Cookie consent requirements continue to evolve as privacy regulations tighten and browser technologies change. This guide covers what you need to know to ensure your website complies with GDPR, ePrivacy Directive, CCPA, and emerging privacy laws in 2026.

GDPR Cookie Requirements

1. Prior Consent Required

Under GDPR and the ePrivacy Directive, you must obtain explicit consent before setting non-essential cookies. This means:

  • Cookies cannot be set when a user first lands on your site
  • Consent must be obtained before any non-essential cookies are placed
  • Users must be able to reject cookies as easily as accept them
  • The default must not have pre-checked checkboxes

2. Granular Consent Options

GDPR requires consent to be granular. Users must be able to:

  • Accept all cookies
  • Reject non-essential cookies
  • Select specific cookie categories (analytics, marketing, functional)
  • Change their preferences at any time

3. Clear Cookie Information

Your cookie banner and policy must include:

  • Purpose of each cookie category
  • Types of data collected by cookies
  • Third parties who receive cookie data
  • Retention period for cookie data
  • How to withdraw consent

4. Consent Records

You must maintain records of consent:

  • What the user consented to
  • When consent was given
  • How consent was obtained
  • User's preferences at that time
  • Ability to demonstrate consent if challenged

CCPA/CPRA Cookie Requirements

Opt-Out Rights

California's CCPA and CPRA focus on the right to opt out of "sale" or "sharing" of personal information, which includes cookies used for advertising:

  • Must provide a clear "Do Not Sell My Personal Information" link
  • Must honor opt-out requests within 15 days
  • Cannot require account creation to opt out
  • Must stop selling/sharing upon opt-out request
  • Must disclose cookie use in privacy policy

Important

CCPA applies to for-profit businesses meeting revenue thresholds ($25M+), data thresholds (100k+ consumers), or deriving 50%+ revenue from selling data. CPRA applies to businesses meeting modified thresholds including 100k+ household data.

Consent Best Practices

Cookie Banner Design

  • Keep it non-intrusive but noticeable
  • Use clear, jargon-free language
  • Provide easy access to full policy
  • Include clear Accept/Reject buttons
  • Offer preference center link

Cookie Categories

  • Essential/Strictly Necessary
  • Analytics/Performance
  • Functional/Preferences
  • Advertising/Targeting
  • Social Media

Consent Management

  • Store consent with timestamp
  • Respect consent across sessions
  • Allow easy preference changes
  • Re-prompt after 12 months
  • Document all consent changes

Third-Party Cookies

  • Disclose all third-party vendors
  • Require consent for each category
  • Review vendor privacy policies
  • Monitor for policy updates
  • Maintain vendor agreements

Cookie Compliance Checklist

Implementation

  • Cookie banner implemented
  • Consent management in place
  • Cookie policy created/updated
  • Cookie categories defined
  • Preference center built
  • Third-party vendors documented

Legal

  • GDPR requirements met
  • CCPA opt-out in place
  • Consent records maintained
  • Policy linked in banner
  • 12-month re-consent cycle
  • Right to delete honored

Technical

  • Cookies blocked until consent
  • Consent stored properly
  • Preference changes working
  • Opt-out signals honored
  • Cookie audit completed
  • Server-side consent option

Pro Tip

Consider implementing a consent management platform (CMP) that supports multiple regulations and provides automatic updates as laws change. Many CMPs also handle Google's evolving third-party cookie phase-out requirements.

Frequently Asked Questions

Are analytics cookies GDPR compliant?

Analytics cookies can be considered essential or non-essential depending on how they're implemented. If they collect IP addresses or create pseudonymous profiles, they typically require consent. Anonymized analytics without consent may be permissible in some jurisdictions.

Can I use a cookie wall that blocks content?

Cookie walls that block all access until consent are generally not GDPR compliant because consent must be freely given. Users must be able to access your site without accepting non-essential cookies. Consider a warning rather than a hard block.

How often do I need to re-request consent?

GDPR guidance suggests refreshing consent at least every 12 months or when your data processing changes significantly. CCPA doesn't require re-consent but does require disclosure if purposes change.

What about cookie banners on mobile apps?

Mobile apps require consent for the same reasons as websites. In-app tracking consent (iOS App Tracking Transparency) is required for apps distributed through the App Store meeting certain thresholds.

Check Your Cookie Compliance

PolicyLens can audit your website for cookie consent compliance and identify issues with your banner, policy, and tracking implementations.

Run Free Cookie Audit