There's no single EU cookie law you can read cover to cover. What actually governs your banner is a stack of interpretation built by the European Data Protection Board (EDPB), the body that coordinates the national data protection authorities. Over the past few years the EDPB has produced three documents that, together, define what a compliant cookie banner looks like and how far cookie rules reach: the Cookie Banner Taskforce report, Guidelines 2/2023 on the technical scope of Article 5(3), and Opinion 08/2024 on consent-or-pay.
This guide walks through each one in plain language, with the dates and sources so you can check the primary text yourself. Want the specific fine amounts these principles produced? See our guide to the biggest GDPR cookie fines. This article is about the rules behind them.
The Cookie Banner Taskforce: How Complaints Became a Common Position
The enforcement wave started with complaints. From May 2021, the privacy group noyb (led by Max Schrems) filed more than 700 complaints against websites whose cookie banners it said broke the rules, targeting pre-ticked boxes, missing reject buttons, and deceptive design. Between May 2021 and August 2022, 18 EU/EEA data protection authorities received hundreds of them.
Rather than answer 18 different ways, the DPAs formed a Cookie Banner Taskforce under the EDPB to line their positions up. On 17 January 2023, the EDPB adopted the taskforce's final report. It isn't a fine and it isn't binding law, but it's the shared checklist regulators now apply. Practices it flags as problematic:
- No reject option on the first layer, so refusing takes more clicks than accepting.
- Pre-ticked boxes or sliders defaulted to "on".
- Deceptive contrast and design that nudges users toward "Accept".
- Consent-critical information hidden behind links.
- Wrongly classifying tracking cookies as "essential".
Want to know what a DPA checks first when a complaint lands? This report is the answer.
Guidelines 2/2023: Article 5(3) Reaches Far Beyond Cookies
The consent requirement lives in Article 5(3) of the ePrivacy Directive, which covers storing information on, or gaining access to information already stored in, a user's terminal equipment. For years, businesses treated that as "the cookie rule". The EDPB's Guidelines 2/2023 on the Technical Scope of Art. 5(3), adopted in final form (version 2.0) in October 2024 after public consultation, make clear the provision is technology-neutral and much broader.
The guidelines set out the criteria that bring an operation within Article 5(3), and confirm that the consent requirement (or a valid exemption) reaches well past classic browser cookies. They also cover:
- Tracking pixels and beacons embedded in web pages and emails.
- Local storage and IndexedDB read from or written to the browser.
- Device fingerprinting, where information is gained from the device even without storing anything.
- URL and cache-based tracking, and identifiers passed via links.
- IoT and connected-device data collection.
The practical takeaway: swapping cookies for "cookieless" pixels, fingerprinting, or local storage doesn't dodge the consent rule. The EDPB also clarifies that the "information" involved need not be personal data for Article 5(3) to apply. A thorough consent audit has to catch these non-cookie techniques too, not stop at the cookie jar.
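To make the scope point concrete, here is an added example (my own illustration, not CookieBeam's code and not anything the EDPB documents prescribe) of a purpose-level consent gate that puts local storage reads and writes, tracking pixels and fingerprint-style device reads behind the same consent check as cookies, and keeps a timestamped, per-purpose record of the decision. The purpose names, the storage adapter shape, the audit log format and the pixel URL are all assumptions; the in-memory storage shim is constructed so the block runs in Node without a browser.

```javascript
// Added example (not CookieBeam's code, not anything the EDPB prescribes):
// a purpose-level consent gate that puts local storage, pixels and
// fingerprint-style device reads behind the same consent check as cookies.
// Purpose names, the storage adapter shape and the log format are assumptions.

const PURPOSES = ['necessary', 'analytics', 'marketing'];

// Default state: nothing is pre-selected. Only strictly necessary operations
// are allowed without a decision, because they rely on an exemption, not consent.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false };
}

// Records a decision with timestamp, banner version and per-purpose detail.
// Unknown purposes are rejected so a typo cannot silently grant anything, and
// only an explicit boolean true counts as consent; everything else is a refusal.
function recordConsent(choices, bannerVersion, now = () => Date.now()) {
  const purposes = defaultConsent();
  for (const [purpose, granted] of Object.entries(choices)) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (purpose === 'necessary') continue; // exemption-based, not a consent choice
    purposes[purpose] = granted === true;
  }
  return { timestamp: new Date(now()).toISOString(), bannerVersion, purposes };
}

// Wraps a storage-like object (localStorage, sessionStorage, a cookie jar shim)
// and a pixel loader. Every operation is tagged with the purpose it serves and
// the technique used; it only runs when the consent record covers that purpose,
// and an audit entry is written either way.
class ConsentGate {
  constructor(record, storage, loadPixel) {
    this.record = record;
    this.storage = storage;
    this.loadPixel = loadPixel;
    this.audit = [];
  }

  allowed(purpose) {
    return this.record.purposes[purpose] === true;
  }

  // Central check: returns fn()'s result when allowed, null when refused.
  gated(technique, purpose, key, fn) {
    const ok = this.allowed(purpose);
    this.audit.push({ technique, purpose, key, allowed: ok });
    return ok ? fn() : null;
  }

  setItem(purpose, key, value) {
    return this.gated('local_storage_write', purpose, key, () => {
      this.storage.setItem(key, value);
      return true;
    }) === true;
  }

  // Reading is "gaining access to information already stored", so it is gated too.
  getItem(purpose, key) {
    return this.gated('local_storage_read', purpose, key, () => this.storage.getItem(key));
  }

  firePixel(purpose, url) {
    return this.gated('pixel', purpose, url, () => {
      this.loadPixel(url);
      return true;
    }) === true;
  }

  // Fingerprinting stores nothing but still gains information from the device;
  // `reader` stands in for a canvas hash, font probe, or similar.
  readDeviceSignal(purpose, name, reader) {
    return this.gated('fingerprint_read', purpose, name, reader);
  }
}

// Lists the operations the gate refused; an audit wants these beside what ran.
function refusedOperations(gate) {
  return gate.audit.filter((entry) => !entry.allowed);
}

// Stand-alone demo with a constructed in-memory storage shim (no browser needed).
function demo() {
  const stored = {};
  const storage = {
    setItem: (k, v) => { stored[k] = v; },
    getItem: (k) => (k in stored ? stored[k] : null),
  };
  const pixels = [];
  // Fixed clock so the recorded timestamp is reproducible.
  const record = recordConsent({ analytics: true }, 'banner-v3', () => 0);
  const gate = new ConsentGate(record, storage, (url) => pixels.push(url));

  gate.setItem('necessary', 'csrf_token', 'abc');                       // exempt, runs
  gate.setItem('analytics', 'session_id', 'xyz');                       // consented, runs
  gate.setItem('marketing', 'ad_id', '123');                            // refused
  gate.firePixel('marketing', 'https://ads.example/pixel.gif');         // refused (constructed URL)
  gate.readDeviceSignal('marketing', 'canvas_hash', () => 'deadbeef'); // refused
  gate.getItem('analytics', 'session_id');                              // consented, runs

  return { record, stored, pixels, refused: refusedOperations(gate), audit: gate.audit };
}

console.log(JSON.stringify(demo(), null, 2));
```

The design choice worth noting is that every technique goes through one `gated` call, so adding a new channel (IndexedDB, a cache-keyed identifier) means adding a method that names its technique, not a second consent check that can drift. A real deployment would also need to persist the record and re-evaluate it when the banner version changes, which the example leaves out.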
Opinion 08/2024: The Limits of "Consent or Pay"
On 17 April 2024, the EDPB adopted Opinion 08/2024 on valid consent in the context of consent-or-pay models run by large online platforms. The question: can a platform offer users a binary choice, agree to tracking or pay a fee, and still claim the consent was freely given?
The headline answer is sceptical. For large online platforms, offering only "consent to behavioural advertising or pay" will in most cases not amount to valid consent. Consent has to be free, and the EDPB stresses that a genuine, usually free, equivalent alternative without behavioural advertising should be on the table, for example a version funded by non-behavioural or contextual advertising. Detriment, imbalance of power, and the fee level all bear on whether the choice is really free.
The opinion is formally about large platforms, but it shapes the wider debate. Weighing a paywall-style model? Read it alongside our guide to cookie walls and pay-or-consent legality, which covers the national rulings and CJEU precedent around it.
The Cookie Pledge That Wasn't
One EDPB-adjacent initiative is worth knowing about, mostly so you can ignore it: the European Commission's Cookie Pledge. Announced by the Justice Commissioner around the 2023 Consumer Summit, it was meant to be a voluntary set of banner principles that major companies would sign at the April 2024 Consumer Summit.
It never came together. Most large companies saw signing as premature given the Digital Markets Act and Digital Services Act had just taken effect, and the pledge was quietly dropped. Commentators called it "dead in all but name". The lesson Brussels took from it, that voluntary self-regulation wouldn't fix banner fatigue, is part of why cookie reform later moved into the Commission's Digital Omnibus proposal, which would change the law itself rather than rely on voluntary commitments.
Putting the Three Documents Together
Read as a set, the EDPB's guidance hands you a practical compliance test:
- From the Taskforce report: put an equally prominent reject on the first layer, no pre-ticked boxes, no misclassifying trackers as essential.
- From Guidelines 2/2023: apply that consent gate to pixels, local storage, fingerprinting, and IoT, not cookies alone.
- From Opinion 08/2024: if you monetise consent through a paywall, offer a genuine equivalent alternative without behavioural advertising, free of charge where you can.
None of these is a statute, but DPAs treat them as the reference framework, which is why they translate so directly into enforcement. Line your banner up with all three and you're defending against the exact practices regulators built these documents to catch.
How CookieBeam Applies This
CookieBeam is built around the same principles the EDPB guidance codifies. Reject and Accept carry equal prominence on the first layer, and nothing is pre-selected. The scanner is designed to surface non-cookie techniques (tracking pixels, local storage, and third-party connections) so they can be gated the way Guidelines 2/2023 wants rather than slipping through as "cookieless". Consent choices are logged with timestamps and purpose-level detail, which is the evidence a DPA asks for when a taskforce-style complaint arrives.
Check every specific claim here against the primary text: the EDPB publishes the taskforce report, Guidelines 2/2023, and Opinion 08/2024 in full, and they're the source of truth if your legal team needs to cite them.