Compliance · 5 min read

Cookie Consent Myths That Cost Companies Millions

"Implied consent is fine." "We're US-only, so GDPR doesn't apply." "A banner makes us compliant." Ten cookie consent myths that regulators have already fined, and what the law actually says.

The myths are expensive

Most cookie consent violations don't come from companies that tried to cheat. They come from teams that believed something about the law that wasn't true, built a banner around it, and moved on. The French regulator (CNIL) has handed out more than 200 million euros in cookie fines to companies that were confident they had it covered. Here are ten beliefs that keep showing up in enforcement files, and what the rules actually say.

Myth 1: "Implied consent is fine, using the site means they agreed"

Consent under the GDPR has a legal definition: a "freely given, specific, informed and unambiguous" indication given by "a clear affirmative action" (Article 4(11)). Recital 32 spells out what doesn't count: "silence, pre-ticked boxes or inactivity." Continuing to browse, scrolling down the page, or ignoring a banner are not affirmative actions. Both the CNIL and Italy's Garante have said outright that continued browsing can't be treated as consent. If your banner says "by using this site you accept cookies," you don't have consent. You have a notice. See the forms of consent that don't count.

Myth 2: "We're a US company, so GDPR doesn't apply to us"

Article 3(2) of the GDPR reaches businesses with no EU office at all. It applies when you offer goods or services to people in the EU, or when you monitor their behaviour. Running Google Analytics or a Meta Pixel on visitors who happen to be in Germany or France is monitoring behaviour. If EU users reach your site and you track them, you're likely in scope. We break the test down in our guide "Does GDPR apply to US companies?"

Myth 3: "We put up a cookie banner, so we're compliant"

A banner is the visible part. Compliance is what happens around it: non-essential scripts blocked until the visitor opts in, a reject option as easy as accept, granular choices per purpose, and a record of each decision. A 2025 audit of 10,000 EU sites found 78% of banners were non-compliant, and most of those sites had a banner. The banner wasn't the fix. See why most cookie banners still fail.

Myth 4: "We can rely on legitimate interest for analytics and ad cookies"

This one trips up privacy teams who know the GDPR's six legal bases. The problem is that cookies are governed first by the ePrivacy Directive, whose Article 5(3) requires prior consent to store or read information on a device, with narrow exemptions for strictly necessary cookies. Legitimate interest isn't one of the gateways. Even with a GDPR basis on paper, you still need consent to set a non-essential cookie. Full detail in legitimate interest vs consent for cookies.

Myth 5: "Small businesses are exempt"

There's no size exemption for cookie consent. The often-quoted "fewer than 250 employees" figure comes from Article 30 of the GDPR, which relaxes the duty to keep a full record of processing activities. It has nothing to do with cookies or consent. A five-person shop that runs advertising cookies needs consent exactly like a multinational does.

Myth 6: "Analytics cookies are harmless and don't need consent"

Analytics cookies are not "strictly necessary" for a service the user asked for, which is the test for the ePrivacy exemption. Delivering your website works fine without them. Regulators across the EU treat first-party analytics as consent-required, and several DPAs (including the CNIL and Austria's authority) have questioned specific Google Analytics configurations over EU-US data transfers. See "Is Google Analytics GDPR compliant?"

Myth 7: "One banner works for the whole world"

GDPR wants opt-in before tracking. California's CPRA runs on opt-out and a "Do Not Sell or Share" signal. Brazil's LGPD, the UK's PECR, and a dozen US state laws each draw the line differently. A single global "accept or reject" either over-asks your US traffic (hurting conversion) or under-protects your EU traffic (inviting a fine). Region-aware banners solve both. See the US state privacy laws guide.

Myth 8: "Once someone accepts, we have consent forever"

Consent is a state you have to be able to reverse. Withdrawing has to be as easy as giving it (GDPR Article 7(3)), and consent goes stale. The CNIL recommends re-asking roughly every six months in many cases, and treating an old "yes" as permanent is a common finding in audits. You also need a way to change your mind that isn't buried three menus deep.

Myth 9: "We copied a compliant-looking competitor, so we're safe"

Their banner was built for their cookies, their vendors, and their jurisdiction, not yours. If your competitor is in the 78% that fail, you just copied their liability. And you can't copy their consent records, which have to be yours. Walk through the failure modes in why copying a competitor's banner backfires.

Myth 10: "A cookie policy page covers us"

A written policy explains what you do. It doesn't collect consent, and it doesn't stop a tracking script from firing on page load. You need both: clear information (the policy) and a working consent mechanism that blocks non-essential cookies until the visitor chooses. One without the other leaves a gap regulators look for.

What actually keeps you out of trouble

Strip the myths away and the requirements are short. Block non-essential cookies until the visitor opts in. Make reject as easy as accept. Ask per purpose, with nothing pre-selected. Adapt to the visitor's region. Log every choice so you can prove it later. A consent platform like CookieBeam scans your real cookies, blocks them before consent, and stores a timestamped record of each decision, which closes most of the gaps above by default. Start with the GDPR cookie compliance checklist.
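As an added illustration (not code from CookieBeam or this guide), the JavaScript below sketches the consent gate the list above describes: per-purpose choices with nothing pre-selected, reject and withdraw as single calls, a timestamped decision log, and scripts shipped inert until their category is allowed. The purpose names, the six-month staleness window and the `type="text/plain"` markup convention are assumptions.

```javascript
// Added example (not CookieBeam's code). Purposes, 6-month window and log shape are assumptions.
const PURPOSES = ["analytics", "marketing"]; // non-essential categories (assumed)
const ESSENTIAL = "essential";               // strictly necessary: ePrivacy exemption, always allowed
const MAX_AGE_MS = 182 * 24 * 3600 * 1000;   // re-ask after ~6 months (CNIL guidance cited above)
function createConsentStore(now = () => Date.now()) {
  const log = [];      // append-only, timestamped record of every decision (the proof)
  let current = null;  // null = visitor has not decided, so no consent exists yet
  function record(action, choices) {
    const entry = { action, choices: { ...choices }, at: new Date(now()).toISOString() };
    log.push(entry);
    current = entry;
    return entry;
  }
  // Every purpose defaults to false: nothing is pre-ticked, only an explicit true counts.
  function acceptSelected(selected) {
    const choices = {};
    for (const p of PURPOSES) choices[p] = selected[p] === true;
    return record("accept_selected", choices);
  }
  const all = (v) => Object.fromEntries(PURPOSES.map((p) => [p, v]));
  return {
    acceptSelected,
    acceptAll: () => acceptSelected(all(true)),
    rejectAll: () => acceptSelected(all(false)),     // one click, same effort as acceptAll
    withdraw: () => record("withdraw", all(false)),  // withdrawing is as easy as giving
    // Scrolling, browsing on or closing the banner never call any of the above, so
    // `current` stays null: silence and inactivity are not consent.
    isAllowed(category) {
      if (category === ESSENTIAL) return true;
      if (!current) return false;
      if (now() - Date.parse(current.at) > MAX_AGE_MS) return false; // stale: ask again
      return current.choices[category] === true;
    },
    decisions: () => log.slice(),
  };
}
// Browser adapter (assumed markup): scripts ship inert as <script type="text/plain"
// data-consent-category="analytics" src="..."> and become live only once allowed. Returns count.
function activateInDocument(store, doc = typeof document !== "undefined" ? document : null) {
  if (!doc) return 0;
  let n = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    if (!store.isAllowed(el.dataset.consentCategory)) continue;
    const live = doc.createElement("script");
    if (el.src) live.src = el.src; else live.textContent = el.textContent;
    el.replaceWith(live); n += 1;
  }
  return n;
}
```

Call `activateInDocument(store)` after every decision and on each page load; with no decision recorded it activates nothing, which is the default the regulators cited above expect.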
