1) and the CPPA regulations (11 CCR §7025).