Cookie compliance is one of the most visible and frequently assessed aspects of privacy compliance today. Regulators often review websites to determine whether they meet cookie consent requirements, including how they deploy cookies, obtain consent, and manage third-party cookies.
Because organisations widely use cookies for analytics, advertising, and tracking, they can quickly violate cookie consent rules and unlawfully process data, making cookie banners a key indicator of overall compliance with privacy and ePrivacy laws. Regulatory reviews on cookie consent typically examine the cookie banner, evaluate the choices offered to users, and check whether websites set non-essential cookies only after obtaining valid consent. Read on to learn more.
Why consent is a key component of regulatory cookie consent reviews
Cookies are small text files that websites store on a user’s device. Websites use internet cookies to enable basic functions, analyse traffic, personalise content, and support advertising and tracking.
Broadly, cookies fall into two groups:
- Strictly necessary cookies: Allow the website to function (for example, keeping a user logged in or protecting a form against CSRF) and do not require user consent.
- Non-essential cookies: Analytics cookies, advertising cookies, and third-party cookies. These often collect personal data such as device identifiers and so require consent, or an opt-out route, depending on the jurisdiction.
Cookie consent requirements differ by region. In the EU and UK, laws such as the GDPR and the ePrivacy Directive (implemented in the UK as PECR) follow an opt-in model, which means websites must obtain valid user consent before placing non-essential cookies.
In contrast, several US privacy laws, including the CCPA, follow an opt-out model, where websites may use certain cookies but must give users a clear and effective way to opt out of tracking and data sharing.
Common cookie compliance failures during cookie consent reviews include:
- Placing non-essential or third-party cookies before consent
- Making cookie rejection harder than acceptance in the cookie banner
- Using pre-checked boxes or implied consent
- Continuing to track users after they refuse or withdraw consent
Because cookies enable tracking, profiling, and data sharing, regulators treat cookie consent as an early indicator of privacy compliance. Weak cookie consent practices often point to broader issues with transparency, user choice, and accountability, which is why cookie banners and consent mechanisms are a frequent focus in enforcement actions.
In 2024, the highest data protection fine under GDPR in the hospitality and accommodation sector was for cookie consent violation.
What non-compliant cookie practices do regulators look for?
Below are some of the most commonly reviewed cookie consent factors in regulatory assessments.
#1 Non-essential cookies firing before consent
Regulators in regions requiring opt-in consent for non-essential cookies, such as the European Union and Brazil, examine whether websites place non-necessary cookies before a user has given their choice.
This includes advertising, analytics, and tracking cookies that are not strictly required for the website to function. If these cookies are set automatically when the page opens, the violation has already occurred, and consent collected afterwards cannot cure it, even if a banner appears seconds later.
Several high-profile enforcement actions have been based on this issue alone. Regulators have repeatedly stated that consent obtained after tracking has already started is not meaningful consent. From their perspective, this is a clear and objective violation, and it is also easy to prove: a network capture of the first page load, taken before any interaction with the banner, shows which cookies were set and which requests carried them.
In 2024, the French data protection authority CNIL fined Orange for continuing to read cookies even after users withdrew their consent.
The CNIL held that Article 82 of the French Data Protection Act prohibits reading cookies after a user withdraws consent, even if the controller does not later use the data.
#2 Providing a clear opt-out option for users
In some jurisdictions, cookie compliance focuses on opt-out rights rather than prior consent. In the United States, laws such as California’s CCPA require businesses to provide users with a clear way to opt out of the sale or sharing of personal information, including through third-party cookies used for cross-site tracking.
To comply, websites should provide a visible Do Not Sell or Share My Personal Information option and implement technical controls that stop advertising or tracking cookies from operating once a user opts out.
Regulatory cookie consent reviews focus not only on whether an opt-out mechanism exists, but on whether it actually limits data collection in practice. Therefore, if cookies continue to collect or share data despite an opt-out, the business will be considered non-compliant, even if a notice or link is present. The same applies to browser-based opt-out preference signals, which the CCPA regulations require businesses to honour as a valid opt-out request.
In May 2025, the California Privacy Protection Agency took enforcement action against Todd Snyder, Inc. for failing to provide an effective opt-out from the sale or sharing of personal information. Misconfigured cookie preference tools prevented users from opting out of third-party tracking, and opt-out signals were not recognised.
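The following is an added example, not code from the original page or from CookieYes, showing the server-side control that makes an opt-out effective rather than cosmetic. It honours two sources: the preference stored when a visitor uses the "Do Not Sell or Share My Personal Information" link (no login or identity verification needed), and the browser's Global Privacy Control signal, which is assumed here to be the "browser-based opt-out signal" the article refers to; GPC reaches the server as the request header `Sec-GPC: 1` and is visible to page scripts as `navigator.globalPrivacyControl`. The cookie name `usp_optout`, the tag inventory and the Max-Age are assumptions for illustration.

```javascript
// Added example, not code from the original page or from CookieYes.
// Decides whether a US visitor must be treated as opted out of sale/sharing
// and, based on that, which tags the page template is allowed to embed.
// Node lower-cases incoming header names, so "Sec-GPC: 1" arrives as
// headers["sec-gpc"].  Cookie name, tag list and Max-Age are assumptions.

const OPT_OUT_COOKIE = "usp_optout"; // assumed name of the stored preference

// Minimal Cookie-header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookieHeader(header) {
  const out = {};
  for (const part of String(header || "").split(";")) {
    const i = part.indexOf("=");
    if (i < 0) continue;
    const name = part.slice(0, i).trim();
    if (name) out[name] = part.slice(i + 1).trim();
  }
  return out;
}

// True when the visitor must be treated as opted out: either the browser
// sends the GPC signal or the visitor previously clicked the opt-out link.
function isOptedOut(headers) {
  const gpc = String(headers["sec-gpc"] || "").trim() === "1";
  const stored = parseCookieHeader(headers.cookie)[OPT_OUT_COOKIE] === "1";
  return gpc || stored;
}

// Set-Cookie value returned when the visitor clicks the opt-out link.
// No account, login or identity check is required; the choice persists
// for a year (assumed) and is sent only over HTTPS.
function optOutSetCookie() {
  return `${OPT_OUT_COOKIE}=1; Max-Age=31536000; Path=/; Secure; SameSite=Lax`;
}

// Assumed tag inventory: which embedded scripts share data with third parties.
const TAGS = [
  { id: "first_party_analytics", sharesWithThirdParties: false },
  { id: "ad_network_pixel", sharesWithThirdParties: true },
  { id: "social_retargeting", sharesWithThirdParties: true },
];

// The technical control behind the link: the server decides which tags the
// page may embed, so an opted-out visitor never receives the sharing tags at
// all, instead of loading them and relying on each vendor to behave.
function tagsToEmbed(headers) {
  const optedOut = isOptedOut(headers);
  return TAGS.filter((t) => !(optedOut && t.sharesWithThirdParties)).map((t) => t.id);
}
```

`tagsToEmbed` is the function a request handler would call before rendering; the same decision has to be repeated on every page, because a signal that is honoured on the landing page but ignored on the checkout page is exactly the "link exists but does nothing" failure the CPPA action above describes.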
#3 Whether users can refuse cookies as easily as they can accept
Regulators care not only about offering a choice but also about how websites present that choice.
If users can accept cookies with one click but must take multiple steps, such as navigating hidden menus or scrolling through settings, to reject them, regulators are unlikely to consider the consent freely given.
Authorities consistently expect cookie refusal to be just as easy and visible as acceptance.
This includes:
- A clear reject option at the first layer of the banner
- No visual bias that nudges users toward acceptance
- No language that frames refusal as harmful or inconvenient
In enforcement notices, regulators have described unequal choice design as misleading and manipulative, even when refusal is technically possible.

A recent Austrian Administrative Court decision confirmed enforcement action against a website whose cookie banner made it easier to accept cookies than to refuse them.
In this case, users could accept cookies with one click on the first screen, while rejecting cookies required extra steps and navigating to another layer. The court held that this design violated consent requirements because refusal and withdrawal must be just as simple and visible as acceptance.
#4 Pre-selected options and implied consent
Another red flag in cookie consent is pre-enabled toggles or language suggesting that continued browsing equals consent.
Regulators have been explicit that consent must be an active, affirmative action. Pre-ticked boxes, default-on analytics switches, or statements like “By continuing to use this site, you agree” fail this standard.
Courts and data protection authorities have confirmed that silence, inactivity, or passive behaviour does not amount to valid consent.
In countries requiring opt-in consent, if a user must opt out rather than opt in for cookies, the consent mechanism is already flawed.
#5 Clarity and completeness of information
Regulators do not expect long legal explanations in a cookie banner, but they do expect clarity and conciseness.
They typically assess whether the organisation provides the following information:
- Types of cookies and their purposes
- Whether third parties are involved
- How long cookies last
- Where more detailed information can be found (cookie/privacy policy)
Problems arise when banners use vague phrases like “improve your experience” without explaining what that means, or when they fail to clearly disclose third-party advertising partners.
Technical jargon and incomplete or ambiguous information undermine the “informed” element of consent, and regulators frequently cite these issues in enforcement decisions.
#6 Ability to withdraw consent easily
Consent is not a one-time event. Regulators actively check whether users can change their consent choices at any time.
A compliant setup allows users to withdraw consent as easily as they gave it. This usually means:
- A settings link or widget
- No requirement to search through policies
- Immediate effect when consent is withdrawn
If cookies continue to run after a user withdraws consent, or if withdrawal is buried deep within the site, regulators consider this a serious failure.
In December 2023, CNIL fined Yahoo 10 million euros after finding that cookies were placed on users' devices without valid consent and that users faced obstacles when trying to withdraw from cookie-based tracking.
The authority concluded that consent is ineffective if users cannot withdraw it easily or if tracking continues after withdrawal. This case highlights that businesses must ensure that withdrawal works in practice and immediately stops non-essential cookies.
#7 Respecting user choices in practice
Closely linked to withdrawal is whether the website actually respects the user’s decision.
If tracking cookies still appear after rejection, or if rejected categories quietly reload on subsequent pages, consent is effectively meaningless.
This issue has featured prominently in large fines, where organisations offered a reject option but continued tracking regardless. From a regulatory perspective, this shows a lack of accountability and technical governance.
#8 Use of dark patterns and manipulative design
Design choices matter more than many organisations realise. Authorities are now explicitly examining whether cookie banners use dark patterns, such as:
- Bright accept buttons and muted reject links
- Multiple accept buttons but a single reject option
- Extra friction added to the refusal of cookies
- Use of ambiguous language
Even subtle nudging can invalidate consent if it undermines user freedom. Regulators have made it clear that compliance is not just about legal text, but about fairness in how choices are presented.
In a 2025 decision, a German court confirmed that a cookie banner is unlawful if it pushes users toward accepting cookies. In this case, the banner showed a clear “Accept” option on the first screen but made rejection harder by hiding it behind multiple steps.
#9 Accountability and consent logs
Organisations are expected to demonstrate that consent was obtained, recorded, and applied correctly. This includes:
- Logs of consent choices
- Timestamped records
- Alignment between consent and cookie behaviour
While regulators may not always request this evidence at the first stage, the absence of reliable records becomes a serious issue once an investigation begins. Therefore, maintaining cookie consent logs is important during regulatory cookie consent reviews.
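The following is an added example, not code from the original page or from CookieYes, showing in one place the behaviour that sections #1, #6, #7 and #9 above describe: no non-essential cookie is written before an opt-in, withdrawal deletes the affected cookies immediately, every choice is recorded with a timestamp, and an audit function flags cookies actually observed on the page whose category has no consent (the typical case being a third-party tag that writes cookies directly and bypasses the banner). The category map, the cookie and category names, and the `source` labels are assumptions for illustration; an in-memory Map stands in for `document.cookie` so the example runs outside a browser.

```javascript
// Added example, not code from the original page or from CookieYes.
// A consent-gated cookie store.  Cookie names, categories and the category
// map are assumptions; a Map replaces document.cookie so this runs in Node.

// Assumed classification of the cookies this site and its vendors set.
const COOKIE_CATEGORY = {
  session_id: "necessary",
  csrf_token: "necessary",
  _ga: "analytics",
  _gid: "analytics",
  ads_uid: "advertising",
};

// Cookies missing from the map are treated as non-essential, never as
// necessary: an unknown cookie is a classification gap, not a free pass.
function categoryOf(name) {
  return Object.prototype.hasOwnProperty.call(COOKIE_CATEGORY, name)
    ? COOKIE_CATEGORY[name]
    : "unclassified";
}

// `now` is injectable so the timestamps in the log can be tested.
function createConsentStore(now = () => new Date().toISOString()) {
  const jar = new Map(); // stand-in for document.cookie
  // State before any choice: only strictly necessary cookies are allowed.
  const consent = { necessary: true, analytics: false, advertising: false };
  const log = []; // timestamped record of every choice, for accountability

  // Refuse (not defer) any write whose category has no consent.  The script
  // that wanted the cookie must not run until the category is switched on.
  function setCookie(name, value) {
    if (consent[categoryOf(name)] !== true) return false;
    jar.set(name, value);
    return true;
  }

  // Apply a banner choice or a later withdrawal from a settings widget.
  // Withdrawal takes effect at once: cookies already set in the withdrawn
  // category are deleted, so nothing keeps reading them on the next page.
  function update(choices, source) {
    for (const [category, allowed] of Object.entries(choices)) {
      if (category === "necessary") continue; // cannot be switched off
      consent[category] = allowed === true;
      if (allowed !== true) {
        for (const name of [...jar.keys()]) {
          if (categoryOf(name) === category) jar.delete(name);
        }
      }
    }
    log.push({ at: now(), source, consent: { ...consent } });
  }

  // Detection: given cookie names actually observed (document.cookie, a
  // crawler run, or a HAR file), return those present without consent.
  // This is the "alignment between consent and cookie behaviour" check.
  function audit(observedNames) {
    return observedNames.filter((n) => consent[categoryOf(n)] !== true);
  }

  return {
    setCookie,
    update,
    audit,
    cookies: () => [...jar.keys()],
    consent: () => ({ ...consent }),
    log: () => log.map((entry) => ({ ...entry })),
  };
}
```

Run `audit` against the cookies seen on a fresh page load before any click, and again after a "reject" click and after a withdrawal; any name it returns is a finding of exactly the kind described under #1 and #7, and the entries from `log()` are the timestamped records #9 asks for.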

What this means for businesses
Regulators are not looking for perfection. They are looking for honesty, fairness, and control.
Most cookie consent enforcement actions arise from basic, preventable issues rather than complex legal interpretations. The common thread is a gap between what the banner promises and what the website actually does.
For businesses, the message is clear: cookie consent should enable users to make independent cookie choices. When consent is genuine, transparent, and technically enforced, regulatory scrutiny becomes far less risky.
Cookie consent is no longer just about avoiding fines. It is about demonstrating respect for user choice at the very first interaction.
Preparing for regulatory cookie consent reviews: Compliance checklist
Cookie compliance is a core requirement under privacy and ePrivacy laws worldwide. The checklist below highlights the key points websites should address to reduce the risk of cookie consent violations and demonstrate responsible handling of user choices.
- Conduct regular cookie scans to identify all cookies and similar technologies used on the website, including third-party cookies.
- Clearly distinguish between essential and non-essential cookies.
- Do not place non-essential cookies before the user has given valid consent if opt-in laws apply.
- Provide a “Do not sell or share” option for US visitors.
- Use clear, plain language to explain what cookies are used for and why.
- Avoid vague purposes such as “improving user experience” without explanation.
- Provide an equal and visible option to accept and reject cookies on the first layer of the banner.
- Ensure rejecting cookies is as easy as accepting them, with the same number of clicks.
- Do not use pre-checked boxes, default toggles, or implied consent.
- Avoid dark patterns such as misleading buttons, visual nudging, or confusing labels.
- Allow users to consent separately to different categories of cookies where required.
- Clearly disclose the use of third-party cookies and data sharing with partners.
- Ensure consent is recorded and stored securely for accountability purposes.
- Make consent withdrawal as simple and accessible as giving consent.
- Stop setting and reading non-essential cookies immediately after refusal or withdrawal.
- Ensure third-party vendors respect user consent and opt-out signals.
- Do not require identity verification or extra information for cookie opt-outs.
- Recognise browser-based opt-out signals where legally required.
- Review cookie practices regularly to reflect legal or technical changes.
- Document cookie compliance decisions and technical controls internally.
- Link your cookie policy from the banner for detailed information.
FAQs: How regulators review cookie consent
Who conducts cookie consent reviews?
Cookie consent reviews are conducted by a range of privacy and consumer protection authorities worldwide. In the EU and UK, this includes Data Protection Authorities (DPAs) such as the CNIL (France), ICO (UK), Garante (Italy), AEPD (Spain), and other supervisory authorities enforcing the GDPR and ePrivacy laws.
In the United States, cookie and tracking practices may be reviewed by the California Privacy Protection Agency (CPPA) as well as state Attorneys General, who enforce state privacy and consumer protection laws. Other global regulators with similar enforcement powers may also review cookie consent practices under local data protection or digital privacy frameworks.
What are the most common cookie banner violations?
Common cookie banner violations include pre-ticked consent boxes, misleading banner designs, lack of a reject option, cookie walls, vague cookie purposes, and placing tracking cookies before user consent.
How can businesses prepare for a cookie consent review?
Businesses can prepare by conducting regular cookie audits, using a compliant consent management platform (CMP), aligning banner design with regulatory guidance, maintaining consent records, and monitoring updates from relevant regulators.

