Cookie Consent Requirements

Cookie Compliance, Consent Management, GDPR, and CCPA are just some of the buzzwords people in the tech space are discussing. After Amazon was fined over a billion dollars for violating GDPR cookie consent rules in 2020 and 2021, compliance has been a big concern for many businesses. So, it’s time we discussed this whole deal with cookies and what you need to do about it. 

What is a Cookie?

Let’s get the most basic definition out of the way. A cookie is a text file a website stores on your device to identify you the next time you visit that site. 

Why Do Websites Store Cookies?

Now, why does a website need to identify you? A website may use your geolocation to determine your language preference. If it’s a shopping site, it may need the previously stored cookies to remember what you left in your cart. These are all examples of essential cookies that websites use to provide you with a better and more personalised experience. 

However, there are also non-essential cookies, primarily used for advertising. For example, you’re reading news on a website and you see ads for products that you wishlisted on a shopping site. That’s because both websites stored identifiers in their cookies so that they can track you across different sites. Non-essential cookies can also be used to record your searches and build a profile of your online behaviour. 

What is Cookie Consent? 

Cookie consent is the process of asking for a visitor’s permission before storing cookies. Usually, essential cookies are stored either way, but many laws require explicit permission from a user before a website can store non-essential cookies. So, if you’ve ever visited a website that showed you a banner or a pop-up asking your permission to store cookies or a prompt giving you a “do not sell my data” option, that is a cookie consent banner. You may see a slightly different banner based on where you are and what laws apply to the website you’re visiting.

Why is Cookie Consent Required?

Legislation like GDPR and ePrivacy requires websites serving European users to ask for user consent before storing many of these non-essential cookies. If a website does not comply with these laws, it could be charged a hefty fine. It’s not just Europe; many other regions have adopted similar laws. For example, websites serving Californian visitors must offer a “do not sell my data” prompt under the CCPA regulations. 

While these are legal requirements, there is another big reason to have a cookie consent banner on your website: building user trust. By adopting cookie consent, a website gives users control of their data. Websites are also required to categorise, announce, and explain those cookies and how they are used, which helps with transparency. 

What Are The Requirements For Cookie Consent?

Cookie consent requirements vary based on different laws. The EU’s General Data Protection Regulation (GDPR) and UK-GDPR have the same requirements. However, if a website must comply with the Interactive Advertising Bureau (IAB) standards for online advertising and marketing, it must meet some additional requirements. Californian regulations, such as CCPA/CPRA, use different mechanisms for cookie consent, which means they have a different set of requirements.

The whole thing boils down to location: where the business is located and where the visitors are from. If your business and its users and visitors are in the EU, you must comply with GDPR. In the US, there are different state laws, so businesses in California and Virginia must comply with different laws. A US-based business must also comply with specific GDPR rules if it processes data of EU-based users. Let’s move on to the actual requirements now. 

Cookie Consent Requirements Under GDPR

If your website caters to visitors from the European Union (EU) or processes data from EU users, you’re bound by the General Data Protection Regulation (GDPR). The GDPR is one of the strictest privacy laws globally, and cookie consent is critical. Compliance under GDPR doesn’t end at just asking for consent. A website must adhere to a comprehensive set of requirements to ensure transparency and user control. What you’re getting here is a summarised version of it. 

  • Inform users about cookies in straightforward, accessible language. Avoid confusing jargon that might make it hard for users to understand what they agree to.
  • Until a user explicitly consents, all third-party cookies must remain blocked.
  • Consent must involve an explicit affirmative action, like clicking an “Accept” button. Pre-ticked boxes or implied consent won’t cut it.
  • Users should be able to pick and choose cookie categories they want to allow. For instance, they might agree to essential cookies but opt out of advertising cookies.
  • Consent preferences aren’t a one-and-done deal. Users must be able to withdraw or change their consent settings anytime.
  • Keep detailed logs of user consent as proof of compliance for audits. 
  • GDPR recommends renewing user consent at specific intervals to ensure ongoing compliance.
  • Include easy-to-spot links to your privacy and cookie policies within the consent banner or pop-up.
  • Users should be able to dismiss the cookie banner without being forced to consent. 
  • The cookie banner should automatically adjust to the visitor’s preferred language.

Cookie Consent Requirements Under CCPA and VCDPA

CCPA (California) and VCDPA (Virginia) are not as strict as GDPR and have fewer requirements. Instead of an opt-in mechanism like GDPR, where all non-essential cookies are blocked until the user’s explicit consent, CCPA and VCDPA take an opt-out approach. This means that instead of a cookie banner, websites are required to have a “do not track” or “do not sell my data” button. A website can keep collecting user data until a user chooses to opt out.

However, both laws require websites to disclose detailed information about cookie usage. Prior consent is required to collect data from children under 16 in California and 13 in Virginia.
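As an added example (not code from the original article, and not the API of any CMP it names), the following JavaScript implements the two consent models described in the GDPR requirements list and the CCPA/VCDPA section above: a per-category gate that is default-deny under an opt-in regime and default-allow-until-opt-out under an opt-out regime, with an audit log and withdrawal. The class, regime strings and category names are assumptions for illustration.

```javascript
// Hypothetical per-category consent gate (names are assumptions, not a real CMP API).
const CATEGORIES = ["essential", "functional", "analytics", "advertising"];

class ConsentManager {
  constructor(regime, now = () => new Date().toISOString()) {
    if (regime !== "gdpr" && regime !== "ccpa") throw new Error("unknown regime: " + regime);
    this.regime = regime;
    this.now = now;
    this.log = [];       // timestamped consent records kept as audit evidence
    this.choices = {};   // category -> true/false; absent means no explicit decision yet
  }

  // GDPR: nothing non-essential until an explicit affirmative choice (no pre-ticked boxes).
  // CCPA/VCDPA: non-essential categories are permitted until the visitor opts out.
  isAllowed(category) {
    if (category === "essential") return true;   // strictly necessary cookies are always served
    if (category in this.choices) return this.choices[category];
    return this.regime === "ccpa";
  }

  // Record an explicit per-category decision; every change is appended to the log.
  record(action, decisions) {
    for (const [cat, allowed] of Object.entries(decisions)) {
      if (!CATEGORIES.includes(cat) || cat === "essential") throw new Error("bad category: " + cat);
      this.choices[cat] = Boolean(allowed);
    }
    this.log.push({ at: this.now(), action, decisions: { ...decisions } });
  }

  // "Do not sell my data": withdraws permission for every non-essential category at once.
  optOutAll() {
    const all = {};
    for (const cat of CATEGORIES) if (cat !== "essential") all[cat] = false;
    this.record("opt_out_all", all);
  }

  // Gate a tag/script loader: the loader callback runs only for a permitted category.
  loadIfAllowed(category, loader) {
    if (!this.isAllowed(category)) return false;
    loader();
    return true;
  }
}

// Walks both regimes and returns the gating decisions observed at each step.
function demo() {
  const eu = new ConsentManager("gdpr");
  const beforeEU = eu.isAllowed("advertising");                       // false: blocked until opt-in
  eu.record("banner_accept", { analytics: true, advertising: false });
  const afterEU = eu.isAllowed("analytics");                          // true: explicit consent
  eu.record("withdraw", { analytics: false });                        // consent can be withdrawn later
  const ca = new ConsentManager("ccpa");
  const beforeCA = ca.isAllowed("advertising");                       // true: allowed until opt-out
  ca.optOutAll();
  return { beforeEU, afterEU, withdrawn: eu.isAllowed("analytics"),
           beforeCA, afterCA: ca.isAllowed("advertising"), euLogEntries: eu.log.length };
}
```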

Cookie Compliance Requirements Under IAB

The Interactive Advertising Bureau (IAB) is responsible for setting a global standard for online advertising. Its Transparency and Consent Framework (TCF), now in version 2.2, is designed to ensure transparency and accountability in data processing while aligning with GDPR standards. The IAB TCF establishes guidelines for websites, vendors, and Consent Management Platforms (CMPs) to handle user data responsibly.

For compliance, websites must transparently collect and manage user consent and legitimate interest signals. Legitimate interest is an alternative legal basis to consent, allowing businesses or their partners to process personal data for purposes like marketing or security. However, legitimate interest comes with limits; it requires transparency about what data is collected, why, and how long it will be retained. Businesses must ensure they don’t violate user privacy rights, offer clear opt-outs, and respect restrictions.

The IAB TCF also mandates CMPs to provide users with up-to-date vendor lists and user-friendly explanations of data collection purposes. Vendors, in turn, must disclose what data they collect and ensure they have a legal basis (either consent or legitimate interest) for processing. Websites must allow users to accept, reject, or modify cookie preferences through intuitive, interactive buttons.

Cookie Consent Solutions

Based on the long list of GDPR requirements, we wouldn’t blame you if you find cookie compliance a bit overwhelming, especially when dealing with multiple privacy laws such as GDPR, CCPA, and more. Thankfully, there are consent management platforms (CMPs) that can simplify the process. CMPs like CookieYes, CookieFirst, and Cookiebot streamline compliance by automating cookie scanning and categorisation, consent collection, and privacy policy generation.

If you want to learn more about CMPs, check out our guide to the Top 5 Best Consent Management Platforms in 2025.

Wrapping Up

Cookie consent management is a lot of work, especially when you factor in compliance with multiple laws that can change over time. However, investing time and subscribing to a CMP can go a long way. It will help build user trust and save you from a hefty fine for violating laws. 

Frequently Asked Questions

What is the main difference between GDPR and CCPA in cookie consent rules?

The main difference is in the consent approach. GDPR requires an opt-in approach where non-essential cookies can’t be stored without explicit user consent. CCPA follows an opt-out mechanism where data can be collected until users explicitly ask to opt out, often via a “Do Not Sell My Data” option.

How do I make my website compliant with both GDPR and CCPA?

You can easily make your website GDPR and CCPA-compliant by investing in a good consent management platform (CMP) like CookieYes, CookieFirst, or Cookiebot. These platforms automate cookie categorisation, manage user consent, generate policies, and ensure your website meets the requirements of multiple privacy laws.