
Cookies and consent under EU GDPR and ePrivacy

Updated April 2026 · EU GDPR · ePrivacy Directive 2002/58/EC · EDPB aligned

Cookie consent in the EU is governed by the ePrivacy Directive 2002/58/EC (implemented in national law across member states) and EU GDPR. The EDPB has published guidelines on cookies, and national DPAs — including the CNIL, Belgian DPA, and Italian Garante — have taken significant enforcement action against non-compliant cookie consent mechanisms.

How to read this guide. This guide explains requirements and expectations derived from EU GDPR 2016/679 and EDPB published guidance. Where we write “EU GDPR requires” we cite the regulation. Where we write “EDPB guidance indicates” we cite regulatory guidance, which is not identical to a statutory obligation. Application of GDPR obligations may vary depending on member state law and supervisory authority interpretation — consult a qualified data protection practitioner familiar with the relevant jurisdiction.

Two overlapping frameworks

The ePrivacy Directive requires prior consent before non-essential cookies are stored on or accessed from a user’s device. EU GDPR provides the standard for what valid consent means. Both apply simultaneously. Member states have implemented the ePrivacy Directive differently — German law (TDDDG), French law (CPCE), Italian Codice Privacy — and some have specific requirements beyond the Directive’s minimum. The ePrivacy Regulation, proposed to replace the Directive, has been in negotiation for years and remains outstanding as at April 2026.

Source: ePrivacy Directive 2002/58/EC; EU GDPR Article 7; EDPB Guidelines 05/2020 on consent; EDPB Guidelines 03/2022 on dark patterns

Strictly necessary cookies

The ePrivacy Directive exempts cookies strictly necessary for a service explicitly requested by the user. Session management, authentication, and shopping cart cookies are typically exempt. Analytics, advertising, social media tracking, and A/B testing cookies are not — they serve the organisation’s interests, not the user’s requested service. The EDPB has been clear that “strictly necessary” is a narrow exemption.

For every cookie that is not strictly necessary, the GDPR standard of consent applies: it must be freely given, specific, informed, and unambiguous. Cookie walls that condition access on accepting all cookies are not considered freely given by the EDPB or most national DPAs. Dark patterns that make acceptance easier than rejection are not compliant. The EDPB’s Guidelines 03/2022 on dark patterns identify specific prohibited practices, including pre-selected options, confusing language, misleading button colours, and making the reject path more complex than the accept path.

Enforcement across member states

Cookie enforcement has been active across the EU. The French CNIL fined Google €150 million and Facebook €60 million for making cookie rejection more complex than acceptance. The Belgian DPA issued an enforcement notice against IAB Europe’s Transparency and Consent Framework. The Italian Garante has fined organisations for deploying analytics cookies without valid consent. National DPA enforcement priorities vary, but the EDPB’s 2022 coordinated enforcement action on cookie banners established that dark patterns attract enforcement across member states.

Analytics cookies

Analytics cookies require consent before being set. Some member state DPAs have taken nuanced positions on analytics — the French CNIL has published conditions under which certain analytics configurations may be treated as less privacy-intrusive, but has not exempted them from the consent requirement entirely. The default across the EU is that analytics cookies require prior informed consent.

Record this. Maintain a cookie audit documenting every cookie, its purpose, its provider, whether it is strictly necessary, and the consent mechanism in place. Retain consent records. Where your organisation operates across multiple EU member states, verify compliance with each member state’s ePrivacy implementation.

Note: application of EU GDPR obligations may vary under member state law. Confirm with a practitioner familiar with the relevant jurisdiction.

Not legal advice. This guide is derived from EU GDPR (Regulation (EU) 2016/679), EDPB published guidelines, and national supervisory authority guidance as at April 2026. Obligations are subject to change. Consult a qualified solicitor or data protection practitioner for advice specific to your organisation.