
ePrivacy Directive & Cookie Law: What Every Website Owner Needs to Know

Understand the EU's ePrivacy Directive (cookie law), how it interacts with GDPR, what the proposed ePrivacy Regulation would change, and what practical steps your website needs to take to comply today.

A Brief History of Cookie Law

Long before GDPR, the EU introduced privacy rules for electronic communications. The journey of 'cookie law' spans more than two decades:

  • 2002: ePrivacy Directive (2002/58/EC) introduced — requires informed consent for cookies
  • 2009: Amended to strengthen consent requirements (the 'Cookie Directive' amendment)
  • 2011: EU member states begin enforcing the cookie consent requirement. The classic 'banner era' begins.
  • 2018: GDPR introduces far stricter definitions of valid consent, effectively upgrading cookie banner requirements
  • 2020–present: Proposed ePrivacy Regulation (ePR) still in negotiation — intended to replace the Directive with a directly applicable EU Regulation

The ePrivacy Directive: Core Requirements

Current Law

The ePrivacy Directive (implemented differently in each EU member state as national law) establishes the foundational cookie consent requirements:

  • Prior consent required for any cookie that is not strictly necessary for the service explicitly requested by the user
  • Consent must be informed — users must understand what cookies do before agreeing
  • The 'strictly necessary' exception is narrow: only cookies essential for the specific service the user actively requested, not for analytics or advertising the site operator wants
  • Member states must ensure effective remedies and sanctions for non-compliance

The ePrivacy Directive works alongside GDPR: the Directive determines when consent is needed for cookies; GDPR determines the standard that consent must meet (freely given, specific, informed, unambiguous, withdrawable).

How GDPR Changed Cookie Law in Practice

Before GDPR, many interpretations of cookie consent were quite lenient — a notice bar saying 'we use cookies, by continuing you agree' was often considered compliant. GDPR's strict definition of valid consent changed everything:

Pre-GDPR vs Post-GDPR Cookie Consent Standards

Requirement               | Pre-GDPR (2011–2018) | Post-GDPR (2018–present)
Implied consent           | Often accepted       | Invalid — consent must be affirmative
Pre-ticked boxes          | Sometimes accepted   | Explicitly invalid
Scroll/continue = consent | Widely used          | Invalid — no unambiguous action taken
Bundled consent           | Common               | Invalid — must be specific per purpose
No withdrawal mechanism   | Often absent         | Required — as easy as giving consent
Consent record keeping    | Rarely required      | Mandatory under GDPR Art. 7

The Proposed ePrivacy Regulation

The European Commission has been working on a new ePrivacy Regulation (ePR) since 2017, intended to replace the ePrivacy Directive. If enacted, it would:

  • Apply directly in all EU member states (no national implementation required)
  • Introduce browser-level consent settings — users set preferences in their browser, not per-site
  • Potentially allow implied consent for analytics cookies under certain conditions
  • Extend coverage to new communication services (WhatsApp, Messenger, etc.)
  • Introduce fines aligned with GDPR (up to €20M or 4% of global turnover)

ePR Is Still Being Negotiated

As of early 2026, the ePrivacy Regulation has been stalled in Council negotiations for over 7 years. Do not count on it arriving or significantly changing current requirements in the near term. Comply with the current ePrivacy Directive + GDPR framework — that is what is being enforced today.

National Implementation Differences

Because the ePrivacy Directive must be implemented by each EU member state as national law, there are important differences between countries:

ePrivacy National Implementation Highlights

Country     | National Law                 | Notable Differences
Germany     | TTDSG (2021)                 | Introduced 'Consent Management Platform' recognition framework
France      | Loi Informatique et Libertés | CNIL has issued detailed guidelines and fined Google, Facebook
Netherlands | Telecommunicatiewet          | Analytics cookies may be exempt under certain conditions
Italy       | Codice Privacy               | Garante has issued specific cookie guidance requiring Reject All button
UK          | PECR                         | Post-Brexit but practically identical; ICO enforcement active

ePrivacy / Cookie Law Compliance Checklist

  • No non-essential cookies set before consent

    Analytics, marketing, and preference cookies must wait. Only session management and security cookies can fire immediately.

  • Affirmative opt-in required (no scrolling = consent)

    Users must take a positive action (click Accept). Passive behaviour cannot be treated as consent.

  • Reject option equally prominent on first screen

    Multiple DPAs (France, Italy, Spain) specifically require a Reject All button on the main banner layer.

  • Cookie policy accurately lists all cookies

    Each cookie by name, purpose, vendor, and retention period. Update whenever you add or remove cookies.

  • Consent withdrawal mechanism in place

    A floating cookie icon or footer link that opens the preference centre for users to change or withdraw consent.

  • Consent records maintained

    Log timestamp, consent version, categories granted, and user identifier for each consent event. Required for GDPR Art. 7 accountability.

  • Cross-border: reviewed per target market

    If significant traffic from Germany, France, or Italy, review local DPA guidance for country-specific requirements.

Enforcement Is Real and Active

Cookie law enforcement has accelerated dramatically since 2021. Notable fines: Google/YouTube (€150M — France CNIL, 2022), Meta/Facebook (€60M — France CNIL, 2022), TikTok (€5M — France CNIL, 2023). The most common violation found? Making it harder to reject cookies than to accept them.

ICO (UK) Cookie Guidance: Post-Brexit Rules

The United Kingdom left the EU in January 2020, but UK cookie law remains substantively very similar to the EU framework — at least for now. The UK Information Commissioner's Office (ICO) enforces the Privacy and Electronic Communications Regulations 2003 (PECR), which is the UK's implementation of the ePrivacy Directive. PECR was amended in 2011 to align with the revised Cookie Directive and has been updated via statutory guidance since Brexit.

For most practical purposes, if your cookie banner is compliant with GDPR and the EU ePrivacy Directive, it will also be compliant with PECR and the UK GDPR. However, there are some specific differences worth noting.

UK vs EU Cookie Requirements: Key Differences

UK-Specific

Post-Brexit, the UK has retained equivalent cookie consent requirements but the ICO has signalled a slightly more pragmatic approach to analytics cookies than some EU DPAs. Key differences to be aware of:

  • Analytics cookies: The ICO has historically been more open to a 'legitimate interests' argument for purely internal analytics cookies (no cross-site tracking, no vendor data sharing, short retention). This contrasts with France's CNIL and Germany's DSK, which require explicit consent for all analytics cookies. As of 2025, the ICO still requires consent for most third-party analytics tools including Google Analytics, as these involve international data transfers and vendor data sharing.
  • ICO enforcement approach: The ICO tends to pursue a 'comply or we will escalate' approach with larger operators before issuing fines, giving companies more opportunity to remediate. This is less common with EU DPAs like CNIL or Garante, which have moved directly to fines for prominent violations.
  • UK GDPR vs EU GDPR: The UK's retained version of GDPR ('UK GDPR') is currently identical in substance to EU GDPR for cookie consent purposes. However, the UK government has proposed reforms through the Data Protection and Digital Information Bill that could introduce more flexibility. Monitor developments as the UK regulatory environment may diverge from the EU in coming years.
  • No 'Reject All' on first layer — yet: Unlike CNIL (France) and Garante (Italy), the ICO's guidance does not yet explicitly mandate a Reject All button on the primary banner layer. However, the ICO does require that rejecting cookies must be as easy as accepting them — in practice, this means a clear and accessible reject path is required.
  • PECR fines: Current PECR maximum fines are £500,000, significantly lower than GDPR's €20M / 4% of global turnover. The ICO gains new powers under the DPDI Bill, including potentially higher PECR fines aligned with UK GDPR levels.

CookieBeam supports UK-specific banner configurations in the dashboard. Under Settings → Geo-Targeting → UK, you can apply UK-specific banner text and button arrangements that satisfy ICO guidance while differing from your EU configuration where appropriate.

Cookie Law Enforcement Cases: Lessons Learned

Cookie law enforcement has accelerated dramatically across the EU and UK since 2021. Studying actual enforcement actions reveals which violations regulators prioritise and what remediation they require. The following cases represent the most significant enforcement actions through early 2026.

Significant Cookie Law Enforcement Actions (2021–2025)

Company          | Country / Authority   | Fine      | Violation | Year
Google & YouTube | France (CNIL)         | €150M     | Rejecting cookies made significantly more difficult than accepting; one-click accept vs multi-step reject | 2022
Facebook (Meta)  | France (CNIL)         | €60M      | Same violation: asymmetric consent UX favouring acceptance; reject path buried in settings | 2022
TikTok           | France (CNIL)         | €5M       | No Reject All button on first consent layer; accept easier than reject | 2023
Criteo           | France (CNIL)         | €40M      | Relying on invalid consent from third-party CMPs; no verification that consent met GDPR standard | 2023
Grindr           | Norway (Datatilsynet) | €6.5M     | Sharing user data with advertising partners without valid consent; consent bundled and not granular | 2021
Sephora          | USA (California AG)   | $1.2M USD | CCPA violation — sale of personal data without opt-out mechanism; comparable to cookie law violations | 2022
Clearview AI     | Italy (Garante)       | €20M      | No lawful basis for processing; no consent mechanism; facial recognition data collected without knowledge | 2022

The pattern across these enforcement actions is consistent: making it harder to reject than to accept is the most common violation cited. Regulators are particularly focused on the symmetry between the accept and reject user journeys. If a user can accept cookies in one click but requires three clicks (or navigation through a settings menu) to reject, that asymmetry is itself a violation regardless of whether the reject option technically exists.

CookieBeam's default banner template is designed to satisfy the symmetry requirement enforced by CNIL, Garante, and the EDPB: Accept All and Reject All appear as equally sized, equally prominent buttons on the first banner layer.

Preparing for the ePrivacy Regulation: Future-Proofing Your Setup

1. Do not wait — comply with the current framework to the highest standard today

The ePrivacy Regulation has been stalled for over seven years and its final form remains uncertain. The websites that will be best positioned when (if) the ePR arrives are those that already meet the strictest current interpretations of the ePrivacy Directive + GDPR. This means: Reject All on the first layer, no dark patterns, granular consent per category, and full consent records.

2. Implement browser-level consent signal support

One of the ePR's proposed innovations is browser-level consent — users would set their cookie preferences in their browser, and websites would read those preferences rather than showing a banner. CookieBeam already supports the Global Privacy Control (GPC) signal, which is a browser-level consent signal gaining adoption. Enabling GPC support in CookieBeam (Settings → Advanced → Honor GPC Signal) future-proofs your setup for browser-level consent frameworks.

3. Decouple your consent management from your analytics platform

Current cookie law requires per-site consent. If the ePR introduces browser-level consent, your consent management system must be able to receive and act on externally set preferences — not just self-managed banner interactions. CookieBeam's architecture already separates consent management from data collection, making this transition straightforward.

4. Build a first-party analytics capability

If the ePR introduces stricter cross-site tracking restrictions, reliance on third-party analytics platforms becomes riskier. Complement your Google Analytics setup with a first-party, privacy-preserving analytics solution (Plausible, Fathom, or a self-hosted Matomo instance). CookieBeam integrates with all of these platforms.

5. Maintain comprehensive consent records

Both the current ePrivacy Directive and the proposed ePR require organisations to be able to demonstrate valid consent. CookieBeam's consent audit log stores a timestamped, tamper-evident record of every consent event — what was consented to, when, under which banner version, and from which geographic region. Export these records quarterly and store them in your compliance archive.

Cookie Law for Mobile Apps: Different Rules Apply

The ePrivacy Directive and cookie law primarily target web browsers. Mobile apps operate under a different — and sometimes stricter — regulatory framework. Understanding the difference is critical if your business includes both a website and a mobile app.

Cookie Law for Mobile Apps: A Different Regulatory Landscape

Mobile apps do not use browser cookies in the traditional sense, but they do use equivalent tracking technologies: mobile advertising IDs (IDFA on iOS, GAID on Android), in-app analytics SDKs, and push notification tokens. These are subject to GDPR in the EU (as personal data), but the specific consent mechanism differs significantly from web cookie banners.

iOS: Apple's App Tracking Transparency (ATT)

Since iOS 14.5 (2021), Apple requires all apps to obtain explicit user permission before accessing the IDFA for cross-app tracking. This is enforced at the operating system level via the App Tracking Transparency prompt — a system-level dialog that appears before your app can access any tracking identifier. Opt-in rates for ATT prompts average 20–35% globally. You cannot replace or supplement the ATT prompt with your own GDPR consent banner for IDFA access — Apple requires the system prompt.

GDPR still applies in parallel: if your app collects other personal data (account details, usage analytics linked to user IDs), you still need a privacy notice and appropriate legal basis. For in-app analytics not using the IDFA (e.g. Firebase Analytics with IDFA collection disabled), GDPR's standard consent or legitimate interests analysis applies without the ATT requirement.

Android: Google Play Data Safety

Google Play requires all apps to disclose their data collection practices in the Play Store Data Safety section. While Google does not enforce an OS-level consent prompt equivalent to ATT, GDPR still requires explicit consent for advertising identifiers and sensitive data categories. Many apps implement their own GDPR consent layer using the IAB's TCF (Transparency and Consent Framework) for mobile.

Practical Implication for CookieBeam Users

CookieBeam's JavaScript SDK is designed for web deployments. If you have a companion mobile app, your mobile consent framework operates separately. Ensure your privacy notice and consent records system covers both web and app data collection. CookieBeam's consent records API can receive mobile consent events via a server-side call, allowing you to maintain a unified consent database even across web and mobile.

Interaction Between the ePrivacy Directive and GDPR: Which Takes Precedence?

The Lex Specialis Principle

The relationship between the ePrivacy Directive and GDPR is governed by the lex specialis principle — the more specific law takes precedence over the more general law in its specific area of application. For electronic communications and cookie storage, the ePrivacy Directive is the lex specialis and takes precedence over GDPR.

This has practical implications: if the ePrivacy Directive requires consent for placing a cookie, you cannot substitute a different GDPR legal basis (such as legitimate interests or contractual necessity) to avoid the consent requirement. The need for consent is established by the ePrivacy Directive, and GDPR then defines the quality standard that consent must meet.

Where GDPR Fills the Gaps

The ePrivacy Directive predates many modern data processing activities and does not address everything. GDPR fills these gaps:

  • Data processed after cookie placement: Once a cookie has been set (subject to ePrivacy consent requirements), the subsequent processing of the data collected by that cookie falls under GDPR. You need both a valid ePrivacy consent for placing the cookie and a valid GDPR legal basis for processing the data it collects.
  • Profiling and automated decision-making: GDPR Articles 21 and 22 govern profiling and automated decisions. The ePrivacy Directive does not address these directly. A GDPR legitimate interests assessment may be the correct legal basis for privacy-respecting profiling, even if the underlying data collection required ePrivacy consent.
  • Data subject rights: GDPR rights (access, erasure, portability, restriction) apply to all personal data including data collected via cookies. The ePrivacy Directive does not provide for these rights — they come entirely from GDPR.

The Consent Quality Question

Before 2018, many national implementations of the ePrivacy Directive had relatively low consent quality standards. The arrival of GDPR effectively raised the bar for all cookie consent by requiring that consent (wherever it is the legal basis) meets GDPR's definition: freely given, specific, informed, and unambiguous. The result is that 'implied consent' (continuing to browse = consent) and 'soft opt-in' mechanisms are invalid under both the ePrivacy Directive and GDPR together, even if some early ePrivacy implementations had tolerated them.

Building a Compliant Cookie Consent Management System

  • No non-essential cookies fired before explicit consent

    Technically enforce this at the tag level — not just a policy statement. CookieBeam blocks all non-necessary tags until the user has made a choice. Verify with browser DevTools on a fresh session.

  • Consent banner appears on every session until a choice is made

    New visitors and visitors whose previous consent has expired (CookieBeam default: 12 months) must be shown the banner again. Do not suppress the banner for returning visitors who have not yet consented.

  • Accept All and Reject All both on the primary banner layer

    Required by CNIL (France), Garante (Italy), and increasingly adopted by all major EU DPAs. This is the single most important design requirement for compliance.

  • Granular category consent available in preference centre

    Users must be able to consent to or reject individual categories (analytics, marketing, functional) in addition to the Accept All / Reject All options.

  • Consent records stored with required metadata

    Timestamp, banner version ID, categories granted, user identifier (anonymised), and jurisdiction must all be stored for each consent event. CookieBeam's consent log captures all of these automatically.

  • Cookie policy linked from banner and updated regularly

    Your cookie policy must list all cookies by name, purpose, type, and retention period. Review and update whenever you add or remove cookies — at minimum quarterly.

  • Persistent re-open mechanism on all pages

    A floating icon or footer link must allow users to revisit and change their consent at any time after the initial choice. This is required for consent to be validly withdrawable.

  • Consent re-triggered on material policy changes

    When you add new cookie categories or change the purpose of existing cookies, re-consent is required for affected users. CookieBeam's version-based re-consent feature handles this automatically.

  • Geo-targeted banner configuration for multi-jurisdiction sites

    Apply stricter (French CNIL, Italian Garante) configurations to users from those jurisdictions. CookieBeam's geo-targeting feature enables per-country banner variants from a single dashboard.

  • Legal review conducted at least annually

    Cookie law guidance evolves frequently. Schedule an annual review of your consent management setup against current DPA guidance in your key markets.
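The checklist above, together with the accept/reject symmetry rule from the enforcement cases, expressed as an added example (not CookieBeam's SDK or any real CMP's code): a small consent model that gates tags on granted categories, stores the required record metadata, expires consent after 12 months, re-prompts on a banner version change, treats a GPC signal as a denial, and audits a banner layout for symmetry. The category names, record shape, banner config shape and 12-month validity are assumptions for the example.

```javascript
// Added example, not CookieBeam's SDK: a consent model that enforces the
// checklist in code. Pure functions, no DOM, so it runs in Node or a browser.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing']; // assumed names
const CONSENT_TTL_MS = 365 * 24 * 60 * 60 * 1000; // assumed 12-month validity

// Must the banner be shown? Yes when there is no record, the record has expired,
// or the banner version changed since consent was given (material policy change).
function needsBanner(record, now, currentVersion) {
  if (!record) return true;
  if (record.bannerVersion !== currentVersion) return true;
  return now - record.timestamp > CONSENT_TTL_MS;
}

// Build a consent record carrying the metadata the checklist requires.
// 'necessary' is always granted; every other category must be listed explicitly.
// visitorId is assumed to be a random per-visitor id, not an account identifier.
function recordConsent({ granted, bannerVersion, now, region, visitorId, source = 'banner' }) {
  const unknown = granted.filter((c) => !CATEGORIES.includes(c));
  if (unknown.length) throw new Error('unknown category: ' + unknown.join(','));
  const chosen = new Set(['necessary', ...granted]);
  return {
    timestamp: now,                                        // when
    bannerVersion,                                         // under which banner version
    categories: CATEGORIES.filter((c) => chosen.has(c)),   // what was consented to
    visitorId,                                             // pseudonymous identifier
    region,                                                // jurisdiction
    source,                                                // 'banner' or 'gpc'
  };
}

// A Global Privacy Control signal can deny but never grant consent, so honouring
// it yields a record that allows only 'necessary' and suppresses the banner
// (assumed handling; the page only states that the signal is honoured).
function recordFromGpc({ bannerVersion, now, region, visitorId }) {
  return recordConsent({ granted: [], bannerVersion, now, region, visitorId, source: 'gpc' });
}

// Tag-level gate: a tag may fire only when its category has been granted.
// With no record at all, only 'necessary' tags run (fresh session).
function isAllowed(record, category) {
  if (category === 'necessary') return true;
  return Boolean(record) && record.categories.includes(category);
}

// Fire every tag whose category is permitted and return the names that ran.
function fireTags(record, tags) {
  const fired = [];
  for (const tag of tags) {
    if (isAllowed(record, tag.category)) {
      tag.fire();
      fired.push(tag.name);
    }
  }
  return fired;
}

// Audit a banner layout against the symmetry rule from the enforcement cases:
// Reject All must be on the first layer with no more clicks than Accept All,
// and no non-necessary category may be pre-ticked. Config shape is assumed:
// { buttons: [{ action, layer, clicks }], preTicked: [category, ...] }
function auditBanner(config) {
  const findings = [];
  const accept = config.buttons.find((b) => b.action === 'accept_all');
  const reject = config.buttons.find((b) => b.action === 'reject_all');
  if (!accept) findings.push('no Accept All button');
  if (!reject) findings.push('no Reject All button');
  if (reject && reject.layer !== 1) findings.push('Reject All not on first layer');
  if (accept && reject && reject.clicks > accept.clicks) {
    findings.push('reject path needs more clicks than accept');
  }
  const preTicked = (config.preTicked || []).filter((c) => c !== 'necessary');
  if (preTicked.length) findings.push('pre-ticked categories: ' + preTicked.join(','));
  return findings;
}

// Constructed walkthrough with sample tags (not real traffic).
function demo() {
  const now = Date.UTC(2026, 0, 15);
  const tags = [
    { name: 'session', category: 'necessary', fire() {} },
    { name: 'ga4', category: 'analytics', fire() {} },
    { name: 'ads-pixel', category: 'marketing', fire() {} },
  ];
  const fresh = fireTags(null, tags); // fresh session: only 'session'
  const rec = recordConsent({ granted: ['analytics'], bannerVersion: 3, now, region: 'FR', visitorId: 'v-4f2a' });
  const afterChoice = fireTags(rec, tags); // 'session' and 'ga4', never the ad pixel
  const gpcRec = recordFromGpc({ bannerVersion: 3, now, region: 'DE', visitorId: 'v-9c11' });
  const afterGpc = fireTags(gpcRec, tags); // only 'session'
  return { fresh, afterChoice, afterGpc,
    expired: needsBanner(rec, now + CONSENT_TTL_MS + 1, 3),   // true: 12 months elapsed
    versionChanged: needsBanner(rec, now, 4),                  // true: re-consent needed
    gpcSuppressesBanner: !needsBanner(gpcRec, now, 3) };       // true
}
```

Running auditBanner against a layout whose Reject All sits on a second layer three clicks deep reports both the layer and the click-depth asymmetry, which is the pattern the CNIL fines above describe.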

Frequently Asked Questions

Do I need a cookie banner if I only use strictly necessary cookies?

If your website genuinely uses only strictly necessary cookies — those essential for the service the user has explicitly requested (session management, security, shopping cart) — you do not need a consent banner for those specific cookies. However, you still need a cookie policy explaining what cookies you use. Be honest about this classification: analytics cookies (even GA4 in basic mode) are not strictly necessary, and most third-party scripts set non-necessary cookies. CookieBeam's cookie scanner can audit your site and identify which cookies are genuinely necessary vs which require consent.

Is Google Analytics exempt from cookie consent requirements?

No. Google Analytics (including GA4) is not exempt from cookie consent requirements in the EU. Analytics cookies, even when used purely for internal site improvement, are not 'strictly necessary' under the ePrivacy Directive because the core service requested by the user (viewing your web page) does not require analytics measurement. Additionally, GA4 involves data transfer to Google's servers, adding a GDPR data transfer dimension. You need valid GDPR consent before GA4 sets cookies or collects identifiable data. The Dutch DPA (AP) provides a limited analytics exemption for specific configurations, but this does not apply to standard GA4 implementations.

What is the maximum duration a cookie consent can be stored?

EU law does not specify a maximum consent duration, but GDPR requires that consent remain current and that users can withdraw it at any time. Most DPA guidance and industry practice treats 12 months as an appropriate consent validity period — after which the user should be prompted to re-confirm their preferences. CookieBeam's default consent expiry is 12 months with automatic re-consent prompting, which aligns with this standard. You can configure a shorter period (6 months) for higher-sensitivity sites.

Can I use a 'legitimate interests' legal basis for analytics cookies instead of consent?

In most EU jurisdictions, no. The ePrivacy Directive establishes that placing analytics cookies on a user's device requires consent as the legal basis — you cannot substitute legitimate interests, even if your analytics processing after the fact might be justifiable under LI. France's CNIL, Italy's Garante, Germany's DSK, and the EDPB all confirm this interpretation. The Netherlands is a partial exception for specific configurations of purely internal, privacy-preserving analytics without vendor data sharing.

How do I handle cookie consent for a website that serves both EU and non-EU visitors?

CookieBeam's geo-targeting feature automatically detects visitor location by IP and applies jurisdiction-appropriate banner configurations. EU/UK visitors see GDPR/PECR-compliant banners; US visitors from states with CCPA/CPRA requirements see compliant opt-out banners; visitors from jurisdictions without specific cookie laws see a lighter notification. You manage all configurations from a single CookieBeam dashboard without needing separate website deployments.

Are cookies set by embedded third-party widgets (YouTube, Google Maps) my responsibility?

Yes. When you embed a third-party widget on your website, any cookies that widget sets on your users' devices are, from a legal perspective, subject to the same consent requirements as your own cookies. You are responsible for ensuring those cookies are not set before the user has consented to the relevant category. CookieBeam's 'Resource Blocking' feature prevents iframes and embedded scripts from loading until the relevant consent category is granted, replacing them with a placeholder that explains the embedded content requires consent to display.


Interaction Between the ePrivacy Directive and GDPR: Which Takes Precedence?

The Lex Specialis Principle

The relationship between the ePrivacy Directive and GDPR is governed by the lex specialis principle — the more specific law takes precedence over the more general law in its specific area of application. For electronic communications and cookie storage, the ePrivacy Directive is the lex specialis and takes precedence over GDPR.

This has practical implications: if the ePrivacy Directive requires consent for placing a cookie, you cannot substitute a different GDPR legal basis (such as legitimate interests or contractual necessity) to avoid the consent requirement. The need for consent is established by the ePrivacy Directive, and GDPR then defines the quality standard that consent must meet.

Where GDPR Fills the Gaps

The ePrivacy Directive predates many modern data processing activities and does not address everything. GDPR fills these gaps:

  • Data processed after cookie placement: Once a cookie has been set (subject to ePrivacy consent requirements), the subsequent processing of the data collected by that cookie falls under GDPR. You need both a valid ePrivacy consent for placing the cookie and a valid GDPR legal basis for processing the data it collects.
  • Profiling and automated decision-making: GDPR Articles 21 and 22 govern profiling and automated decisions. The ePrivacy Directive does not address these directly. A GDPR legitimate interests assessment may be the correct legal basis for privacy-respecting profiling, even if the underlying data collection required ePrivacy consent.
  • Data subject rights: GDPR rights (access, erasure, portability, restriction) apply to all personal data including data collected via cookies. The ePrivacy Directive does not provide for these rights — they come entirely from GDPR.

The Consent Quality Question

Before 2018, many national implementations of the ePrivacy Directive had relatively low consent quality standards. The arrival of GDPR effectively raised the bar for all cookie consent by requiring that consent (wherever it is the legal basis) meets GDPR's definition: freely given, specific, informed, and unambiguous. The result is that 'implied consent' (continuing to browse = consent) and 'soft opt-in' mechanisms are invalid under both the ePrivacy Directive and GDPR together, even if some early ePrivacy implementations had tolerated them.

Building a Compliant Cookie Consent Management System

  • No non-essential cookies fired before explicit consent

    Technically enforce this at the tag level — not just a policy statement. CookieBeam blocks all non-necessary tags until the user has made a choice. Verify with browser DevTools on a fresh session.

  • Consent banner appears on every session until a choice is made

    New visitors and visitors whose previous consent has expired (CookieBeam default: 12 months) must be shown the banner again. Do not suppress the banner for returning visitors who have not yet consented.

  • Accept All and Reject All both on the primary banner layer

    Required by CNIL (France), Garante (Italy), and increasingly adopted by all major EU DPAs. This is the single most important design requirement for compliance.

  • Granular category consent available in preference centre

    Users must be able to consent to or reject individual categories (analytics, marketing, functional) in addition to the Accept All / Reject All options.

  • Consent records stored with required metadata

    Timestamp, banner version ID, categories granted, user identifier (anonymised), and jurisdiction must all be stored for each consent event. CookieBeam's consent log captures all of these automatically.

  • Cookie policy linked from banner and updated regularly

    Your cookie policy must list all cookies by name, purpose, type, and retention period. Review and update whenever you add or remove cookies — at minimum quarterly.

  • Persistent re-open mechanism on all pages

    A floating icon or footer link must allow users to revisit and change their consent at any time after the initial choice. This is required for consent to be validly withdrawable.

  • Consent re-triggered on material policy changes

    When you add new cookie categories or change the purpose of existing cookies, re-consent is required for affected users. CookieBeam's version-based re-consent feature handles this automatically.

  • Geo-targeted banner configuration for multi-jurisdiction sites

    Apply stricter (French CNIL, Italian Garante) configurations to users from those jurisdictions. CookieBeam's geo-targeting feature enables per-country banner variants from a single dashboard.

  • Legal review conducted at least annually

    Cookie law guidance evolves frequently. Schedule an annual review of your consent management setup against current DPA guidance in your key markets.

Frequently Asked Questions

Do I need a cookie banner if I only use strictly necessary cookies?

If your website genuinely uses only strictly necessary cookies — those essential for the service the user has explicitly requested (session management, security, shopping cart) — you do not need a consent banner for those specific cookies. However, you still need a cookie policy explaining what cookies you use. Be honest about this classification: analytics cookies (even GA4 in basic mode) are not strictly necessary, and most third-party scripts set non-necessary cookies. CookieBeam's cookie scanner can audit your site and identify which cookies are genuinely necessary and which require consent.

Is Google Analytics exempt from cookie consent requirements?

No. Google Analytics (including GA4) is not exempt from cookie consent requirements in the EU. Analytics cookies, even when used purely for internal site improvement, are not 'strictly necessary' under the ePrivacy Directive because the core service requested by the user (viewing your web page) does not require analytics measurement. Additionally, GA4 involves data transfer to Google's servers, adding a GDPR data transfer dimension. You need valid GDPR consent before GA4 sets cookies or collects identifiable data. The Dutch DPA (AP) provides a limited analytics exemption for specific configurations, but this does not apply to standard GA4 implementations.

What is the maximum duration a cookie consent can be stored?

EU law does not specify a maximum consent duration, but GDPR requires that consent remain current and that users can withdraw it at any time. Most DPA guidance and industry practice treats 12 months as an appropriate consent validity period — after which the user should be prompted to re-confirm their preferences. CookieBeam's default consent expiry is 12 months with automatic re-consent prompting, which aligns with this standard. You can configure a shorter period (6 months) for higher-sensitivity sites.

Can I use a 'legitimate interests' legal basis for analytics cookies instead of consent?

In most EU jurisdictions, no. The ePrivacy Directive establishes that placing analytics cookies on a user's device requires consent as the legal basis — you cannot substitute legitimate interests, even if your analytics processing after the fact might be justifiable under LI. France's CNIL, Italy's Garante, Germany's DSK, and the EDPB all confirm this interpretation. The Netherlands is a partial exception for specific configurations of purely internal, privacy-preserving analytics without vendor data sharing.

How do I handle cookie consent for a website that serves both EU and non-EU visitors?

CookieBeam's geo-targeting feature automatically detects visitor location by IP and applies jurisdiction-appropriate banner configurations. EU/UK visitors see GDPR/PECR-compliant banners; US visitors from states with CCPA/CPRA requirements see compliant opt-out banners; visitors from jurisdictions without specific cookie laws see a lighter notification. You manage all configurations from a single CookieBeam dashboard without needing separate website deployments.

Are cookies set by embedded third-party widgets (YouTube, Google Maps) my responsibility?

Yes. When you embed a third-party widget on your website, any cookies that widget sets on your users' devices are, from a legal perspective, subject to the same consent requirements as your own cookies. You are responsible for ensuring those cookies are not set before the user has consented to the relevant category. CookieBeam's 'Resource Blocking' feature prevents iframes and embedded scripts from loading until the relevant consent category is granted, replacing them with a placeholder that explains the embedded content requires consent to display.
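Both the checklist item "no non-essential cookies fired before explicit consent" (enforced at the tag level, then verified in DevTools on a fresh session) and the resource blocking described in this answer rest on the same mechanism: third-party scripts and embeds are shipped inert and only made live once their consent category is granted. The following is an added example of that technique written for this guide, not CookieBeam's 'Resource Blocking' implementation. The `data-consent-category` and `data-src` attribute names, the placeholder class name and the sample cookie names in the test are this example's own choices.

```javascript
// Added example (not CookieBeam code): gate third-party scripts and embeds on
// a consent category, and check that nothing fired early.
//
// Assumed markup convention (attribute names chosen for this example):
//   <script type="text/plain" data-consent-category="analytics"
//           data-src="https://analytics.example/collect.js"></script>
//   <iframe data-consent-category="marketing"
//           data-src="https://video.example/embed/123"></iframe>
// A browser does not execute a script whose type is not a JavaScript MIME type,
// and an iframe with no src loads nothing, so no request reaches the third
// party until data-src is copied into src after consent.

// Pure decision step, default deny: an element may load only when its category
// is explicitly granted; elements with no category attribute stay blocked.
function planActivation(elements, grantedCategories) {
  const granted = new Set(grantedCategories);
  const activate = [];
  const keepBlocked = [];
  for (const el of elements) {
    if (typeof el.category === 'string' && granted.has(el.category)) activate.push(el);
    else keepBlocked.push(el);
  }
  return { activate, keepBlocked };
}

// DOM step: run on page load with the stored choice and again on every change.
// Returns the number of elements made live (0 when there is no document, e.g. Node).
function applyToDocument(grantedCategories, doc = globalThis.document) {
  if (!doc) return 0;
  const nodes = Array.from(doc.querySelectorAll('[data-consent-category][data-src]'));
  const { activate, keepBlocked } = planActivation(
    nodes.map((node) => ({ category: node.dataset.consentCategory, node })),
    grantedCategories,
  );
  let made = 0;
  for (const { node } of activate) {
    const prev = node.previousElementSibling;
    if (prev && prev.classList.contains('consent-placeholder')) prev.remove();
    if (node.tagName === 'SCRIPT') {
      // A blocked script cannot be re-typed in place; replace it with a live one.
      const live = doc.createElement('script');
      live.src = node.dataset.src;
      live.async = true;
      node.replaceWith(live);
      made++;
    } else if (!node.getAttribute('src')) { // avoid reloading an already-live iframe
      node.src = node.dataset.src;
      made++;
    }
  }
  for (const { node, category } of keepBlocked) {
    // Show a visible placeholder beside blocked embeds (scripts need none).
    const prev = node.previousElementSibling;
    if (node.tagName === 'IFRAME' && !(prev && prev.classList.contains('consent-placeholder'))) {
      const note = doc.createElement('div');
      note.className = 'consent-placeholder';
      note.textContent = `This embedded content loads only after you allow "${category}" cookies.`;
      node.before(note);
    }
  }
  return made;
}

// The "verify in DevTools on a fresh session" check, automated: given the cookie
// names observed before any choice was made and the names you declared strictly
// necessary, return the ones that should not exist yet.
function findPrematureCookies(observedCookieNames, necessaryCookieNames) {
  const necessary = new Set(necessaryCookieNames);
  return observedCookieNames.filter((name) => !necessary.has(name));
}

if (typeof module !== 'undefined') {
  module.exports = { planActivation, applyToDocument, findPrematureCookies };
}
```

The decision step is kept free of DOM calls on purpose: it can be unit-tested, and the same function can drive a server-side template that omits blocked embeds entirely, which is the stronger guarantee when the third party must never see the request at all.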
