The Complete GDPR Cookie Compliance Guide for 2025

Everything you need to know about cookie consent, legitimate interest, and staying on the right side of Europe's most important privacy regulation.

Cookiewise Team
Published Mar 1, 2025 · Updated Mar 6, 2025

Key Takeaways

  • GDPR requires explicit, informed consent before setting non-essential cookies
  • Pre-ticked checkboxes and implied consent are not valid
  • Users must be able to withdraw consent as easily as they gave it
  • Fines can reach €20M or 4% of global annual turnover

What is GDPR?

The General Data Protection Regulation (GDPR) is the European Union's landmark privacy law that came into effect on May 25, 2018. It fundamentally changed how businesses collect, process, and store personal data - and cookies are firmly in its crosshairs.

Under GDPR, cookies that can identify a user (directly or indirectly) are considered personal data. This means analytics cookies, advertising trackers, and social media pixels all require explicit consent before they can be placed on a visitor's device.

The Six Lawful Bases for Processing

GDPR defines six lawful bases for processing personal data. For cookies, the two most relevant are:

Consent

The user has given clear, affirmative consent. Required for analytics, marketing, and social cookies.

Legitimate Interest

Processing is necessary for legitimate business purposes. May apply to strictly necessary cookies only.

Cookie Consent Requirements

The GDPR, combined with the ePrivacy Directive (often called the "Cookie Law"), sets strict rules for cookie consent:

1. Prior consent is mandatory - Non-essential cookies must not be set until the user actively consents. No cookies on page load.
2. Consent must be granular - Users must be able to accept or reject cookies by purpose/category. Bundled consent is invalid.
3. Consent must be freely given - Access to a website cannot be conditional on accepting cookies ("cookie walls" are controversial).
4. Easy withdrawal - It must be as easy to withdraw consent as it was to give it. Provide a persistent settings link.
5. Documentation - You must maintain records proving when and how consent was obtained. Store consent receipts.

Common Compliance Mistakes

Even well-intentioned websites frequently get cookie compliance wrong. Here are the most common pitfalls:

  • Pre-ticked consent boxes - GDPR explicitly prohibits this. Consent must be an affirmative action.
  • Treating "continued browsing" as consent - Scrolling or navigating does not constitute valid consent.
  • "Accept only" banners - You must provide an equally prominent option to reject non-essential cookies.
  • Dark patterns - Making "Accept" prominent while hiding "Reject" behind multiple clicks violates the spirit of GDPR.
  • Firing tracking scripts before consent - Google Analytics, Facebook Pixel, and similar tools must wait for consent.
  • Not re-asking after changes - If you add new cookie categories, existing consent may no longer be valid.
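The following is an added example, not Cookiewise code, showing how the five consent requirements above and the "firing scripts before consent" and "not re-asking after changes" mistakes translate into client-side logic: no third-party tag is injected until a decision exists, consent is tracked per category with anything not explicitly accepted treated as rejected, withdrawal is a single call, every decision is appended to a receipt log, and consent recorded under an older policy version authorises nothing. The category names, `CONSENT_VERSION`, the tag registry and its placeholder URLs are all constructed for the example; `inject` stands in for appending a `<script>` element so the logic runs outside a browser.

```javascript
// Added example (not Cookiewise code): a minimal consent store that enforces
// prior, granular, withdrawable and documented consent for non-essential tags.

// Policy version: bump it whenever cookie categories change so stored
// consent from an earlier version is treated as invalid and re-asked.
const CONSENT_VERSION = 2;

// Non-essential categories; strictly necessary cookies never need consent.
const CATEGORIES = ["analytics", "marketing", "social"];

// Constructed registry of third-party scripts per category.
// The URLs are placeholders, not real vendor endpoints.
const TAG_REGISTRY = {
  analytics: ["https://example.invalid/analytics.js"],
  marketing: ["https://example.invalid/ads-pixel.js"],
  social: ["https://example.invalid/social-widget.js"],
};

function createConsentStore(clock = () => new Date().toISOString()) {
  let decision = null;   // null until the user actively chooses: no implied consent
  const receipts = [];   // append-only log of when, how and what was consented to

  function record(choices, method) {
    // Any category not explicitly set to true counts as rejected, so a
    // pre-ticked or bundled default can never grant consent.
    const granted = Object.fromEntries(
      CATEGORIES.map((c) => [c, choices[c] === true])
    );
    decision = { granted, version: CONSENT_VERSION };
    receipts.push({
      timestamp: clock(), method, version: CONSENT_VERSION, granted: { ...granted },
    });
    return { ...granted };
  }

  return {
    record,
    // Withdrawal is the same single action as granting: one call rejects all.
    withdraw: (method) => record({}, method),
    // Necessary cookies are always allowed; everything else needs a decision
    // made under the current policy version.
    isAllowed(category) {
      if (category === "necessary") return true;
      if (!decision || decision.version !== CONSENT_VERSION) return false;
      return decision.granted[category] === true;
    },
    // True when the banner must be shown: no decision yet, or the categories
    // changed since the stored consent was given.
    needsPrompt: () => decision === null || decision.version !== CONSENT_VERSION,
    getReceipts: () => receipts.map((r) => ({ ...r, granted: { ...r.granted } })),
    // Simulate consent read back from storage (e.g. a first-party cookie).
    restore(saved) { decision = saved; },
  };
}

// Inject only the tags whose category the user accepted; returns what was loaded.
function loadConsentedTags(store, inject) {
  const loaded = [];
  for (const category of CATEGORIES) {
    if (!store.isAllowed(category)) continue;   // blocked until consent exists
    for (const url of TAG_REGISTRY[category]) {
      inject(url);
      loaded.push(url);
    }
  }
  return loaded;
}

// Lifecycle of one visitor: page load, a granular choice, then withdrawal.
function demo() {
  const store = createConsentStore(() => "2025-03-01T10:00:00Z");
  const injected = [];
  const inject = (url) => injected.push(url);

  const onLoad = loadConsentedTags(store, inject);          // nothing before a click
  store.record({ analytics: true, marketing: false }, "banner_click");
  const afterChoice = loadConsentedTags(store, inject);     // analytics only
  store.withdraw("settings_link");
  const afterWithdraw = loadConsentedTags(store, inject);   // nothing again
  return { onLoad, afterChoice, afterWithdraw, receipts: store.getReceipts() };
}
```

In a real deployment `inject` would create the `<script>` element and the store would persist `decision` in a first-party cookie or local storage; the receipt log is what you keep server-side to prove when and how consent was obtained.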

Enforcement and Fines

GDPR enforcement has intensified year over year. Notable cookie-related fines include:

  • Google (France) - €150M
  • Amazon (Luxembourg) - €746M
  • Meta / Facebook (Ireland) - €390M
  • TikTok (Ireland) - €345M

How Cookiewise Helps

Cookiewise automates GDPR cookie compliance so you don't have to worry about any of the above:

  • Auto-blocking - Non-essential cookies are automatically blocked until consent is given
  • Granular controls - Category-level consent toggles for full transparency
  • Consent receipts - Every consent action is logged with timestamp, method, and categories
  • Easy withdrawal - Persistent cookie settings button lets users change preferences anytime
  • Cookie scanning - Automatic detection and categorization of all cookies on your site

Get GDPR compliant in 5 minutes

Start your free 14-day trial. No credit card required.