What Is Cookie Compliance? A Practical Guide for Website Owners

Learn what cookie compliance means, which laws require it, and the 8-step checklist to make your website compliant with GDPR and CCPA.


by Riad Us Salehin • 3 July 2026


Cookie compliance is the practice of aligning your website's use of cookies and trackers with privacy laws like the GDPR and CCPA. It means informing visitors, getting valid consent before non-essential cookies load, and keeping a record of that consent.

Below: what the laws require, the step-by-step checklist to get compliant, how to check your status, and the mistakes that trigger lawsuits.

What Is Cookie Compliance?

Cookie compliance is the ongoing process of using cookies only in ways privacy laws permit. That means informing visitors what you track, getting their consent before non-essential cookies load, and documenting that consent. It rests on what cookie consent is and the conditions that make consent legally valid.

A cookie is a small text file a website stores in a visitor's browser to remember preferences or track behavior. Not every cookie needs permission. Strictly necessary cookies, like the ones that keep a shopping cart working, are exempt. Analytics, advertising, and tracking cookies are not.

Compliance is not a one-time setup. Cookies change every time you add a new script, embed, or ad tag. The rules under the ePrivacy Directive and the GDPR require you to keep auditing and updating your setup as your site evolves.

Who Needs to Be Cookie Compliant (and Who Is Responsible)?

Any website that sets non-essential cookies (analytics, advertising, embeds) and is reachable by visitors in a regulated region needs to be cookie compliant. The organization behind the website is legally responsible, even when it relies on developers, agencies, or third-party tools to build the site.

The GDPR and the UK's ePrivacy rules apply to any website handling data from EU or EEA visitors. This holds regardless of where the website itself is hosted or operated. A US-based blog with European readers is in scope. A US-only e-commerce store selling exclusively to Americans is not covered by EU law. It may still fall under CCPA or another US state privacy law.

You do not automatically need a cookie banner. The split between essential and non-essential cookies decides what needs consent. A purely static site that uses only strictly necessary cookies, no analytics, no ad tags, no embeds, has nothing to get consent for. The moment you add Google Analytics, a Facebook pixel, or a YouTube embed, you need a consent mechanism.

Outsourcing your build does not transfer legal responsibility. The responsibility sits with the organization behind the website, whether the work goes to an in-house team, an external developer, or a website platform.

Which Laws Require Cookie Compliance?

Two main legal models govern cookie compliance. The EU and UK use an opt-in standard under the ePrivacy Directive and the GDPR. The US uses an opt-out standard led by California's CCPA and CPRA. The ePrivacy Directive, not the GDPR, is technically the "cookie law," but the GDPR sets the consent standard both regimes now reference.

Law or regionConsent modelWhat it requiresWho it affects
GDPR + ePrivacy Directive / PECR (EU and UK)Opt-inInform visitors, get freely given consent before non-essential cookies, document consent, allow access if refusedAny site reachable by EU, EEA, or UK visitors
CCPA / CPRA + US state lawsOpt-outProvide a way to refuse the sale or sharing of data (a "Do Not Sell or Share" link), honor opt-out signalsCalifornia residents and residents of other US states with similar laws
Other laws (PIPEDA, Quebec Law 25, LGPD, and more)Consent-or-noticeConsent or clear notice, depending on the specific regimeVisitors in Canada, Quebec, Brazil, and other covered regions

GDPR and the ePrivacy Directive (EU and UK)

Under the ePrivacy Directive and the GDPR, a website must inform visitors and get freely given, informed, opt-in consent before setting non-essential cookies. The UK's PECR mirrors this standard for UK visitors.

To comply, you must:

  • Get consent before using any cookies except strictly necessary ones
  • Explain what each cookie tracks and why, in plain language, before consent
  • Document and store the consent each visitor gives
  • Let visitors use your site even if they refuse non-essential cookies
  • Make withdrawing consent as easy as giving it

CCPA, CPRA, and US State Laws

The US has no single federal cookie law. California's CCPA and CPRA, along with a growing list of state laws, use an opt-out model. You must give visitors a way to refuse the sale or sharing of their data. This often takes the form of a "Do Not Sell or Share My Personal Information" link. It does not require upfront opt-in consent.

