
What GDPR Actually Requires for Cookie Consent

CookieGap Team

Cookie consent under GDPR is one of the most misunderstood areas of privacy law. Regulators across the EU have issued billions in fines — not because companies ignored cookies entirely, but because their consent mechanisms had subtle flaws.

What GDPR actually requires

The law is clear on four points: consent must be freely given, specific, informed, and unambiguous. In practice this means users must be able to say no as easily as they can say yes, and tracking cookies cannot fire before the user has made that choice.

The three most common mistakes

First, pre-ticked boxes. Checkboxes that default to "yes" for analytics or advertising cookies are not valid consent — the user must take an affirmative action. Second, burying the reject option. If your banner has a prominent "Accept All" button and a hard-to-find "Manage Preferences" link, regulators consider the choice unfair. Third, cookies that fire before consent. This is the most technically common failure — analytics tags loading on page render before the user has responded to the banner at all.

What a compliant flow looks like

A compliant implementation presents a clear choice upfront, fires no non-necessary cookies until that choice is made, and stores the consent record. If a user rejects, a subsequent page load should respect that decision — no trackers, no exceptions.
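
The flow described above, sketched as a small consent gate. This is an added example, not CookieGap's code; the class name, storage key and category names are assumptions. Optional tags are held until the banner returns a choice, only an explicit true grants a category, and the stored record is honoured on the next page load.

```javascript
// Added example: hypothetical names throughout (ConsentGate, "cg_consent", the categories).
const OPTIONAL = ["analytics", "advertising"]; // assumed non-necessary categories
const KEY = "cg_consent";

class ConsentGate {
  // storage: Map-like get/set (in a browser, a wrapper over a first-party cookie).
  // loadTag: callback that really injects the script; nothing else may load tags.
  constructor(storage, loadTag) {
    this.storage = storage;
    this.loadTag = loadTag;
    this.pending = [];               // optional tags held until a choice exists
    this.record = this.readRecord(); // null means "no decision yet"
  }

  readRecord() {
    try {
      const rec = JSON.parse(this.storage.get(KEY));
      // A damaged or partial record counts as no decision, never as consent.
      const ok = rec && OPTIONAL.every((c) => typeof rec.choices?.[c] === "boolean");
      return ok ? rec : null;
    } catch {
      return null;
    }
  }

  // Every tag goes through here; returns "loaded", "held" or "blocked".
  register(tag) {
    if (tag.category === "necessary") { this.loadTag(tag); return "loaded"; }
    if (!OPTIONAL.includes(tag.category)) return "blocked"; // unknown category: fail closed
    if (!this.record) { this.pending.push(tag); return "held"; }
    if (this.record.choices[tag.category]) { this.loadTag(tag); return "loaded"; }
    return "blocked";
  }

  // Called from the banner. Only an explicit `true` grants a category, so a
  // missing or non-boolean value can never turn into consent by default.
  decide(choices, now = new Date()) {
    const granted = {};
    for (const c of OPTIONAL) granted[c] = choices[c] === true;
    this.record = { choices: granted, decidedAt: now.toISOString() };
    this.storage.set(KEY, JSON.stringify(this.record)); // the stored consent record
    const held = this.pending.splice(0);
    return held.map((t) => this.register(t)); // release or drop what was waiting
  }
}
```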

Running a free CookieGap scan will show you exactly which of these your site passes or fails, with a compliance score and specific recommendations.
