Kortave
ePrivacy · 6 May 2025 · 6 min read

Cookie Consent in 2025: What ePrivacy Requires and Where Companies Are Still Getting It Wrong

Cookie consent fines exceeded €500M across the EU in the past two years. Most violations share the same root cause: ignoring what "freely given" consent actually means.

Cookie consent has been a compliance requirement since the ePrivacy Directive was amended in 2009. Sixteen years later, DPAs across France, Germany, Spain, Italy, and the Netherlands continue to issue fines for non-compliant cookie implementations. The total of ePrivacy-related enforcement actions in 2023 and 2024 exceeded €500 million. The errors driving those penalties are remarkably consistent.

The legal framework

Cookie consent in the EU is governed primarily by the ePrivacy Directive (2002/58/EC), as amended by Directive 2009/136/EC. This Directive is implemented differently across EU member states through national legislation — the UK's PECR, France's LCEN provisions, Germany's TTDSG, and so on. GDPR applies in parallel wherever cookies process personal data (which is most of the time).

An ePrivacy Regulation — a directly applicable EU-wide law replacing the Directive — has been under negotiation for years and remains pending. Until it is adopted, the national implementations of the current Directive continue to apply, with all their jurisdictional variation.

What "valid consent" actually requires

Under both the ePrivacy Directive and GDPR, valid consent for non-essential cookies must be:

  • Freely given: The user must have a genuine choice. Cookie walls — "accept or leave" ultimatums — are generally invalid. Refusing cookies must not result in the user being denied access to a service they are entitled to.
  • Specific: Consent must be given for specific purposes and specific categories of cookies — not a general "agree to all tracking" click. Bundling consent for analytics, advertising, and personalisation into a single button does not meet this standard.
  • Informed: Before consenting, users must receive clear information about what cookies are set, their purposes, their retention periods, and who has access to the data.
  • Unambiguous: Consent must be given through a clear affirmative action. Pre-ticked boxes are explicitly prohibited. Scrolling or continuing to browse does not constitute consent.

Critically, withdrawing consent must be as easy as giving it — a single click, not buried in settings menus. This requirement is consistently violated across even large, well-resourced companies.

The common violations DPAs are still finding

1. Accept-only banners without reject options

The CNIL, AP, and Garante have all specifically called out banners that prominently display an "Accept all" button with no equivalent "Reject all" option at the same level. If rejecting cookies requires navigating to preferences while accepting requires one click, consent is not freely given. The CNIL issued guidance in 2022 requiring symmetric accept and reject options — and continues to fine companies that ignore it.

2. Consent stored incorrectly or not at all

Regulatory inspections frequently find that companies cannot produce evidence of user consent — no timestamp, no record of what the user was shown, no version of the consent banner the user saw. Consent records must be maintained and must be specific enough to demonstrate that valid consent was obtained for each category of processing.

3. Cookies firing before consent is given

Technical audits regularly find analytics and advertising cookies placed in the browser before the user has interacted with the consent banner. This is a categorical violation — no amount of consent obtained afterwards cures the pre-consent processing. The banner must block cookie loading until explicit consent is received for the relevant categories.

4. "Legitimate interests" used for advertising

Some companies attempt to bypass the consent requirement for advertising cookies by claiming legitimate interests as the legal basis. Multiple DPAs — including the CNIL and the Belgian APD — have explicitly rejected this approach for advertising and behavioural tracking. Personalised advertising requires consent. There is no legitimate interests pathway around this.

5. Consent banners designed to manipulate

Dark patterns — visual design choices that nudge users towards accepting — are under increasing regulatory scrutiny. This includes: grey-out styling on reject options while "Accept all" is prominently coloured; requiring multiple clicks to reject while accepting is one; hiding consent management behind small or low-contrast links. The EDPB's Dark Patterns Guidelines (adopted 2023) provide specific guidance that regulators now use as a compliance benchmark.

The incoming ePrivacy Regulation

When adopted, the ePrivacy Regulation will:

  • Create a single, directly applicable standard across all EU member states — eliminating the current jurisdictional patchwork
  • Enable browser-level consent signals — meaning users may be able to set preferences once at the browser level, and websites must honour those signals
  • Expand scope to cover over-the-top communications services (messaging apps, VoIP)
  • Align penalty levels with GDPR (potentially up to 4% of global turnover)

Companies that invest now in genuinely compliant consent infrastructure will be better positioned when the Regulation passes — rather than needing to rebuild again.

What compliant cookie consent looks like in practice

  • A banner presented before any non-essential cookies are loaded — with all tracking scripts blocked pending consent
  • Symmetric, equally prominent accept and reject options
  • A preference centre where users can accept or reject by category (analytics, advertising, personalisation, etc.)
  • Consent records maintained per user session: timestamp, banner version, options presented, choice made
  • A clear mechanism for withdrawing consent at any time — typically a persistent link in the footer
  • Annual review of the cookie inventory and consent records to catch drift in what cookies are actually deployed
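The blocking and record-keeping points above (and the "cookies firing before consent" violation in section 3) can be reduced to a small consent gate. The following is an added illustration, not Kortave's code or any CMS vendor's: tracking scripts ship inert as `<script type="text/plain" data-consent-category="...">` tags, nothing non-essential is activated until a choice is recorded, and every choice yields a record with timestamp, banner version, options presented and decision. The names `BANNER_VERSION`, `CATEGORIES`, `buildConsentRecord`, `mayLoad` and `activateScripts`, and the banner version string, are assumptions for this example.

```javascript
const BANNER_VERSION = "2025-05-v3"; // constructed banner version id (assumption)
const CATEGORIES = ["analytics", "advertising", "personalisation"];
const OPTIONS_PRESENTED = ["accept_all", "reject_all", "manage_preferences"]; // symmetric choices

// Default state: every non-essential category is off until a choice is recorded.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Build the auditable record the checklist asks for: timestamp, banner version,
// options shown and the choice. `granted` holds the user's per-category selection;
// categories not explicitly granted stay false, unknown keys are ignored.
function buildConsentRecord(choice, granted, now = new Date()) {
  const state = defaultConsent();
  for (const c of CATEGORIES) state[c] = granted[c] === true;
  return {
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    optionsPresented: OPTIONS_PRESENTED,
    choice,            // "accept_all", "reject_all" or "custom"
    granted: state,
  };
}

// The gate: with no record yet (banner not answered) nothing non-essential loads.
function mayLoad(category, record) {
  return Boolean(record && record.granted[category] === true);
}

// Withdrawal is one action and yields a fresh reject-all record, not a settings edit.
function withdrawConsent(now = new Date()) {
  return buildConsentRecord("reject_all", {}, now);
}

// Browser only: tracking scripts ship inert as
// <script type="text/plain" data-consent-category="analytics" src="..."></script>
// and are swapped for live scripts only for granted categories. Returns the count.
function activateScripts(record, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!mayLoad(inert.dataset.consentCategory, record)) continue;
    const live = doc.createElement("script");
    if (inert.src) live.src = inert.src; else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Persisting each record server-side (keyed to the session) is what lets you answer a DPA's "show me what this user saw and chose" request; the banner version field is what ties that answer to a specific wording and layout.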

Cookie consent is not a technically complex compliance problem. It is an organisational commitment problem — requiring that product, marketing, and engineering teams all agree to put user choice above conversion rate optimisation. The DPAs have made clear, repeatedly, that they view non-compliant consent banners as evidence of intentional non-compliance. The fines reflect this.
