European Union · GDPR

GDPR Cookie Compliance Guide

What the EU's General Data Protection Regulation requires for cookies and trackers.

Last reviewed: 2026-04-29

What GDPR is

The General Data Protection Regulation (GDPR) is the European Union's comprehensive data protection law. It came into force on 25 May 2018 and replaced the older 1995 Data Protection Directive. GDPR governs how organisations collect, store, use, and share personal data — and cookies that identify a user count as personal data.

For website operators, the most important effects of GDPR are: a hard requirement for a lawful basis before any non-essential processing, a duty to obtain genuine consent (not inferred consent) for that processing, and a long list of user rights including the right to withdraw consent as easily as it was given.

Who GDPR applies to

  • Any organisation established in the EU, regardless of where the data subject lives.
  • Any organisation outside the EU that offers goods or services to people in the EU (paid or free) or that monitors EU residents' behaviour — including via analytics, ad-tech, or fingerprinting.

The UK has its own near-identical "UK GDPR" since Brexit. If you serve UK users, the analysis in this guide applies in substantially the same way under the UK regime enforced by the ICO.

Common violations CookieGap detects

  • Cookies set before consent — Google Analytics, Meta Pixel, or any third-party script firing on page load is the single most common issue we see.
  • Cookies persisting after reject — the site shows a banner, the user clicks reject, but tracking cookies are still set on the next page load. This indicates the consent management platform isn't actually wired to block scripts.
  • Missing or hidden reject button — only an "Accept all" button on the first layer, with reject hidden behind "Manage preferences" or buried in a settings modal.
  • No privacy policy — or one that doesn't disclose the third parties receiving data.
  • Legitimate-interest abuse — claiming legitimate interest as the legal basis for marketing or analytics cookies, especially in IAB TCF strings.

Penalties

GDPR fines can reach €20 million or 4% of global annual turnover, whichever is higher. Beyond fines, regulators routinely order processing to stop, which can mean turning off analytics or ad-tech entirely until the consent flow is fixed. Major enforcement decisions against Google, Amazon, and Meta have all centred on cookie consent specifically.

How CookieGap helps

CookieGap runs a real browser against your site from an EU IP, captures the cookies loaded before consent, after accept, and after reject (with a reload), and identifies the consent management platform you're using. The report flags pre-consent tracking, reject-button issues, persistence-after-reject, and missing privacy policies — the violations that drive most GDPR enforcement.

What CookieGap measures for GDPR

Derived from the live scanner rubric — updates automatically when the rubric changes.

  • No consent banner present
  • No reject button (consent not freely given)
  • Tags fired without matching consent (CMP-verified)
  • Non-necessary cookies persist after reject
  • Non-necessary cookies set before consent
  • No privacy policy found
  • Legitimate interest claimed on consent-required TCF purposes
  • Trackers declared as necessary / uncategorized

For the full picture — including what we don't measure — see scope & limitations.
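As an added illustration (not CookieGap's own code), the following turns the three cookie snapshots described above (before consent, after accept, after reject with a reload) plus the CMP's own cookie declarations into the rubric findings listed here. The cookie names, the declaration map and the tracker name patterns are constructed sample values.

```python
from __future__ import annotations
import re

# Name patterns of cookies commonly set by analytics / ad pixels.
# Constructed sample list for the example, not an exhaustive registry.
TRACKER_PATTERNS = [r"^_ga", r"^_gid$", r"^_fbp$", r"^_gcl_"]


def is_tracker(name: str) -> bool:
    """True when the cookie name looks like a well-known analytics/ad cookie."""
    return any(re.match(p, name) for p in TRACKER_PATTERNS)


def non_necessary(cookies: set[str], declared: dict[str, str]) -> set[str]:
    """Cookies the CMP did not declare 'necessary'; undeclared ones count as non-necessary."""
    return {c for c in cookies if declared.get(c, "uncategorized") != "necessary"}


def evaluate(before: set[str], after_accept: set[str], after_reject: set[str],
             declared: dict[str, str], has_banner: bool, has_reject: bool) -> dict[str, list[str]]:
    """Map the captured snapshots onto the rubric items from the guide."""
    findings: dict[str, list[str]] = {}
    if not has_banner:
        findings["no_consent_banner"] = []
    if has_banner and not has_reject:
        findings["no_reject_button"] = []
    pre = non_necessary(before, declared)
    if pre:
        findings["non_necessary_before_consent"] = sorted(pre)
    persist = non_necessary(after_reject, declared)
    if persist:
        findings["non_necessary_persist_after_reject"] = sorted(persist)
    # A tracker the CMP labels 'necessary' (or leaves uncategorized) bypasses the consent gate.
    seen = before | after_accept | after_reject
    misdeclared = {c for c in seen if is_tracker(c)
                   and declared.get(c, "uncategorized") in ("necessary", "uncategorized")}
    if misdeclared:
        findings["trackers_declared_necessary_or_uncategorized"] = sorted(misdeclared)
    return findings


# Constructed sample scan: the session cookie is legitimately necessary; _ga fires before
# consent and survives reject; _fbp is set only after accept but the CMP labels it 'necessary'.
SAMPLE_DECLARED = {"sessionid": "necessary", "_ga": "analytics", "_fbp": "necessary"}
SAMPLE_BEFORE = {"sessionid", "_ga"}
SAMPLE_AFTER_ACCEPT = {"sessionid", "_ga", "_fbp"}
SAMPLE_AFTER_REJECT = {"sessionid", "_ga"}

if __name__ == "__main__":
    report = evaluate(SAMPLE_BEFORE, SAMPLE_AFTER_ACCEPT, SAMPLE_AFTER_REJECT,
                      SAMPLE_DECLARED, has_banner=True, has_reject=True)
    for item, cookies in report.items():
        print(item, cookies)
```

A real scan would fill the three sets from the browser's cookie jar at each phase; the declaration map comes from whatever the CMP publishes for the site.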

Frequently asked questions

Does GDPR require a cookie banner?

GDPR requires a lawful basis for processing personal data. For non-essential cookies and trackers, that basis is almost always consent — and consent under GDPR must be specific, informed, freely given, and revocable. In practice this means a banner that loads no non-essential cookies until the visitor opts in, with reject and accept options that are equally prominent.

Can I rely on legitimate interest for analytics cookies?

European data protection authorities have repeatedly held that legitimate interest is not a valid basis for analytics or advertising cookies that involve personal data. The combination of GDPR and the ePrivacy Directive effectively requires opt-in consent for any non-strictly-necessary cookie that reads or stores information on a user's device.

What counts as a 'strictly necessary' cookie?

Cookies that are essential to provide a service the user has explicitly requested — for example, a session token that keeps the user logged in, a CSRF token, or a shopping cart identifier. Analytics, A/B testing, social embeds, and ad targeting are never strictly necessary, even if you consider them business-critical.

Does GDPR apply to my site if I'm based outside the EU?

Yes, if you offer goods or services to people in the EU or monitor their behaviour. Targeting language, currency, and the practical reality of who uses the site all matter — a US-based blog with EU readers may still fall under GDPR if it shows ads or runs analytics on those visitors.

How long can consent be valid before I have to ask again?

GDPR doesn't fix a single expiry, but most data protection authorities recommend re-asking at least every 12 months — and immediately whenever your processing purposes or third-party recipients change. Storing consent indefinitely is not defensible.

See where your site stands

Run a free CookieGap scan and get a GDPR compliance report in under a minute.


This guide is informational only and does not constitute legal advice. Privacy laws evolve frequently — always confirm current obligations with qualified counsel before making compliance decisions.