
GDPR Cookie Consent Requirements in 2026: What Developers Actually Need to Know

Key Takeaways

  • Active, affirmative action required. Scrolling, closing the banner, or "continued browsing" does not count. Amazon was fined $38.5 million for a banner that treated site usage as consent.
  • Granular per purpose. Users must consent to analytics separately from marketing.
  • Revocable at any time. You need a re-entry mechanism to reopen consent preferences.
  • Documented. You need proof of when, what, and how a user consented.

Cookie consent in Europe sits on two laws. GDPR (Articles 6 and 7) defines what valid consent means: freely given, specific, informed, and unambiguous. The CJEU reinforced this in the Planet49 ruling (Case C-673/17, 2019): pre-ticked checkboxes do not constitute valid consent. Consent must also be as easy to withdraw as it was to give (Article 7(3)), and the controller must be able to demonstrate that it was given (Article 7(1)).

The ePrivacy Directive (2002/58/EC, Article 5(3)) specifically targets cookies and any other storage of or access to information on the user's device. You need consent before setting any cookie unless it is strictly necessary for the service the user explicitly requested. Even an anonymous analytics cookie requires consent, because the trigger is storage on the device, not whether the data identifies someone. Some regulators (CNIL, for example) carve out a narrow exemption for first-party audience measurement that meets strict conditions; a default install of a hosted analytics product does not qualify.

For implementation, this means the four requirements listed under Key Takeaways above: an active, affirmative action; granular per-purpose choices; revocation at any time; and a documented record of each consent.

Learn how ConsentStack handles GDPR compliance

What You Must Implement: The Requirements Checklist

GDPR's "specific" requirement means consent is collected per purpose. The category names below are the industry convention rather than a statutory list, but they are what regulators and CMPs work with:

Strictly Necessary (exempt from consent): Session cookies, auth tokens, CSRF protection, load balancer cookies, the consent cookie itself. Google Analytics, Hotjar, Mixpanel, and any marketing pixel are never strictly necessary.

Analytics / Performance (requires consent): Google Analytics, Hotjar, Mixpanel, Heap, A/B testing tools, performance monitoring.

Functional (requires consent): Live chat widgets, embedded video players, social sharing buttons, language preference cookies.

Marketing / Advertising (requires consent): Google Ads, Meta Pixel, TikTok Pixel, LinkedIn Insight Tag, retargeting platforms, any cross-domain tracking. See how Meta Conversions API interacts with consent

ConsentStack auto-classifies scripts against 6,592 tracker domains sourced from DuckDuckGo Tracker Radar. How script blocking works

Every one of these requirements has been the subject of enforcement actions:

Must appear before any non-essential cookies are set. The banner is a gate. No scripts fire until the user chooses. 59% of websites with CMPs fail this: the banner shows, but scripts fire anyway. Why cookie banner performance matters

Must have a clear "Reject All" option on the first layer. The EDPB Cookie Banner Taskforce (January 2023) confirmed reject must be available on the first layer, not buried in settings.

Reject must be as prominent as Accept. Same size, same visual weight. This is the most-enforced violation worldwide:

| Company | Fine | Regulator | Violation |
|---|---|---|---|
| Google | $165M | CNIL | Asymmetric accept/reject buttons |
| Google | $358M | CNIL | Consent violations (September 2025) |
| Facebook | $66M | CNIL | No equivalent reject button |
| Microsoft/Bing | $66M | CNIL | Asymmetric buttons |
| TikTok | $5.5M | CNIL | Reject not equally accessible |
| Honda | $632,000 | CPPA | Misconfigured CMP (OneTrust named specifically) |

Must not use pre-checked boxes. Apple was fined $8.8M for pre-ticked consent on 27.5M devices. Kruidvat paid $660K for a pre-checked "Accept all." How dark patterns in cookie banners lead to fines

Must allow granular choices and provide a re-entry mechanism. A floating button, footer link, or settings page that is accessible within one or two clicks from every page.

Script Blocking

This is where compliance theater becomes visible. 59% of websites with CMPs set cookies before consent. The banner loads, scripts fire anyway.

Three approaches exist, and only one guarantees compliance:

1. Parse-time blocking (MutationObserver). A MutationObserver is installed by an inline script at the top of <head>, before any third-party script has run. It sees each script element as the parser inserts it and neutralises matching ones before they execute. ConsentStack uses this approach with a <10KB SDK, checking scripts against 6,592 tracker domains. No cookies are set by script execution before consent.

2. Runtime blocking. The CMP loads after the page, then tries to retroactively block scripts. There is always a window where scripts execute without consent. This is why 59% fail.

3. GTM consent templates. Blocks GTM-managed tags only. Inline scripts and direct third-party includes bypass them entirely. Partial coverage leaves gaps that regulators are now catching.
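The two halves of parse-time gating, as an added example that is not ConsentStack's SDK or any other vendor's code: a classifier that maps a script URL to a consent category, and a MutationObserver that neutralises matching script elements as the parser inserts them and re-creates them once consent arrives. TRACKER_DOMAINS is a small constructed sample (a real deployment loads a full list such as DuckDuckGo Tracker Radar), and the inline-script attribute name data-consent-category is this example's own convention.

```javascript
// Added example, not ConsentStack's SDK: parse-time script gating.
// TRACKER_DOMAINS is a constructed sample, not a real tracker list.
const TRACKER_DOMAINS = {
  "google-analytics.com": "analytics",
  "googletagmanager.com": "analytics",
  "hotjar.com": "analytics",
  "connect.facebook.net": "marketing",
  "analytics.tiktok.com": "marketing",
  "snap.licdn.com": "marketing",
};
const BLOCKED_TYPE = "text/plain"; // non-JS MIME type: the browser will not evaluate it
const consentState = { analytics: false, functional: false, marketing: false }; // deny by default
const blocked = []; // elements neutralised while waiting for consent

// Hostname of a script URL; protocol-relative and relative URLs resolve
// against the page origin. Returns null for unparsable input.
function hostOf(src, pageOrigin) {
  try {
    return new URL(src, pageOrigin).hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Exact match or subdomain match on a dot boundary:
// "www.google-analytics.com" matches, "notgoogle-analytics.com" does not.
function classifyScript(src, pageOrigin = "https://example.com") {
  const host = hostOf(src, pageOrigin);
  if (!host) return null;
  for (const [domain, category] of Object.entries(TRACKER_DOMAINS)) {
    if (host === domain || host.endsWith("." + domain)) return category;
  }
  return null; // first-party or unlisted: left alone
}

// Category a script must be gated under, or null if it may run now.
// Inline scripts carry no URL, so they are gated only when the page author
// labelled them with data-consent-category (this example's convention).
function gateCategory({ src, inlineCategory }, consent, pageOrigin) {
  const category = src ? classifyScript(src, pageOrigin) : inlineCategory;
  if (!category || consent[category] === true) return null;
  return category;
}

function neutralise(node, category) {
  node.setAttribute("data-consent-category", category);
  node.setAttribute("data-consent-original-type", node.type || "text/javascript");
  node.type = BLOCKED_TYPE;
  blocked.push(node);
}

// Must run from an inline <script> at the top of <head>, before any other
// script, so it observes every later insertion (parser, tag manager, dynamic).
function installObserver(pageOrigin = location.origin) {
  const observer = new MutationObserver((mutations) => {
    for (const m of mutations) {
      for (const node of m.addedNodes) {
        if (node.nodeType !== 1 || node.tagName !== "SCRIPT") continue;
        const category = gateCategory(
          { src: node.getAttribute("src"), inlineCategory: node.getAttribute("data-consent-category") },
          consentState, pageOrigin);
        if (category) neutralise(node, category);
      }
    }
  });
  observer.observe(document.documentElement, { childList: true, subtree: true });
  return observer;
}

// Flipping type back does not execute an already-parsed <script>; the element
// must be replaced with a fresh one. Still-denied categories stay blocked.
function releaseBlocked() {
  for (const old of blocked.splice(0)) {
    const category = old.getAttribute("data-consent-category");
    if (consentState[category] !== true) { blocked.push(old); continue; }
    const fresh = document.createElement("script");
    for (const { name, value } of old.attributes) {
      if (name !== "type" && !name.startsWith("data-consent-")) fresh.setAttribute(name, value);
    }
    fresh.type = old.getAttribute("data-consent-original-type");
    if (!old.hasAttribute("src")) fresh.textContent = old.textContent;
    old.replaceWith(fresh); // observed again, but consentState now allows it
  }
}

// Called by the banner with the user's choice, e.g. updateConsent({ analytics: true }).
function updateConsent(choices) {
  Object.assign(consentState, choices);
  if (typeof document !== "undefined") releaseBlocked();
  return { ...consentState };
}

if (typeof document !== "undefined") installObserver();
```

Two caveats a practitioner should test rather than assume. First, the observer only controls execution: the browser's preload scanner may already have requested an external script's URL by the time the element is inserted, so a tracker that sets a cookie through the Set-Cookie header on that response is not stopped by a type swap. Second, confirm the gate in a headless browser by checking both document.cookie and the network log before any click, not just that the banner rendered.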

How script blocking works

GDPR requires you to demonstrate consent if challenged (Article 7(1)). Store, per consent event: timestamp, an anonymous visitor identifier, consent state per category, the version of the consent text shown, and the method of consent. Record withdrawals as new events rather than overwriting the original, so the log still shows what was agreed and when. ConsentStack stores these automatically, viewable in the dashboard. On the Business plan, logs are retained for one year. See ConsentStack's consent analytics

What Regulators Actually Enforce

The largest cookie and consent enforcement actions to date:

| Company | Fine | Regulator | Year | What Went Wrong |
|---|---|---|---|---|
| Amazon | $821M | CNPD Luxembourg | 2021 | No consent mechanism |
| Meta | $429M | DPC Ireland | 2023 | Forced consent as condition of service |
| Google | $358M | CNIL France | 2025 | Multiple consent violations |
| Google | $165M | CNIL France | 2022 | Asymmetric buttons |
| SHEIN | $165M | CNIL France | 2025 | "Refuse all" button non-functional |
| Google | $110M | CNIL France | 2020 | Cookies before consent |
| Criteo | $44M | CNIL France | 2023 | Partner websites lacked lawful consent |

Total documented consent/cookie fines: over $2.3 billion.

Enforcement Is Accelerating

CNIL issued $523M in consent fines in September 2025 alone, exceeding all of 2020-2021 combined. Dutch DPA monitors 10,000 websites annually and plans to warn 500 organizations per year. ICO found a 67% failure rate in its UK website review. CPPA named OneTrust in the Honda enforcement. noyb found 72% of EU cookie banners contain at least one dark pattern, and only 2.18% of users visit the second layer of a consent banner.

The Belgian DPA ruled in 2022 that the IAB Transparency and Consent Framework, as then operated, violated GDPR, and the CJEU later confirmed (Case C-604/22, March 2024) that the TC String is personal data and IAB Europe a joint controller for it. The framework designed to standardize consent was itself found non-compliant.

Regulators now audit whether CMPs actually block scripts, whether buttons are truly symmetric, and whether reject actually works. The era of compliance theater is ending.

ConsentStack was built for this environment. Symmetric buttons are the default. Parse-time blocking ensures no cookies fire before consent. No dark patterns by design. See how ConsentStack ensures compliance

Implementation Guide

| Feature | Why It Matters | Red Flag |
|---|---|---|
| Parse-time script blocking | Only way to guarantee no scripts fire before consent | "Runtime blocking" or "tag manager based" |
| SDK size under 20KB | Consent tool shouldn't be the heaviest thing on your page | 100KB+ bundles (OneTrust ships 184KB+) |
| 30+ regulations | Global visitors need geo-detected consent models | "GDPR and CCPA" only |
| Platform adapters | [Google Consent Mode v2](https://consentstack.io/blog/google-consent-mode-v2-setup), Meta CAPI need consent signals | Manual GTM configuration required |
| Symmetric buttons by default | Asymmetric is the #1 enforced violation | Defaults to hidden reject |

ConsentStack checks every box: <10KB SDK, parse-time MutationObserver blocking, 32 regulations with auto geo-detection, 6 platform adapters, symmetric buttons by default, and $29/month Pro pricing. Add one script tag to your <head>, configure in the visual builder, publish.

Get started with ConsentStack

If you build this yourself, you would need: geo-detection, a consent storage backend, MutationObserver script blocking, an accessible banner UI, a preferences center, a re-entry mechanism, platform signaling (Google Consent Mode v2, Meta CAPI, TikTok, LinkedIn, Pinterest), consent proof logging, and multi-language support.

Then maintain it as regulations change, new US states pass laws, Google updates Consent Mode, and tracker databases need updates. At ConsentStack's Pro pricing ($29/month, $348/year), the annual cost is less than a single day of senior developer time.

GTM consent templates block GTM-managed tags but miss inline scripts and direct third-party includes. They provide no consent banner, no geo-detection, no consent storage, and no re-entry mechanism. When Honda was fined $632,000, the issue was a misconfigured CMP interacting with tag management. GTM templates are a supplement, not a replacement. See ConsentStack integrations


Conclusion

GDPR cookie consent is the most-enforced privacy requirement in the world. Over $2.3 billion in fines. $523M in a single month. 59% of websites with CMPs still set cookies before consent. 72% of EU cookie banners contain dark patterns. Regulators now name CMPs by name when they cause violations.

ConsentStack handles all of this: 32 regulations with automatic geo-detection. Parse-time script blocking. Symmetric buttons enforced by default. <10KB SDK. 6 platform adapters. $29/month Pro pricing with no sales calls or contracts.

Try it free. One script tag. Minutes to compliant. Get started free
