A cookie consent violation is any banner that sets or fails to block non-essential cookies before the visitor freely agrees. Regulators and privacy groups detect it by scanning the banner and the network requests behind it. It becomes a fine under the GDPR, the ePrivacy Directive, or a US state law.
Below: the specific defects that make a banner illegal, how noyb and data protection authorities catch them. Also covered: the enforcement pipeline from complaint to penalty, and what these violations actually cost.
What Counts as a Cookie Consent Violation?
A cookie consent violation is any banner that fails one of four validity tests. It is also any banner that sets non-essential cookies before the visitor agrees at all. Under GDPR Recital 32, consent must be freely given, specific, informed, and unambiguous. A banner that misses any one of those tests is non-compliant. So is a banner whose scripts fire before the visitor clicks anything, regardless of whether a banner exists on the page.
That last point trips up most site owners. Having a cookie banner and having a compliant cookie banner are different things. A banner that displays but does not actually block scripts is a common gap, not an edge case. Cookie Information's dark-pattern research found that 72% of sites studied used at least one manipulative banner pattern (Cookie Information, 2024). Most banners fail at least one test.
This page covers the specific defects and how they get caught. For the opposite side, what a fully compliant banner looks like step by step, see what a compliant cookie banner must do. For the underlying legal mechanics, see how consent is collected and blocked before scripts fire.
The Most Common Cookie Consent Violations (and Why Each One Is Illegal)
Eight defects account for nearly every cookie consent fine on record. Each one maps to a specific legal requirement. The table below names each violation, the law it breaks, and how regulators typically spot it.
| Violation | What breaks | How it is typically caught |
|---|---|---|
| Firing cookies before consent | ePrivacy Art 5(3), GDPR lawful basis | Network-request scan on first page load |
| No reject on the first layer | GDPR Art 7(3) | Manual review, individual complaint |
| Unequal prominence | GDPR Art 5(1)(a) fairness | Automated dark-pattern scanning |
| Pre-ticked boxes | GDPR Recital 32, ECJ Planet49 | Banner-configuration audit |
| Misclassified essential cookies | ePrivacy Art 5(3) | Cookie categorization review |
| Cookie walls / pay or okay | Freely-given-consent test | DPA scrutiny, noyb complaints |
| No withdrawal mechanism | GDPR Art 7(3) | User complaint, banner audit |
| No consent records | GDPR Art 5(2), Art 7(1) | Regulatory audit request |
Firing Cookies Before the Visitor Consents (Pre-Consent Tracking)
Pre-consent tracking is the single most common cookie violation. Non-essential cookies or scripts load on page arrival, before the visitor clicks anything. ePrivacy Directive Article 5(3) requires consent before a site stores or accesses information on a device, not after. A banner that displays while a Google Analytics tag or a Meta Pixel already fired underneath it does not satisfy that requirement.
Regulators and researchers catch this by loading a page fresh and capturing every network request in the first few seconds. They watch what fires before any click occurs. That is the same evidence method noyb uses for its mass-scanning system. It is also the method US plaintiff firms use when sending demand letters over analytics tags. If a marketing pixel appears in that first capture, the site has a pre-consent-tracking violation, regardless of what the banner text says.
A cookie banner that "informs but doesn't block" is the most common version of this defect. The banner is visible and legally worded. The underlying scripts run anyway. Visibility is not the legal requirement. Blocking is.
No "Reject All" Button on the First Layer
A banner that buries its reject option inside a settings sub-menu violates GDPR Article 7(3), while "Accept All" sits on the surface. Withdrawing or declining consent must be as easy as giving it. The UK Information Commissioner's Office states this plainly. A compliant banner needs a clear "Reject All" button next to "Accept All," both visible on the first layer. No extra clicks should be required to decline.
One Reddit thread on keeping banners compliant put the standard directly. The top reply: making reject harder to select than accept is still not compliant. That holds even if a reject path technically exists somewhere on the site. A regulator does not credit a reject option that a visitor has to hunt for.
