# Cookie Consent and Tracking
Definition
Cookie consent and tracking law governs the placement of tracking technologies on end users' devices, the collection of behavioral data through those technologies, and the conditions under which such activities are lawful. The regulatory basis spans two overlapping frameworks: the ePrivacy Directive (2002/58/EC, amended by 2009/136/EC), which requires informed consent before placing non-essential cookies; and GDPR (2016/679/EU), which governs what constitutes valid consent and how personal data derived from tracking may be processed.
A cookie is a small piece of data that a web server asks the browser to store and return on subsequent requests to the same site. A persistent cookie survives across browsing sessions and lets the server recognize a returning visitor; a session cookie is discarded when the browser closes. The cookie itself is a neutral mechanism. What matters legally is what the cookie does: whether it enables tracking of user behavior across websites, whether it enables the identification of individuals, and whether the data it generates is used to profile people, target advertising, or share behavioral data with third parties.
Beyond cookies in the narrow sense, the tracking ecosystem includes browser fingerprinting (identifying users by their browser and device characteristics without storing anything on the device), local storage and IndexedDB (browser-side storage mechanisms that function like cookies but are not exposed through the browser's cookie controls, even though Article 5(3) covers them equally), session recording tools (Hotjar, FullStory, which capture user interaction on a page), and server-side tracking (first-party data collection that does not rely on browser-side storage at all and is therefore invisible to cookie scanners).
Within the Planetary Defense Model, cookie consent and tracking sits at the intersection of RGA (Risk Governance and Assurance) and DPS (Data Protection and Sovereignty). RGA governs the compliance posture that makes tracking lawful: consent records, CMP configuration, and the ongoing processes that keep consent management current as tracking technologies change. DPS governs the personal data that tracking generates: where it is stored, how long it is retained, who has access to it, and how it moves to third parties. Organizations that deploy analytics and advertising technology without addressing both layers carry regulatory, reputational, and contractual risk that compounds over time.
How It Works
The ePrivacy Directive: The Original Cookie Law
Directive 2002/58/EC, the Privacy and Electronic Communications Directive, predates GDPR and operates alongside it. Article 5(3) of the Directive (as amended) requires that storing information, or gaining access to information stored, in the terminal equipment of a subscriber or user is only allowed if the subscriber or user has given their prior consent, having been provided with clear and comprehensive information about the purposes of the processing, and offered the right to refuse.
The exceptions are narrow: prior consent is not required for cookies that are strictly necessary to provide a service explicitly requested by the user. A session cookie that keeps you logged in to your bank account is strictly necessary. A cookie that tracks which products you viewed so the marketing team can retarget you on other websites is not.
The ePrivacy Directive predates the GDPR consent standard and historically left room for weaker forms of consent (implied consent, browser settings). The Court of Justice of the European Union resolved this ambiguity in Planet49 (Case C-673/17, October 2019), holding that pre-ticked checkboxes do not constitute valid consent and that cookie consent must meet the GDPR standard: freely given, specific, informed, unambiguous, and expressed through a clear affirmative action.
A replacement Regulation (the ePrivacy Regulation, intended to replace the Directive and apply directly across the EU in the same way GDPR does) was proposed in 2017 but never adopted; the Commission listed the proposal for withdrawal in its 2025 work programme. The Directive therefore continues to apply through national transposing laws (Article 82 of the French Data Protection Act, PECR in the UK), interpreted in light of the GDPR consent standard and CJEU case law.
GDPR's Consent Standard Applied to Tracking
GDPR Article 4(11) defines consent as any freely given, specific, informed, and unambiguous indication of the data subject's wishes, expressed through a clear affirmative action. GDPR Article 7 sets out conditions for consent: it must be demonstrably recorded, it must be as easy to withdraw as to give, and it must not be a condition of service if the processing is not necessary for that service.
Applied to cookie consent, these requirements have specific operational implications. "Freely given" means that accepting cookies cannot be a condition of accessing the website if the website can function without the cookies. A "consent wall" (access denied until you accept all cookies) is generally unlawful for non-essential processing. "Specific" means consent to analytics cookies is separate from consent to advertising cookies: a single checkbox for "all non-essential cookies" does not satisfy specificity. "Informed" means the user must understand what they are consenting to before they consent: the information must be provided before consent is captured, not after. "Unambiguous and expressed through a clear affirmative action" means that scrolling past a banner, continuing to use a website, or clicking anywhere other than an explicit consent button does not constitute consent.
"Withdrawable" means that a user who accepted cookies last month must be able to revoke that consent as easily as they granted it (Article 7(3)), and that revocation must propagate to all downstream processing. Article 7(3) preserves the lawfulness of processing that took place before the withdrawal, but once consent is withdrawn the controller no longer has a legal basis for continuing to use the data, and Article 17(1)(b) gives the data subject a right to have it erased. An implementation that stops new tracking but keeps using the already-collected profile has not honored the withdrawal.
What Requires Consent
The categories requiring consent include: analytics cookies and scripts (Google Analytics, Adobe Analytics, Matomo with default settings) because they track behavioral data across sessions and can be linked to individual users; advertising cookies (Google Ads, Meta Pixel, programmatic advertising tags) because they build profiles for behavioral targeting; social media pixels (Facebook Pixel, LinkedIn Insight Tag, Twitter Pixel) because they enable cross-site tracking and profile enrichment; session recording tools (Hotjar, FullStory, Microsoft Clarity) because they capture keystrokes, mouse movements, and form interactions that can reveal sensitive information; and retargeting tags, which track identified users across third-party sites to serve personalized advertising.
What does not require consent: strictly necessary cookies (authentication session tokens, shopping cart cookies, CSRF protection tokens, load balancing cookies), cookies that are used solely to carry out the transmission of a communication over an electronic communications network, and first-party analytics cookies configured to operate without cross-site tracking or persistent identification, provided their scope is strictly limited and they do not feed into third-party data sharing.
The boundary between "analytics" and "strictly necessary" is contested. Some organizations attempt to classify their analytics as "performance cookies" and argue these are necessary for operating the service. Supervisory authority guidance rejects this: the ICO treats analytics cookies as non-essential and requiring consent, and the CNIL exempts audience-measurement tools only when they are configured to produce aggregate statistics for the site operator alone (no cross-site tracking, no data sharing with third parties, limited retention) and publishes the tool configurations it accepts. Analytics used for optimizing the website outside those narrow conditions requires consent.
Consent Management Platforms (CMPs)
A Consent Management Platform is software that implements the consent banner, records consent choices, signals consent status to downstream tracking tools, and maintains an auditable consent log. The CMP is the technical infrastructure that makes a consent program operational rather than cosmetic.
Leading CMPs include OneTrust (enterprise market leader with deep regulatory mapping capabilities), CookiePro (OneTrust subsidiary, widely used for mid-market implementations), Cookiebot (widely used in Europe, strong focus on automatic cookie scanning and classification), Osano (US-focused, strong on CCPA and US state law compliance), Quantcast Choice (free tier with IAB TCF integration, widely used in media and publishing), and Usercentrics (European-focused, strong GDPR and ePrivacy coverage).
All enterprise CMPs provide: an automatic cookie scanner that discovers tracking technologies deployed on the site (including those added by third-party scripts, which are a common source of compliance gaps), a consent banner builder that can be configured to meet applicable regulatory requirements, a consent record database that stores timestamped proof of each user's consent choices, and an API or tag manager integration that signals consent status to Google Tag Manager, Adobe Launch, or directly to tracking tools.
The IAB (Interactive Advertising Bureau) Europe's Transparency and Consent Framework (TCF), now at version 2.2, provides a standardized protocol for communicating consent between publishers, CMPs, and ad tech vendors in the programmatic advertising ecosystem. TCF-compatible CMPs transmit a Transparency and Consent String (TC String) that encodes the user's consent choices and is read by downstream vendors. Participation in TCF is relevant primarily for publishers and companies operating in the programmatic advertising supply chain.
CCPA/CPRA: The US Framework
California's consumer privacy framework takes a different structural approach. Rather than requiring opt-in consent before placing tracking technologies, CCPA as amended by CPRA grants consumers the right to opt out of the "sale" or "sharing" of their personal information. Behavioral data from cookies and pixels shared with advertising networks constitutes "sharing" under CPRA's expanded definition, triggering the opt-out right even if no money changes hands.
The Global Privacy Control (GPC) is a browser-level signal, implementable as a browser extension or native browser setting, that communicates a consumer's preference not to have their data sold or shared. It is transmitted both as an HTTP request header (Sec-GPC: 1) and as a JavaScript property (navigator.globalPrivacyControl), so both server-side and browser-side code can read it. Under CPRA, businesses must honor GPC as a valid opt-out signal. The California Attorney General's August 2022 settlement with Sephora (1.2 million USD) treated failure to process GPC signals as a violation of the opt-out right, and subsequent enforcement has followed the same line.
US state privacy laws in Connecticut (CTDPA), Colorado (CPA), Virginia (VCDPA), and a growing list of states have adopted opt-out-of-sale-or-sharing provisions modeled on CCPA/CPRA. The resulting patchwork requires US organizations to maintain consent management infrastructure that addresses both the European opt-in model and the American opt-out model, often simultaneously for global websites.
Technical Implementation: Loading Tracking Only After Consent
The core technical requirement for compliant consent implementation is conditional script loading: tracking scripts must not execute until the user has given consent for the applicable category. A consent banner that displays after Google Analytics has already loaded and sent its first hit is not a compliant consent implementation; the tracking ran without consent, and the banner only documents a decision that came too late. The default state before any decision is therefore "no non-essential script loads", not "load everything and hope the user clicks accept".
In Google Tag Manager, this is implemented through consent mode triggers that gate tag firing on the CMP's consent signal. Google Consent Mode v2 (required for Google Analytics 4 and Google Ads from March 2024) provides a framework for communicating consent status to Google's tracking infrastructure and using modeled conversion data for analytics and ad measurement in cases where consent was not granted.
Meta's Conversions API (CAPI) is a server-side implementation of the Facebook Pixel that sends conversion events from the web server to Meta's API rather than through a browser-side pixel. This approach reduces reliance on browser-side cookies (which are increasingly blocked by browsers and ad blockers) and can improve measurement accuracy, but it also moves data transmission to the server layer, where no tag manager sits in the path. Consent must then be enforced in application code: the server has to look up the user's recorded consent before emitting an event, and a cookie scanner will not reveal the gap if it does not.
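The gating logic described above, as an added example written for this article rather than code from any CMP vendor or from Google's or Meta's SDKs. It also honours the GPC signal discussed in the US section by treating it as a refusal of the advertising category. Assumptions not taken from the article: the CMP stores the user's choices in a first-party cookie named cmp_consent holding JSON such as {"v":3,"analytics":true,"advertising":false}; the script registry and URLs are illustrative placeholders; a missing or malformed cookie means no consent.

```javascript
// Added example: minimal consent gate for browser-side trackers.
// Not from any CMP's SDK. Cookie name, JSON layout and the script
// registry below are assumptions made for this illustration.

const CATEGORIES = ["analytics", "advertising", "functional"];

// Non-essential scripts and the consent category each requires.
// Strictly necessary code is not registered here; it loads unconditionally.
const SCRIPT_REGISTRY = [
  { id: "ga4", category: "analytics", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" },
  { id: "meta-pixel", category: "advertising", src: "https://connect.facebook.net/en_US/fbevents.js" },
  { id: "session-replay", category: "analytics", src: "https://example-replay.invalid/record.js" },
];

// Parse the CMP cookie out of a Cookie header / document.cookie string.
// Returns null when no decision is recorded (banner not yet answered) or
// the value is malformed: both must be treated as "no consent".
function parseConsentCookie(cookieString, name = "cmp_consent") {
  for (const part of (cookieString || "").split(";")) {
    const [k, ...rest] = part.trim().split("=");
    if (k !== name) continue;
    try {
      const parsed = JSON.parse(decodeURIComponent(rest.join("=")));
      const choices = {};
      for (const c of CATEGORIES) choices[c] = parsed[c] === true; // absent => refused
      return { version: Number(parsed.v) || 0, choices };
    } catch {
      return null;
    }
  }
  return null;
}

// Global Privacy Control (Sec-GPC: 1 / navigator.globalPrivacyControl) is
// an opt-out of sale/sharing; map it to a refusal of "advertising".
function applyGpc(choices, gpcEnabled) {
  return gpcEnabled ? { ...choices, advertising: false } : { ...choices };
}

// Which registered scripts may load for these choices. No decision => none.
function scriptsToLoad(choices, registry = SCRIPT_REGISTRY) {
  if (!choices) return [];
  return registry.filter((s) => choices[s.category] === true).map((s) => s.id);
}

// Google Consent Mode v2 signals for gtag('consent', 'update', ...).
// With no decision every signal is 'denied' (the same object is what
// gtag('consent', 'default', ...) should be given before any tag loads).
function consentModeState(choices) {
  const g = (ok) => (ok ? "granted" : "denied");
  const analytics = choices ? choices.analytics : false;
  const ads = choices ? choices.advertising : false;
  return {
    analytics_storage: g(analytics),
    ad_storage: g(ads),
    ad_user_data: g(ads),
    ad_personalization: g(ads),
  };
}

// Apply a decision. Call on page load and again from the CMP's
// "consent changed" callback. DOM work only happens when a document exists,
// so the decision logic is testable outside a browser.
function applyConsent(cookieString, gpcEnabled, doc) {
  const decision = parseConsentCookie(cookieString);
  const choices = decision ? applyGpc(decision.choices, gpcEnabled) : null;
  const loaded = scriptsToLoad(choices);
  const consentMode = consentModeState(choices);
  if (doc && typeof doc.createElement === "function") {
    if (typeof globalThis.gtag === "function") globalThis.gtag("consent", "update", consentMode);
    for (const id of loaded) {
      if (doc.getElementById("cmp-" + id)) continue; // already injected
      const s = doc.createElement("script");
      s.id = "cmp-" + id;
      s.async = true;
      s.src = SCRIPT_REGISTRY.find((r) => r.id === id).src;
      doc.head.appendChild(s);
    }
  }
  return { choices, loaded, consentMode };
}

if (typeof document !== "undefined") {
  const gpc = typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
  applyConsent(document.cookie, gpc, document);
}
```

Note the asymmetry the regulators insist on: a category is granted only if the cookie says `true` explicitly, so an absent key, a malformed value, or no cookie at all all resolve to "denied". The GPC mapping to the advertising category is a policy choice made here, not a requirement stated in the CPRA text.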
Enforcement: Specific Cases
The enforcement record is extensive. The CNIL (French DPA) fined Google 150 million EUR (90 million for Google LLC and 60 million for Google Ireland) and Meta 60 million EUR in decisions announced in January 2022 for making it easier to accept cookies than to refuse them. The consent flows required multiple clicks to refuse cookies, while a single click accepted all. The CNIL held that refusing must be as easy as accepting, since a flow that is biased toward acceptance does not produce freely given consent.
The CNIL followed these fines with a 60 million EUR fine against Microsoft (Bing, December 2022) and a 5 million EUR fine against TikTok (January 2023) for the same structural problem: easy accept, difficult refuse. The pattern across these cases is consistent: regulators are specifically targeting the user experience design of consent flows, not just whether a banner exists.
IAB Europe was fined 250,000 EUR by the Belgian DPA in February 2022 for its role as a data controller in the TCF framework. The decision found that the TC String (the consent record encoded in TCF) itself constituted personal data because it could be combined with other data to re-identify individuals, and that IAB Europe had not established adequate legal grounds for its processing as a framework provider. On referral, the CJEU confirmed in Case C-604/22 (March 2024) that the TC String is personal data and that a framework operator in IAB Europe's position can be a joint controller for its creation and storage.
Dark patterns in consent interfaces are a specific enforcement priority. Pre-ticked boxes, nudge colors (accept button prominently styled, reject option visually de-emphasized), consent "walls" that deny access to content unless all cookies are accepted, misleading language that implies cookies are required when they are not, and designs that require users to navigate through multiple layers to refuse all fail the consent standard. The EDPB's Guidelines 03/2022 on deceptive design patterns in social media platform interfaces (final version adopted in February 2023) set out the taxonomy, and its Cookie Banner Taskforce report (January 2023) records the positions the supervisory authorities agreed on for banners specifically, including that a refuse option belongs on the first layer alongside accept.
Why It Matters
The regulatory exposure from non-compliant consent management is direct and well-evidenced. The CNIL, ICO, German DPAs, Belgian DPA, and Italian Garante have all issued substantial fines for cookie consent failures. These are not large-company-only risks: the CNIL fines of 3,000 EUR and 10,000 EUR issued to smaller organizations for persistent non-compliance after warning are well-documented in French DPA enforcement records.
Beyond regulatory fines, cookie consent failures generate complainant-driven investigations. Privacy advocacy organizations including NOYB (None Of Your Business), led by Max Schrems, file systematic complaints with European DPAs against organizations with non-compliant consent flows. These complaints trigger investigations that consume legal and engineering resources even when they do not result in fines.
The reputational dimension is increasingly relevant as privacy becomes a consumer preference signal. Browser vendors have made tracking protection a competitive feature: Safari's Intelligent Tracking Prevention (ITP), introduced in 2017, has blocked all third-party cookies by default since 2020, and Firefox's Enhanced Tracking Protection (ETP) blocks known trackers by default. Google Chrome announced a third-party cookie deprecation in 2020 with Privacy Sandbox as the intended replacement, deferred it repeatedly, then reversed course in July 2024 and kept third-party cookies in place. Even so, the two largest non-Chrome browsers already block them, and ad blockers and ITP-style heuristics continue to erode the technical basis for cookie-based cross-site tracking.
Organizations that have not invested in first-party data strategies, server-side tracking, and consent-based marketing infrastructure will face both regulatory and technical disruption simultaneously. The compliance investment is also an infrastructure modernization investment.
Technical Details
Consent Records and Auditability
A compliant consent management implementation must produce an auditable consent record for every user interaction with the consent interface. This record must capture: the version of the consent notice displayed (so the controller can show what the user was told), the timestamp of the consent event, the user's choices (categories accepted and refused), the identifier used to link the consent record to downstream processing (cookie ID, user ID, or session ID), the method by which consent was given (which button or control), and any subsequent withdrawal, with its own timestamp and method.
These records must be retained for as long as the organization relies on the consent as its legal basis for processing the associated data, and must be producible on demand to demonstrate compliance to a supervisory authority (Article 7(1)). The CMP's consent database is the system of record for this documentation, and its integrity must be maintained: records are appended, never edited in place, and organizations that rotate cookie IDs without recording the link between old and new identifiers cannot later show which consent covered a given piece of processing.
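An append-only consent ledger that can answer the auditor's question ("what consent did this identifier carry at this time, under which notice version?") across a cookie-ID rotation and a partial withdrawal. This is an added example constructed for this article, not a CMP's actual schema. The assumption that identifier rotation is stored as an explicit "rotate" event linking new and old IDs, and the sample identifiers, dates and notice version, are all constructed here.

```javascript
// Added example: append-only consent ledger with point-in-time queries.
// Not a vendor schema. The "rotate" event linking cookie IDs is an
// assumption made for this illustration.

class ConsentLedger {
  constructor() {
    this.events = []; // append-only; records are frozen and never edited
  }

  // A decision captured by the banner. `choices` is {category: boolean}.
  recordDecision({ id, at, noticeVersion, choices, method }) {
    this._append({ type: "decision", id, at, noticeVersion, choices: { ...choices }, method });
  }

  // A withdrawal. `categories` null => full withdrawal; otherwise partial.
  recordWithdrawal({ id, at, categories = null, method }) {
    this._append({ type: "withdrawal", id, at, categories, method });
  }

  // `newId` replaces `oldId` (cookie re-issued), preserving the audit link.
  recordRotation({ oldId, newId, at }) {
    this._append({ type: "rotate", id: newId, previousId: oldId, at });
  }

  _append(ev) {
    if (!(ev.at instanceof Date) || isNaN(ev.at)) throw new Error("event needs a valid Date");
    this.events.push(Object.freeze({ ...ev, at: new Date(ev.at) }));
  }

  // Every identifier this user has carried, following rotation links in
  // both directions so old and new IDs resolve to the same history.
  _lineage(id) {
    const seen = new Set([id]);
    const queue = [id];
    while (queue.length) {
      const cur = queue.shift();
      for (const e of this.events) {
        if (e.type !== "rotate") continue;
        const next = e.id === cur ? e.previousId : e.previousId === cur ? e.id : null;
        if (next && !seen.has(next)) { seen.add(next); queue.push(next); }
      }
    }
    return seen;
  }

  // Effective consent for `id` as of `at`: replay decisions and withdrawals
  // in time order. Returns null when no decision exists, which downstream
  // processing must treat as "no consent".
  effectiveConsent(id, at) {
    const ids = this._lineage(id);
    const relevant = this.events
      .filter((e) => ids.has(e.id) && e.type !== "rotate" && e.at <= at)
      .sort((a, b) => a.at - b.at);
    let state = null;
    for (const e of relevant) {
      if (e.type === "decision") {
        state = { noticeVersion: e.noticeVersion, choices: { ...e.choices }, since: e.at };
      } else if (state) {
        for (const c of e.categories || Object.keys(state.choices)) state.choices[c] = false;
        state.since = e.at;
      }
    }
    return state;
  }

  // Audit question: was processing in `category` for `id` at `at` covered?
  wasConsented(id, category, at) {
    const s = this.effectiveConsent(id, at);
    return !!(s && s.choices[category] === true);
  }
}

// Constructed history: consent given, cookie rotated, advertising withdrawn.
function demoLedger() {
  const ledger = new ConsentLedger();
  ledger.recordDecision({ id: "ck_001", at: new Date("2025-03-01T10:00:00Z"), noticeVersion: "v7",
    choices: { analytics: true, advertising: true }, method: "banner-accept-selected" });
  ledger.recordRotation({ oldId: "ck_001", newId: "ck_002", at: new Date("2025-04-15T08:00:00Z") });
  ledger.recordWithdrawal({ id: "ck_002", at: new Date("2025-05-01T12:00:00Z"),
    categories: ["advertising"], method: "preference-centre" });
  return ledger;
}
```

The point-in-time query is what makes the ledger useful in an investigation: a regulator asks about a specific hit sent on a specific date, and the answer must come from the record as it stood then, not from the user's current preferences. Querying by either the old or the new cookie ID returns the same answer because the rotation event links them.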
First-Party Data and Consent Mode
The trajectory of the tracking ecosystem is toward first-party data and server-side infrastructure. First-party data (data collected directly from users through authenticated interactions, form submissions, and explicit data sharing) is not subject to the same third-party cookie restrictions and provides a durable basis for personalization and measurement. Building first-party data assets requires consent, but it requires it at the relationship level (newsletter subscription, account registration) rather than the session level.
Google Analytics 4 is designed to operate with consent-based modeling: when consent is not granted, GA4 uses statistical modeling to estimate behavior from the users who did consent. This approach reduces the measurement gap from consent-not-granted users without processing their data without consent, but it produces modeled rather than observed data and must be understood as an approximation.
CDA Perspective
CDA's Perpetual Compliance Assurance (PCA) methodology treats cookie consent as a continuous compliance requirement, not a one-time implementation project. The enforcement record makes clear why: organizations that implement a consent banner, certify compliance, and then move on, accumulate compliance debt as their tracking technology stack changes. New tools added by marketing teams, new tag manager container versions, new advertising platform integrations, each carries its own tracking footprint that may not be covered by the existing CMP configuration or consent records.
PCA integrates consent management into the compliance operations cycle through a quarterly tracking technology audit. This audit scans the website (using the CMP's built-in scanner or a dedicated tool like Cookiebot's scan or a manual crawl) to identify every cookie and tracking technology deployed across the site, including those loaded by third-party scripts. Any newly identified technology is classified (strictly necessary, analytics, advertising, functional), and the CMP configuration is updated to require appropriate consent before that technology fires.
This audit is particularly important for organizations that use a tag management system (Google Tag Manager, Tealium) with delegated access for marketing teams. Marketing teams with tag manager access can deploy new tracking tags without engaging the privacy or security function, and a tag published without the CMP's consent trigger fires for every visitor. Without a regular scan, new tracking technologies accumulate silently, creating compliance gaps that are invisible until a complaint or a supervisory authority investigation surfaces them.
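A check an auditor can run offline over a captured page load (a HAR export or a proxy log) to answer the two questions the audit paragraphs above raise: did any tracker fire before the consent decision was recorded, and is every observed tracker host classified in the CMP registry? This is an added example written for this article, not a vendor scanner. The request list, the consent timestamp, the registry of tracker hosts and the first-party host names are all constructed here.

```javascript
// Added example: audit a captured page load for pre-consent tracking and
// for trackers the CMP does not know about. Hosts, timestamps and the
// registry are constructed sample data, not real scan output.

// CMP classification of known tracker hosts (constructed).
const CMP_REGISTRY = {
  "www.google-analytics.com": "analytics",
  "connect.facebook.net": "advertising",
  "static.hotjar.com": "analytics",
};

// First-party / strictly necessary hosts that never need consent (constructed).
const FIRST_PARTY = new Set(["shop.example", "cdn.shop.example"]);

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// Heuristic: a third-party host is a tracking candidate if the CMP already
// classifies it, or if the response set a cookie (a new, unknown vendor).
function looksLikeTracker(req, registry) {
  const host = hostOf(req.url);
  if (!host || FIRST_PARTY.has(host)) return false;
  return has(registry, host) || req.setCookie === true;
}

// requests: [{ url, at: ISO-8601 string, setCookie?: boolean }]
// consentAt: ISO-8601 string of the recorded decision, or null if none.
// Any tracker request before consentAt (or any request at all when there
// was no decision) is a violation of the "load only after consent" rule.
function auditPageLoad(requests, consentAt, registry = CMP_REGISTRY) {
  const consentTime = consentAt ? Date.parse(consentAt) : Infinity;
  const preConsent = [];
  const unclassified = new Set();
  for (const req of requests) {
    if (!looksLikeTracker(req, registry)) continue;
    const host = hostOf(req.url);
    if (!has(registry, host)) unclassified.add(host);
    if (Date.parse(req.at) < consentTime) preConsent.push(host);
  }
  return {
    preConsent,                               // hosts that fired before the decision
    unclassified: [...unclassified].sort(),   // hosts the CMP has never classified
    pass: preConsent.length === 0 && unclassified.size === 0,
  };
}

// Constructed capture: GA fires at 0.45s, the user decides at 2.5s, an
// unknown cookie-setting vendor appears at 3.2s.
const SAMPLE_LOAD = [
  { url: "https://shop.example/", at: "2025-06-01T10:00:00.000Z" },
  { url: "https://cdn.shop.example/app.js", at: "2025-06-01T10:00:00.120Z" },
  { url: "https://www.google-analytics.com/g/collect?v=2", at: "2025-06-01T10:00:00.450Z" },
  { url: "https://static.hotjar.com/c/hotjar-1234.js", at: "2025-06-01T10:00:03.000Z" },
  { url: "https://tracker.newvendor.invalid/px.gif", at: "2025-06-01T10:00:03.200Z", setCookie: true },
  { url: "https://connect.facebook.net/en_US/fbevents.js", at: "2025-06-01T10:00:05.000Z" },
];
const CONSENT_AT = "2025-06-01T10:00:02.500Z";

function runSampleAudit() {
  return auditPageLoad(SAMPLE_LOAD, CONSENT_AT);
}
```

Run against the constructed capture, the audit reports Google Analytics as having fired before the decision and the unknown vendor as unclassified, and therefore fails. Feeding it a capture where the banner was never answered (`consentAt` null) flags every tracker request, which is the correct reading of "no decision means no consent". The `setCookie` heuristic is a pragmatic assumption for discovering new vendors; a real audit would also inspect localStorage writes and fingerprinting scripts, which this check does not see.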
The RGA governance layer includes consent management metrics in the compliance dashboard: consent acceptance rate by category (useful for understanding user preferences and CMP UX performance), consent revocation rate (an indicator of user satisfaction with the consent experience), and the mean time from tracking technology deployment to CMP classification (a measure of the gap between marketing activity and compliance coverage).
From the DPS perspective, the data generated by tracking technologies is personal data under GDPR when it can be linked to individuals directly or through combination with other data, which for cookie IDs, pixel identifiers and TC Strings is the normal case. This means the data governance requirements of DPS apply: retention limits, access controls, data subject rights workflows, and processor contracts with every tracking vendor. An organization that treats consent as a banner UX question and never connects it to its data governance program has implemented the form of compliance without its substance.
Key Takeaways
- Non-essential cookies and equivalent storage require prior consent under the ePrivacy Directive, interpreted in light of the GDPR standard: freely given, specific, informed, unambiguous, and as easy to withdraw as to give. Pre-ticked boxes, consent walls, and refusal flows that take more effort than acceptance do not produce valid consent.
- Categories requiring consent include analytics scripts (Google Analytics, Adobe Analytics), advertising and retargeting pixels (Meta Pixel, Google Ads), social media tracking tags (LinkedIn Insight, Twitter Pixel), and session recording tools (Hotjar, FullStory). Authentication session cookies, CSRF tokens, and shopping cart cookies are strictly necessary and do not require consent.
- Consent Management Platforms (OneTrust, Cookiebot, Osano, Quantcast Choice) implement consent banners, store timestamped consent records, and signal consent to downstream tools. Compliant implementation requires conditional script loading: tracking tools must not fire before consent is granted.
- CNIL fined Google 150 million EUR and Meta 60 million EUR in January 2022, and Microsoft and TikTok subsequently, for making cookie acceptance easier than refusal. IAB Europe was fined 250,000 EUR for the TCF framework's data processing, and the CJEU later confirmed that the TC String is personal data. Enforcement is focused on consent flow design, not just banner existence.
- CCPA/CPRA requires businesses to honor opt-out-of-sale-or-sharing requests including the Global Privacy Control (GPC) browser signal. Organizations with global websites must address both the European opt-in model and the US opt-out model simultaneously.
- CDA's PCA methodology requires quarterly tracking technology audits to identify new cookies and pixels deployed since the last audit, ensuring CMP configuration stays current as the marketing technology stack evolves.
Related Articles
- Perpetual Compliance Assurance (PCA) [CDP-PCA]
- Privacy Impact Assessment (DPIA) [RGA-privacy-impact-assessment-dpia]
- Data Subject Access Requests (DSARs) [DPS-data-subject-access-requests-dsars]
- GDPR for Cybersecurity Teams [F-gdpr-for-cybersecurity-teams]
- ISO 27701 Privacy Information Management [F136]
Sources
- European Parliament and Council. Directive 2002/58/EC (ePrivacy Directive, as amended by 2009/136/EC), Article 5(3). Official Journal of the European Union, 2009.
- Court of Justice of the European Union. Planet49 GmbH v. Bundesverband der Verbraucherzentralen, Case C-673/17. CJEU, October 2019. https://curia.europa.eu/juris/document/document.jsf?docid=218462
- CNIL (Commission Nationale de l'Informatique et des Libertés). Deliberation No. SAN-2022-001 (Google, 150M EUR) and SAN-2022-002 (Meta, 60M EUR). CNIL, January 2022. https://www.cnil.fr/en/cookies-cnil-fines-google-150-million-euros-and-facebook-60-million-euros-failing-give-french-users
- Belgian Data Protection Authority. Decision 21/2022 in Case TF 2019-01977 (IAB Europe TCF). APD-GBA, February 2022. https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-21-2022-van-2-februari-2022.pdf
- European Data Protection Board. Guidelines 03/2022 on Deceptive Design Patterns in Social Media Platform Interfaces (version 2.0). EDPB, February 2023. https://edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-dark-patterns-social-media-platform-interfaces_en
- California Department of Justice, Office of the Attorney General. California Consumer Privacy Act (CCPA) guidance, including treatment of the Global Privacy Control opt-out signal. State of California DOJ. https://oag.ca.gov/privacy/ccpa
- CDA, LLC. Risk Governance and Assurance Domain Reference. CDA Canon, 2026.