GDPR, Cookies, and Consent: What Your Website Actually Needs

What GDPR says about cookies

GDPR doesn't specifically mention cookies — but it does require a legal basis for processing personal data. Most cookies used for analytics, advertising, and tracking qualify as personal data processing, which means they require either a legitimate interest justification or explicit consent.

In practice, for non-essential cookies, consent is the required basis. That means your cookie banner needs to meet the GDPR standard for valid consent.

What counts as valid consent?

Under GDPR, consent must be:

• Freely given — the user must be able to say no without it affecting their ability to use your site
• Specific — consent for analytics cookies is separate from consent for marketing cookies
• Informed — users must understand what they're consenting to
• Unambiguous — pre-ticked checkboxes don't count; there must be a clear affirmative action

The most common mistakes

In our experience scanning thousands of websites, these are the most frequent consent issues:

• No reject option — showing "Accept" but no easy way to decline is not valid consent
• Loading trackers before consent — Google Tag Manager firing before the user has made a choice is a violation
• Pre-selected categories — analytics or marketing categories ticked by default are not valid
• No privacy policy link — the banner must link to a readable privacy policy
• Cookie-wall patterns — requiring consent to access content is generally not considered freely given

What to do

Implement a consent banner that gives users a genuine choice. Block non-essential scripts until consent is given. Log consent decisions with a timestamp and the config version that was shown. Make it easy to withdraw consent.

Passvera scans for all of these patterns automatically and flags violations with specific recommendations.