This is also the exact pattern an individual reporter described on r/gdpr. The banner had no first-layer reject button. Declining required a click into a settings window. That description matches what CNIL and noyb both flag as a textbook violation.
"Accept" and "Reject" Are Not Equally Easy (Unequal Prominence)
Unequal prominence breaks GDPR Article 5(1)(a)'s fairness principle. A bright "Accept All" button against a low-contrast or text-only "Reject" visually steers the choice instead of presenting it neutrally. CNIL's December 2024 formal notice against multiple publishers named this pattern specifically: font size, color, and styling that disproportionately emphasize acceptance over rejection.
Cookie Information's dark-pattern research found that 31% of cookie banners studied used misleading button designs to nudge users toward acceptance. CNIL's formal notice also flagged banners where the accept option appears multiple times while reject appears only once. That repetition is another version of the same asymmetry.
Pre-Ticked Boxes and Consent Assumed by Default
A cookie category pre-checked as "on" before the visitor makes any choice is not consent. GDPR Recital 32 states it directly. Silence, pre-ticked boxes, or inactivity do not constitute consent under the law. The European Court of Justice settled this in its Planet49 ruling in October 2019. The court held that pre-checked boxes do not amount to valid, active consent under the ePrivacy Directive.
The ruling is six years old, but Cookie Information's research found that 45% of banners studied still had preselected options consenting to all cookies. A visitor must take an affirmative action for consent to count, such as ticking a box or clicking accept. A default-on toggle the visitor never touched fails that test, even if the visitor never noticed or objected.
Misclassifying Tracking Cookies as "Essential"
Labeling an analytics or advertising cookie as "strictly necessary" lets a site skip the consent banner for it entirely. That mislabeling is the violation. ePrivacy Article 5(3) exempts only cookies genuinely necessary for the site to function, like a shopping cart session or a login token. It does not exempt cookies that measure traffic or serve ads.
One recurring answer in the r/webdev thread on compliant banners put the actual exemption correctly. A site that only runs cookies strictly needed to work does not need a consent banner at all. The exemption is narrow by design. Sites that mislabel analytics or advertising tools as essential to dodge the banner requirement are miscategorizing, not exempting.
Cookie Walls and "Pay or Okay" Banners
A cookie wall blocks site access entirely unless the visitor accepts tracking. Some cookie walls offer a paid subscription as the only alternative to acceptance. noyb has scrutinized this model directly. Providers of "pay or okay" banners claim consent rates above 99% under this setup, noyb notes. That number itself signals the choice is not free. GDPR consent must be freely given. A visitor choosing between accepting tracking, paying money, or leaving the site is not making a free choice in the way the law requires.
Data protection authorities continue to examine cookie walls case by case. The model remains a recurring subject of noyb complaints and regulatory scrutiny, not a settled safe harbor.
No Way to Withdraw Consent Later
GDPR Article 7(3) requires that withdrawing consent be as easy as giving it. A visitor needs a persistent, findable way to reopen their cookie choices after the first visit. A banner with no revisit button and no footer link to reopen preferences fails this requirement, even if the original consent was collected correctly.
A floating preference button or a "Manage Cookie Preferences" footer link satisfies the requirement. Its absence does not.
No Consent Records to Prove Compliance
GDPR's accountability principle places the burden of proof on the site. Under Articles 5(2) and 7(1), a controller must be able to demonstrate that consent was actually obtained, when, and for what. A site with no consent logs cannot produce that proof during a regulatory audit. That gap is itself a violation, independent of whether the banner was compliant on the front end.
How Regulators and Privacy Groups Detect These Violations
Cookie consent violations are caught three ways. Automated mass-scanning systems catch most of them. Individual complaints filed with a data protection authority catch others. In the US, plaintiff-firm network-request captures used to support demand letters catch a third category. Each route relies on the same core evidence: what actually loads before the visitor consents.
noyb runs the most active automated detection system in the category. It built a mass-scanning tool that automatically identifies unlawful cookie banners and generates complaints. Each flagged site gets a grace period to fix the banner before the complaint moves to the responsible data protection authority. noyb has stated that dark patterns push more than 90% of users to click "agree" on cookie banners. Independent research shows only about 3% of users actually want to accept cookies. That gap is what its scanning system exists to close.
