GDPR cookie consent checklist
A clear GDPR cookie consent checklist covering prior blocking, equal Accept and Reject choices, granular categories, withdrawal and proof of consent, with the German and French nuances that trip teams up.
Why a banner alone is not GDPR compliance
The GDPR, read with the ePrivacy rules that each EU country transposes locally, sets a high bar for cookies. Consent must be freely given, specific, informed and unambiguous, and it must come before the tracker runs. A banner that simply announces cookies, or that lets analytics fire on page load, fails the test no matter how polished it looks.
This checklist walks through the concrete requirements. Treat each item as something you can verify in a browser or in your records, not just a setting you toggled once and forgot.
Block non-essential cookies before consent
Prior blocking is the foundation. Until the visitor opts in, every non-essential script must stay inert: analytics, advertising pixels, social embeds, heatmaps and chat widgets. Only strictly necessary cookies, the ones needed to deliver the page or keep a session, may run without consent.
Verify this by loading your site in a private window and watching the Network tab before clicking anything. If you see calls to tracking domains before consent, you are not compliant, regardless of what the banner says.
Make Reject as easy as Accept
Regulators in Germany, France and across the EU have been explicit that rejecting must be no harder than accepting. That means an Accept and a Reject button at the same level, with the same visual weight, on the first layer of the banner. Hiding Reject behind a Manage preferences screen while Accept is one click is a recognized dark pattern.
France's CNIL in particular has fined large sites for exactly this imbalance. If your design makes saying no slower or less obvious than saying yes, fix it first.
Offer granular, unticked choices
Consent must be specific, so bundle trackers into clear categories such as analytics, marketing and personalization, and let the visitor choose per category. Nothing may be pre-ticked or pre-enabled. A single Accept all is fine as long as a single Reject all is equally available and the granular controls exist for those who want them.
Pre-selected boxes have been ruled invalid by the Court of Justice of the EU, so an unticked default is not optional.
Allow easy withdrawal at any time
Consent that cannot be withdrawn is not freely given. Visitors need a persistent and obvious way to change their mind later, such as a small floating control or a link that reopens the preference center. Withdrawal must be as easy as the original consent, and once withdrawn the trackers must stop.
A common gap is offering withdrawal only on a buried privacy page. Keep the re-open trigger visible on every page.
Keep proof of consent
If a regulator asks, you must be able to show what a given visitor agreed to and when. That means a record per consent event capturing the choice, the timestamp, and ideally the exact version of the notice the visitor saw. Tamper-evident receipts that bind the policy version and a hash to each record turn this from a claim into evidence.
Without records, you are relying on the regulator to take your word for it, which is not a position you want to be in during an audit.
Country nuances to watch
Germany applies the GDPR alongside the federal BDSG and the TDDDG, which transposes the ePrivacy storage rule, and German authorities reject continued browsing as consent. France enforces through the CNIL, which publishes detailed guidance on banner design and has acted on Reject-all imbalance and unclear choices.
If you operate across the EU, design to the strictest interpretation. A banner that satisfies German and French regulators will generally satisfy the rest of the bloc.
This guide is a plain-English summary for general information and is not legal advice. Confirm your obligations with qualified counsel.
Frequently asked questions
Does GDPR require an opt-in or opt-out for cookies?
Opt-in. Non-essential cookies need prior, affirmative consent before they run, and pre-ticked boxes or implied consent from continued browsing are not valid.
Is an Accept-only cookie banner allowed under GDPR?
No. Rejecting must be as easy as accepting, which means a Reject control of equal prominence on the first layer of the banner.
How long should I keep cookie consent records?
Keep them long enough to demonstrate compliance for the relevant limitation period, commonly several years. The key is that each record proves the specific choice, the time, and the notice version shown.
Do strictly necessary cookies need consent?
No. Cookies that are essential to deliver the service the user requested, such as session or security cookies, do not need consent, but you should still disclose them.