
Cookie Consent & GDPR Compliance Guide for Websites

Since GDPR enforcement began, EU regulators have issued over €4 billion in fines — and cookie consent violations are among the most common triggers. The French CNIL fined Google €150 million and Facebook €60 million specifically for cookie consent failures.

This guide covers everything you need to implement compliant cookie consent — from auditing your cookies to building a banner that satisfies regulators.

GDPR Cookie Requirements Overview

Under GDPR (Article 6) and the ePrivacy Directive (Article 5(3)), websites must:

  • Obtain consent before setting non-essential cookies — no cookies until the user actively agrees
  • Provide clear information — what cookies you use, why, and for how long
  • Offer genuine choice — rejecting must be as easy as accepting
  • Allow granular control — users should consent per category, not all-or-nothing
  • Enable withdrawal — users must be able to change their consent at any time
  • Keep records — store proof of when and how consent was given

Cookie Categories Explained

Essential Cookies (No Consent Required)

  • Session cookies for login state
  • Shopping cart cookies
  • Security cookies (CSRF tokens)
  • Load balancer cookies
  • Cookie consent preference cookie itself

Analytics Cookies (Consent Required)

  • Google Analytics (_ga, _gid, _gat)
  • Hotjar, Mixpanel, Plausible (if using cookies)
  • A/B testing tools (Optimizely, VWO)

Marketing/Advertising Cookies (Consent Required)

  • Facebook Pixel (_fbp, _fbc)
  • Google Ads (_gcl_au, conversion tracking)
  • LinkedIn Insight Tag, Twitter Pixel
  • Retargeting and remarketing cookies

Functional Cookies (Consent Required)

  • Language/region preferences (if using cookies, not URL-based)
  • Chat widget cookies (Intercom, Drift)
  • Video player preferences (YouTube, Vimeo embeds)

How to Audit Your Cookies

# Method 1: Browser DevTools
# Open Chrome DevTools > Application > Cookies
# List all cookies, their domain, expiry, and purpose

# Method 2: Command line with curl
# Shows only cookies the server sets in its first HTTP response. Cookies set by
# JavaScript (most analytics and advertising cookies) will not appear here.
curl -sI https://yourdomain.com | grep -i "set-cookie"
# -I sends a HEAD request; if the server only sets cookies on GET, dump the
# response headers of a GET instead:
curl -sD - -o /dev/null https://yourdomain.com | grep -i "set-cookie"

# Method 3: JavaScript in browser console
# Lists cookies readable by scripts. HttpOnly cookies are hidden from
# document.cookie, so cross-check against the DevTools list.
document.cookie.split(';').forEach(c => console.log(c.trim()));

For each cookie, document:

  1. Name — e.g., _ga
  2. Provider — first-party or third-party (e.g., Google)
  3. Purpose — analytics, marketing, essential
  4. Duration — session or persistent (with expiry)
  5. Category — essential, analytics, marketing, functional
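The audit above can be scripted. The following is an added example, not code from this guide or from AI QA Monkey: it parses Set-Cookie header values (as printed by the curl check) into name, attributes and duration, classifies each cookie by name into the guide's categories, and flags every non-essential cookie that would be set before consent. The classification table, the `example.com` host and the sample headers are constructed for illustration; any cookie the table does not know is reported as `unclassified` for manual review.

```javascript
// Name-based classification rules (constructed from the cookie names listed in this guide).
const KNOWN_COOKIES = [
  { pattern: /^_ga(_.+)?$|^_gid$|^_gat(_.+)?$/, provider: 'Google Analytics', category: 'analytics' },
  { pattern: /^_fbp$|^_fbc$/,                   provider: 'Facebook Pixel',   category: 'marketing' },
  { pattern: /^_gcl_au$/,                       provider: 'Google Ads',       category: 'marketing' },
  { pattern: /^(sessionid|PHPSESSID|JSESSIONID|csrftoken|XSRF-TOKEN)$/i,
                                                provider: 'first-party',      category: 'essential' },
  { pattern: /^cookie_consent$/,                provider: 'first-party',      category: 'essential' },
];

// Parse one Set-Cookie header value into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// A cookie with neither Expires nor Max-Age lives only for the browser session.
function cookieDuration(cookie) {
  const a = cookie.attributes;
  if (a['max-age'] !== undefined) return `${a['max-age']} seconds`;
  if (a.expires !== undefined) return `until ${a.expires}`;
  return 'session';
}

// Produce one audit row: name, provider, category, duration, domain.
function classifyCookie(cookie, siteHost) {
  const rule = KNOWN_COOKIES.find(r => r.pattern.test(cookie.name));
  const domain = (cookie.attributes.domain || siteHost).replace(/^\./, '');
  return {
    name: cookie.name,
    provider: rule ? rule.provider : (domain.endsWith(siteHost) ? 'first-party' : domain),
    category: rule ? rule.category : 'unclassified',   // unknown names need manual review
    duration: cookieDuration(cookie),
    domain,
  };
}

// Build the audit table from a list of Set-Cookie header values.
function auditCookies(headers, siteHost) {
  return headers.map(h => classifyCookie(parseSetCookie(h), siteHost));
}

// Anything non-essential set before the user has chosen is a compliance finding.
function preConsentFindings(headers, siteHost) {
  return auditCookies(headers, siteHost).filter(c => c.category !== 'essential');
}

// Constructed sample headers, in the shape the curl check prints them.
const SAMPLE_HEADERS = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.2.111.222; Domain=.example.com; Path=/; Max-Age=63072000',
  '_fbp=fb.1.1700000000.123; Domain=.example.com; Path=/; Expires=Wed, 01 Jan 2025 00:00:00 GMT',
  'theme=dark; Path=/',
];

console.table(auditCookies(SAMPLE_HEADERS, 'example.com'));
console.log('Set before consent, non-essential:', preConsentFindings(SAMPLE_HEADERS, 'example.com').map(c => c.name));
```

Feed it the real `Set-Cookie` lines from your own site, then extend the table with every name your DevTools list shows; the `unclassified` rows are exactly the cookies whose purpose you still have to document.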

A GDPR-compliant banner must include:

  • Equal-weight buttons — "Accept All" and "Reject All" must be equally prominent (same size, color, position)
  • Granular options — a "Manage Preferences" link to toggle categories individually
  • No pre-checked boxes — all non-essential categories must be off by default
  • No cookie walls — don't block content until the user consents
  • Clear language — avoid legal jargon; explain in plain terms
  • Link to cookie policy — detailed information about each cookie

Implementation Guide

HTML Structure

<div id="cookie-banner" role="dialog" aria-label="Cookie consent">
  <div class="cookie-banner__content">
    <p>We use cookies to analyze traffic and improve your experience.
       <a href="/cookie-policy">Learn more</a></p>
    <div class="cookie-banner__actions">
      <button id="cookie-reject" class="btn btn--secondary">Reject All</button>
      <button id="cookie-manage" class="btn btn--secondary">Manage Preferences</button>
      <button id="cookie-accept" class="btn btn--primary">Accept All</button>
    </div>
  </div>
</div>

JavaScript: Block Scripts Until Consent

// Store scripts that need consent as type="text/plain" so the browser neither
// fetches nor executes them until consent has been given:
// <script type="text/plain" data-category="analytics" src="..."></script>

const CONSENT_KEY = 'cookie_consent';
const CONSENT_VERSION = '1.0';

function loadConsentedScripts(categories) {
  document.querySelectorAll('script[data-category]').forEach(script => {
    // Skip scripts already activated, so changing consent later does not load them twice
    if (script.dataset.loaded === 'true') return;
    if (categories.includes(script.dataset.category)) {
      const newScript = document.createElement('script');
      if (script.src) {
        newScript.src = script.src;                  // external script: load it for real now
        newScript.async = true;
      } else {
        newScript.textContent = script.textContent;  // inline snippet (e.g. the GA bootstrap below)
      }
      document.head.appendChild(newScript);
      script.dataset.loaded = 'true';
    }
  });
}

function setConsent(categories) {
  // The record is the proof of consent: when, what, and under which policy version
  const consent = {
    timestamp: new Date().toISOString(),
    categories: categories,
    version: CONSENT_VERSION
  };
  localStorage.setItem(CONSENT_KEY, JSON.stringify(consent));
  loadConsentedScripts(categories);
}

function hideBanner() {
  document.getElementById('cookie-banner').hidden = true;
}

// Accept All
document.getElementById('cookie-accept').addEventListener('click', () => {
  setConsent(['essential', 'analytics', 'marketing', 'functional']);
  hideBanner();
});

// Reject All
document.getElementById('cookie-reject').addEventListener('click', () => {
  setConsent(['essential']);
  hideBanner();
});

// On later page loads, honour the stored choice instead of asking again;
// a record from an older policy version is ignored so the banner reappears.
const stored = JSON.parse(localStorage.getItem(CONSENT_KEY) || 'null');
if (stored && stored.version === CONSENT_VERSION) {
  loadConsentedScripts(stored.categories);
  hideBanner();
}

Consent Management Platforms

If you prefer a ready-made solution, these CMPs handle compliance automatically:

  • Cookiebot — auto-scans cookies, generates policy, IAB TCF 2.2 compliant
  • OneTrust — enterprise-grade, supports GDPR, CCPA, LGPD
  • CookieYes — affordable, auto-categorizes cookies
  • Osano — simple setup, monitors regulatory changes
  • Klaro — open-source, self-hosted, no third-party dependencies

Managing Third-Party Scripts

<!-- Google Analytics: load only after consent (the inline body runs once the loader
     above copies it into a real script element). Note that analytics.js with a
     UA-XXXXX-Y property is the legacy Universal Analytics snippet, which stopped
     processing data in July 2023; GA4 uses gtag.js instead. -->
<script type="text/plain" data-category="analytics">
  (function(i,s,o,g,r,a,m){...})(window,document,'script',
  'https://www.google-analytics.com/analytics.js','ga');
  ga('create', 'UA-XXXXX-Y', 'auto');
  ga('send', 'pageview');
</script>

// Google Tag Manager: use consent mode. Define the gtag() queue before any tag
// loads, and set the default state to denied before the container script runs.
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

gtag('consent', 'default', {
  'analytics_storage': 'denied',
  'ad_storage': 'denied',
  'wait_for_update': 500   // ms that tags wait for a consent update before firing
});

// After user consents (Consent Mode v2 additionally expects the
// 'ad_user_data' and 'ad_personalization' signals for EEA traffic):
gtag('consent', 'update', {
  'analytics_storage': 'granted',
  'ad_storage': 'granted'
});
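The banner code earlier in this guide covers accepting and rejecting but not withdrawal, and the consent-mode snippet above shows only an all-granted update. The following added example (not the guide's or AI QA Monkey's own code) fills both gaps with functions that can be exercised outside a browser: checking whether a stored `cookie_consent` record is still usable, working out which cookies must be expired when consent is withdrawn, building the expiry strings for every domain/path variant, and mapping the banner's categories onto consent-mode signals. The cookie-to-category map, the 180-day re-consent window and the `withdrawConsent` helper are assumptions; the record shape and storage key are the ones used by `setConsent` above.

```javascript
const CONSENT_VERSION = '1.0';
const MAX_CONSENT_AGE_DAYS = 180;   // assumption: ask again after six months or a policy change

// Category of each cookie this site sets (assumed; derive it from your own audit).
const COOKIE_CATEGORIES = {
  sessionid: 'essential', cookie_consent: 'essential',
  _ga: 'analytics', _gid: 'analytics', _gat: 'analytics',
  _fbp: 'marketing', _fbc: 'marketing', _gcl_au: 'marketing',
};

// A stored record is usable only if it matches the current policy version and is not stale.
function isConsentValid(record, now = new Date()) {
  if (!record || record.version !== CONSENT_VERSION || !Array.isArray(record.categories)) return false;
  const ageDays = (now - new Date(record.timestamp)) / 86400000;
  return Number.isFinite(ageDays) && ageDays >= 0 && ageDays <= MAX_CONSENT_AGE_DAYS;
}

// Names of currently set cookies whose category is not (or no longer) consented to.
// Unknown names are treated as non-essential: an unaudited cookie is not a safe one.
function cookiesToDelete(cookieNames, consentedCategories) {
  return cookieNames.filter(name => {
    const category = COOKIE_CATEGORIES[name] || 'unclassified';
    return category !== 'essential' && !consentedCategories.includes(category);
  });
}

// Deleting a cookie only works when Domain and Path match the original Set-Cookie,
// so emit an expired cookie string for each host/parent-domain variant.
function expireCookieStrings(name, host) {
  const expired = 'Expires=Thu, 01 Jan 1970 00:00:00 GMT; Max-Age=0';
  const domains = ['', host, '.' + host];
  const parent = host.split('.').slice(-2).join('.');
  if (parent !== host) domains.push('.' + parent, parent);
  return domains.map(d => `${name}=; Path=/; ${expired}` + (d ? `; Domain=${d}` : ''));
}

// Translate the banner's categories into Google consent mode signals.
function toConsentModeUpdate(categories) {
  const g = c => (categories.includes(c) ? 'granted' : 'denied');
  return {
    analytics_storage: g('analytics'),
    ad_storage: g('marketing'),
    ad_user_data: g('marketing'),          // Consent Mode v2 signals
    ad_personalization: g('marketing'),
    functionality_storage: g('functional'),
  };
}

// Browser-side withdrawal (assumed helper): rewrite the record, expire the cookies,
// inform gtag, then reload, because scripts that are already running cannot be unloaded.
function withdrawConsent(keep = ['essential']) {
  const names = document.cookie.split(';').map(c => c.trim().split('=')[0]).filter(Boolean);
  for (const name of cookiesToDelete(names, keep)) {
    for (const s of expireCookieStrings(name, location.hostname)) document.cookie = s;
  }
  localStorage.setItem('cookie_consent', JSON.stringify({
    timestamp: new Date().toISOString(), categories: keep, version: CONSENT_VERSION }));
  if (typeof gtag === 'function') gtag('consent', 'update', toConsentModeUpdate(keep));
  location.reload();
}
```

Wire `withdrawConsent()` to the "Manage Preferences" dialog and to a permanent link in the footer, and call `isConsentValid()` on every page load before trusting a stored record; HttpOnly third-party cookies cannot be expired from JavaScript at all, which is one more reason not to set them before consent.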

Testing Compliance

  1. Clear all cookies and visit your site in incognito mode
  2. Check DevTools — no non-essential cookies should exist before consent
  3. Click "Reject All" — verify only essential cookies remain
  4. Click "Accept All" — verify analytics/marketing scripts load
  5. Withdraw consent — verify cookies are deleted and scripts stop
  6. Run a security scan with AI QA Monkey to detect third-party cookies and missing consent mechanisms


Frequently Asked Questions

Do I need a cookie consent banner?

Yes, if your website uses non-essential cookies and serves visitors in the EU/EEA or UK. Essential cookies (session, security, cart) do not require consent but must be disclosed in your cookie policy.

What makes a cookie banner GDPR compliant?

It must appear before non-essential cookies are set, provide equal-weight Accept and Reject buttons, allow granular consent by category, avoid dark patterns, and let users withdraw consent easily.

What is the penalty for GDPR non-compliance?

Fines can reach €20 million or 4% of annual global turnover. Cookie-specific fines have reached €150 million (Google, by French CNIL).

How do I audit cookies on my website?

Use browser DevTools (Application > Cookies), run a free security scan, or use dedicated cookie scanning tools. Document each cookie's name, purpose, duration, and provider.