Individual visitors can also trigger enforcement directly. One r/gdpr thread described exactly this path. A visitor spotted a banner with no first-layer reject button and asked how to report it. The top answer pointed to filing directly with the supervisory authority in the company's country, or with the visitor's own authority, which forwards the complaint. noyb's own Article 77 guide and the ICO's complaint template both offer this same route.
In the United States, a newer detection pattern has emerged around plaintiff firms rather than regulators. One agency reported four clients receiving demand letters in a matter of months. Each letter was built from screenshots of network requests showing a specific analytics feature firing before consent. The evidence method is the same one noyb uses. Capture what loads, then show it happened before the visitor agreed to anything.
Regulatory sweeps add a fourth layer on top of complaints. Authorities like CNIL and the ICO periodically run their own scans across an industry or region. These sweeps run independent of any single complaint, and they issue formal notices to every site that fails.
How a Violation Becomes a Fine: The Enforcement Pipeline
A cookie consent violation becomes a fine through a staged pipeline, not a single event. Detection comes first. A formal notice with a cure window follows, then a decision, then the penalty. The penalty often compounds daily until the site fixes it. Understanding the stages matters because most violations are still fixable before the fine stage.
- Detection: a complaint (from noyb, an individual, or a competitor) or a regulatory sweep flags the banner.
- Formal notice: the authority gives the site a fixed window to correct the defect. The UK ICO's published process allows 30 days from a warning before enforcement proceeds. CNIL's December 2024 formal notice against publishers using dark patterns gave a one-month window to fix the banner.
- Decision: if the site does not cure the defect in time, the authority issues a formal decision finding a violation.
- Fine, often with a daily penalty: the decision can carry a fine plus an ongoing daily penalty for continued non-compliance. CNIL has used daily penalties in prior enforcement actions to pressure faster fixes.
The gap between step 2 and step 4 is the actual opportunity. A site that corrects its banner during the cure window generally avoids the fine stage entirely. Sites that ignore the formal notice are the ones that reach a published decision.
What Cookie Consent Violations Actually Cost
Cookie consent fines range from the low hundreds of thousands to hundreds of millions of dollars. The statutory ceilings behind them run even higher. The table below lists confirmed enforcement actions and the legal penalty caps that apply.
| Who | Regulator | Date | Defect | Penalty |
|---|---|---|---|---|
| CNIL (France) | Sep 2025 | Ad cookies served without consent in Gmail; unclear consent condition at account creation | EUR 325,000,000 | |
| American Honda Motor Co. | CPPA (California) | Mar 2025 | Banner offered only "Allow All"; opt-out required navigating to a hidden settings menu | USD 632,500 |
| GDPR statutory ceiling | EU-wide | Ongoing | Any qualifying violation | Up to 4% of global annual turnover or EUR 20,000,000, whichever is higher |
| CCPA/CPRA statutory ceiling | California | Ongoing | Any qualifying violation | USD 2,500 per violation; USD 7,500 per intentional violation |
Consent violations are not a minor category inside privacy enforcement. Piano.io's research puts it plainly:
Consent violations, cookie drops, unclear consent, and refusal made harder than acceptance are the single most common fine category across all years.
The Honda case shows the ceiling is not theoretical for smaller operators either. A banner defect, not a data breach or a security failure, produced a $632,500 penalty.
For the full record of major penalties, see the biggest GDPR fines and what caused each one. Track new actions as they land in the GDPR enforcement tracker.
Cookie Consent Violations Outside the EU: CCPA and US Wiretap Claims
No US federal or state law requires a website to run a cookie banner. But the same underlying defects still create liability under CCPA/CPRA and, increasingly, under state wiretap statutes like CIPA. Two triggers are enough on their own: a California resident's ignored opt-out request, or an analytics tag that fires before any consent mechanism runs. Either one creates state-law exposure with no banner mandate required.
