Cookie Compliance · GDPR · CCPA · Privacy
By Gregor Emm · 4 min read

What Is Cookie Compliance? A Plain-English Guide for Website Owners

Cookie compliance is a term you've probably seen in privacy discussions, but what does it actually mean for your website? This guide explains it without legal jargon.

Cookie compliance means your website follows the privacy laws that govern how you use cookies and tracking technologies. The main regulations are:

  • GDPR (EU) and UK GDPR — require opt-in consent before non-essential cookies
  • ePrivacy Directive (EU; PECR in the UK) — the specific "cookie law": it is what actually requires consent before anything is stored on or read from a user's device, and it uses the GDPR's definition of valid consent
  • CCPA/CPRA (California) — require opt-out mechanisms for tracking cookies
  • LGPD (Brazil), POPIA (South Africa), PDPA (Thailand) — regional equivalents

If your website has visitors from any of these jurisdictions — and if you have a website, it almost certainly does — these rules apply.

Cookie compliance isn't just about having a cookie banner. Here's what the regulations actually require:

1. Consent Before Tracking

Under GDPR, you must get user consent before setting any non-essential cookies. This means analytics trackers, advertising pixels, and social media widgets should not load, and should set no cookies, until the user clicks "Accept" or grants the category they belong to.

We scan hundreds of websites and the most common violation is exactly this — cookies firing on page load before any consent interaction.

2. A Functional Consent Banner

Your consent banner must:

  • Be visible and clear — no dark patterns, pre-checked boxes, or hidden reject buttons
  • Offer a genuine choice — "Accept" and "Reject" must be equally prominent
  • Allow granular control — users should be able to accept analytics but reject advertising cookies
  • Not block content — cookie walls (blocking access until consent) are generally not compliant under GDPR

3. Actually Blocking Cookies

This is where most websites fail. Having a consent banner that says "we use cookies" but still loads Google Analytics, Meta Pixel, and TikTok Pixel before consent is not compliant. The banner must actually control whether those scripts fire.

4. A Cookie Policy

Your cookie policy must list every cookie your site uses, what it does, who sets it (first-party vs. third-party), and how long it lasts. Generic language doesn't cut it.

5. Consent Withdrawal

Users must be able to change their cookie preferences at any time — not just when the banner first appears. This usually means a persistent "Cookie Settings" link in the footer.

6. Consent Records

Under GDPR (Article 7(1)) you must be able to demonstrate that each user consented, which in practice means a timestamped record of the choices made, how they were made (accept-all, reject-all, granular), and which version of the banner and cookie policy was shown. Most consent management platforms handle this, but many custom-built banners miss it entirely.
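Points 1, 3, 5 and 6 above describe one mechanism: a gate that keeps every non-essential tag off the page until its category is granted, lets the user change that later, and keeps a record of each decision. The following is an added example written for this guide; it is not Tag Leak's code or any consent management platform's. It starts every category denied, derives the Google Consent Mode v2 signals from the user's choices, loads a vendor tag only once its category is granted, expires that vendor's cookies when consent is withdrawn, and records every decision. The tag table, the cookies mapped to each tag, the policy version string and the injected `loadScript`/`expireCookie` hooks are assumptions made for the demo; the vendor script URLs are real, the measurement ID is a placeholder.

```javascript
// Added example, not Tag Leak's code: a minimal consent gate. Assumptions for the
// demo: the TAGS table, the cookies attributed to each tag, "example-v1" as the
// policy version, and the loadScript/expireCookie hooks (in a real page they
// would append a <script> and rewrite document.cookie with a past expiry date).

const CATEGORIES = ["analytics", "advertising"];

// Which consent category each tag needs and the cookies it is known to set
// (_ga: Google Analytics, _fbp: Meta Pixel). G-PLACEHOLDER stands for a real ID.
const TAGS = [
  { name: "google-analytics", category: "analytics", cookies: ["_ga"],
    src: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { name: "meta-pixel", category: "advertising", cookies: ["_fbp"],
    src: "https://connect.facebook.net/en_US/fbevents.js" },
];

// GDPR default: nothing non-essential is granted until the user acts.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Map the categories onto the four Consent Mode v2 signals. The two signals
// added in v2 (ad_user_data, ad_personalization) follow the advertising choice.
function toConsentMode(consent) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(consent.analytics),
    ad_storage: g(consent.advertising),
    ad_user_data: g(consent.advertising),
    ad_personalization: g(consent.advertising),
  };
}

// The gtag() argument lists a page must push: "default" before any Google tag
// loads (wait_for_update gives the banner 500 ms to answer), "update" after the
// user chooses. Returned as arrays so they can be inspected or replayed.
function consentModeDefault() {
  return ["consent", "default", { ...toConsentMode(defaultConsent()), wait_for_update: 500 }];
}
function consentModeUpdate(consent) {
  return ["consent", "update", toConsentMode(consent)];
}

// Build a gate around a script loader and a cookie expirer. They are injected so
// the logic runs outside a browser and can be tested.
function createGate({ loadScript, expireCookie, now = () => Date.now() }) {
  const loaded = new Set();
  const records = [];
  let consent = defaultConsent();

  // Apply a full set of choices (missing categories count as denied), load or
  // stop tags accordingly, and keep a consent record for Article 7(1).
  function apply(choices, method) {
    consent = { ...defaultConsent(), ...choices };
    records.push({ at: now(), method, policyVersion: "example-v1", choices: { ...consent } });
    const started = [];
    const stopped = [];
    for (const tag of TAGS) {
      if (consent[tag.category] && !loaded.has(tag.name)) {
        loadScript(tag.src);
        loaded.add(tag.name);
        started.push(tag.name);
      } else if (!consent[tag.category] && loaded.has(tag.name)) {
        // Withdrawal: a running script cannot be unloaded, so expire its cookies
        // now; the denied state keeps it from loading again on the next page.
        tag.cookies.forEach(expireCookie);
        stopped.push(tag.name);
      }
    }
    return { started, stopped, gtag: consentModeUpdate(consent) };
  }

  return {
    apply,
    acceptAll: () => apply(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept-all"),
    rejectAll: () => apply({}, "reject-all"),
    getConsent: () => ({ ...consent }),
    getRecords: () => records.slice(),
    isLoaded: (name) => loaded.has(name),
  };
}

// Walk-through with a recording loader (constructed for the demo).
const demoLog = [];
const demoGate = createGate({
  loadScript: (src) => demoLog.push("load " + src),
  expireCookie: (name) => demoLog.push("expire " + name),
});
demoGate.apply({ analytics: true }, "banner-granular"); // loads GA only
demoGate.rejectAll();                                    // expires _ga
console.log(consentModeDefault(), demoLog);
```

Two details matter in practice: the "default" consent command has to run before the first Google tag script is fetched, or the tag starts in a granted state; and withdrawal cannot unload a script that already ran, so the honest options are to expire the vendor's cookies immediately and to reload the page so the gate starts from the denied state.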

At Tag Leak, we score websites 0-100 on cookie compliance. The score is based on:

  • Pre-consent tracking — do cookies and scripts fire before the user consents? (biggest impact on score)
  • Consent banner presence — is there a functional consent mechanism?
  • Google Consent Mode v2 — is GCM v2 implemented correctly? (required for Google Ads in the EEA)
  • IAB TCF v2.2 — is the Transparency and Consent Framework in place?
  • Security headers — are headers like Content-Security-Policy and Strict-Transport-Security set? (Not something the cookie rules require, but a Content-Security-Policy script-src allowlist is the one control that stops an unapproved third-party script from running at all, whatever the banner does.)
  • Post-rejection behavior — after clicking "Reject," do tracking cookies actually stop?

Across the 250+ websites we've indexed, even major brands frequently fail on pre-consent tracking.
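The two checks with the most weight above, pre-consent tracking and post-rejection behaviour, can be reproduced offline from a capture of what a page loaded and when. The following is an added example for this guide, not Tag Leak's scanner: it walks a constructed capture of requests, cookies and the user's banner interaction in time order and reports tracking traffic before the first interaction and after a rejection. The capture format, the host and cookie tables and the sample events are assumptions made for the demo; the hostnames and cookie names are the vendors' real ones. Script loads are reported separately from data-carrying hits, because a vendor script fetched before consent is only acceptable if it starts in a denied state (Google's "advanced" Consent Mode behaviour), which a GA4 hit reveals through its `gcs` parameter.

```javascript
// Added example, not Tag Leak's scanner: audit a captured page load for tracking
// before consent and after rejection. The capture format, host/cookie tables and
// SAMPLE_CAPTURE are constructed for the demo; hostnames and cookie names are real.

// Tracker endpoints: "script" = loads vendor code, "hit" = carries page data.
const TRACKER_HOSTS = {
  "www.googletagmanager.com": { category: "analytics", kind: "script" },
  "www.google-analytics.com": { category: "analytics", kind: "hit" },
  "region1.google-analytics.com": { category: "analytics", kind: "hit" },
  "connect.facebook.net": { category: "advertising", kind: "script" },
  "www.facebook.com": { category: "advertising", kind: "hit" },
  "analytics.tiktok.com": { category: "advertising", kind: "script" },
};
const TRACKER_COOKIES = { _ga: "analytics", _gid: "analytics", _fbp: "advertising", _ttp: "advertising" };

// GA4 hits carry gcs = "G1" + ad_storage digit + analytics_storage digit;
// "G100" is the cookieless ping Consent Mode sends while everything is denied.
function isDeniedPing(url) {
  const gcs = url.searchParams.get("gcs");
  return gcs !== null && gcs.startsWith("G1") && gcs.slice(2) === "00";
}

function allowed(consent, category) {
  if (consent.action === "accept") return true;
  if (consent.action === "reject") return false;
  return Boolean(consent.choices && consent.choices[category]);
}

// events: { t, kind: "request", url } | { t, kind: "cookie", name }
//       | { t, kind: "consent", action: "accept" | "reject" | "granular", choices }
function audit(events) {
  const findings = { preConsentScripts: [], preConsentHits: [], postRejection: [], deniedPings: 0 };
  let consent = null; // stays null until the user interacts with the banner
  for (const e of [...events].sort((a, b) => a.t - b.t)) {
    if (e.kind === "consent") { consent = e; continue; }
    let category, kind, label;
    if (e.kind === "request") {
      const url = new URL(e.url);
      const info = TRACKER_HOSTS[url.hostname];
      if (!info) continue;
      if (info.kind === "hit" && isDeniedPing(url)) { findings.deniedPings++; continue; }
      ({ category, kind } = info);
      label = url.hostname;
    } else if (e.kind === "cookie") {
      category = TRACKER_COOKIES[e.name];
      if (!category) continue;
      kind = "hit";
      label = "cookie " + e.name;
    } else { continue; }
    if (consent === null) {
      (kind === "script" ? findings.preConsentScripts : findings.preConsentHits).push(label);
    } else if (!allowed(consent, category)) {
      findings.postRejection.push(label);
    }
  }
  // Scripts alone do not fail the audit; data leaving before consent or after "Reject" does.
  findings.pass = findings.preConsentHits.length === 0 && findings.postRejection.length === 0;
  return findings;
}

// Constructed capture: gtag.js loads early and sends a denied-state ping (fine),
// Meta Pixel sets _fbp and fires before consent (violation), and after "Reject"
// the TikTok pixel still loads and sets _ttp (violation).
const SAMPLE_CAPTURE = [
  { t: 0, kind: "request", url: "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER" },
  { t: 120, kind: "request", url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&gcs=G100&en=page_view" },
  { t: 300, kind: "request", url: "https://connect.facebook.net/en_US/fbevents.js" },
  { t: 350, kind: "cookie", name: "_fbp" },
  { t: 360, kind: "request", url: "https://www.facebook.com/tr/?id=PLACEHOLDER&ev=PageView" },
  { t: 5000, kind: "consent", action: "reject" },
  { t: 5200, kind: "request", url: "https://analytics.tiktok.com/i18n/pixel/events.js" },
  { t: 5400, kind: "cookie", name: "_ttp" },
];

console.log(JSON.stringify(audit(SAMPLE_CAPTURE), null, 2));
```

Treat `preConsentScripts` as a warning rather than a failure only when every hit those scripts send before consent is a denied-state ping; a script fetched early that immediately sets `_ga` or `_fbp` shows up under `preConsentHits` and fails the audit regardless. In a real run the events would come from a headless browser's network and cookie logs, with the consent event injected at the moment the scanner clicks the banner.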

Three things have changed in the past year:

  1. Google Consent Mode v2 is now required for personalized advertising in the EEA. Without it, your Google Ads campaigns lose data. This made cookie compliance a marketing concern, not just a legal one.

  2. Enforcement is accelerating. EU data protection authorities are issuing more fines, more frequently, to smaller companies. It's no longer just Meta and Google getting fined.

  3. Browsers are changing. Chrome's repeatedly delayed third-party cookie deprecation, Safari's ITP, and Firefox's Enhanced Tracking Protection mean the technical landscape is shifting. Proper consent architecture prepares you for these changes.

| Aspect | EU (GDPR/ePrivacy) | US (CCPA/CPRA) |
|---|---|---|
| Default | Non-essential cookies blocked until consent | Cookies allowed by default |
| User action | Must opt in | Must opt out |
| Banner required | Yes, before non-essential cookies fire | No, but an opt-out link or notice is required |
| Consent record | Must be able to demonstrate consent | Not explicitly required |
| Enforcement | DPAs (CNIL, the ICO for UK GDPR, etc.) | CPPA, state AGs |

Most websites targeting both markets end up implementing the stricter EU model anyway: an opt-in setup largely satisfies US opt-out requirements, though CCPA/CPRA still expects you to honor Global Privacy Control signals and to provide the required opt-out link or notice.

The quickest way is to run a free scan:

  1. Go to tagleak.com
  2. Enter your URL
  3. Get your compliance score in 60 seconds

The scan checks pre-consent tracking, consent banner detection, Google Consent Mode v2 implementation, security headers, and more. No signup required.

If you want to compare your score against competitors, use the Compliance Index to see how other websites in your industry perform.

Based on scanning hundreds of websites:

  1. Banner present, cookies not blocked — The #1 issue. The banner is cosmetic but doesn't actually prevent tracking.
  2. No reject option — The banner has "Accept" but no way to decline.
  3. Analytics assumed "strictly necessary" — Google Analytics is not strictly necessary. It requires consent.
  4. Cookie policy is a copy-paste template — Doesn't list your actual cookies.
  5. GCM v2 not implemented — Unless your banner blocks them outright, Google tags running without Consent Mode fire with full tracking regardless of consent; with Consent Mode they start in a denied state and only upgrade after the user grants the category.


Frequently Asked Questions

What is cookie compliance?

Cookie compliance means following privacy regulations (GDPR, CCPA, ePrivacy Directive) that govern how websites use cookies and tracking technologies. This includes getting user consent before setting non-essential cookies, providing clear information about what cookies you use, and giving users control over their cookie preferences.

Do I need cookie compliance on my website?

If your website uses cookies beyond those strictly necessary for basic functionality — including analytics, advertising, or social media cookies — and you have visitors from the EU, UK, or California, you need to comply with cookie regulations. Most websites with any traffic from these regions need compliance measures.

What happens if my website isn't cookie compliant?

Non-compliance can result in fines (up to 4% of annual global turnover under GDPR, or up to $7,500 per intentional violation under CCPA/CPRA), legal action from consumers, and reputational damage. Enforcement is increasing: EU data protection authorities have issued well over a billion euros in GDPR fines per year in recent years.

How do I check if my website is cookie compliant?

Use a cookie compliance scanner like Tag Leak to audit your website for free. It checks whether cookies fire before consent, whether you have a consent banner, Google Consent Mode v2 implementation, and security headers — then gives you a score out of 100.

What's the difference between cookie compliance and having a cookie banner?

A cookie banner is just one part of cookie compliance. Full compliance also requires actually blocking cookies until consent is given, providing granular cookie categories, allowing users to withdraw consent, maintaining a cookie policy, and properly implementing consent signals like Google Consent Mode.
