What GDPR and ePrivacy require for cookies
Cookie consent in the EU comes from two rules working together. The ePrivacy Directive (Article 5(3)) requires prior consent before any non-essential cookie is stored or read on a visitor's device. The GDPR (Articles 4(11) and 7) defines what valid consent is: a freely given, specific, informed and unambiguous affirmative action that is as easy to withdraw as to give.
The EDPB's Guidelines 05/2020 spell out the details: no pre-ticked boxes, rejecting must be as easy as accepting, and continuing to browse is not consent. The CJEU confirmed in Planet49 (C-673/17) that pre-ticked consent boxes are invalid.
This is general information, not legal advice. The right setup depends on your site and audience — check with qualified counsel for your situation.
The four cookie categories
Most consent setups sort cookies into four categories. Only the first runs without consent:
- Necessary — required to run the site (login, cart, security). No consent needed.
- Preferences — remember choices like language or region.
- Statistics — analytics that measure how the site is used.
- Marketing — advertising and cross-site tracking.
How to make your cookie use compliant
- Scan your site to find every cookie, pixel and tracker it sets.
- Sort them into the four categories above.
- Block non-essential cookies and scripts until the visitor consents.
- Show a banner with equal-weight Accept and Reject and granular, unticked choices.
- Record each choice (what, when, and how) as proof of consent.
- Let visitors change or withdraw consent at any time.
- Publish a cookie policy that lists the cookies and their purposes.
A consent management platform does all of this for you, so you do not have to build or maintain it by hand.
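The blocking, recording and withdrawal steps above, as an added example in plain JavaScript that is not KookiOk's code: the sample script list, the category names and the `method` labels are assumptions, and on a real page the gated scripts would sit as `<script type="text/plain" data-category="...">` tags whose type is switched only after consent.

```javascript
// Added example, not KookiOk's code: a minimal consent gate for the four
// categories above. Non-essential scripts stay blocked until the visitor opts
// in, every decision is logged (what, when, how), and consent can be withdrawn.
const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Constructed sample scripts; on a real page these would be the
// <script type="text/plain" data-category="..."> tags the gate re-enables.
const SAMPLE_SCRIPTS = [
  { src: "/app.js", category: "necessary" },
  { src: "https://analytics.example/tag.js", category: "statistics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// Fresh state: only "necessary" is allowed; everything else starts unticked.
function createConsent() {
  const state = { necessary: true, preferences: false, statistics: false, marketing: false };
  return { state, log: [] };
}

// Apply a visitor's choice and append a log entry. `method` is an assumed
// label for how consent was obtained ("banner-granular", "banner-accept-all",
// "withdraw"); `now` is injectable so records are reproducible in tests.
function recordDecision(consent, choices, method, now = () => new Date().toISOString()) {
  for (const category of Object.keys(choices)) {
    // "necessary" cannot be toggled and unknown keys are ignored.
    if (!CATEGORIES.includes(category) || category === "necessary") continue;
    consent.state[category] = choices[category] === true;
  }
  consent.log.push({ choices: { ...consent.state }, method, at: now() });
  return consent;
}

// Withdrawal must be as easy as giving consent: one call resets every
// non-essential category and is logged like any other decision.
function withdrawAll(consent, now) {
  return recordDecision(consent, { preferences: false, statistics: false, marketing: false }, "withdraw", now);
}

// Scripts that may load under the current state. A script with a missing or
// unknown category is treated as "marketing" so a tagging mistake fails closed.
function allowedScripts(consent, scripts = SAMPLE_SCRIPTS) {
  return scripts.filter((s) => consent.state[CATEGORIES.includes(s.category) ? s.category : "marketing"]);
}
```

The log entries are what you would persist as proof of consent; the fail-closed default for untagged scripts is the check most worth keeping when you adapt this.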
Common mistakes to avoid
- Pre-ticked boxes or "consent" assumed from scrolling — both are invalid.
- Making "Reject" harder to find or use than "Accept".
- Loading analytics or ad scripts before the visitor agrees.
- A cookie wall that forces acceptance to use the site.
- Keeping no record of who consented to what, and when.
These are exactly the patterns the EDPB and national regulators act on most.
Cookie consent fines and enforcement
These rules are actively enforced. In December 2021 France’s CNIL fined Google a total of €150 million and Amazon €35 million specifically because rejecting cookies took more clicks than accepting them — the single most-cited objection. Authorities including the CNIL (France), the DSK (Germany) and the ICO (UK) have all published guidance that rejecting must be as easy as accepting.
Most enforcement targets the same handful of mistakes: trackers that fire before consent, no genuine “Reject all”, pre-ticked boxes, and consent assumed from scrolling. Getting the banner right — prior blocking, an equal-weight reject, granular unticked choices, and a record of every choice — is what keeps you on the right side of both the ePrivacy rules and the GDPR.
Do it for free with KookiOk
KookiOk is built around these requirements: it scans your site, blocks non-essential cookies until consent, ships a banner with an equally easy "Reject all" and granular categories by default, and keeps 5-year, tamper-evident consent records. It is free, with unlimited sites and page-views.
Frequently asked questions
How do I make my website GDPR compliant for cookies?
Scan and categorize your cookies, block non-essential ones until the visitor consents, show a banner with an equally easy Reject and granular unticked choices, record each choice, and let people withdraw consent. A consent management platform like KookiOk does this for you.
Does GDPR require prior consent for cookies?
Yes — the ePrivacy Directive (Article 5(3)) requires consent before non-essential cookies are stored or read, and the GDPR defines what valid consent looks like. Strictly necessary cookies are the exception.
Are pre-ticked cookie boxes allowed?
No. The EDPB's Guidelines 05/2020 and the CJEU's Planet49 ruling both make clear that pre-ticked boxes are not valid consent — categories must be unticked until the visitor actively opts in.
Do I need to keep proof of cookie consent?
Yes. Under GDPR Article 7 you must be able to demonstrate that consent was given. KookiOk records each choice as a tamper-evident log, kept for 5 years and exportable as PDF or JSON.