It's been five years since the cookie consent wars began in earnest. And yet, walk around the web today and you'll still find banners with "Accept All" in bold green and "Manage Preferences" buried in grey six-point text. Regulators have noticed.
In 2024 and 2025, the French CNIL, the Italian Garante, and the Irish DPC all increased enforcement activity specifically targeting cookie consent mechanisms. The combined fines from cookie-related enforcement actions broke €300 million in 2024 alone.
"If rejecting cookies is harder than accepting them, your banner doesn't comply — regardless of what your lawyers told you in 2020."
What the Law Actually Requires
GDPR and the ePrivacy Directive (still in effect, still relevant) require that consent for non-essential cookies is:
- Freely given — no "cookie wall" that denies access to users who decline
- Specific — consent for analytics must be separate from consent for marketing
- Informed — users must know what each category of cookie does before they consent
- Unambiguous — pre-ticked boxes don't count; nor does "continued use of this site"
- As easy to withdraw as to give — if you can accept in one click, you must be able to reject in one click
The Dark Patterns Regulators Are Targeting
Compliant patterns
- Equally prominent Accept / Reject buttons
- All cookies off by default
- Preferences accessible from a persistent link
- Granular category-level toggles
- Clear "what this does" descriptions
Dark patterns under scrutiny
- "Accept" styled prominently, "Reject" hidden
- Pre-ticked optional categories
- Requiring multiple clicks to decline
- Vague language like "enhance your experience"
- No way to change preferences after initial consent
What Your Technical Setup Must Do
A compliant cookie implementation has two parts: the consent UI (your banner) and the consent enforcement (your code). Both must work together.
Consent UI checklist
- A prominent "Reject All" or "Decline" button visible on the first layer (same prominence as "Accept All")
- Category descriptions that explain what each type of cookie does in plain language
- A list of specific cookies or third-party vendors for each category
- A link to your Cookie Policy with full details
- A persistent "Manage Cookie Preferences" link in your footer
Consent enforcement checklist
- Non-essential scripts are blocked before consent is recorded (not just after)
- Analytics scripts (GA4, Hotjar, etc.) only fire when analytics consent is given
- Marketing pixels (Meta, LinkedIn, TikTok) only fire when marketing consent is given
- Consent choices are stored in a tamper-evident log for auditing
- Consent is re-requested if your cookie list changes significantly
Important: Loading Google Analytics before consent is recorded is one of the most common enforcement triggers. "We load it on every page but only track users who consent" is not compliant — the script loading itself may set cookies.
The Third-Party Tracker Problem
One reason many businesses fail cookie audits is that they don't know what's actually on their site. A chat widget added by marketing, a retargeting pixel from six months ago, a button that loads a social media SDK — all of these can drop cookies without your knowledge.
Before you can build a compliant banner, you need a complete inventory of every third-party script and cookie on your site. Our tracker scanner crawls your pages using a real browser and captures all network requests — not just what's visible in the HTML source.
Consent Records: The Audit Trail
If a regulator or a data subject asks "do you have proof this person consented to marketing cookies on 14 January 2025?", you need to be able to answer yes or no with evidence. That means keeping records of:
- What banner version was shown
- What categories were available
- What the individual chose
- When and from which page
Most cookie platforms retain this data automatically. If yours doesn't, ask your vendor whether they offer a consent receipt API.
Practical Next Steps
If you haven't reviewed your cookie setup in the last 12 months, start here:
- Scan your site with a real-browser tool to find all trackers
- Categorise each tracker correctly (essential / functional / analytics / marketing)
- Audit your banner for dark patterns
- Check that non-essential scripts are actually blocked pre-consent in your live environment
- Update your cookie policy to match what you actually use