GDPR fines for cookie consent violations have exceeded €4 billion since enforcement began in 2018. Regulators have fined companies of every size — from solo bloggers to Google and Meta. Yet many website owners still do not know whether their cookie banner is actually compliant. This guide explains exactly what GDPR requires for cookie consent, what a compliant banner looks like, and how to check any website including your own in seconds.
What GDPR Actually Requires for Cookies
The General Data Protection Regulation, read together with the ePrivacy Directive, sets five requirements for cookie consent that are often misunderstood:
- Consent must be freely given — users must be able to decline cookies just as easily as they can accept them. A banner with a large green Accept button and no visible reject option is not compliant.
- Consent must be specific — users must consent to each category of cookie separately. A single Accept All button with no category breakdown does not provide granular consent and is not compliant.
- Consent must be informed — users must know what they are consenting to before they consent. Cookie categories must be explained in plain language.
- Consent must be unambiguous — pre-ticked boxes, implied consent ("by continuing to use this site you agree"), and consent banners that disappear without a choice are all non-compliant.
- Consent must be withdrawable — users must be able to withdraw consent as easily as they gave it, at any time. A link to cookie settings in the footer satisfies this requirement.
What Makes a Cookie Banner Non-Compliant
The most common compliance failures found in cookie consent banners:
| Issue | Why It Is Non-Compliant |
|---|---|
| No reject option visible without clicking | Consent must be as easy to refuse as to give |
| Consent implied by scrolling or continued use | Consent must be an affirmative action |
| Pre-ticked boxes for non-essential cookies | Consent must be actively given, not assumed |
| No category breakdown | Consent must be specific per cookie purpose |
| Tracking fires before consent is given | Non-essential cookies require prior consent |
| No way to withdraw consent later | Withdrawal must be as easy as giving consent |
| Banner only on first visit, not persistent | Consent records must be maintained and renewable |
Google Consent Mode v2 — What It Is and Why It Matters
Since March 2024, Google requires all websites using Google Ads or Google Analytics in the European Economic Area to implement Consent Mode v2. Without it, Google's measurement and conversion tracking stops working correctly for EEA users — even if the user consents to analytics cookies.
Consent Mode v2 works by sending signals to Google about whether the user has consented to analytics and advertising, allowing Google to model the behaviour of non-consenting users using aggregate data rather than individual tracking. It requires integration between your Consent Management Platform (CMP) and your Google tag setup — typically through Google Tag Manager.
The Anonymiz Cookie Consent Checker specifically checks for Google Consent Mode v2 signals alongside the standard CMP detection.
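How the signals described above are typically wired, as an added example that is not from the original page or from any CMP vendor: the four Consent Mode v2 parameters default to denied before any Google tag runs, and are updated only after an affirmative choice. The category names `analytics` and `marketing` and the helper names are assumptions; the `dataLayer` shim lets the code run outside a browser.

```javascript
// Added example: Consent Mode v2 default/update flow.
// Category names ("analytics", "marketing") and helper names are assumptions.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // gtag.js expects the arguments object

// Map the visitor's per-category choices to the four v2 consent signals.
// Anything not explicitly granted stays denied (no pre-ticked categories).
function consentSignals(choices = {}) {
  const state = (granted) => (granted === true ? 'granted' : 'denied');
  return {
    analytics_storage: state(choices.analytics),
    ad_storage: state(choices.marketing),
    ad_user_data: state(choices.marketing),        // added in v2
    ad_personalization: state(choices.marketing),  // added in v2
  };
}

// Call before the Google tag or GTM container loads.
function setConsentDefault() {
  gtag('consent', 'default', { ...consentSignals(), wait_for_update: 500 });
}

// Call from the CMP callback when the visitor saves a choice or later withdraws it.
function recordChoice(choices) {
  const signals = consentSignals(choices);
  gtag('consent', 'update', signals);
  return signals;
}

// Helper for inspection: consent commands queued so far, in order.
function consentCommands() {
  return dataLayer
    .map((args) => Array.from(args))
    .filter((a) => a[0] === 'consent')
    .map(([, mode, params]) => ({ mode, params }));
}

setConsentDefault();
recordChoice({ analytics: true, marketing: false }); // constructed sample choice
```

Withdrawal uses the same path: calling `recordChoice({})` from the footer settings link sends all four signals back to denied.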
The Major Consent Management Platforms (CMPs)
A CMP is the software that powers your cookie consent banner. The most widely used ones:
- Cookiebot (Usercentrics) — one of the most popular in Europe. Strong GDPR compliance features, automatic cookie scanning, IAB TCF 2.0 support. Paid plans are required above a small free tier.
- OneTrust — enterprise-grade CMP used by large organisations. Comprehensive but complex. Expensive for small sites.
- Osano — simpler interface, strong compliance features, used heavily in the US market. CCPA and GDPR coverage.
- CookieYes — popular with WordPress sites. Lower price point, reasonable compliance features for small to medium sites.
- Quantcast Choice — free CMP with IAB TCF 2.0 support. Good option for publishers using programmatic advertising.
- No CMP — running tracking without any consent mechanism. Non-compliant if tracking non-essential cookies for EEA users.
How to Check Any Website's Cookie Consent
The Anonymiz Cookie Consent Checker analyses any URL and reports on its consent mechanism. It checks for:
- Whether a known CMP is present and which one
- Google Consent Mode v2 implementation
- Whether tracking scripts are deferred until after consent
- The overall compliance signal level
To use it: go to anonymiz.com/cookie-consent-checker, enter any URL including your own website, and click Check. Results appear within seconds.
Important note: Some cookie banners load via JavaScript after the initial page render, which means static analysis tools may not detect them even when they are present. If your site uses a JavaScript-loaded CMP and the checker shows no banner detected, this is likely the reason — not necessarily a compliance problem. Browser-based testing using the actual user experience is always the most accurate assessment.
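A static check of the kind listed above, as an added example (not the Anonymiz checker's code): it scans raw HTML for a CMP loader, a Consent Mode default call, and Google tags that appear before either. The hostname lists are a small illustrative subset and the sample pages are constructed; as the note above says, a CMP injected later by JavaScript is invisible to this kind of scan.

```javascript
// Added example: static consent check over raw HTML. Hostname lists are an illustrative subset.
// Ordering heuristic only: it cannot prove that the CMP actually blocks tags at runtime.
const CMP_HOSTS = {
  'consent.cookiebot.com': 'Cookiebot',
  'cdn.cookielaw.org': 'OneTrust',
  'cmp.osano.com': 'Osano',
  'cdn-cookieyes.com': 'CookieYes',
};
const TRACKER_HOSTS = ['www.googletagmanager.com', 'www.google-analytics.com'];

function checkConsent(html) {
  const report = { cmp: null, consentModeDefault: false, trackersBeforeConsent: [] };
  let consentReady = false; // true once a CMP loader or consent default has appeared
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  for (const [, attrs, body] of html.matchAll(scriptRe)) {
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']+)["']/i) || [])[1];
    // type="text/plain" is a common CMP pattern for holding a script until consent.
    const blocked = /\btype\s*=\s*["']text\/plain["']/i.test(attrs);
    if (/gtag\(\s*['"]consent['"]\s*,\s*['"]default['"]/.test(body)) {
      report.consentModeDefault = true;
      consentReady = true;
    }
    if (!src) continue;
    let host;
    try { host = new URL(src, 'https://page.invalid/').hostname; } catch { continue; }
    if (CMP_HOSTS[host]) {
      report.cmp = report.cmp || CMP_HOSTS[host];
      consentReady = true;
    } else if (TRACKER_HOSTS.includes(host) && !blocked && !consentReady) {
      report.trackersBeforeConsent.push(src);
    }
  }
  return report;
}

// Constructed sample pages.
const BAD_PAGE = `<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="https://consent.cookiebot.com/uc.js" data-cbid="00000000-0000-0000-0000-000000000000"></script>
</head>`;
const GOOD_PAGE = `<head>
<script>gtag('consent', 'default', {analytics_storage: 'denied', ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied'});</script>
<script src="https://cdn.cookielaw.org/scripttemplates/otSDKStub.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
</head>`;
```

`checkConsent(BAD_PAGE)` flags the Google tag that precedes the CMP loader, while `checkConsent(GOOD_PAGE)` reports a Consent Mode default and no early trackers.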
CCPA — The US Equivalent
California's Consumer Privacy Act (CCPA) and its amendment CPRA require California residents to be offered the ability to opt out of the sale or sharing of their personal data. Unlike GDPR, CCPA does not require opt-in consent for cookies — but it does require a "Do Not Sell or Share My Personal Information" link clearly visible on the homepage and in the footer for covered businesses. Covered businesses are those with annual gross revenue over $25M, those that buy/sell data on 100,000+ consumers annually, or those that derive 50%+ of revenue from selling personal data.
Frequently Asked Questions
Do I need a cookie banner if my site uses Google Analytics?
If your site has visitors from the EU, yes. Google Analytics sets cookies that track individual users across sessions and is classified as non-essential analytical tracking under GDPR. You must obtain consent before firing Google Analytics for EEA users, and implement Google Consent Mode v2 if using Google Ads.
Does GDPR apply to me if I am not in the EU?
GDPR applies based on where your users are, not where you are. If your website is accessible to and used by EU residents, GDPR applies to your processing of their personal data regardless of where your business is incorporated or hosted.
What is the penalty for non-compliant cookie consent?
GDPR fines for cookie-related violations can reach up to €20 million or 4% of global annual turnover, whichever is higher. In practice, most enforcement actions against small sites result in warnings or moderate fines rather than maximum penalties — but enforcement has increased significantly since 2022 and smaller companies are increasingly included in actions.
Can I use a free CMP?
Yes. Quantcast Choice is free and IAB TCF 2.0 compliant. CookieYes has a free tier for small sites. WordPress users can use the GDPR Cookie Compliance plugin for free. Free options have limitations — automatic cookie scanning and advanced reporting typically require paid plans — but a properly configured free CMP is better than no CMP.

