GDPR and Cookies

The General Data Protection Regulation (GDPR) and the ePrivacy Directive together form the legal framework that governs how websites use cookies in the European Union and the UK.

ePrivacy Directive and GDPR: how they work together

Cookie consent in Europe is governed by two separate but complementary laws. Understanding what each one covers clarifies what you need to comply with:

  • ePrivacy Directive (2002/58/EC, amended 2009): governs the act of storing or accessing information on a user's device. This is the law that specifically requires consent before setting cookies.
  • GDPR (2016/679): governs the processing of personal data collected through cookies. It defines what counts as valid consent and sets the penalties for non-compliance.

In short: the ePrivacy Directive requires you to get consent before setting a cookie. The GDPR defines the standard that consent must meet and regulates what you do with the data afterwards. You need to comply with both, but in practice they form a single workflow: ask for consent properly, then handle the data lawfully.

What GDPR requires for cookies

Prior consent

No non-essential cookies may be set before the visitor actively consents. The website must block analytics, marketing, and other tracking scripts until the visitor clicks "Accept" or selects specific categories.

Granular choices

Visitors must be able to accept or reject cookies by category. An "Accept All" button is allowed, but there must also be an equally accessible way to reject non-essential cookies or customize choices.

Easy withdrawal

It must be as easy to withdraw consent as it is to give it. A persistent button or icon that reopens the consent preferences satisfies this requirement.

Consent records

The website must be able to demonstrate that consent was obtained. This means storing timestamped records of each visitor's consent choices.

Clear information

The consent banner must explain what cookies the site uses, why, and who has access to the collected data. Vague statements like "we use cookies to improve your experience" are not sufficient.

What "strictly necessary" means

The ePrivacy Directive exempts cookies that are "strictly necessary" for providing a service explicitly requested by the user. These cookies do not require consent.

A cookie is strictly necessary only if the website cannot function without it. Session cookies for login, shopping cart cookies, security tokens, and the consent preference cookie itself (the cookie that stores the visitor's consent choice) all qualify. Analytics cookies, even if you consider them important for your business, do not.

The test is whether the service would break for the user without that specific cookie, not whether it's useful for the website operator.

Legitimate interest and cookies

Some consent management frameworks (notably IAB's Transparency and Consent Framework) allow setting certain cookies based on "legitimate interest" rather than consent. This means the website operator claims a business need that outweighs the visitor's privacy interest, without asking for explicit permission.

This practice is controversial. Several data protection authorities have taken the position that legitimate interest is not a valid legal basis for non-essential cookies, because the ePrivacy Directive specifically requires consent for storing data on a user's device, regardless of the legal basis under GDPR. LiteConsent uses a consent-based approach: non-essential cookies require the visitor's active choice.

Common violations

Setting cookies before consent

Loading Google Analytics or advertising scripts on page load, before the visitor has interacted with the banner. This is the most common violation and has led to significant fines across Europe.

No reject option

Showing an "Accept" button without an equally prominent way to reject non-essential cookies. Several data protection authorities have ruled that a hidden "manage preferences" link is not sufficient.

Pre-ticked checkboxes

Showing cookie category checkboxes that are pre-selected. The Court of Justice of the EU ruled in 2019 (Planet49 case) that pre-ticked boxes do not constitute valid consent.

Cookie walls

Blocking access to website content unless the visitor accepts all cookies. Most data protection authorities consider this non-compliant because consent is not freely given if the alternative is losing access. Some jurisdictions allow variations where a paid alternative is offered, but the safest approach is to avoid cookie walls entirely.

Penalties

GDPR violations can result in fines of up to 4% of global annual turnover or 20 million euros, whichever is higher. However, cookie-specific fines are often imposed under national laws implementing the ePrivacy Directive, where penalties vary by country. For example, CNIL (France) has issued cookie fines under French national law rather than directly under GDPR.

  • Data protection authorities in France (CNIL), Italy, Spain, and Austria have issued fines specifically for cookie consent violations
  • Enforcement has targeted both large companies and smaller websites
  • The trend is toward stricter enforcement, not less

UK GDPR

After Brexit, the UK adopted its own version of the GDPR (the UK GDPR), enforced by the Information Commissioner's Office (ICO). The cookie consent requirements are functionally identical to EU GDPR. The UK also retains the Privacy and Electronic Communications Regulations (PECR), which is the UK's equivalent of the ePrivacy Directive and specifically governs cookie consent.

How LiteConsent handles GDPR compliance

For EU and UK visitors, LiteConsent enforces an opt-in consent flow:

  • Script blocking before consent: non-essential scripts are prevented from executing until the visitor actively consents, using resource rules and markup-mode attributes
  • Granular category choices: the banner presents each cookie category individually, with accept and reject options
  • Consent withdrawal: a persistent floating icon lets visitors reopen preferences and change their choices at any time
  • Consent logging: every consent decision is stored with a timestamp, visitor identifier, and the categories chosen, accessible from the dashboard's Consent Logs tab
  • Jurisdiction detection: LiteConsent determines the visitor's location at the CDN edge and applies the GDPR flow only to EU/UK visitors. See Jurisdictions for details.
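The script blocking before consent and the consent logging described above, as an added example that is not LiteConsent's own code: scripts are authored as `type="text/plain"` with an assumed `data-consent-category` attribute so the browser never executes them, the banner's choices become a timestamped record, and only scripts in accepted categories (plus the "necessary" category) are swapped back to executable elements. It goes slightly beyond the text by treating untagged scripts and unknown categories as blocked by default.

```javascript
// Added example (not LiteConsent's code): markup-mode script gating plus a
// timestamped consent record. Attribute and category names are assumptions.
//
// Authored markup (constructed): the browser ignores type="text/plain", so the
// script cannot run before consent:
//   <script type="text/plain" data-consent-category="analytics" src="/ga.js"></script>

const ALWAYS_ALLOWED = new Set(['necessary']); // strictly necessary: no consent needed

// Turn the banner's per-category choices into a record that can be logged.
// Anything not explicitly true is treated as a refusal (no pre-ticked defaults).
function buildConsentRecord(choices, now = new Date()) {
  const categories = {};
  for (const [name, accepted] of Object.entries(choices)) {
    categories[name] = accepted === true;
  }
  return { timestamp: now.toISOString(), categories };
}

// Deny by default: an untagged script or an unknown category stays blocked.
function isAllowed(category, record) {
  if (!category) return false;
  if (ALWAYS_ALLOWED.has(category)) return true;
  return record.categories[category] === true;
}

// Pure planning step over {category, src|text} descriptors, testable without a DOM.
function planActivation(descriptors, record) {
  return descriptors.filter((d) => isAllowed(d.category, record));
}

// DOM step: replace each eligible blocked <script> with an executable clone.
// A clone is needed because changing .type on an existing element never
// triggers execution; returns the number of scripts activated.
function activateBlockedScripts(doc, record) {
  const blocked = doc.querySelectorAll('script[type="text/plain"][data-consent-category]');
  let activated = 0;
  for (const old of blocked) {
    if (!isAllowed(old.getAttribute('data-consent-category'), record)) continue;
    const fresh = doc.createElement('script'); // default type: executable JavaScript
    for (const attr of old.attributes) {
      if (attr.name !== 'type') fresh.setAttribute(attr.name, attr.value);
    }
    if (!old.hasAttribute('src')) fresh.text = old.text; // copy inline script body
    old.replaceWith(fresh);
    activated += 1;
  }
  return activated;
}
```

Call `activateBlockedScripts(document, record)` once from the banner's accept or save handler; until then the tagged scripts are inert markup.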