The CPPA's Honda enforcement is the clearest example. The violation was a cookie and consent interface that made accepting easy and opting out hard. That is the exact pattern GDPR enforcement also targets, prosecuted under California's own statute rather than GDPR.
A second, separate US theory has emerged around wiretap law. Plaintiff firms increasingly reframe pre-consent tracking as a violation of California's wiretapping law. Their argument: a tracking script capturing visitor activity without consent intercepts a communication under the statute's original wording. The Meta Pixel lawsuits are the most litigated example of this theory in practice. The same theory drives website wiretapping claims more broadly, and session-replay lawsuits over analytics tools that record on-page behavior. One agency reported four demand letters in a short window. Each was built from network-request screenshots of a single analytics feature. That pattern is active now, not theoretical.
Common Misconceptions About Cookie Consent Violations
Four beliefs keep otherwise careful site owners exposed. Each one is contradicted directly by how enforcement actually works.
- "I have a banner, so I'm compliant." A banner that displays but does not block non-essential cookies until consent is the single most common violation pattern found in enforcement actions. Having a banner and having a compliant banner are not the same claim.
- "Scrolling past the banner counts as consent." GDPR requires an explicit affirmative action. Recital 32 rules out silence and inactivity by name. Scrolling is inactivity with extra steps, not a click.
- "I'm too small, or not in the EU, so I'm not at risk." Jurisdiction follows the visitor, not the site owner. A single EU visitor triggers GDPR and ePrivacy exposure. US state laws like CCPA and CIPA apply regardless of company size.
- "Legitimate interest lets me skip consent for analytics." Data protection authorities have consistently rejected legitimate interest as a lawful basis for tracking or advertising cookies. ePrivacy Article 5(3) requires consent specifically, and legitimate interest does not substitute for it.
Unsure of your baseline obligations before checking your banner? Start with whether your site needs a cookie policy.
FAQs
Is it illegal to force users to accept cookies?
Yes, for non-essential cookies. GDPR and the ePrivacy Directive require consent to be a free choice. A banner offering only "Accept to continue," with no working reject option, is a violation regardless of how the banner is worded.
Can I be fined if I have a cookie banner but it is set up wrong?
Yes. Most enforcement actions target misconfigured banners: no reject button, cookies firing before consent, or dark-pattern styling. They do not target the complete absence of a banner. Having a banner does not protect a site if it does not actually block tracking until consent is given.
Is a small or non-EU website really at risk of a cookie fine?
Jurisdiction follows the visitor, not the business. A site with even one EU visitor is subject to GDPR and ePrivacy. US state laws like CCPA and CIPA add exposure too, regardless of where the company is based or how small it is.
What is the single most common cookie consent violation?
Firing non-essential cookies before the visitor consents. This is a banner that displays without actually blocking the scripts underneath it. Piano.io's fine-tracking research identifies consent violations broadly as the most common privacy-fine category across every year studied.
How do I know if my own cookie banner is compliant?
Check five things. Does any script fire before a click? Does "Reject All" sit on the first layer next to "Accept All"? Are the two buttons equally prominent? Is any category pre-ticked? Can visitors reopen preferences later? The requirements guide linked earlier in this article walks through the full build-out.
Can an individual report a non-compliant cookie banner?
Yes. Any visitor can file a complaint with their own country's data protection authority, which forwards it to the company's supervisory authority. A visitor can also use noyb's Article 77 complaint guide. No special legal standing is required to report a banner.
What happens if I ignore a regulator's warning about my banner?
A formal notice typically gives a cure window to fix the defect. The UK ICO's process allows around 30 days. CNIL's December 2024 formal notice pattern gave one month. Ignoring that window escalates to a formal decision, a fine, and in some cases a daily penalty until the banner is corrected.
Understanding these violation patterns is the first step to fixing them before a complaint or a scan finds them first. Consently's cookie scanner auto-blocks non-essential cookies until a visitor actually consents. It pairs an equally prominent accept and reject button on the first layer, and it keeps a consent log for every visitor choice. See how automatic cookie blocking closes the #1 violation to check where your own banner stands.