EU rules can still apply to a US-based site if it has EU or UK visitors. Operating from California does not exempt you from GDPR if your audience is international. To handle US opt-out requests consistently, many sites add opt-out preference signals alongside their cookie banner.

Other Privacy Laws (PIPEDA, Law 25, LGPD, and More)

Many other regions enforce their own cookie and consent rules, including Canada's PIPEDA, Quebec's Law 25, and Brazil's LGPD. Most follow a consent-or-notice model close to either the GDPR or the CCPA. A site already compliant with both usually covers most of the gap.

What Happens If You Are Not Cookie Compliant?

Non-compliance carries two distinct risks: regulatory fines from a data protection authority, and, increasingly for US sites, private lawsuits over trackers that fire before consent. The GDPR's top penalty tier reaches up to 20 million euros or 4% of global annual turnover, whichever is higher.

Regulatory fines apply when a data protection authority investigates and finds a violation. The GDPR's two-tier fine structure reserves its highest penalties, up to 20 million euros or 4% of worldwide revenue, for violations of core consent requirements. Most small sites never see a regulator investigation, but the exposure is real for any business handling EU visitor data.

The more immediate 2026 risk for US site owners is private litigation, especially under the California Invasion of Privacy Act (CIPA). Site owners on Reddit report demand letters over Meta Pixel and analytics scripts that fired before consent. Some received them even on sites that had a cookie banner installed. A banner does not protect you if the tracking code loads before the visitor clicks anything: that is the exact fact pattern these suits target.

Multiple independent threads describe the same trigger: a pixel or analytics tag running before consent, then a settlement demand. Whether cookies count as personal data is what brings the law into play in the first place. Treat specific dollar figures and lawsuit counts as directional. The core pattern, trackers firing before consent then a demand letter, is corroborated across sources, even where settlement amounts vary by case.

How to Make Your Website Cookie Compliant: A Step-by-Step Checklist

You become cookie compliant in four moves. Audit every cookie, categorize each one, add a banner that blocks non-essential cookies until approval, and document every choice. The UK's ICO built this into a five-part framework: understand, audit, inform, get consent, and document.

  1. Audit your cookies. Scan your entire site to find every cookie, tracker, script, and iframe, and confirm what each one does. A manual cookie audit or an automated cookie scanner both work; scanning tools catch third-party scripts that load without your direct knowledge.
  2. Categorize your cookies. Sort each one into cookie categories such as strictly necessary, analytics, or advertising. These categories cut across the main types of cookies, from session to third-party, so identify which are exempt from consent under the strictly necessary rule.
  3. Add a compliant consent banner. Give visitors Accept, Reject, and Manage Preferences with equal visual prominence in a compliant cookie banner. No pre-ticked boxes, no "accept all by default." Rejecting must be exactly as easy as accepting.
  4. Block non-essential cookies before consent. This is the step most sites skip, and the one that triggers CIPA suits. Analytics, ad, and tracking scripts must stay blocked until the visitor actively consents, not until they close the banner.
  5. Publish a cookie policy. List every cookie you use, its provider, its purpose, and how long it lasts, then keep the cookie policy updated as your tracking changes.
  6. Record consent. Log every visitor's consent choice with a timestamp so you can prove compliance during an audit.
  7. Let visitors withdraw consent anytime. A revisit or preferences link should let a visitor change their mind as easily as they gave consent in the first place.
  8. Re-scan and review on a schedule. New tools add new cookies. The ICO's own checklist calls for building in a review period, not a one-time setup.

Sites running Google Analytics or Google Ads need one more step. Configure Google Consent Mode v2 so measurement tags respect the visitor's choice instead of firing regardless. A consent management platform automates steps 1, 3, 4, 6, and 8, where most of the manual risk lives.

How to Check If Your Website Is Already Cookie Compliant

You can check your compliance in two ways. Scan your site with a free cookie checker, or open your browser's developer tools to see which cookies and trackers load before you consent. Then compare the results against the checklist above.

