GDPR Consent Management: Complete Guide for Website Owners
Consent is the most commonly used legal basis for cookies and tracking on websites, but most implementations get it wrong. Invalid consent means every cookie you set and every analytics event you track is technically unlawful. Here is how to implement GDPR consent management correctly in 2026.
GDPR consent management is not just about showing a cookie banner. It is a comprehensive system for obtaining, recording, managing, and respecting user choices about how their personal data is processed. Since the GDPR came into force, enforcement has intensified year over year. In 2025 alone, data protection authorities across Europe issued over 2 billion euros in fines, with consent violations being among the most common reasons. Cookie banner enforcement actions have been brought against companies of all sizes, from tech giants to small businesses.
The problem is that most website owners either have no consent mechanism at all, or they have a cookie banner that does not actually meet GDPR requirements. A banner that says “By continuing to browse, you accept cookies” is not valid consent. A banner with only an “Accept All” button and a tiny, hard-to-find reject option is not valid consent. Pre-checked boxes are not valid consent. These patterns are still everywhere in 2026, and they are all non-compliant.
This guide explains what valid consent actually means under GDPR, how to implement it properly, and how to choose and configure a consent management platform that keeps you compliant.
What Counts as Valid Consent Under GDPR
Article 7 and Recital 32 of the GDPR define consent as “any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” Each of these words matters:
Freely Given
Consent must be a genuine choice. The user must be able to refuse consent without any detriment. This means you cannot block access to your website if a user declines cookies (the so-called “cookie wall”). You cannot bundle consent for tracking with consent for a service that does not require tracking. And you cannot make acceptance of non-essential cookies a condition of using your website. The European Data Protection Board (EDPB) has been clear that cookie walls are generally not compliant because they do not provide a free choice.
Specific
Consent must be given for each specific purpose. A single “Accept All” button that covers analytics, advertising, personalisation, and social media tracking in one click does not satisfy the specificity requirement unless the user also has the option to consent to each purpose individually. Your consent mechanism must allow granular choices — users should be able to accept analytics cookies while rejecting advertising cookies, for example.
Informed
Before giving consent, the user must be told clearly who is processing their data, for what purposes, what types of cookies or tracking technologies are used, and how long the cookies persist. This information must be accessible before the user makes their choice — not buried on a separate page they are unlikely to visit. The language must be clear and plain, not legalese.
Unambiguous
Consent requires a clear affirmative action. Scrolling, continuing to browse, or failing to interact with a banner do not constitute consent. Pre-ticked checkboxes do not constitute consent (the Planet49 ruling made this explicit). The user must actively click a button, toggle a switch, or take some other deliberate action that clearly signals their agreement.
What Requires Consent and What Does Not
Not everything on your website requires consent. Understanding the distinction is critical for implementing consent management correctly. The ePrivacy Directive (which works alongside GDPR for cookies) distinguishes between essential and non-essential cookies:
No Consent Required (Essential / Strictly Necessary)
- Session cookies — Keeping a user logged in during their visit
- Shopping cart cookies — Remembering items in an e-commerce cart
- Security cookies — CSRF tokens, fraud prevention, rate limiting
- Load balancing cookies — Distributing traffic across servers
- User preference cookies — Language selection, accessibility settings (when directly requested by the user)
- Consent management cookies — The cookie that records the user's consent choice itself
These cookies are exempt from the consent requirement because they are strictly necessary for the website to function or to provide a service the user has explicitly requested. However, you should still disclose them in your cookie policy for transparency.
Consent Required (Non-Essential)
- Analytics cookies — Google Analytics, Plausible, Fathom, Mixpanel, Hotjar, etc.
- Advertising and targeting cookies — Google Ads, Facebook Pixel, retargeting pixels, conversion tracking
- Social media cookies — Facebook Like buttons, Twitter embeds, LinkedIn tracking pixels
- Personalisation cookies — Cookies that track behaviour to personalise content or recommendations
- Third-party cookies — Any cookie set by a domain other than your own (with limited exceptions)
- Fingerprinting and non-cookie tracking — Device fingerprinting, local storage tracking, and similar technologies require consent just as cookies do
A common mistake is assuming that “anonymised” analytics tools do not require consent. Under the ePrivacy Directive, consent is required for accessing the user's device (setting or reading a cookie), regardless of whether the resulting data is anonymised. Some data protection authorities have carved out narrow exceptions for purely statistical analytics with no cross-site tracking, but this varies by country and is not safe to rely on without careful analysis.
Implementing a Cookie Consent Banner
Your cookie consent banner is the user-facing component of your consent management system. It must be designed carefully to meet GDPR requirements. Here are the essential design and functional requirements:
First Layer: The Initial Banner
The first thing the user sees should be a concise banner that:
- States that the website uses cookies (or other tracking technologies)
- Briefly explains the categories of cookies used (e.g., analytics, advertising)
- Provides an “Accept All” button
- Provides a “Reject All” or “Only Essential” button with the same visual prominence as the Accept button
- Provides a “Manage Preferences” or “Customise” button to access granular controls
- Links to your full cookie policy for more information
The “Reject All” button is critical and was the subject of major enforcement actions in 2022-2024. The French data protection authority (CNIL) fined Google and Facebook/Meta for making it significantly harder to refuse cookies than to accept them. The “Reject All” option must be just as easy to find and click as the “Accept All” option. This means the same visual treatment — same size, same colour prominence, same location on the banner.
Second Layer: Granular Preferences
When the user clicks “Manage Preferences,” they should see a detailed view where they can:
- See each category of cookies (essential, analytics, advertising, personalisation, social media)
- Read a description of what each category does
- Toggle each category on or off individually
- See which specific cookies are in each category (names, purposes, expiry times)
- See which third parties set cookies in each category
- Save their preferences
Essential cookies should be listed but should not have a toggle — they are always active and this should be explained. All non-essential categories should default to “off” (not pre-selected). The user must actively opt in to each category.
No Cookies Before Consent
This is the most commonly violated requirement. Your website must not set any non-essential cookies or run any tracking scripts until the user has given consent. This means your Google Analytics script, your Facebook Pixel, your advertising tags, and any other tracking code must be blocked from executing until the user clicks “Accept” for the relevant category.
Technically, this requires your consent management system to control the loading of these scripts. Most consent management platforms (CMPs) do this by wrapping tracking scripts in conditional code that only executes after consent is recorded, or by modifying the script tags to prevent them from loading until consent is given.
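The gating logic described above, as an added example that is not part of the original article and not the code of any CMP product: tracking scripts are registered by category and only handed to a loader once the user has granted that category, so nothing non-essential executes on page view. The category names are the ones this guide uses; the script ids and example.invalid URLs in demo() are constructed placeholders, and the loader is injected so the logic runs without a browser.

```javascript
// Added example (not from the article or any CMP product): a minimal consent
// gate. Scripts are registered by category and are only handed to the loader
// once the user has granted that category, so nothing non-essential runs on
// page view. Script ids and URLs in demo() are constructed placeholders.

const CATEGORIES = ["essential", "analytics", "advertising", "personalisation", "social"];

// Starting state: only "essential" is on. No non-essential category is
// pre-selected, and the absence of a choice is treated as "off".
function defaultConsent() {
  const state = {};
  for (const cat of CATEGORIES) state[cat] = cat === "essential";
  return state;
}

class ConsentGate {
  // `loader(script)` performs the real load (in a browser, domLoader below).
  // It is injected so the gating logic can be exercised without a DOM.
  constructor(loader) {
    this.loader = loader;
    this.consent = defaultConsent();
    this.pending = []; // registered, waiting for consent
    this.loaded = [];  // handed to the loader after consent
  }

  // Register a script without loading it. Unknown categories are refused so a
  // mis-tagged script can never slip through as "essential" by accident.
  register(script) {
    if (!CATEGORIES.includes(script.category)) {
      throw new Error(`unknown consent category: ${script.category}`);
    }
    this.pending.push(script);
    this.flush();
  }

  // Apply the user's explicit choices from the banner or preference centre.
  // "essential" cannot be switched off; categories not mentioned keep their
  // current value; only a literal `true` counts as consent.
  grant(choices) {
    for (const [cat, on] of Object.entries(choices)) {
      if (cat === "essential" || !CATEGORIES.includes(cat)) continue;
      this.consent[cat] = on === true;
    }
    this.flush();
  }

  // Load every pending script whose category is now consented; keep the rest.
  flush() {
    const stillPending = [];
    for (const script of this.pending) {
      if (this.consent[script.category]) {
        this.loader(script);
        this.loaded.push(script);
      } else {
        stillPending.push(script);
      }
    }
    this.pending = stillPending;
  }

  loadedIds() {
    return this.loaded.map((s) => s.id);
  }
}

// Browser loader: injects a real <script> element. Not used by demo().
function domLoader(script) {
  const el = document.createElement("script");
  el.src = script.src;
  el.async = true;
  document.head.appendChild(el);
}

// Walk through the article's scenario with constructed descriptors.
function demo() {
  const gate = new ConsentGate(() => {});
  gate.register({ id: "analytics-tag", category: "analytics", src: "https://example.invalid/analytics.js" });
  gate.register({ id: "ad-pixel", category: "advertising", src: "https://example.invalid/pixel.js" });
  const beforeConsent = gate.loadedIds();              // nothing loads on page view
  gate.grant({ analytics: true, advertising: false }); // user accepts analytics only
  const afterChoice = gate.loadedIds();                // only the analytics tag
  // A script registered later (for example on the next page) still respects the choice.
  gate.register({ id: "social-embed", category: "social", src: "https://example.invalid/embed.js" });
  return { beforeConsent, afterChoice, stillPending: gate.pending.map((s) => s.id) };
}
```

Many CMPs implement the register step declaratively rather than in code: the tag is shipped as `<script type="text/plain">` with a data attribute naming its category (the attribute name varies by vendor), which the browser ignores, and the CMP rewrites the type or creates a fresh element once that category is granted. Whichever form you use, the test is the same: with a fresh profile and no interaction, the network panel must show no request to the vendor.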
Consent Management Platforms (CMPs)
A consent management platform is a tool that handles the entire consent lifecycle for your website. Rather than building your own consent system, most website owners use a CMP. Here is what to look for and the leading options in 2026:
What a Good CMP Should Do
- Block scripts before consent — Prevent non-essential cookies from being set until the user consents
- Show a compliant banner — With Accept, Reject, and Customise options of equal prominence
- Provide granular controls — Allow users to consent to individual categories or even individual cookies
- Record consent — Store a timestamped record of each user's consent choice
- Allow consent withdrawal — Users must be able to change their preferences at any time, just as easily as they initially gave consent
- Auto-scan your site — Detect all cookies and tracking technologies on your site
- Support TCF 2.2 — If you run advertising, support the IAB Transparency and Consent Framework
- Generate consent reports — Provide audit-ready logs of consent events
- Handle multi-jurisdiction compliance — Adapt the banner based on the user's location (e.g., show consent banner for EU users, do-not-sell notice for California users)
Popular CMPs in 2026
- Cookiebot (Usercentrics) — One of the most established CMPs. Offers automatic cookie scanning, TCF 2.2 support, and geolocation-based banner display. Free tier available for small websites (up to 100 pages).
- OneTrust — Enterprise-grade CMP with comprehensive privacy management features. Popular with larger organisations. More expensive but very feature-rich.
- Osano — User-friendly CMP with a focus on simplicity. Offers a free tier. Known for its consent monitoring across the web.
- CookieYes — Affordable CMP with good coverage of GDPR requirements. Popular with small and medium businesses. Free tier available.
- Termly — Offers both cookie consent management and policy generation. Straightforward pricing and easy setup.
- iubenda — Italian-based CMP with strong European compliance focus. Offers cookie consent management alongside privacy policy and terms generation.
When choosing a CMP, consider your website's tech stack (some CMPs integrate better with certain frameworks like Next.js, WordPress, or Shopify), your budget, the number of domains you need to cover, and whether you need TCF 2.2 support for advertising.
The IAB Transparency and Consent Framework (TCF 2.2)
If your website runs programmatic advertising (Google AdSense, header bidding, or other ad networks), you likely need to implement the IAB Transparency and Consent Framework version 2.2. TCF is an industry standard that provides a structured way for publishers to collect and communicate user consent to advertisers, ad exchanges, and other participants in the advertising supply chain.
What TCF 2.2 Requires
- Purposes — TCF defines specific purposes for data processing (e.g., store and access information on a device, use limited data for ad selection, measure advertising performance). Users must be able to consent to or reject each purpose individually.
- Vendors — TCF maintains a Global Vendor List of companies that participate in the framework. Your CMP must present the relevant vendors to users and allow them to consent to or reject each vendor.
- TC String — When a user makes their consent choices, the CMP generates a “TC String” — an encoded representation of the user's choices that is shared with advertisers and ad tech platforms so they know what they are allowed to do.
- Legitimate interest — TCF 2.2 allows some purposes to be based on legitimate interest rather than consent. However, users must still be able to object to legitimate interest processing.
TCF 2.2 was a significant update from TCF 2.0. The key change is that legitimate interest can no longer be used as a legal basis for certain purposes, specifically for storing and accessing information on a device. This purpose now requires explicit consent. Google adopted TCF 2.2 as a requirement for its advertising products in the EEA, making it effectively mandatory for any website running Google ads in Europe.
Consent Records and Accountability
Under GDPR, you are not just required to obtain consent — you are required to demonstrate that you obtained it. Article 7(1) states: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject consented to processing of his or her personal data.” This means you need robust consent records.
What to Record
For each consent event, your records should include:
- Who consented — An identifier for the user (this can be a cookie ID or session ID; you do not need to identify them by name)
- When they consented — A precise timestamp
- What they consented to — The specific categories or purposes they accepted and rejected
- How they were informed — A reference to or snapshot of the consent banner and information that was displayed at the time
- The version of your consent interface — If you change your banner, you should be able to show which version a particular user saw
How Long to Keep Consent Records
GDPR does not specify a retention period for consent records, but you need to keep them for as long as you are processing data on the basis of that consent, plus a reasonable period afterward in case of regulatory inquiry or dispute. Most organisations retain consent records for 3 to 5 years. Your CMP should handle consent record storage automatically, but verify that your chosen platform provides adequate record keeping and that you can export records if needed.
Withdrawing Consent
Article 7(3) of GDPR states that it must be as easy to withdraw consent as it was to give it. This requirement is frequently overlooked. If a user can give consent with a single click on a banner, they must be able to withdraw consent with comparable ease. This means:
- Your website must have a persistent, easily accessible way for users to change their consent preferences after the initial banner interaction. Common approaches include a small floating icon (often a cookie or shield icon) in the corner of the page, a “Cookie Settings” link in the footer, or both.
- When a user withdraws consent, you must stop processing their data for the withdrawn purposes immediately. This means unloading or disabling the relevant tracking scripts and deleting or disabling the corresponding cookies.
- The withdrawal mechanism must not require the user to create an account, send an email, or take any action that is disproportionately difficult compared to the original consent action.
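What "stop processing immediately" looks like in code, as an added example that is not from the article: given a cookie registry and a script registry, plan and apply the teardown for the withdrawn categories. Cookie names, domains, script ids and the vendor opt-out hook are constructed for the example; the real attributes and opt-out mechanism come from each vendor's documentation.

```javascript
// Added example (not from the article): the teardown when a user withdraws
// one or more categories. Cookie names, domains, script ids and the opt-out
// hook are constructed; look up each vendor's real cookie attributes and
// opt-out switch before using this pattern on a live site.

const COOKIE_REGISTRY = [
  { name: "session",  category: "essential",   domain: "example.com",         path: "/", party: "first" },
  { name: "_an_id",   category: "analytics",   domain: ".example.com",        path: "/", party: "first" },
  { name: "_an_sess", category: "analytics",   domain: ".example.com",        path: "/", party: "first" },
  { name: "_ad_px",   category: "advertising", domain: ".example.com",        path: "/", party: "first" },
  { name: "ad_uid",   category: "advertising", domain: ".adnetwork.invalid",  path: "/", party: "third" },
];

const SCRIPT_REGISTRY = [
  // optOut: a vendor-provided switch the page can flip (hypothetical flag
  // name here); null when the vendor offers none.
  { id: "analytics-tag", category: "analytics", optOut: () => { globalThis.__example_analytics_opt_out = true; } },
  { id: "ad-pixel", category: "advertising", optOut: null },
];

// A document.cookie assignment that expires a first-party cookie. Path and
// Domain must match what the cookie was set with; otherwise the browser keeps
// the original and adds a second, empty cookie beside it.
function expiryString(cookie) {
  return `${cookie.name}=; Max-Age=0; Path=${cookie.path}; Domain=${cookie.domain}`;
}

// Work out everything that has to happen for the withdrawn categories.
function planWithdrawal(withdrawn, cookies = COOKIE_REGISTRY, scripts = SCRIPT_REGISTRY) {
  const plan = { expire: [], cannotDelete: [], optOut: [], reloadRequired: [] };
  for (const c of cookies) {
    if (c.category === "essential" || !withdrawn.includes(c.category)) continue;
    if (c.party === "first") {
      plan.expire.push(expiryString(c));
    } else {
      // A page cannot expire a cookie on another origin. All it can do is stop
      // loading that vendor; the cookie itself is under the browser's control.
      plan.cannotDelete.push(c.name);
    }
  }
  for (const s of scripts) {
    if (!withdrawn.includes(s.category)) continue;
    // Code that already ran cannot be "unloaded". Flip the vendor's opt-out if
    // there is one; otherwise the gate must simply never load it again, which
    // in practice means a reload once the cookies are expired.
    if (s.optOut) plan.optOut.push(s);
    else plan.reloadRequired.push(s.id);
  }
  return plan;
}

// Execute the plan. Cookie expiry needs a DOM; opt-out hooks run anywhere.
function applyWithdrawal(plan) {
  const hasDom = typeof document !== "undefined";
  if (hasDom) for (const s of plan.expire) document.cookie = s;
  const called = [];
  for (const s of plan.optOut) {
    s.optOut();
    called.push(s.id);
  }
  return {
    cookiesExpired: hasDom ? plan.expire.length : 0,
    optOutsCalled: called,
    reloadRequired: plan.reloadRequired,
  };
}
```

The two lists a practitioner should watch are `cannotDelete` and `reloadRequired`: the first is why third-party cookies belong in the policy text as something the site stops using rather than something it removes, and the second is why the consent gate must re-read the stored choice on every page load rather than trusting in-memory state.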
Practical Implementation Steps
Here is a step-by-step process for implementing GDPR-compliant consent management on your website:
Step 1: Audit Your Website
Before configuring any consent management tool, you need to know exactly what cookies and tracking technologies your website uses. Run a thorough audit:
- Use a cookie scanning tool (most CMPs include one) to identify all cookies set by your website
- Check your source code and tag manager for all third-party scripts (analytics, advertising, social media, chat widgets, A/B testing tools, heatmaps)
- Document each cookie and tracker: name, domain, purpose, duration, and whether it is first-party or third-party
- Categorise each item: essential, analytics, advertising, personalisation, social media
Step 2: Choose and Install a CMP
Select a consent management platform that fits your needs and budget. Install it on your website according to the provider's instructions. Most CMPs require adding a script tag to the head of every page, typically before any other scripts. For Next.js sites, this usually means adding the CMP script to your root layout or using the CMP's official React component if available.
Step 3: Configure Cookie Categories
Set up the cookie categories in your CMP, assigning each cookie or tracker to the appropriate category. Configure the CMP to block non-essential scripts until the user consents to the relevant category. Test thoroughly to ensure that no non-essential cookies are set before consent.
Step 4: Design Your Banner
Customise the consent banner to match your website's design while meeting all GDPR requirements. Ensure the Reject/Decline button has equal visual prominence to the Accept button. Include a link to your full cookie policy. Make the second-layer granular preferences accessible in one click.
Step 5: Write Your Cookie Policy
Your cookie policy (which can be a section of your privacy policy or a standalone document) should list every cookie and tracker your site uses, organised by category. For each, state its name, purpose, provider, type (first-party or third-party), and expiry period. Explain how users can manage their preferences and withdraw consent.
Step 6: Update Your Privacy Policy
Your privacy policy must reference your consent management practices. It should explain the legal basis for different types of data processing (consent for cookies, legitimate interest for essential operations), describe the consent mechanism, and link to your cookie policy. If you use a CMP, name it in your privacy policy.
Step 7: Test Everything
Before going live, test your consent implementation thoroughly:
- Clear all cookies and visit your site — verify that no non-essential cookies appear before you interact with the banner
- Reject all cookies — verify that no analytics or advertising scripts load
- Accept only analytics — verify that only analytics cookies are set, not advertising ones
- Accept all, then withdraw consent via the preference centre — verify that the relevant cookies are deleted and scripts stop running
- Test on different browsers and devices
- Use browser developer tools to monitor network requests and cookie storage during each scenario
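A helper for the first three checks above, as an added example that is not from the article: it compares the cookies actually present on the device with the documented registry and the user's current choices, and reports each cookie that should not be there. Run it in the browser console as auditCookies(document.cookie, REGISTRY, currentConsent) after each scenario, or offline on a captured cookie string as demo() does. The registry entries and cookie strings are constructed.

```javascript
// Added example (not from the article): an audit helper for the Step 7
// checks. Registry entries and cookie strings are constructed.

// Declared cookies. `pattern` covers vendors that suffix a cookie name with an
// account or property id, so one entry can document a whole family.
const REGISTRY = [
  { name: "session",  category: "essential" },
  { name: "consent",  category: "essential" },
  { name: "_an_id",   category: "analytics" },
  { name: "_an_<id>", category: "analytics", pattern: /^_an_[A-Z0-9]+$/ },
  { name: "_ad_px",   category: "advertising" },
];

// document.cookie has the form "name=value; name2=value2"; values may contain
// "=", so split each pair on the first one only.
function parseCookieNames(cookieString) {
  return cookieString
    .split(";")
    .map((pair) => pair.trim())
    .filter((pair) => pair.length > 0)
    .map((pair) => (pair.includes("=") ? pair.slice(0, pair.indexOf("=")) : pair));
}

function lookup(name, registry) {
  return registry.find((e) => (e.pattern ? e.pattern.test(name) : e.name === name)) || null;
}

// Compare what is actually on the device with what the user allowed.
// Returns one finding per offending cookie; an empty list is a pass.
function auditCookies(cookieString, registry, consent) {
  const findings = [];
  for (const name of parseCookieNames(cookieString)) {
    const entry = lookup(name, registry);
    if (!entry) {
      findings.push({ name, reason: "undocumented: not in cookie registry or policy" });
    } else if (entry.category !== "essential" && consent[entry.category] !== true) {
      findings.push({ name, reason: `set without consent for category "${entry.category}"` });
    }
  }
  return findings;
}

// Offline run of the first three Step 7 scenarios against constructed strings.
function demo() {
  const fresh = "session=s1; consent=; _an_id=1.2; _an_ABC123=GS1; xyz_tracker=1";
  const none = { essential: true, analytics: false, advertising: false };
  const analyticsOnly = { ...none, analytics: true };
  return {
    beforeInteraction: auditCookies(fresh, REGISTRY, none).map((f) => f.name),
    afterAnalyticsOnly: auditCookies(fresh, REGISTRY, analyticsOnly).map((f) => f.name),
    afterReject: auditCookies("session=s1; consent=rejected", REGISTRY, none).map((f) => f.name),
  };
}
```

An "undocumented" finding is as important as a consent finding: it is a cookie that appears in neither the registry nor the policy, which is exactly what the periodic re-scan in Step 8 is meant to catch. Note that document.cookie only exposes cookies without the HttpOnly flag and only for the current origin, so use the developer tools' storage panel or the network panel's Set-Cookie headers for the full picture.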
Step 8: Monitor and Maintain
Consent management is not a set-and-forget task. You need to:
- Re-scan your site periodically (monthly or whenever you add new features or third-party integrations) to catch new cookies
- Update your cookie policy when new cookies are added
- Review your CMP's consent analytics to understand opt-in and opt-out rates
- Keep your CMP software updated — regulations evolve and CMPs release updates to stay compliant
- Re-request consent if you add new processing purposes that were not covered by the original consent
Common Consent Management Mistakes
These are the most frequent compliance failures that data protection authorities flag and fine:
- Setting cookies before consent. Loading Google Analytics, Facebook Pixel, or any non-essential script before the user has interacted with the consent banner. This is the single most common violation.
- No “Reject All” option. Only providing “Accept All” and “Manage Preferences” forces users who want to decline into a multi-step process, while those who accept can do so in one click. This imbalance violates the “freely given” and “as easy to withdraw as to give” requirements.
- Dark patterns. Making the Accept button large and colourful while the Reject button is small, grey, or styled as a text link. Using confusing language like “Manage cookies” instead of a clear “Reject.” Placing the Accept button in a prominent position while hiding Reject behind a toggle or extra click.
- Pre-checked boxes. Having non-essential cookie categories toggled on by default in the preference centre. All non-essential categories must default to off.
- Cookie walls. Blocking access to the website if the user does not accept cookies. Most data protection authorities consider this non-compliant because it means consent is not freely given.
- Ignoring consent withdrawal. Not providing an accessible way for users to change their preferences after the initial banner, or not actually stopping data collection when consent is withdrawn.
- No consent records. Not keeping records of what users consented to and when. If a regulator asks you to prove you had consent, you need these records.
- Treating implied consent as valid. “By continuing to use this site, you agree to our use of cookies” is not valid consent under GDPR. It has never been valid, and regulators have been explicit about this for years.
Consent Management for Different Jurisdictions
If your website has a global audience, you need to handle consent differently depending on where your visitors are located. The most sophisticated CMPs support geolocation-based banner configuration:
- EU/EEA and UK — Full GDPR consent requirements as described in this guide. Consent required before any non-essential cookies.
- California (CCPA/CPRA) — Different model. CCPA uses an opt-out approach rather than opt-in. You must provide a “Do Not Sell or Share My Personal Information” link and honour opt-out requests. You can set analytics and advertising cookies by default but must allow users to opt out.
- Other US states — Privacy laws in Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and others have varying requirements. Most follow an opt-out model similar to CCPA, but some have consent requirements for sensitive data.
- Brazil (LGPD) — Similar to GDPR in many respects. Consent is one of several legal bases. Cookie consent requirements are emerging through regulatory guidance.
- Rest of world — Many countries now have privacy laws with consent requirements. A GDPR-compliant consent implementation will satisfy most of them.
A practical approach for most website owners: implement a fully GDPR-compliant consent mechanism for all users (this satisfies the strictest requirements globally), and add a CCPA-specific “Do Not Sell” mechanism for California users if applicable.
The Relationship Between Consent Management and Your Privacy Policy
Your consent management system and your privacy policy must work together. The privacy policy provides the detailed, comprehensive explanation of your data practices. The consent banner provides the immediate, actionable interface for users to exercise their choices. They must be consistent.
Your privacy policy should:
- Explain that you use cookies and tracking technologies, with a link to your cookie policy
- State that you use consent as the legal basis for non-essential cookies
- Describe how users can give, manage, and withdraw consent
- List the categories of cookies you use and their purposes
- Name the third parties that set cookies on your site
- Name your consent management platform
- Explain that consent preferences are stored and how long they persist
If your privacy policy says one thing and your consent banner does another, you have a compliance problem. For example, if your privacy policy says you only use analytics cookies, but your consent banner also lists advertising as a category, the inconsistency undermines trust and could attract regulatory scrutiny.
Generate Your GDPR-Compliant Privacy Policy
Consent management is one part of a broader GDPR compliance strategy. Your privacy policy is the foundation — it sets out your data practices, legal bases, and user rights in a comprehensive document that supports your consent mechanism, satisfies GDPR requirements, and builds user trust.
A privacy policy that properly addresses consent management should cover your cookie usage and categories, your legal basis for different types of processing, how users can manage their consent, your data retention practices, and your obligations under GDPR, CCPA, and other applicable privacy laws. Writing this from scratch is time-consuming and error-prone. Getting it wrong can undermine your entire consent management implementation.