Cookie Consent

Cookie consent is a user’s explicit permission to store or read non-essential cookies and similar trackers on their device. It exists so websites comply with privacy laws that require a clear opt-in before any tracking begins. The request usually appears as a cookie consent banner the moment a visitor lands on a page.
Why Cookie Consent Matters
Cookie consent is a legal requirement across much of the world, not a courtesy. In the EU, the ePrivacy Directive combined with the GDPR requires prior, informed consent before any non-essential cookie loads. Fines for non-compliance reach up to 4% of global annual revenue under GDPR.
The rules also shape data quality. When users reject tracking, analytics and advertising cookies never fire, so reports undercount real traffic. Marketers who understand consent can plan for that gap instead of trusting inflated numbers.
Consent covers more than cookies. It applies to pixels, local storage, device fingerprinting, and any technology that reads or writes data on a user’s device for tracking. The word “cookie” is shorthand for the whole category.
What Cookie Consent Covers
Most consent tools sort trackers into four standard categories. Users can usually accept or reject each one:
- Strictly necessary. Cookies required for the site to function, such as login sessions and shopping carts. These do not need consent.
- Functional or preferences. Cookies that remember choices like language or region.
- Statistics or analytics. Cookies used by tools like Google Analytics to measure traffic.
- Marketing or advertising. Cookies used for retargeting and cross-site ads, often set by third-party cookies.
Only the strictly necessary category is exempt. Everything else requires an affirmative opt-in under GDPR.
How Cookie Consent Works
A compliant setup blocks non-essential scripts until the user acts. The sequence looks like this:
- A visitor arrives. A cookie consent banner appears before any tracking cookie loads.
- The banner explains what data is collected and offers clear choices: Accept All, Reject All, or customize by category.
- The user makes a choice. The site stores that decision, usually in a first-party cookie that lasts 6 to 12 months.
- Scripts fire only for the categories the user approved. Rejected trackers stay blocked.
Valid consent under GDPR must be freely given, specific, informed, and unambiguous. Pre-ticked boxes do not count. The Court of Justice of the EU confirmed this in the 2019 Planet49 ruling.
Cookie Consent Banner Requirements
A cookie consent banner must give equal weight to accepting and rejecting. Regulators have been strict on this. France’s CNIL fined Google 150 million euros and Facebook 60 million euros in 2022 because rejecting cookies took more clicks than accepting them.
A compliant banner should:
- Offer a Reject All button as prominent as Accept All.
- Explain what each cookie category does in plain language.
- Load no non-essential cookies before the user consents.
- Let users withdraw consent as easily as they gave it.
Scrolling, continuing to browse, or ignoring the banner does not equal consent. Silence or inactivity cannot be treated as approval.
Cookie Consent and Campaign Tracking
Rejected cookies break cookie-based tracking, but they do not erase every signal. UTM parameters live in the page URL, not in a cookie, so they still identify which campaign sent a visitor even when tracking cookies are declined.
Google addresses the gap with Consent Mode, which adjusts how tags behave based on a user’s choice and models conversions from the traffic that consents. Advertisers running Google Ads in the EEA have needed Google Consent Mode v2 since March 2024. Because UTM tags survive cookie rejection, they remain a reliable layer of campaign attribution alongside consent-based measurement.
Common Cookie Consent Mistakes
The most frequent error is showing a banner while letting cookies load anyway. A banner with no script blocking behind it is not compliance; it is decoration.
Other common mistakes:
- Using only an “Accept” button with no way to reject.
- Setting analytics or ad cookies before the user clicks anything.
- Treating a scroll or a page click as implied consent.
- Never letting users change their choice after the first visit.
Frequently Asked Questions
What is cookie consent?
Cookie consent is a user’s permission to store non-essential cookies and trackers on their device. It is required by privacy laws like the GDPR and ePrivacy Directive. Sites request it through a banner that appears on the first visit, before any tracking cookie loads.
What is a cookie consent banner?
A cookie consent banner is the pop-up or bar that asks visitors to accept or reject cookies. It must explain what data is collected and give a Reject All option as easy to use as Accept All. Compliant banners block non-essential cookies until the user chooses.
Is cookie consent legally required?
In the EU, EEA, and UK, cookie consent is required for all non-essential cookies under the GDPR and ePrivacy Directive. California’s CCPA uses an opt-out model instead, with a “Do Not Sell My Personal Information” link. Requirements vary by region, so many sites apply the strictest standard globally.
Does rejecting cookies stop all tracking?
No. Rejecting cookies blocks cookie-based tracking, but URL-based signals like UTM parameters still work because they sit in the link, not a cookie. Tools like Google Consent Mode also model some conversions from users who do consent.
To keep campaign attribution accurate even when visitors reject cookies, tag your links with UTM parameters.