Cookies and the GDPR — How to Implement a Legally Compliant Cookie Banner
Cookies are one of the areas where the gap between common practice and legal requirements is the widest. Most websites in Poland and across Europe use cookie banners, but a significant proportion of them fail to comply with the GDPR and the ePrivacy Directive — either because they do not give the user a genuine choice, or because analytics and marketing cookies are loaded before consent is obtained.
This article explains the legal framework governing cookies, how to properly implement a consent mechanism, the most common mistakes, and the fines that may result from non-compliance.
What Laws Govern Cookies?
The use of cookies is regulated by two legal instruments in parallel:
Directive 2002/58/EC (the ePrivacy Directive) — Article 5(3) requires the user’s consent before information is stored on or read from their device, which covers cookies as well as localStorage entries, tracking pixels and similar techniques. In Poland, the ePrivacy Directive was implemented by Article 173 of the Telecommunications Act of 16 July 2004; that Act has since been replaced by the Electronic Communications Law of 12 July 2024, which carries the same consent requirement over, so references to Article 173 in older cookie policies should be updated.
The GDPR — applies to the processing of personal data collected through cookies. If cookies enable the identification of a user (and most analytics and marketing cookies do), they involve the processing of personal data subject to the GDPR.
In practice, this means that the use of cookies requires compliance with both sets of rules simultaneously — obtaining consent to store the cookie (ePrivacy/Telecommunications Act) and having a legal basis for processing the personal data collected through it (GDPR).
Types of Cookies and Their Legal Classification
Not all cookies require consent. The key distinction is between:
Strictly necessary cookies — absolutely essential for the website to function. Examples: session cookies enabling login, cookies remembering shopping cart contents, security cookies (e.g., CSRF protection). These cookies do not require consent because they are strictly necessary to provide a service explicitly requested by the user, which is the exemption in Article 5(3) of the ePrivacy Directive. Any personal data they carry still needs a GDPR legal basis, typically performance of a contract or the controller’s legitimate interest. Note that “necessary for the business” (e.g., for advertising revenue) is not “strictly necessary for the service.”
Analytics cookies — used to collect information about how the website is used (number of visits, popular pages, time spent on site). Examples: Google Analytics, Matomo, Hotjar. These cookies require consent before they are activated.
Marketing / advertising cookies — used to track the user for advertising purposes, profiling, and displaying personalised ads. Examples: Facebook Pixel, Google Ads remarketing, ad network tracking pixels. These cookies require consent — and their use carries the highest legal risk.
Functional cookies (preferences) — remember user preferences (language, region, font size). Depending on implementation, they may or may not require consent — if they collect data that enables identification, consent is required.
What Does Valid Cookie Consent Look Like?
Consent for cookies must meet the same requirements as consent for personal data processing under the GDPR (Article 7) and the ePrivacy Directive. The EDPB and European supervisory authorities have repeatedly clarified what valid consent entails:
Freely given — the user must have a genuine, free choice. They must not be forced to accept cookies to access the website (a so-called cookie wall). The EDPB in Guidelines 05/2020 indicated that making website access conditional on cookie acceptance does not, in principle, constitute freely given consent.
Specific — consent should relate to defined purposes and categories of cookies. The user should be able to consent separately to analytics cookies and separately to marketing cookies — not just via a single “accept all” button.
Informed — the user must know what they are consenting to. The banner should state what types of cookies are used, for what purposes, who the data controller is, and how long the cookies will be stored. A link to the full cookie policy should be easily accessible.
Unambiguous — consent requires an active action by the user (clicking a button). Continued browsing, scrolling, closing the banner with an “X,” or inaction do not constitute valid consent. Pre-ticked checkboxes are inadmissible — this was confirmed by the CJEU in the Planet49 case (C-673/17).
Withdrawable — the user must be able to withdraw consent at any time, as easily as it was given. In practice, this means the website should have a permanently accessible link or button allowing the user to change their cookie settings (e.g., “Manage cookies” in the footer).
Most Common Cookie Banner Mistakes
Based on decisions by European supervisory authorities (particularly the French CNIL, which has imposed the highest fines for cookie violations) and UODO audits, the most common mistakes are:
No reject option — the banner offers only an “Accept” button without an equivalent “Reject” or “Necessary only” option. The user has no real choice.
Asymmetric design — the “Accept all” button is large and prominent, while the reject option is hidden, requires additional clicks, or is written in fine print. The CNIL found this to be a violation — both options should be equally accessible (the principle of symmetry).
Loading cookies before consent — analytics and marketing cookies fire immediately upon entering the site, before the user has expressed consent. This is one of the most serious violations — consent must be prior.
Pre-ticked boxes — checkboxes in advanced settings are checked by default. The user would have to actively uncheck them to refuse. The CJEU in the Planet49 case unequivocally held that this does not constitute valid consent.
Cookie wall — the website requires acceptance of all cookies as a condition for accessing content. The EDPB has generally found this to violate the requirement of freely given consent (though discussion continues in some jurisdictions about possible exceptions).
No option to withdraw consent — after accepting cookies, the user has no way to change their decision because the site lacks a link to cookie management settings.
Incomplete information — the banner contains a generic statement such as “this site uses cookies” without information about the types of cookies, their purposes, or the controller.
No cookie policy — the website uses cookies but lacks a document describing in detail the cookies used, their purposes, retention periods, and management options.
How to Properly Implement a Cookie Banner — Step by Step
1. Conduct a cookie audit — identify everything your website stores on the user’s device. Use tools such as the browser’s own DevTools (in Chrome: Application → Cookies; in Firefox: the Storage tab), Cookiebot Scanner, or Cookie-Script Scanner. Prefer DevTools over a script that reads document.cookie, because HttpOnly cookies are invisible to JavaScript. Check localStorage and sessionStorage as well, and tracking pixels: Article 5(3) of the ePrivacy Directive covers any storing of or access to information on the device, not only cookies. Run the audit in a fresh browser profile twice, once without interacting with the banner and once after clicking “Reject,” so you see what is set before and without consent. For each cookie, determine: the name, provider, purpose, category (necessary/analytics/marketing/functional), and retention period.
2. Classify cookies — assign each cookie to one of the categories (necessary, analytics, marketing, functional). Be conservative — if you are unsure whether a cookie is “necessary,” classify it in a category that requires consent.
3. Choose a Consent Management Platform (CMP) — a CMP displays the cookie banner, collects and stores consent, and blocks cookies until consent is obtained. Popular solutions: Cookiebot (paid, excellent for European compliance), Cookie-Script, Complianz (WordPress plugin), Osano, OneTrust (for large organisations). Choose a solution that actually blocks scripts before consent (so-called prior blocking) — not one that merely displays a banner.
4. Configure the banner in accordance with requirements:
First layer (banner): information about cookies + three equivalent buttons: “Accept all,” “Reject” (or “Necessary only”), and “Settings” (or “Manage”).
Second layer (settings panel): list of cookie categories with descriptions, the ability to check/uncheck each category, and a “Save settings” button. The “necessary” category may be pre-checked and locked (cannot be unchecked).
5. Ensure prior blocking — configure the CMP so that analytics and marketing scripts do not load until consent is obtained; in practice the CMP rewrites them as inert placeholders (e.g., type="text/plain" with a category attribute) and activates them only after consent. This is the critical element: a banner without script blocking is worthless. Verify it rather than trusting the vendor: in a fresh browser profile click “Reject,” reload, and confirm in DevTools that no analytics or marketing cookies are set and that the Network tab shows no requests to analytics or advertising domains.
6. Prepare a cookie policy — a separate document (or a section in the privacy policy) describing: what cookies are, what cookies your site uses (a table with names, purposes, retention periods, and providers), how to manage cookies in the browser, and the controller’s contact details.
7. Add a “Manage cookies” link — place a permanent link in the website footer that allows the user to reopen the cookie management panel. The user must be able to change their decision at any time.
8. Document consent — the CMP should store evidence of consent: when it was given, for which categories, and under which version of the cookie policy or banner text, usually linked to a pseudonymous consent ID kept in a first-party cookie. This is what you will need to demonstrate under Article 7(1) GDPR in the event of an audit. Re-ask for consent when the cookie list or the policy changes, since an old record does not cover new cookies.
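Steps 3 to 8 above, condensed into a small example in JavaScript. This is an added illustration, not code from the article or from any CMP: it assumes consent-requiring scripts are written in the page as `<script type="text/plain" data-cookiecategory="analytics">` placeholders, uses a hypothetical POLICY_VERSION constant, and the cookie table and observed cookie names at the bottom are constructed sample data.

```javascript
// Added example (not from the original article, not any CMP's own code): a minimal
// consent gate that implements prior blocking and records consent.
// Assumptions: consent-requiring scripts are written in the HTML as
//   <script type="text/plain" data-cookiecategory="analytics">...</script>
// and the four category names below match the banner's settings panel.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06-01"; // hypothetical; bump when the cookie table changes

// Build a consent record worth keeping as evidence: what was chosen, when, and
// against which version of the cookie policy. "necessary" is always on.
function buildConsentRecord(choices, now = new Date()) {
  const record = { version: POLICY_VERSION, timestamp: now.toISOString(), categories: {} };
  for (const cat of CATEGORIES) {
    record.categories[cat] = cat === "necessary" ? true : choices[cat] === true;
  }
  return record;
}

// "Reject" / "Necessary only" and "Accept all" are two presets of the same record,
// so both buttons cost the user exactly one click (the symmetry requirement).
const rejectAll = () => buildConsentRecord({});
const acceptAll = () =>
  buildConsentRecord({ functional: true, analytics: true, marketing: true });

// No decision yet, or a decision made under an older policy version, means only
// "necessary" is allowed and the banner must be shown again.
function allowedCategories(record) {
  if (!record || record.version !== POLICY_VERSION) return { necessary: true };
  return record.categories;
}

// Prior blocking: which placeholders may become real scripts. A placeholder
// without a category is treated as "marketing" (the most restrictive choice).
function scriptsToActivate(placeholders, record) {
  const allowed = allowedCategories(record);
  return placeholders.filter((p) => allowed[p.category || "marketing"] === true);
}

// Browser side: replace permitted type="text/plain" placeholders with live scripts.
// Returns the number activated; call it on every page load once a record exists.
function activateScripts(doc, record) {
  const placeholders = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-cookiecategory]')
  ).map((el) => ({ el, category: el.dataset.cookiecategory }));
  let activated = 0;
  for (const { el } of scriptsToActivate(placeholders, record)) {
    const live = doc.createElement("script");
    for (const a of Array.from(el.attributes)) {
      if (a.name !== "type") live.setAttribute(a.name, a.value); // keeps src=, async, etc.
    }
    live.text = el.text; // inline code, if any
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Audit check: given the cookie names actually present after the user's decision
// and the cookie table from the cookie policy (name -> category), return every
// cookie that should not be there. Undeclared cookies are flagged as well.
function cookiesViolatingConsent(observedNames, cookieTable, record) {
  const allowed = allowedCategories(record);
  return observedNames.filter((name) => {
    const cat = cookieTable[name];
    return cat === undefined || allowed[cat] !== true;
  });
}

// Constructed sample data for a dry run (not taken from any real site).
const SAMPLE_COOKIE_TABLE = {
  PHPSESSID: "necessary",
  csrftoken: "necessary",
  site_lang: "functional",
  _ga: "analytics",
  _fbp: "marketing",
};
const SAMPLE_OBSERVED = ["PHPSESSID", "_ga", "_fbp", "unknown_tracker"];
```

Feed cookiesViolatingConsent with the names taken from DevTools or a scanner rather than from document.cookie, since HttpOnly cookies are not visible to JavaScript; after clicking “Reject,” the expected result for the sample table is that _ga, _fbp and the undeclared unknown_tracker are all reported, and a non-empty result after “Reject” is exactly the violation described in step 5.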
Google Analytics and the GDPR — Key Considerations
Google Analytics deserves a separate mention as the most popular analytics tool and a frequent source of legal controversy.
Google Analytics 4 (GA4) — the current version — processes users’ personal data (cookie identifiers, IP addresses, behavioural data). In 2022, several European supervisory authorities (Austrian, French, Italian) found that the use of Google Analytics violated the GDPR due to data transfers to the US.
The situation partially changed after the adoption of the EU-US Data Privacy Framework in 2023 — Google LLC is covered by this framework, which provides a mechanism for data transfers to the US. However, the long-term stability of this framework remains uncertain (a potential Schrems III challenge).
What to do to use Google Analytics in compliance with the GDPR?
Obtain user consent before loading GA4 — Google Analytics uses analytics cookies that require consent.
Check how GA4 handles IP addresses — unlike Universal Analytics, GA4 has no “anonymize IP” switch to turn on: it uses the IP address transiently for geolocation and does not log or store it. It does still process the address during collection, so the transfer question in the previous paragraph is not removed by this.
Set data retention to the minimum — GA4 offers 2 months or 14 months for event-level data (longer periods only on GA4 360); 2 months is the default for new properties, so confirm that nobody has raised it to 14 months.
Configure Google Consent Mode v2 — a mechanism that passes the user’s banner decision to Google tags as four signals (ad_storage, analytics_storage, ad_user_data, ad_personalization); the last two were added in v2 and have been required since March 2024 for Google Ads measurement of EEA users. Note that Consent Mode in its “advanced” form loads the tags before consent and sends cookieless pings; only the “basic” form, where the tags themselves are blocked until consent, satisfies the prior-blocking requirement described above.
Consider alternatives — Matomo (open source, can be self-hosted, configurable without cookies), Plausible, Fathom — privacy-focused tools that, in the right configuration, may not require consent. The exemption is narrow and national: for example, the CNIL exempts audience-measurement tools only if they are configured for first-party, aggregated statistics without cross-site tracking or data sharing, and other authorities have not all adopted the same position, so check the guidance of your own supervisory authority before dropping the consent prompt.
Conduct a Transfer Impact Assessment (TIA) — if you use GA4, document a risk assessment for data transfers to the US.
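The Consent Mode v2 call sequence from the list above, as an added example in JavaScript that is not Google’s code and not code from the article. The four signal names are the real Consent Mode v2 parameters; the dataLayer stand-in (so it runs outside a browser), the mapping from the banner’s categories onto those signals, and the 500 ms wait are this example’s own assumptions.

```javascript
// Added example (not from the original article, not Google's own snippet): the
// Consent Mode v2 sequence. In a browser, window.dataLayer is the real queue read
// by gtag.js / GTM; outside a browser we use a plain array so the code still runs.
const dataLayer =
  typeof window !== "undefined" ? (window.dataLayer = window.dataLayer || []) : [];
function gtag() {
  dataLayer.push(arguments);
}

const V2_SIGNALS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

// 1) Must run before the gtag.js or GTM snippet is loaded: everything denied, and the
//    tags wait up to 500 ms (assumed value) for the CMP to push an update.
function setConsentDefaults() {
  gtag("consent", "default", {
    ad_storage: "denied",
    analytics_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    wait_for_update: 500,
  });
}

// Map the banner's categories onto the four v2 signals. The two ad_* "data use"
// signals follow the marketing category here; that mapping is an assumption.
function signalsFromCategories(categories) {
  const g = (ok) => (ok === true ? "granted" : "denied");
  return {
    analytics_storage: g(categories.analytics),
    ad_storage: g(categories.marketing),
    ad_user_data: g(categories.marketing),
    ad_personalization: g(categories.marketing),
  };
}

// 2) After the user decides, and again on every later page view from the stored
//    consent record, so the tags never fall back to the defaults by accident.
function updateConsent(categories) {
  const signals = signalsFromCategories(categories);
  gtag("consent", "update", signals);
  return signals;
}

// Audit check: the first consent command on the queue must be the "default" one and
// it must deny all four signals; an "update" arriving first, or a default that grants
// anything, means Google tags may run before the user has decided.
function consentDefaultsAreFirst(layer) {
  const first = Array.from(layer).find((cmd) => cmd[0] === "consent");
  if (!first || first[1] !== "default") return false;
  return V2_SIGNALS.every((k) => first[2][k] === "denied");
}
```

Call setConsentDefaults() in a script placed above the gtag.js or GTM snippet in the page head, and updateConsent() from the CMP’s “consent changed” callback. To check a live site, run consentDefaultsAreFirst(window.dataLayer) in the console after rejecting everything; it should return true, and the Network tab should show no cookie-setting requests to Google domains.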
Fines for Cookie Violations
European supervisory authorities are imposing increasingly substantial fines for improper cookie practices. Fines primarily target the absence of consent, loading cookies before obtaining consent, and asymmetric banners.
The French CNIL has imposed some of the highest fines in this area: €100 million on Google and €35 million on Amazon in December 2020 for setting advertising cookies without prior consent, and €150 million on Google and €60 million on Facebook at the turn of 2021/2022 for banners on which refusing cookies took several clicks while accepting took one.
In Poland, UODO has so far imposed lower fines in this area, but the European trend is clear: fines for cookie violations are rising, and they are being imposed for banner design, not only for missing banners.
The Upcoming Change — The ePrivacy Regulation
It is worth noting that the European Union has been working for years on the ePrivacy Regulation, intended to replace the current ePrivacy Directive from 2002. The new regulation aims to harmonise cookie rules across the entire EU (currently each country implements the directive differently), clarify the relationship between ePrivacy and the GDPR, and potentially simplify the rules for certain categories of cookies.
Work on the regulation has been ongoing since 2017 and has repeatedly stalled in the Council of the EU. There is currently no certain date for its entry into force, but organisations should already apply the highest standards — as the regulation is more likely to tighten than relax the requirements.
Checklist — Legally Compliant Cookies
- Conduct a cookie audit on your website.
- Classify cookies (necessary, analytics, marketing, functional).
- Implement a CMP with prior blocking capability.
- Ensure equivalent “Accept” and “Reject” options in the banner.
- Do not use pre-ticked boxes.
- Do not use a cookie wall.
- Add a “Manage cookies” link in the website footer.
- Prepare a cookie policy with a cookie table.
- Configure Google Consent Mode v2 (if using Google Analytics/Ads).
- Document consent and store evidence.
- Regularly update the cookie list (new plugins, scripts, and tools may add cookies).
Need a Cookie Audit?
An improper cookie banner is one of the most easily detectable GDPR violations — simply visiting a website is enough to assess whether the consent mechanism is functioning correctly. UODO and European supervisory authorities are increasingly conducting ex officio audits in this area.
At the Law Office of Dr Joanna Maniszewska-Ejsmont, we conduct comprehensive cookie audits — from identifying all cookies on the website, through assessing banner compliance, to implementing a proper consent mechanism and preparing a cookie policy.

Contact us — we will check whether your website is legally compliant.
