Should websites block all cookies until consent?

In most cases, yes.
Under the GDPR, websites should block all non-essential cookies until the user gives explicit consent. Only strictly necessary cookies required for core website functionality, such as shopping carts or security, may be set without consent.

This “consent-or-block” approach helps prevent unlawful data processing and reduces the risk of regulatory penalties. For non-EU visitors, lighter frameworks such as the CCPA may allow implied consent, but blocking non-essential cookies by default remains a widely accepted best practice for compliance and user trust.