
GDPR and Cookie Consent: The Practical Guide for Global Businesses

10 min read Nick Ashkar

GDPR fines have topped €4.3 billion since 2018. Meta paid €1.2 billion in a single enforcement action in 2023. And yet 65% of consent banners deployed right now are technically non-compliant — including many that were built by someone who genuinely thought they were following the rules.

The gap between what GDPR requires and what most businesses implement is frustrating, because the regulation is actually readable. The confusion comes from the ad-tech industry spending years designing consent flows to maximise opt-ins rather than to obtain genuine consent. That practice is unwinding fast, and regulators aren't being gentle about it.

This guide explains what the law actually says, what compliant implementation looks like, where most businesses go wrong, and what you need to do if your current setup falls short.


What GDPR Actually Requires (And What It Doesn't)

The regulation doesn't mention "cookie banners" once. What it requires is a lawful basis for processing personal data. Cookies that track behaviour, build profiles, or share data with third parties involve personal data. So you need a lawful basis before you set them.

For most marketing and analytics cookies, that lawful basis is consent. GDPR defines valid consent as: freely given, specific, informed, and unambiguous. All four conditions need to be met — not just ticked off on paper, but genuinely satisfied.

The problem is that most consent banners fail at least one of these. "Freely given" means the user can decline just as easily as they can accept. Hiding the reject button, pre-ticking boxes, or burying opt-out options in nested menus all fail this standard. Regulators across Europe have issued hundreds of fines for exactly these patterns.

The ePrivacy Directive Still Applies

Alongside GDPR, the ePrivacy Directive (sometimes called the "Cookie Law") specifically governs cookie use in the EU. Its Article 5(3) requires prior consent before storing information on, or reading information from, a user's device, unless that is strictly necessary for a service the user has asked for. That covers more than cookies: localStorage, tracking pixels and fingerprinting scripts fall under the same rule. GDPR then governs how that consent is obtained and recorded. Both apply simultaneously; you can't satisfy one while ignoring the other.

The ePrivacy Regulation that was meant to replace the Directive has been stuck in draft since the Commission proposed it in 2017. Don't wait for it to finalise before getting compliant with the existing rules.


Cookie Categories: What You're Actually Deploying

Before you can build a compliant consent mechanism, you need to know what cookies your site sets. Most businesses are surprised by the audit results. Third-party scripts — social share buttons, embedded videos, support widgets, analytics platforms — often set cookies automatically on page load, before any consent is recorded.

Strictly Necessary Cookies

These don't require consent. They're essential for the site to function: session management, shopping cart state, security tokens, load balancing. The key word is "strictly" — if your site would still work without it, it doesn't qualify. Using this category as a catch-all for everything you don't want to ask consent for is one of the most common violations regulators flag.

Functional (Preference) Cookies

These remember choices the user has made: language preference, accessibility settings, saved login. Technically optional, but the user experience degrades without them. Note that "legitimate interests" is a GDPR lawful basis and has no equivalent under ePrivacy: a cookie either falls under the strictly-necessary exemption or it needs consent. Some DPAs (CNIL, for example) treat a cookie that stores a preference the user explicitly set, such as a language chosen from a selector, as covered by the exemption because the user requested that functionality. The safer approach is still to include these in your consent flow.

Analytics Cookies

Google Analytics, Mixpanel, Hotjar: these require consent in the EU. Google's GA4 "consent mode" allows some measurement without full consent, at a significant cost in data quality. Be clear about what it does: in basic mode the tag doesn't fire at all until consent is granted; in advanced mode cookieless pings are still sent to Google before consent, and whether that transfer is acceptable is a question your own assessment has to answer. There's no compliant workaround that preserves the same data collection without asking users to opt in.

Some organisations are moving to analytics tools like Plausible or Fathom, which set no cookies and don't build persistent per-user identifiers. Whether that removes the consent requirement depends on the regulator: CNIL, for instance, exempts audience-measurement tools only when they meet specific conditions (first-party use, aggregate statistics, no cross-site tracking). Check the relevant DPA's guidance rather than assuming "no cookie" means "no consent". It is still a valid architectural choice if low opt-in rates are hurting your analytics.

Marketing and Targeting Cookies

Facebook Pixel (now Meta Pixel), Google Ads conversion tracking, LinkedIn Insight Tag: all require explicit consent before the tag executes or the pixel request fires, not merely before a cookie is written. These are the highest-risk category. They send data to third-party platforms that may combine it with other data they hold, which makes the processing scope difficult to fully disclose. Regulators are particularly focused on this category.


What a Compliant Consent Banner Actually Looks Like

The ICO (UK), CNIL (France), and the Dutch DPA have all published specific guidance on consent banner design. Their enforcement actions show a consistent pattern of what they reject.

What Makes a Banner Non-Compliant

  • No "Reject All" button at the first layer — if accepting is one click but rejecting requires three, that's not freely given consent
  • Pre-ticked boxes — consent must be active, not passive
  • Cookies loaded before consent is recorded — this is arguably the most common violation, and the hardest to fix without proper consent management tooling
  • Dark patterns in button design — making "Accept" visually prominent and "Reject" grey and small is considered a dark pattern by most EU regulators
  • No way to withdraw consent — users must be able to change their mind, and doing so must be as easy as giving consent was
  • Vague category descriptions — "We use cookies to improve your experience" doesn't satisfy the "specific and informed" requirement

What Compliant Looks Like

  • Accept All and Reject All buttons at equal visual prominence on the first layer
  • A clear third option — "Manage Preferences" — for granular control
  • Specific descriptions of what each category does and which vendors are involved
  • No cookies loaded (except strictly necessary) until consent is recorded
  • Consent records stored with timestamp, the version of your consent notice they responded to, and an identifier: the account ID for logged-in users, otherwise a random consent ID kept in a first-party cookie (don't create a new tracking identifier just to log a refusal of tracking)
  • A persistent way to withdraw consent, usually a "Cookie Settings" link in the footer

The CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically because users couldn't refuse cookies as easily as they could accept them. The fix was simple. The failure to implement it was not.

Common Violations That Trigger Fines

Looking at the enforcement record across EU data protection authorities, the same patterns appear repeatedly.

Loading Third-Party Scripts Before Consent

This is the most widespread problem. A site loads Google Tag Manager, which loads a dozen other scripts, which set cookies, all before the user sees the consent banner. The technical fix is to block the scripts themselves, not just the cookies they set: each tag is served inert (a non-JavaScript `type` attribute, or simply not in the page) and only injected once a consent record covering its category exists, and the same gating applies to the tags GTM fires. Most "install-a-banner" solutions don't do this properly; they show a banner while the scripts run underneath it.

Consent Buried in Privacy Policies

A checkbox buried in a terms and conditions page doesn't count. Consent must be granular (separate for each purpose), not bundled with acceptance of the terms, and it must be obvious to the user what they're consenting to.

Not Keeping Consent Records

GDPR requires you to be able to demonstrate compliance. If a regulator asks you to prove that User X consented to marketing cookies on a specific date, you need records. Most lightweight cookie solutions don't log this. Proper consent management platforms do.

Treating All Regions the Same

UK businesses follow UK GDPR plus PECR, the UK's implementation of the ePrivacy Directive (post-Brexit, similar but separate). Swiss businesses follow the revised Federal Act on Data Protection (FADP), in force since September 2023. Several US states have their own rules. If you have visitors from multiple jurisdictions, your consent mechanism needs to handle them differently, or default to the strictest applicable standard.


GDPR vs. CCPA: The Key Differences

If you serve US customers, particularly in California, CCPA (California Consumer Privacy Act) is also relevant. The two regimes take different approaches.

GDPR is opt-in: you can't process data without prior consent for most purposes. CCPA is opt-out: you can process data, but consumers have the right to say "don't sell my personal information." They're not equivalent, and a solution built for one doesn't automatically satisfy the other.

CPRA (the amendment to CCPA that took effect in January 2023) added opt-out rights for "sharing" data in addition to "selling" it, a distinction that matters for cross-context behavioural advertising. The Global Privacy Control (GPC), a browser-level signal sent as a `Sec-GPC` request header and exposed to scripts as `navigator.globalPrivacyControl`, must be honoured as a valid opt-out by businesses subject to the law.

If you're a UAE or GCC business with US visitors, you typically only trigger CCPA obligations if you do business in California and meet one of its thresholds: annual revenue over $25M, buying, selling or sharing the personal information of 100,000+ California consumers or households, or deriving half or more of your revenue from selling or sharing it. But if you do meet one, you need both GDPR-style and CCPA-style consent handling.
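Here is how the pieces fit together in code: the conditional script blocking from "Loading Third-Party Scripts Before Consent", the timestamped and versioned records from "Not Keeping Consent Records", and the GPC handling described just above. This is an added example written for this page, not any CMP's code. The category names, the `NOTICE_VERSION` value, the storage key and the mapping of the "marketing" category to CCPA sale/sharing are assumptions; storage and script injection are passed in so the core runs in Node as well as in a browser.

```javascript
// Added example: consent-gated script loading with versioned, timestamped
// consent records and Global Privacy Control handling. Not any CMP's code.
// Storage, script injection and the GPC check are injected so the core runs
// in Node; browserGate() shows the real wiring.

const NOTICE_VERSION = "2025-01-v3"; // assumed; bump when the notice or vendor list changes
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const STORAGE_KEY = "consent_record"; // assumed key name

// Build a consent record. "necessary" is never asked and always true. A GPC
// signal is treated as a refusal of the marketing category, whatever the
// user clicked (assumption: marketing == CCPA "sale/sharing").
function makeRecord(choices, { gpc = false, consentId = null, now = () => new Date() } = {}) {
  const granted = {};
  for (const c of CATEGORIES) granted[c] = c === "necessary" ? true : choices[c] === true;
  if (gpc) granted.marketing = false;
  return { version: NOTICE_VERSION, timestamp: now().toISOString(), consentId, gpc, granted };
}

// A stored record only counts if it was given against the current notice.
function isCurrent(record) {
  return Boolean(record && record.granted && record.version === NOTICE_VERSION);
}

// In-memory stand-in for window.localStorage, for running outside a browser.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
}

class ConsentGate {
  constructor({ storage, loadScript, hasGpc = () => false, consentId = null }) {
    this.storage = storage;       // getItem/setItem, e.g. window.localStorage
    this.loadScript = loadScript; // (src) => void, e.g. append a <script> to <head>
    this.hasGpc = hasGpc;         // () => boolean
    this.consentId = consentId;
    this.pending = [];            // {category, src} waiting for consent
    this.loaded = [];             // srcs handed to loadScript, in order
    this.log = [];                // every consent event this session, oldest first
    this.record = null;
    let stored = null;
    try { stored = JSON.parse(storage.getItem(STORAGE_KEY)); } catch (_) { /* no usable record */ }
    if (isCurrent(stored)) this.record = stored; // stale version: ask again
  }

  allowed(category) {
    return category === "necessary" || Boolean(this.record && this.record.granted[category] === true);
  }

  // Register a tag with its category. It loads now only if consent already
  // covers it; otherwise it waits. Nothing outside "necessary" runs first.
  register(category, src) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (this.allowed(category)) this._load(src);
    else this.pending.push({ category, src });
  }

  _load(src) { this.loaded.push(src); this.loadScript(src); }

  // Record a choice, persist it, and release only the tags it now covers.
  update(choices) {
    this.record = makeRecord(choices, { gpc: this.hasGpc(), consentId: this.consentId });
    this.storage.setItem(STORAGE_KEY, JSON.stringify(this.record));
    this.log.push(this.record);
    const still = [];
    for (const p of this.pending) {
      if (this.allowed(p.category)) this._load(p.src);
      else still.push(p);
    }
    this.pending = still;
    return this.record;
  }

  acceptAll() { return this.update(Object.fromEntries(CATEGORIES.map(c => [c, true]))); }
  rejectAll() { return this.update({}); }
  // Withdrawal is a new record, not a deletion: the log must show consent was
  // given and later withdrawn. Scripts already executed cannot be unloaded,
  // so the page should expire their cookies and reload after this.
  withdraw() { return this.rejectAll(); }
}

// Real browser wiring (not called in Node).
function browserGate(consentId) {
  return new ConsentGate({
    storage: window.localStorage,
    loadScript: (src) => { const s = document.createElement("script"); s.src = src; s.async = true; document.head.appendChild(s); },
    hasGpc: () => navigator.globalPrivacyControl === true,
    consentId,
  });
}

// One visit: tags registered before any choice, analytics and marketing
// accepted, then a second page load that restores the stored record.
function demo(gpc = false) {
  const storage = new MemoryStorage();
  const gate = new ConsentGate({ storage, loadScript: () => {}, hasGpc: () => gpc });
  gate.register("necessary", "/js/session.js");                   // assumed URLs
  gate.register("analytics", "https://analytics.example/tag.js");
  gate.register("marketing", "https://ads.example/pixel.js");
  const beforeChoice = gate.loaded.slice();
  gate.update({ analytics: true, marketing: true });
  const afterChoice = gate.loaded.slice();
  const nextVisit = new ConsentGate({ storage, loadScript: () => {}, hasGpc: () => gpc });
  return { beforeChoice, afterChoice, restoredMarketing: nextVisit.allowed("marketing") };
}
```

With `demo(false)` only the session script loads before the choice; after it, the analytics and marketing tags load too, and a second page load restores the record. With `demo(true)` the same "accept all" click still leaves the marketing tag unloaded because the GPC signal wins. Changing `NOTICE_VERSION` invalidates every stored record, which is what Step 5's "refresh existing consent" means in practice.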


Practical Implementation Steps

Getting compliant isn't as complicated as it sounds, but it does require doing the steps in the right order.

Step 1: Cookie Audit

Before you can ask for consent, you need to know what cookies your site sets. Use a tool like Cookiebot's scanner, or check your browser's developer tools after loading your site with all scripts active; use the storage/application tab rather than `document.cookie`, which hides HttpOnly cookies, and look at localStorage too, since it is covered by the same rules. Document each cookie: name, purpose, duration, and whether it's first-party or third-party.

Step 2: Choose a Consent Management Platform

A proper CMP (Consent Management Platform) handles the blocking, recording, and banner rendering in a compliant way. Cookiebot, OneTrust, Usercentrics, and Osano are established options. Some are better suited for enterprise, some for smaller sites. The key requirement: the platform must block script execution until consent is given, not just display a banner and hope for the best.

Step 3: Categorise Your Cookies Correctly

Map each cookie from your audit to the right category. Be honest about this — stuffing marketing cookies into "functional" to avoid asking for consent is exactly the kind of thing auditors look for.

Step 4: Design the Consent Flow

Reject All must be at the same level as Accept All. Descriptions must be specific. Consent must be logged. Withdrawal must be easy. If your design team pushes back on the "Reject All" button being equally prominent, that's a compliance conversation, not a design conversation.

Step 5: Set Up Consent Records

Configure your CMP to log consent events with timestamps and version IDs. Your privacy policy and consent notice should be versioned — if you change them, existing consent records need to be refreshed.

Step 6: Test Before Going Live

Load your site in a fresh browser profile with all cookies cleared. Before interacting with the banner, open developer tools and verify that no non-necessary cookies are set and, in the network tab, that no analytics or marketing requests have fired (a pixel that sends data without writing a cookie is still a transfer). Click Reject All and check again. Then accept one category at a time and verify only those cookies and requests appear. This is worth half an hour of testing before you push to production, and worth repeating whenever someone adds a tag.
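The Step 6 check can be scripted against the inventory from Step 1 so it is repeatable rather than a one-off look at DevTools. This is an added example, not from the original page: the inventory below is constructed for illustration, a name ending in `*` matches any suffix (GA4 writes `_ga_<MEASUREMENT_ID>`), and the cookie strings are constructed samples of what `document.cookie` might return at each stage of the test.

```javascript
// Added example: check the cookies actually present against the audit
// inventory and the consent given. Not from the original page; the
// inventory and cookie strings are constructed samples.

const INVENTORY = [ // constructed Step 1 output; "*" matches any suffix
  { name: "sessionid", category: "necessary",  party: "first", vendor: "site" },
  { name: "csrftoken", category: "necessary",  party: "first", vendor: "site" },
  { name: "lang",      category: "functional", party: "first", vendor: "site" },
  { name: "_ga",       category: "analytics",  party: "third", vendor: "Google Analytics" },
  { name: "_ga_*",     category: "analytics",  party: "third", vendor: "Google Analytics" },
  { name: "_hj*",      category: "analytics",  party: "third", vendor: "Hotjar" },
  { name: "_fbp",      category: "marketing",  party: "third", vendor: "Meta Pixel" },
];

// Names from a document.cookie string ("a=1; b=2"). document.cookie hides
// HttpOnly cookies: take those from the DevTools storage tab or Set-Cookie
// headers and pass the names in directly.
function cookieNames(cookieString) {
  return cookieString.split(";").map(s => s.trim()).filter(Boolean)
    .map(s => { const i = s.indexOf("="); return i < 0 ? s : s.slice(0, i); });
}

function matches(pattern, name) {
  return pattern.endsWith("*") ? name.startsWith(pattern.slice(0, -1)) : pattern === name;
}

function classify(name, inventory = INVENTORY) {
  return inventory.find(e => matches(e.name, name)) || null;
}

// `granted` is the consent record's category map; necessary is always allowed.
// Unknown cookies are violations too: something is setting cookies your audit
// never saw, so the inventory (and probably the banner text) is incomplete.
function checkCookies(names, granted, inventory = INVENTORY) {
  const violations = [];
  for (const name of names) {
    const entry = classify(name, inventory);
    if (!entry) { violations.push({ name, category: null, reason: "not in inventory" }); continue; }
    if (entry.category !== "necessary" && granted[entry.category] !== true) {
      violations.push({ name, category: entry.category, reason: `set without ${entry.category} consent` });
    }
  }
  return { ok: violations.length === 0, violations };
}

// String to assign to document.cookie to expire a first-party cookie after
// withdrawal. Path and Domain must match the original cookie; third-party
// cookies cannot be expired from your page at all.
function expireCookieString(name, { domain, path = "/" } = {}) {
  let s = `${name}=; Max-Age=0; Path=${path}`;
  if (domain) s += `; Domain=${domain}`;
  return s;
}

// Three constructed states of one site, run as the Step 6 checklist:
// before any interaction, after Reject All, and after accepting
// functional + analytics only.
function runChecks() {
  const beforeBanner = "sessionid=k9s; csrftoken=t1; lang=en; _ga=GA1.1.55; _ga_ABC123=GS1.1.1";
  const afterReject = "sessionid=k9s; csrftoken=t1";
  const afterAnalytics = "sessionid=k9s; csrftoken=t1; lang=en; _ga=GA1.1.55; _ga_ABC123=GS1.1.1; " +
    "_hjSessionUser_1=x; _fbp=fb.1.1; optimizelyEndUserId=oeu1";
  const none = {};
  const functionalAndAnalytics = { functional: true, analytics: true };
  return {
    beforeBanner: checkCookies(cookieNames(beforeBanner), none),
    afterReject: checkCookies(cookieNames(afterReject), none),
    afterAnalytics: checkCookies(cookieNames(afterAnalytics), functionalAndAnalytics),
  };
}
```

In `runChecks()`, the pre-banner state fails on `lang`, `_ga` and `_ga_ABC123` (the classic "GTM fired before the banner" symptom), the Reject All state passes, and the analytics-only state flags `_fbp` as a marketing cookie set without marketing consent plus `optimizelyEndUserId` as a cookie the audit never catalogued. Feed it the real `document.cookie` (plus HttpOnly names from the storage tab) at each step of Step 6 and keep the inventory in version control next to the consent notice.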


Where This Is Heading

Enforcement is increasing, not decreasing. The EDPB's cookie banner taskforce (report adopted in January 2023) aligned the DPAs' positions on banner design, and coordinated enforcement actions now run across member states, so a pattern flagged in one country is unlikely to be tolerated in another. DPAs are also getting more technical: they're not just reading policies, they're scanning sites for cookie behaviour.

Browser-level privacy defaults are also tightening. Safari blocks third-party cookies by default, and Firefox partitions them per site so they can't be used for cross-site tracking. Chrome abandoned its plan to remove third-party cookies in 2024, but the direction elsewhere is clear: the third-party cookie ecosystem is shrinking, and businesses built on it need to adapt.

Getting consent right now also positions you well for whatever comes next. A business that's actually collected first-party consent data has a marketing asset that privacy changes can't take away.

Cirvgreen is building a cookie consent solution designed specifically for businesses operating across multiple jurisdictions — including the UAE, UK, and EU. If you want to be notified when it launches, subscribe to the newsletter below.