A passing result has four traits.

  • No non-essential cookies or scripts load before consent
  • The Reject button is present and as easy to click as Accept
  • Your cookie policy is live, accurate, and lists every cookie in use
  • Consent records are being logged with a timestamp for every visitor choice

Free cookie checker tools scan a URL and return a report of every cookie, tracker, and script detected, categorized by type. Your browser's own developer tools show the same data manually, in the Application or Storage tab in Chrome and Firefox. That is useful for a quick spot check without installing anything.

Common Cookie Compliance Mistakes

Most cookie compliance failures come down to a handful of repeated mistakes, each with a specific fix.

  • Trackers fire before consent. The banner loads, but analytics and ad pixels already ran. Fix: block every non-essential script until the visitor opts in. This is the single most common trigger behind CIPA lawsuits.
  • No real reject option, or pre-ticked boxes. "Accept all by default" banners and pre-checked consent boxes are not valid consent. Fix: give Accept and Reject equal visual weight, and require a clear positive action either way.
  • Treating compliance as one-and-done. Cookies change every time you add a tool, plugin, or ad platform. Fix: re-scan your site and review your policy on a recurring schedule.
  • Assuming only EU sites are affected. US state laws apply to US visitors, and EU and UK rules reach any site with EU or UK visitors regardless of where it's hosted. Fix: check your actual visitor geography, not just your business address.
  • Missing or outdated cookie policy, or no consent records. A stale policy or a missing consent log leaves you unable to prove compliance if challenged. Fix: publish an accurate, current cookie policy and log every consent choice.

See GDPR cookie consent examples of banners that get equal options and prior blocking right.

How Consently Makes Your Website Cookie Compliant

Consently runs the whole checklist from one dashboard. It scans your site for every cookie and tracker, then blocks non-essential ones until the visitor consents. It also shows a compliant banner with equal Accept and Reject options, records every choice, and generates your cookie policy.

The auto-scanning feature runs an initial scan plus weekly scheduled scans, so new trackers get caught automatically instead of during a manual review. Consently's banner ships with GDPR opt-in and CCPA opt-out templates built in, so the consent model matches the visitor's region without separate configuration.

Consent logs are exportable for audit proof. The policy generator produces your cookie policy, privacy policy, and terms and conditions from the same setup. Sites running Google Analytics or Ads get built-in Google Consent Mode v2 and IAB TCF support. Both pass the visitor's consent choice to Google's tags automatically.

For teams managing more than one site, a full consent management platform extends this same setup across every domain from a single account. Try Consently free with a 14-day trial, no credit card required.

FAQs

What does it mean to be cookie compliant?

Being cookie compliant means using cookies only in ways privacy laws allow: informing visitors, getting valid consent before non-essential cookies load, and documenting that consent.

Who is responsible for cookie compliance?

The organization behind the website is accountable, even when it uses developers, agencies, or third-party tools to build and run the site.

Do I need a cookie banner to be compliant?

Yes, if your site sets any non-essential cookies, including analytics, advertising, or embedded content. A static site using only strictly necessary cookies does not need a banner.

Can a website be GDPR compliant without a cookie banner?

Yes, but only if you avoid all non-essential cookies and use privacy-friendly or cookieless analytics instead. Any site using standard analytics, ads, or tracking cookies needs a consent banner.

How do I check if my website is cookie compliant?

Scan your site with a free cookie checker, or open your browser's developer tools to see what loads before consent. Then compare the results against the compliance checklist above.

Does the US require cookie compliance?

Yes, through state opt-out laws led by California's CCPA and CPRA, not a single federal opt-in law. EU rules also apply if your site has EU or UK visitors.

Is Google Analytics cookie compliant by default?

No. Google Analytics sets non-essential analytics cookies, so it requires visitor consent, and you should configure Google Consent Mode v2 to respect that choice.

How much can you be fined for cookie non-compliance?

GDPR fines can reach up to 20 million euros or 4% of global annual turnover for the most serious violations. Many US site owners instead face private CIPA lawsuits, with settlement demands reported in the tens of thousands of dollars.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.