Why Cookie Consent Matters
The ePrivacy Directive (often called the "Cookie Law") combined with GDPR requirements means that simply showing a cookie banner is not enough. Your implementation must:
- Obtain prior consent before setting non-essential cookies
- Provide granular options — users must be able to choose categories
- Make rejection as easy as acceptance — no dark patterns
- Record proof of consent — maintain auditable consent records
- Allow easy withdrawal — users must be able to change preferences
Common Mistakes
Mistake 1: Pre-checked Boxes
The CJEU ruled in Planet49 (C-673/17) that pre-checked checkboxes do not constitute valid consent.
Mistake 2: Cookie Walls
Blocking access to your website unless cookies are accepted is generally not compliant, as consent must be freely given.
Mistake 3: Vague Descriptions
Telling users you use cookies "to improve experience" is insufficient. You must specify what cookies do and who sets them.
Mistake 4: No Granularity
Offering only "Accept All" without category-level choices violates the granularity requirement.
Implementation Guide
Step 1: Categorize Your Cookies
- Strictly Necessary: Authentication, security, load balancing
- Functional: Language preferences, UI customization
- Analytics: Usage statistics, performance monitoring
- Marketing: Ad targeting, social media integration
Step 2: Block Before Consent
No non-essential cookies should be set before the user makes a choice. This means:
- Analytics scripts should not load until consent is given
- Marketing pixels should be blocked by default
- Third-party embeds should use consent-aware loading
Step 3: Design for Compliance
- Equal prominence for "Accept" and "Reject" buttons
- Detailed information available but not required to read
- Clear labeling of each cookie category
- Accessible to screen readers and keyboard navigation
Technical Implementation
Use a consent management approach that:
- Stores consent preferences in a first-party cookie
- Conditionally loads third-party scripts based on consent
- Provides an API for checking consent status
- Sends consent signals to analytics platforms (e.g., Google Consent Mode)