GDPR Cookie Consent: A Complete 2025 Guide for Compliance & Optimization

Written by
Laura Clayton

Key takeaways:

  • Cookie consent is required under GDPR for all non-essential cookies.
  • Consent must be explicit, informed, and freely given.
  • GDPR works alongside the ePrivacy Directive (also known as the Cookie Law) to regulate how and when cookies can be set.
  • You must provide users with a clear way to reject or manage cookies.
  • Consent banners must make it easy to withdraw consent at any time.
  • Global laws vary – UK-GDPR, CCPA, LGPD, and others have different rules.
  • Tools like Geo Consent by Geo Targetly simplify compliance by showing the right banner based on each visitor’s location.

If your website uses cookies, and it almost certainly does, you need to understand the rules around GDPR cookie consent. Since 2018, the General Data Protection Regulation (GDPR) has shaped how websites across the EU (and beyond) collect personal data, including data from cookies.

But here’s the tricky part: GDPR works alongside another set of rules, the ePrivacy Directive (aka the Cookie Law). Together, they define when and how cookie consent must be collected, and what makes it valid.

Whether you’re a site owner, marketer, or developer, this guide will walk you through exactly what compliance looks like in 2025, from the legal foundations to UX design, global nuances, and smarter tools like Geo Consent by Geo Targetly.

Good/bad cookie banner comparison

Understanding GDPR and ePrivacy: The legal foundation

Cookies might seem small, but they carry legal weight, especially when they track user behavior or store personal data. To fully understand cookie consent in the EU, you need to look at two key frameworks: the General Data Protection Regulation (GDPR) and the ePrivacy Directive.

Here’s how they work together and what that means for your site.

What is the GDPR, and how does it apply to cookies?

The GDPR governs how personal data is collected, stored, and processed. Cookies that can directly or indirectly identify a user fall under this definition.

That includes cookies that:

  • Track behavior across sessions or websites
  • Store user IDs, preferences, or IP addresses
  • Help build user profiles for marketing or analytics

Under the GDPR, consent is the legal basis you rely on for this processing (Article 6(1)(a)), and Article 4(11) sets the bar it must meet: freely given, specific, informed and unambiguous. In practice that means users must actively opt in before any non-essential cookie is set; nothing is dropped on page load and left for them to object to later.

Data protection and electronic privacy

What is the ePrivacy Directive?

Often called the “Cookie Law,” the ePrivacy Directive (2002/58/EC) deals specifically with the confidentiality of online communications. It requires that:

  • Users are given clear and comprehensive information about cookies
  • Consent is obtained before storing or accessing information on their device (unless cookies are strictly necessary)

While GDPR defines what valid consent looks like, the ePrivacy Directive is what actually triggers the need for it. Note that Article 5(3) protects the user’s device, not just their personal data: it applies to any information stored on or read from the terminal equipment, whether or not that information identifies anyone (the CJEU confirmed this in Planet49).

Think of it this way:
ePrivacy says: “You need consent for this.”
GDPR says: “Here’s what that consent must look like.”

When is consent required?

Consent is required for any cookie that is not strictly necessary to provide a service the user has explicitly asked for. The test is the cookie’s purpose, not who sets it or how it is implemented: a first-party analytics cookie is still non-essential, and a CSRF token is still necessary even though the page would render without it.

| No consent required | Consent required |
|---|---|
| Login authentication | Analytics (Google Analytics, Hotjar, etc.) |
| Shopping cart preservation | Personalization (like language preferences) |
| Load balancing / security protection | Marketing & ad targeting (Facebook Pixel, Google Ads) |
| | Social media tracking (share buttons, social login tools) |

There are many, many documents about GDPR, but unless you love reading legalese, check out the most important ones below.

Key legal references in plain language

If you want to dig into the official text, these are the most relevant parts of the law:

  • GDPR Article 4(11): Defines consent as “freely given, specific, informed and unambiguous.” In practice, this means no pre-ticked boxes, no vague explanations, and no bundling consent with unrelated actions.

  • GDPR Article 6(1)(a): Lists consent as one of the valid legal bases for processing personal data. For non-essential cookies it is effectively the only one available, because the ePrivacy Directive demands consent for the storage itself and offers no legitimate-interest alternative.

  • ePrivacy Directive Article 5(3): Storing or accessing information on a user’s device requires prior consent, except where strictly necessary for a service the user has explicitly requested.

  • Directive 2009/136/EC (the 2009 amendment to ePrivacy), Recital 66: Explains the rationale: third parties may store or access information (like cookies) on a device; users must get clear, comprehensive information and a genuine ability to refuse, with the exception for strictly necessary storage/access.

Together, these provisions form the backbone of EU cookie consent rules: ePrivacy tells you when consent is needed, and GDPR tells you how it must be collected.

Landmark legal rulings you need to know

Speaking of the legal system, since the GDPR came into force, several court decisions and enforcement actions have clarified exactly how cookie consent should work. 

These rulings have real implications for your website, especially if you’re still relying on vague consent banners or pre-ticked boxes.

Let’s look at the most important case and what it means in practice.

The Planet49 case (CJEU, 2019)

The Planet49 ruling from the Court of Justice of the European Union (CJEU) is the cornerstone of GDPR cookie consent enforcement.

What happened?

A company used a pre-ticked checkbox for cookie consent during an online contest signup. The CJEU ruled that this method did not constitute valid consent under GDPR.

The key results from this case, read together with the GDPR’s own consent requirements, are that consent must be:

  • Active: Pre-ticked boxes, default opt-ins, or passive browsing are not valid.

  • Informed: Users must be told who is placing cookies, what data is collected, why, how long each cookie lasts, and whether third parties can access it. The court singled out duration and third-party access as information that must be given.

  • Specific and granular: Users should be able to choose consent for different cookie categories, not just all-or-nothing. This follows from the GDPR’s requirement that consent be specific rather than from the ruling itself.

  • Withdrawable: Users must have the option to change or revoke their choices just as easily as they gave them.

What happens if you get it wrong?

GDPR violations can lead to multi-million-euro fines, reputational damage, and mandatory operational changes that disrupt your business. Regulators have shown they’re willing to enforce cookie consent rules aggressively:

  • Google – €100 million fine (France, 2020) for placing advertising cookies without consent and without adequate information; in 2022 the same regulator (CNIL) fined Google a further €150 million, and Facebook €60 million, for making it harder to refuse cookies than to accept them.

  • Amazon – €35 million fine (France, 2020) for setting tracking cookies without valid consent.

  • IAB Europe – Consent framework ruled non-compliant (2022), forcing industry-wide changes.

Under GDPR, penalties can reach up to €20 million or 4% of your global annual turnover (whichever is higher) for the most serious infringements. Even smaller violations can cost hundreds of thousands. Ouch!

Types of cookies & what GDPR says about each

There’s more than one metaphorical flavor of cookie, and under GDPR, how you handle each type makes a difference. Some cookies don’t require consent at all, while others can’t legally be dropped until the user opts in.

Let’s break it down by category.

1. Strictly necessary cookies: Consent NOT required

These are essential for your website to function properly. Without them, users wouldn’t be able to log in, add items to a cart, or securely browse pages. While you don’t need consent, you still have to tell users you’re collecting these.

Examples:

Session cookies
Authentication cookies
Load balancing
CSRF tokens (security)

2. Preferences/functionality cookies: Consent required

These make the user experience better, but aren’t essential. They remember choices like language, region, or UI customizations. Treat them as needing consent by default: they affect personalization and may collect identifiable data. One narrow exception regulators have accepted: a cookie that only stores a preference the user set themselves through an explicit action (clicking a language switcher, say), for the session or a short time, can count as strictly necessary for the service the user requested. Anything beyond that, such as inferring a region from the IP address or keeping the preference long-term, falls back to consent.

Examples:

Language selection
Dark mode toggle
Remembering user preferences

3. Statistics/performance cookies: Consent required

Used to gather data on how users interact with your site. This helps site owners optimize performance, but it also tracks behavior, which means it falls under GDPR. Even if IP anonymization is enabled, consent is still generally required under GDPR for analytics cookies.

Examples:

Google Analytics

Heatmaps (e.g., Hotjar)
Scroll tracking

4. Marketing/targeting cookies: Consent required

These track users across websites to show relevant ads and build behavioral profiles. They are the most heavily scrutinised category and usually come from third-party ad networks. Regulators apply GDPR and ePrivacy most strictly here because cross-site tracking links a person’s activity across unrelated services, which is exactly the profiling the rules are meant to put under the user’s control.

Examples:

Facebook Pixels

HubSpot tracking cookies

LinkedIn Insight Tag

5. Third-party cookies: Consent required

Any cookie set by a domain other than your own; often for ads, social media, or embedded services.

Examples:

YouTube video embeds

Social share buttons

External widgets (chat, reviews)

| Cookie type | Purpose | Examples | Consent required? |
|---|---|---|---|
| Strictly necessary | Site functionality | Login, cart, CSRF token | No |
| Preferences | User settings | Language, UI layout | Yes |
| Statistics | Usage tracking | Google Analytics, Hotjar | Yes |
| Marketing/targeting | Ad personalization | Facebook Pixel, Google Ads | Yes |
| Third-party | External tools/services | YouTube embeds, social icons | Yes |

What makes a GDPR-compliant cookie banner + mistakes to avoid

A cookie banner might be the first thing users see when they land on your site, but if it’s not set up correctly, it could also be the reason you get fined. Here’s a quick rundown of what makes a good banner, or a bad one, and some tips.

| GDPR-compliant feature | Common mistake to avoid | Best practice tip |
|---|---|---|
| Blocks all non-essential cookies until the user gives consent | No “Reject” button, only “Accept” or “Settings” | Test your banner to ensure analytics/ad scripts don’t run before consent is given |
| Includes clear, accessible buttons: Accept, Reject, and Customize | Using “By using this site, you consent…” without an explicit action | Place buttons side by side, same size, same visual weight |
| Offers category-level consent controls (e.g., Analytics, Marketing) | Pre-checked boxes or sliders already toggled on | Use plain-language labels like “Performance cookies” instead of technical jargon |
| Links to a detailed cookie policy | Vague or incomplete cookie disclosures | Keep your cookie policy updated and link directly to it from the banner |
| Provides a consent management tool or icon for ongoing control | No way to revisit or change cookie settings later | Use a visible, persistent icon or footer link for cookie settings |
| Avoids dark patterns that manipulate user choices | | Make the “Reject” option as easy to find and use as “Accept” |
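What “blocks non-essential cookies until consent” means in code is worth spelling out, because most failures happen here: the tag manager or pixel snippet runs on page load and the banner only records a choice after the fact. The block below is an added example, not code from this article or from Geo Consent. It assumes third-party tags are embedded as `<script type="text/plain" data-consent="statistics">`, which a browser leaves inert because it does not recognise the type, and swaps them for live scripts only for consented categories; it also builds the consent record and works out which first-party cookies to clear when consent is withdrawn. The category names, the cookie-to-category map, the domain `.example.com` and all function names are illustrative assumptions.

```javascript
// Added example (not code from the article or from Geo Consent): a minimal consent gate.
// Assumption: third-party tags are served as <script type="text/plain" data-consent="...">
// so the browser never executes them until this code replaces them with real <script> tags.

const CATEGORIES = ["necessary", "preferences", "statistics", "marketing"];

// Build the consent state from the visitor's action. "necessary" is always on and is not a choice.
function consentFromChoice(choice, custom = {}) {
  const state = { necessary: true, preferences: false, statistics: false, marketing: false };
  if (choice === "accept_all") {
    for (const c of CATEGORIES) state[c] = true;
  } else if (choice === "custom") {
    for (const c of CATEGORIES) if (c !== "necessary") state[c] = custom[c] === true;
  } else if (choice !== "reject_all") {
    throw new Error(`unknown consent choice: ${choice}`);
  }
  return state;
}

// A tag may list several categories ("statistics,marketing"); it runs only if every one is consented.
// A tag with no category, or an unknown one, never runs: unlabelled scripts must not leak through.
function allowedToRun(dataConsent, state) {
  const cats = String(dataConsent || "").split(",").map(s => s.trim()).filter(Boolean);
  return cats.length > 0 && cats.every(c => CATEGORIES.includes(c) && state[c] === true);
}

// Proof of consent (GDPR Article 7(1)). Keeps the policy version the visitor saw, so a later
// policy change can trigger a re-prompt, and deliberately no IP address: the choice is provable without it.
function buildConsentRecord(choice, state, policyVersion, now = new Date()) {
  return { timestamp: now.toISOString(), choice, categories: { ...state }, policyVersion };
}

// Cookies set on your own domain by each non-necessary category (assumed names from an audit).
// Cookies a third party sets on its own domain cannot be deleted from your page at all; the only
// control you have over those is never loading the script without consent.
const FIRST_PARTY_COOKIES = {
  preferences: ["ui_theme"],
  statistics: ["_ga", "_gid"],
  marketing: ["_fbp"],
};

// When consent is withdrawn, return the first-party cookies that must be cleared right away.
function cookiesToClear(oldState, newState) {
  const names = [];
  for (const [cat, list] of Object.entries(FIRST_PARTY_COOKIES)) {
    if (oldState[cat] === true && newState[cat] !== true) names.push(...list);
  }
  return names;
}

// Browser-only: replace inert tags with live ones for consented categories. Returns the count activated.
function activateScripts(state, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  for (const inert of Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'))) {
    if (!allowedToRun(inert.dataset.consent, state)) continue;
    const live = doc.createElement("script");
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.replaceWith(live); // inserting a fresh <script> element is what triggers execution
    activated += 1;
  }
  return activated;
}

// Browser-only: expire a first-party cookie. Domain and Path must match how it was set
// (analytics cookies are usually set with Domain=.example.com) or the browser ignores the delete.
function clearCookie(name, domain, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return;
  doc.cookie = `${name}=; Max-Age=0; Path=/` + (domain ? `; Domain=${domain}` : "");
}

// Typical flow: each banner button calls this with its choice.
function onVisitorChoice(choice, custom, previousState = consentFromChoice("reject_all"), policyVersion = "unversioned") {
  const state = consentFromChoice(choice, custom);
  const record = buildConsentRecord(choice, state, policyVersion);
  for (const name of cookiesToClear(previousState, state)) clearCookie(name, ".example.com");
  activateScripts(state);
  return { state, record };
}
```

The gate treats an unlabelled or unknown category as “do not run”, so a tag someone adds later without a `data-consent` attribute stays blocked rather than silently executing; that default is the one to keep. Cookies a third party sets on its own domain cannot be removed from your page, which is why prevention (not loading the script) rather than cleanup is the control that matters for them.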

UX and behavioral psychology in consent banners

Cookie consent isn’t just a legal checkbox, it’s also a user experience. How your banner looks, what it says, and where the buttons are placed can all influence whether someone gives (or withholds) consent.

The trick is designing a banner that encourages engagement without manipulating the user. Under GDPR, using deceptive design, or so-called dark patterns, can invalidate consent and lead to penalties.

This is how to design better banners, both legally and psychologically.

Design matters more than you think

Studies show that users are far more likely to accept cookies when the banner is designed to guide them there – big green buttons, minimal effort, no obvious alternative.

But GDPR doesn’t just care about what users do, it cares about how they’re nudged to do it. Any layout that pushes users toward “Accept” over other options can violate the requirement that consent be freely given and informed.

To avoid this:

  • Make Accept and Reject options equal in size, color, and prominence
  • Don’t bury cookie settings in multiple layers of clicks
  • Use plain language instead of technical jargon
  • Avoid auto-scrolling, time pressure, or confusing toggle switches

Once your design is down, it’s time to move to the copy.

Copywriting dos and don’ts

The words you use matter. Consent is only valid if the user knows what they’re agreeing to, so clarity is everything.

| Do | Don’t | Why it matters |
|---|---|---|
| Explain what types of cookies you use and why | Use passive or vague language like “This site uses cookies to improve experience” | Clear explanations meet GDPR’s “informed consent” requirement and help users make real choices. |
| Be specific: “We use analytics cookies to understand how visitors interact with our site” | Rely on “By using this site, you agree…” | Specificity avoids legal ambiguity and reduces the risk of fines for unclear consent requests. |
| Provide links to your cookie or privacy policy | Pre-frame acceptance as the default or expected behavior | Easy access to policies and neutral framing support transparency and avoid manipulative practices. |

Can you still design for opt-ins?

Yes, just not manipulatively. If you want to increase your opt-in rates legally, focus on:

  • Transparency and trust-building
  • Clean, accessible design
  • Clearly showing the benefits of enabling certain cookie types (“These help us improve your experience”)

Consent rates tend to be higher when users feel informed and respected, so resist the urge to trick them into saying yes.

Beyond the EU: Cookie consent around the world

While the GDPR and ePrivacy Directive set the tone for cookie consent globally, they’re not the only regulations you need to worry about. If your website gets international traffic, and especially if you use global ad platforms or analytics tools, compliance needs to go beyond Europe.

United Kingdom: UK-GDPR and PECR

Post-Brexit, the UK now enforces its own version of GDPR, known as UK-GDPR, alongside the Privacy and Electronic Communications Regulations (PECR).

For all practical purposes, the rules are nearly identical to the EU’s:

  • Consent is required for non-essential cookies
  • Consent must be freely given, specific, informed, and affirmative
  • PECR governs the use of electronic communications, including cookies

So if your site serves UK users, you need to present the same type of banner you’d use in the EU.

United States: CCPA and CPRA (California)

The California Consumer Privacy Act (CCPA) and its updated sibling, the California Privacy Rights Act (CPRA), don’t focus on cookies as directly as GDPR, but they still affect how you use them. Check out our post about CCPA and CPRA to learn more.

Under CCPA/CPRA:

  • You’re required to disclose cookie use, especially if it involves “selling” or “sharing” personal data (like via ad networks)
  • Users must be able to opt out of such sharing via a clear “Do Not Sell or Share My Personal Information” link
  • Opt-out preference signals sent by the browser, such as Global Privacy Control (GPC), must be honored as a valid opt-out; a link alone is not enough
  • Consent isn’t required for all cookies, but transparency and opt-out options are

Other U.S. states (Colorado, Virginia, Connecticut) have passed similar laws, with more expected to follow.

Brazil: LGPD

Brazil’s Lei Geral de Proteção de Dados (LGPD) is heavily inspired by the GDPR. It:

  • Requires consent for non-essential cookies that collect personal data
  • Demands clear, informed communication and a valid legal basis for processing

Much like the GDPR, LGPD consent must be active and documented.

Canada: PIPEDA

Under Canada’s PIPEDA, consent must be meaningful, which includes:

  • Full transparency about what data is collected and why
  • A clear and easy way for users to opt out
  • Proportionality: data collection must be appropriate to the context

PIPEDA doesn’t mention cookies specifically, but regulators have clarified that cookie use does fall under these consent requirements.

Why geolocation matters

Global laws differ, not just in what they require, but in how consent must be collected and displayed. Showing the same banner to every user can either:

  • Undermine user experience (showing GDPR-style banners to U.S. users who don’t legally need them), or
  • Leave you exposed to legal risk (failing to provide opt-out options to California users)

The best approach? Use geolocation-based banners that adjust based on where your visitors are coming from. One caveat: IP geolocation is a heuristic. VPNs, corporate proxies and mobile carriers can place a visitor in the wrong country, and the GDPR applies based on where the person actually is, not where their traffic appears to originate. When the lookup is uncertain, fall back to the strictest banner that could apply rather than the most permissive one.

Geo Consent by Geo Targetly: A smarter way to stay compliant

So far, we’ve talked about the legal requirements, common mistakes, and how different regions enforce different rules. Now here’s the problem: no single cookie banner setup can cover all that. At least not without frustrating your users or risking non-compliance.

That’s where Geo Consent by Geo Targetly can help.

What is Geo Consent?

Geo Consent is a geolocation-based cookie consent tool designed to help you meet regional requirements automatically. Instead of showing the same banner to every visitor, it detects the user’s location and displays the right banner tailored to local laws like:

  • GDPR (EU and UK)
  • CCPA/CPRA (California)
  • LGPD (Brazil)
  • PIPEDA (Canada)
  • And more

This ensures you’re offering the correct consent format and legal language for each visitor, without cluttering the experience for those who don’t need a full opt-in banner.

Why it’s different from basic CMPs

Most consent management platforms (CMPs) are either too rigid or too generic. They either:

  • Use a one-size-fits-all banner (which risks over-disclosure or under-compliance), or
  • Require heavy manual configuration to get region-specific behavior

Geo Consent solves this by doing the hard work for you:

  • Automatically detects user location
  • Displays region-specific banners with the correct format (opt-in, opt-out, info-only)
  • Blocks cookies prior to consent (for GDPR)
  • Offers full category-level controls, banner styling, and custom messaging
  • Integrates with all major websites and CMSs, with lightweight performance

It’s flexible, lightweight, and built for teams who want compliance without the chaos.

What this looks like in practice

Let’s say your site gets traffic from the EU, the US, and Brazil. Here’s what Geo Consent might display:

| Region | Consent mode | Example banner type |
|---|---|---|
| Germany | Opt-in | Full granular consent with reject + category controls |
| California | Opt-out | “Do Not Sell My Info” banner with disclosure-only cookies |
| Brazil | Opt-in | Consent request with clear purpose descriptions |
| Canada | Info + opt-out | Informative banner with settings link |

No extra coding or switching tools. Just one system that adapts to your users wherever they are.

Try it for yourself

You don’t need to take our word for it. Try Geo Consent free for 14 days and see how easy it is to stay compliant, build trust, and create a better user experience, no matter where your visitors come from.


Step-by-step implementation checklist

Understanding GDPR and cookie consent laws is one thing. Actually implementing a compliant solution on your site? That’s where things often fall apart.

Use this step-by-step checklist to roll out a legally sound, user-friendly cookie consent strategy, no matter what kind of site you run.

1. Audit your cookies

Start by scanning your website to identify all cookies currently in use. You need to know:

  • Which scripts set cookies (analytics, ads, embedded media, etc.)
  • Whether they are first-party or third-party
  • What data they collect and for how long

You can use browser dev tools (the storage or application panel lists every cookie with its domain, expiry and Secure/HttpOnly/SameSite flags, and the network panel shows which response set it), online scanners, or built-in features in tools like Geo Consent to generate this audit. Scan while logged out, while logged in, and after interacting with embedded widgets, since many third-party cookies only appear once a widget loads.

2. Categorize your cookies

Group each cookie into the appropriate category:

  • Strictly necessary
  • Preferences/functionality
  • Statistics/analytics
  • Marketing/targeting

Only strictly necessary cookies can be set without consent. All others require proper consent mechanisms.

3. Choose a consent management platform (CMP)

You need a tool that can:

  • Block cookies before consent is given
  • Show a customizable, legally compliant banner
  • Store consent logs in case of audits
  • Display region-specific consent types (opt-in, opt-out, or disclosure-only)

4. Design your banner with UX and compliance in mind

Make sure your banner:

  • Explains what cookies are used and why
  • Allows users to accept, reject, or customize cookies
  • Provides granular category-level controls
  • Links to your full cookie and privacy policy
  • Avoids any layout tricks or manipulative design

Also include a persistent icon or footer link that lets users change their consent at any time.

5. Test across regions

If your tool supports geolocation (like Geo Consent does), check that:

  • EU users see a full opt-in banner
  • California users see a CCPA-style disclosure + opt-out link
  • Other regions are covered appropriately

Make sure cookie-blocking behavior matches legal requirements before and after consent is given.

6. Document consent records

You should be able to prove when, how, and from whom you obtained consent. This is not just good practice: GDPR Article 7(1) puts the burden on you, as the controller, to demonstrate that the user consented.

Your CMP should log:

  • Timestamp of consent
  • Type of consent given (full, partial, rejected) and the categories selected
  • The version of the banner text and cookie policy the user saw, so you can show what they were informed of and re-prompt when it changes
  • IP address or device data (where legally allowed)

7. Update your privacy policy

Your cookie and privacy policies should reflect:

  • What cookies are in use
  • What data is collected and why
  • Who sets the cookies (including third parties)
  • How users can manage or withdraw consent

This isn’t optional. Transparency is a legal requirement under GDPR and related laws.
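Step 1 of this checklist, the audit, is the part usually done by hand and therefore done badly. The following is an added example, not code from the article or from any Geo Targetly product: it parses captured Set-Cookie headers (the data a HAR export from browser dev tools gives you per response) into the fields an audit needs, decides first- versus third-party by comparing the cookie’s effective domain with the audited site, and flags lifetimes over twelve months and weak attributes. The capture format, the site name `www.example.com`, the cookie names and the function names are assumptions; the sample capture is constructed, not real traffic, and the registrable-domain check is a deliberate simplification noted in the code.

```javascript
// Added example (not part of the article or any Geo Targetly tool): turn captured Set-Cookie
// headers into audit rows. Input format {requestHost, setCookie} is an assumption; a HAR export
// carries the same two pieces of information for every response.

// Approximate the registrable domain by the last two labels. Simplification: a real audit should
// use the Public Suffix List so that "example.co.uk" is not reduced to "co.uk".
function registrableDomain(host) {
  const labels = host.toLowerCase().replace(/^\./, "").split(".");
  return labels.slice(-2).join(".");
}

// Parse one Set-Cookie header per RFC 6265: first pair is name=value, the rest are attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map(s => s.trim());
  const eq = pair.indexOf("=");
  const cookie = {
    name: eq === -1 ? pair : pair.slice(0, eq),
    valueLength: eq === -1 ? 0 : pair.length - eq - 1, // never store the value; it may be personal data
    domain: null, path: "/", expires: null, maxAge: null,
    secure: false, httpOnly: false, sameSite: null,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? "" : attr.slice(i + 1).trim();
    switch (key) {
      case "domain": cookie.domain = val.toLowerCase().replace(/^\./, ""); break;
      case "path": cookie.path = val || "/"; break;
      case "expires": cookie.expires = val; break;
      case "max-age": cookie.maxAge = Number.parseInt(val, 10); break;
      case "secure": cookie.secure = true; break;
      case "httponly": cookie.httpOnly = true; break;
      case "samesite": cookie.sameSite = val ? val[0].toUpperCase() + val.slice(1).toLowerCase() : null; break;
      default: break; // unknown attributes are ignored, as browsers do
    }
  }
  return cookie;
}

// Lifetime in days: Max-Age takes precedence over Expires (RFC 6265 §5.3); neither means a session cookie.
function lifetimeDays(cookie, observedAt) {
  if (Number.isInteger(cookie.maxAge)) return cookie.maxAge / 86400;
  if (cookie.expires) {
    const t = Date.parse(cookie.expires);
    if (!Number.isNaN(t)) return (t - observedAt.getTime()) / 86400000;
  }
  return null;
}

// Audit one captured response against the site being audited.
function auditCookie(requestHost, header, siteHost, observedAt) {
  const c = parseSetCookie(header);
  const effectiveHost = c.domain || requestHost.toLowerCase();
  const party = registrableDomain(effectiveHost) === registrableDomain(siteHost) ? "first" : "third";
  const days = lifetimeDays(c, observedAt);
  const flags = [];
  if (party === "third") flags.push("third-party: needs consent unless strictly necessary");
  if (days !== null && days > 365) flags.push("lifetime over 12 months");
  if (!c.secure) flags.push("missing Secure");
  if (c.sameSite === "None" && !c.secure) flags.push("SameSite=None without Secure is rejected by browsers");
  if (c.sameSite === null) flags.push("no SameSite attribute");
  return { name: c.name, host: effectiveHost, party, persistent: days !== null, lifetimeDays: days,
           secure: c.secure, httpOnly: c.httpOnly, sameSite: c.sameSite, flags };
}

function auditCapture(entries, siteHost, observedAt) {
  return entries.map(e => auditCookie(e.requestHost, e.setCookie, siteHost, observedAt));
}

// Constructed sample capture (not real traffic): the shape of data a HAR export yields.
const SAMPLE_CAPTURE = [
  { requestHost: "www.example.com", setCookie: "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { requestHost: "www.example.com", setCookie: "_ga=GA1.2.123.456; Domain=.example.com; Path=/; Max-Age=63072000; SameSite=Lax; Secure" },
  { requestHost: "ad.doubleclick.net", setCookie: "IDE=opaque; Domain=.doubleclick.net; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/; Secure; HttpOnly; SameSite=None" },
];

// Run the audit at a fixed observation time so lifetimes computed from Expires are reproducible.
function runSampleAudit() {
  return auditCapture(SAMPLE_CAPTURE, "www.example.com", new Date("2024-07-02T00:00:00Z"));
}
```

The audit rows carry the cookie name, owner, lifetime and flags but not the value: cookie values frequently are the identifier the whole exercise is about, and the audit spreadsheet should not become another copy of them. Feed the first-party, non-necessary rows into the category map your consent gate uses, and treat every third-party row as “blocked until consent” unless you can point to the user-requested service it is strictly necessary for.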

Final thoughts

Cookie consent isn’t just a legal requirement, it’s a trust signal. When done right, it tells users you take their privacy seriously and respect their right to choose what data they share.

In 2025, compliance means more than adding a banner to your homepage. It means understanding how laws like GDPR, ePrivacy, CCPA, and others intersect. It means giving users clear, fair, and accessible options. And it means choosing the right tools to help you manage all of that without sacrificing user experience.

If your site attracts global traffic, a one-size-fits-all approach won’t cut it anymore. That’s why platforms like Geo Consent by Geo Targetly offer a more modern solution, helping you stay ahead of evolving regulations while keeping things simple and scalable.

The bottom line? Prioritize clarity. Prioritize user control. And most of all, treat consent as an ongoing experience. Not a one-time checkbox.


FAQ

What is GDPR cookie consent?

It’s a legal requirement under the General Data Protection Regulation (GDPR) that users must actively agree to the use of non-essential cookies (like tracking or analytics) before those cookies can be set.

Is cookie consent required under GDPR?

Yes, for any cookie that is not strictly necessary for a service the user has asked for. The trigger comes from the ePrivacy Directive and applies whether or not the cookie holds personal data; the GDPR then sets the standard the consent must meet.

What types of cookies require user consent?

Analytics, marketing, personalization, and third-party cookies all require prior consent under GDPR. Only strictly necessary cookies are exempt.

What is the difference between GDPR and the ePrivacy Directive?

The ePrivacy Directive (aka the Cookie Law) determines when consent is needed (e.g., for storing cookies), while the GDPR defines how that consent must be collected: freely given, informed, specific, and unambiguous.

Are cookie banners mandatory under GDPR?

Yes, if your website uses cookies that require consent, you need a clear and compliant cookie banner to capture and manage that consent.

What makes a cookie banner GDPR-compliant?

It must:

  • Block non-essential cookies until consent is given

  • Offer clear Accept and Reject options

  • Allow granular control over cookie categories

  • Provide links to a detailed cookie policy

  • Let users change or withdraw consent at any time

Are pre-checked boxes allowed for cookie consent?

No. Consent must be an affirmative action. Pre-ticked boxes or default opt-ins are not valid under GDPR.

Can I use implied consent for cookies under GDPR?

No. “By continuing to use this site…” messages are not enough. Users must actively opt in.

How do I categorize cookies for GDPR compliance?

Cookies should be sorted into:

  • Strictly necessary (no consent required)

  • Preferences/functionality

  • Statistics/analytics

  • Marketing/targeting

Only the first category is exempt from consent.

What happens if my website doesn’t comply with GDPR cookie rules?

You could face regulatory enforcement, including warnings, public reprimands, or fines, some in the millions of euros, especially if you collect data without proper consent.

How often should I ask users for cookie consent?

Best practice is to ask on the first visit, then re-prompt:

  • When the cookie categories change

  • After a set time period (typically 6–12 months)

  • If the user withdraws consent

Can users withdraw cookie consent after accepting?

Yes, and they must be able to do so easily. This is a core requirement of GDPR. A persistent link or settings icon should allow users to revisit their choices at any time.

Laura Clayton is a marketing strategist and seasoned copywriter specializing in ecommerce growth and geo-personalization. With a background in fiction writing from Columbia College Chicago and a professional journey that has spanned government investigation, education, and real estate, Laura brings a unique blend of analytical rigor and creative insight to her work. Since 2019, she has helped SaaS companies across a variety of industries craft high-converting content that drives engagement and results. At Geo Targetly, Laura draws on her deep expertise in geo targeting and user personalization to help online businesses deliver location-relevant experiences that boost conversions and enhance user satisfaction.
