If you run a website, you’ve probably come across the term cookie consent, but understanding what’s required can get confusing.
It’s understandable to feel overwhelmed, given the number of evolving privacy laws, the different types of cookies, the distinction between essential and non-essential cookies, and their technical setup.
In this article, I describe the cookie consent requirements for website owners, which laws apply, and what steps you need to take to meet today’s obligations.
What is Cookie Consent?
Cookie consent is the permission websites ask from visitors before placing non-essential cookies on their devices.
These cookies might track user behavior and preferences, collect data for analytics, or deliver targeted ads.
While cookies can help improve the user experience and marketing efforts, they also raise privacy concerns; this is where consent becomes vital.
Cookie consent ensures that users have control over whether and how their data is collected through cookies and typically includes the following:
- A pop-up cookie consent banner,
- A link to an accurate and transparent cookie policy,
- Buttons for the user to accept or deny all cookies, or only certain categories,
- A link to a preference center where users can change their minds at any time.
As a website owner, you’re responsible for informing all visitors of your website about what cookies you use and why you use them.
But you must also explain how they can manage their cookie consent and withdraw it or opt out, irrespective of whether they are registered users or anonymous website visitors.
Cookie Consent Requirements for Websites
To meet cookie consent requirements and respect user privacy, you’ll need to implement certain features and practices that align with global standards.
Below are some core elements every website owner should consider when setting up a privacy-conscious cookie consent experience.
Present Cookie Banner Upon Users’ First Visit
One of the most important steps is showing a cookie banner as soon as a user lands on your site before any non-essential cookies are set.
In other words, you may not place cookies on a visitor’s device before that visitor has given consent, with the sole exception of strictly necessary cookies.
Your cookie consent banner should explain that your site uses cookies, outline their purpose, and allow users to accept or reject them.
To be legally valid, consent must be:
- Informed: Users should know what types of cookies you’re using, what their purpose and duration are, and whether the data is shared with any third party.
- Freely Given: Do not force user acceptance by restricting access to content.
- Specific and Granular: Allow users to choose separately which categories of cookies they accept (e.g. analytics, marketing, etc.).
- Unambiguous: Obtained through clear and affirmative action, without pre-checked boxes or implied consent via vague messages such as “by continuing to use this site”.
Access to a Cookie Preference Center
In addition to your cookie consent banner, you should offer users access to a cookie preference center.
This is a dedicated interface where they can review and change their cookie choices anytime.
A cookie preference center helps ensure that you:
- Maintain ongoing user control over tracking technologies
- Support legal requirements for consent withdrawal
- Improve transparency and user trust as a result
Your preference center should be easy to find, for example linked from your site’s footer or settings menu.
Consent Logs and Tracking User Consent
It’s not enough to collect consent; you also must prove you obtained it in a legally sound way.
That’s where consent logs come in.
Consent logs show when and how a user gave (or withdrew) consent and what they agreed to at the time, including:
- The exact timestamp of consent
- Cookie categories explicitly accepted or declined
- User location or IP (where legally permitted)
- The consent mechanism used (e.g. banner, preference center)
- The version of the banner or preference tool shown
- Evidence of the consent withdrawal, if applicable
Storing this information helps demonstrate compliance if a supervisory authority audits your website or your company.
Use tools like our Consent Management Platform to help automate this process for you.
Cookies and Universal Opt-Out Mechanisms
Some privacy laws, particularly in the U.S., now require businesses to honor universal opt-out mechanisms.
Universal opt-out mechanisms (UOOMs) are signals a user’s browser sends to every site they visit, so they are opted out of tracking automatically without having to repeat the choice on each site.
One example is the Global Privacy Control (GPC), which works with supported browsers to communicate a user’s privacy preference.
Incorporating support for universal opt-outs shows your users that you take privacy seriously and aligns your website with requirements outlined by laws like the CCPA.
By honoring browser-based signals like GPC, you’re giving users a seamless, proactive way to exercise their rights without forcing them to dig through settings or banners each time they arrive on a new website.
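As an added illustration of three mechanisms described above (gating non-essential cookies until consent is given, writing a consent log entry with the listed fields, and honoring a GPC signal), here is example code that is not from the article or from Termly’s platform. The category names, the storage key, and the assumption that a GPC signal switches off the marketing and social categories are choices made for this example; `navigator.globalPrivacyControl` is the browser property the GPC specification defines, set when the browser also sends the `Sec-GPC: 1` request header.

```javascript
// Added example (not from the article): a consent gate in plain JavaScript.
// Pure functions carry the logic so it can be tested outside a browser;
// initConsent() is the browser glue. Category names are assumptions.

const NON_ESSENTIAL = ["functional", "analytics", "marketing", "social"];
// Assumption: marketing and social cookies are the "sale or sharing" categories
// that a Global Privacy Control (GPC) opt-out signal must switch off.
const GPC_OPT_OUT = ["marketing", "social"];

// Categories that may run on this page load. On a first visit (no record) or
// after withdrawal, only strictly necessary cookies are allowed.
function allowedCategories(record, gpcSignal) {
  const allowed = new Set(["essential"]);
  if (record && !record.withdrawnAt) {
    for (const cat of NON_ESSENTIAL) {
      if (record.accepted.includes(cat)) allowed.add(cat);
    }
  }
  if (gpcSignal === true) {
    for (const cat of GPC_OPT_OUT) allowed.delete(cat);
  }
  return allowed;
}

// Consent log entry with the fields listed above; IP kept only where legally permitted.
function buildConsentRecord({ accepted, mechanism, version, now, ipAllowed = false, ip = null }) {
  return {
    timestamp: now.toISOString(),
    accepted: NON_ESSENTIAL.filter((c) => accepted.includes(c)),
    declined: NON_ESSENTIAL.filter((c) => !accepted.includes(c)),
    mechanism, // "banner" or "preference-center"
    version, // version of the banner or preference tool shown
    ip: ipAllowed ? ip : null,
    withdrawnAt: null,
  };
}

// Withdrawal keeps the original record and adds evidence of when it happened.
function withdrawConsent(record, now) {
  return { ...record, withdrawnAt: now.toISOString() };
}

// Browser glue: read the stored record and the GPC signal, then run the
// loaders (tag initialisers) only for permitted categories.
function initConsent(loaders, storage = globalThis.localStorage, nav = globalThis.navigator) {
  const stored = JSON.parse((storage && storage.getItem("cookie_consent")) || "null");
  const gpc = !!(nav && nav.globalPrivacyControl === true); // true when Sec-GPC: 1 is sent
  const allowed = allowedCategories(stored, gpc);
  for (const cat of allowed) if (typeof loaders[cat] === "function") loaders[cat]();
  return allowed;
}
```

In a real deployment the banner and preference center call `buildConsentRecord` and `withdrawConsent`, persist the result under the `cookie_consent` key (and server-side for audit), and every page load calls `initConsent` before any non-essential tag is loaded.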
What Laws Require Consent for Cookies?
Several data privacy laws worldwide require websites to get user consent before setting certain types of cookies — especially those used for tracking, analytics, and advertising.
It’s vital for you to understand which laws apply to your audience so you can collect data responsibly and avoid potential penalties.
Below I summarize some major regulations affecting cookie consent.
General Data Protection Regulation (GDPR)
The GDPR is a sweeping privacy law that applies across the European Union (EU) and European Economic Area (EEA) and to any businesses around the world that target and collect data from EU/EEA users, even if you’re registered elsewhere.
If your website reaches individuals located in the EU, you’ll need to follow these GDPR standards to ensure your cookie consent practices are legally sound.
ePrivacy Directive (EU Cookie Law)
The ePrivacy Directive, often called the “EU Cookie Law,” is a regulation that specifically targets electronic communications and the use of technologies like cookies.
While it works in tandem with the GDPR, as lex specialis, it focuses more narrowly on how information can be stored and accessed on users’ devices.
Like GDPR, it requires active user consent for non-essential cookies and emphasizes transparency, user choice, and the ability to withdraw consent.
If you use cookies to track EU users, this directive — with the GDPR — helps shape what you can do and how you must inform your users.
UK GDPR & Privacy and Electronic Communications Regulations (PECR)
After Brexit, the UK retained its own version of the GDPR and continues to enforce cookie rules through PECR. These laws mirror the EU’s approach and apply to websites collecting data from UK users.
If your audience includes UK users, you’ll need to meet both PECR and UK GDPR expectations.
California Consumer Privacy Act (CCPA) & California Privacy Rights Act (CPRA)
The CCPA and its expansion, the CPRA, give California residents greater control over how their personal data is collected and shared — especially for advertising purposes.
Unlike the GDPR, the CCPA does not require prior explicit consent before setting any cookies.
However, the CCPA does require transparency through a clear notice at or before data collection and gives users the right to opt out of the sale or sharing of their personal information with any third parties.
If your website targets or collects data from California residents, you’ll need to build cookie practices that support transparency and respect user opt-out rights.
Other state-level privacy laws — like the Virginia Consumer Data Protection Act (VCDPA), Colorado Privacy Act (CPA), and Connecticut Data Privacy Act (CTDPA) — include similar requirements around transparency and opt-out rights.
Personal Information Protection and Electronic Documents Act (PIPEDA)
PIPEDA, one of Canada’s fundamental privacy laws, requires organizations to obtain meaningful consent before collecting personal data, including through cookies.
Organizations must clearly explain cookie usage, provide easily accessible opt-out methods, and maintain transparent cookie or privacy policies.
If you have Canadian users, make sure your cookie consent practices are transparent and easy to manage.
What Cookies Require Consent from Website Visitors?
As a general rule, you must obtain informed consent from your users before placing any cookies on their browsers that are not strictly necessary for your website to function.
Essential Cookies (No Consent Required)
Essential cookies, also known as strictly necessary cookies, help your website function properly and help with basic features, like:
- Keeping users logged in
- Enabling secure authentication
- Remembering items in a shopping cart
- Navigating between pages or sessions
Because these cookies typically don’t involve collecting or processing personal data, you usually don’t need to request consent to use them.
However, you must still disclose your use of them in your cookie policy.
Non-Essential Cookies (Consent Required)
Non-essential cookies aren’t required for your site to operate but are often used to improve performance or support business goals.
These cookies typically process personal information and include:
- Analytics cookies that track user behavior to help improve site or services functionality.
- Advertising cookies that power personalized ads based on browsing activity.
- Some functional cookies that store preferences and enhance usability but are not required for core operations.
- Social media cookies that enable sharing features or third-party embedded content.
Before placing any of these cookies, you’ll need to inform users and obtain their consent, especially if your site is subject to laws like the GDPR.
What are the Penalties for Not Complying with Cookie Consent Requirements?
Failing to comply with cookie consent regulations can result in financial penalties and reputational damage.
Under the GDPR, organizations can face fines of up to €20 million or 4% of their annual global turnover, whichever is higher, for serious violations.
For example, in 2023 the French Data Protection Authority fined TikTok €5 million for violating GDPR standards.
The platform made it difficult for its users to refuse cookies, requiring several clicks to refuse them all, which in practice steered users towards accepting all of them.
Under CCPA and CPRA, fines for unintentional violations can be up to $2,500 per incident, and up to $7,500 for each severe or intentional incident.
In March 2025, the California Privacy Protection Agency (CPPA) fined American Honda Motor Co. $632,500 for multiple violations of the CCPA, including:
- Collecting excessive personal information.
- Designing consent banners that made opting out more difficult than opting in.
- Sharing personal data without proper contracts.
These enforcement actions underscore a growing global focus on user privacy.
But beyond the financial consequences, failing to meet cookie consent standards can erode trust and harm your reputation.
Transparent, user-friendly practices are more than a legal requirement — they’re a key part of building a privacy-conscious.
Want to simplify cookie compliance? Termly’s Consent Management Platform makes it easier to meet legal requirements and build user trust.