
DOMAIN:PRIVACY:COOKIE_CONSENT

OWNER: julian
ALSO_USED_BY: aimee, eric, victoria
UPDATED: 2026-03-26
SCOPE: cookie and tracking consent for all web-facing client projects


OVERVIEW

Cookie consent is one of the most actively enforced areas of EU privacy law.
SHEIN: EUR 150M fine. Google France: EUR 100M fine. Dutch DPA warning 50+ organisations in 2025.
97% of EU apps still had dark patterns in cookie consent in 2024.

LEGAL_BASIS: ePrivacy Directive (2002/58/EC) + national implementations
NOTE: ePrivacy Regulation was withdrawn Feb 2025 — Directive remains the law.
NATIONAL_IMPLEMENTATION (NL): Telecommunicatiewet (Art. 11.7a)
GDPR: applies alongside ePrivacy for consent requirements and enforcement.


ePRIVACY DIRECTIVE (Art. 5(3))

RULE: storing or accessing information on user's terminal equipment requires:
1. clear and comprehensive information about the purpose
2. prior consent of the user

EXCEPTIONS: strictly necessary cookies (functional, session, security)

EDPB (Guidelines 02/2023): almost every form of tracking requires consent.
There is no "analytics exception" in the Directive itself.

GDPR INTERSECTION

CONSENT_STANDARD: GDPR Art. 7 requirements apply to ePrivacy consent
LAWFUL_BASIS: consent for cookies is ePrivacy consent, but must meet GDPR standard
ENFORCEMENT: DPAs can enforce under both ePrivacy and GDPR simultaneously

ePrivacy REGULATION — STATUS

WITHDRAWN: European Commission formally withdrew the proposal Feb 2025.
CONSEQUENCE: ePrivacy Directive remains in force indefinitely.
IMPACT: enforcement variation across Member States continues.


COOKIE CATEGORIES

STRICTLY NECESSARY

DEFINITION: essential for the service explicitly requested by the user.
EXAMPLES:
- session cookies (maintaining login state)
- shopping cart cookies
- load-balancing cookies
- security cookies (CSRF tokens)
- user-input cookies (form data during multi-step process)
- cookie consent preference cookies

NOT_STRICTLY_NECESSARY: analytics, advertising, social media, A/B testing, personalisation.

FUNCTIONAL / PREFERENCE

DEFINITION: enable enhanced functionality or personalisation.
EXAMPLES: language preference, region selection, font size, UI theme
CONSENT_REQUIRED: yes (not strictly necessary)
IMPACT_IF_DECLINED: degraded user experience but core service functional

ANALYTICS / PERFORMANCE

DEFINITION: collect data about how visitors use the website.
EXAMPLES: page views, session duration, bounce rate, device type
CONSENT_REQUIRED: yes (with limited exceptions — see below)

FIRST-PARTY ANALYTICS EXEMPTION (country-specific):
FRANCE (CNIL): first-party analytics exempt IF all conditions met:
- purpose limited to anonymous audience measurement
- no cross-site tracking
- no user profiling
- no data shared with third parties
- cookie duration max 13 months
- data retention max 25 months
- IP anonymisation (at minimum last octet)

SPAIN (AEPD): similar exemption under comparable conditions.
ITALY (Garante): similar exemption with 2-year cookie duration limit.
GERMANY (TTDSG): NO exemption — consent required for all analytics.
UK (ICO): NO exemption — analytics always require consent.
NETHERLANDS: Dutch DPA position less explicit — safer to require consent.

STANDARD_GOOGLE_ANALYTICS: does NOT qualify for exemption anywhere.
DATA goes to Google's servers and enters their ecosystem.
EVEN with IP anonymisation enabled.

MARKETING / ADVERTISING

DEFINITION: track users across websites for advertising purposes.
EXAMPLES: retargeting cookies, ad network cookies, social media pixels
CONSENT_REQUIRED: always — no exceptions
SCOPE: includes all third-party advertising trackers, conversion pixels, remarketing tags


MANDATORY RULES

CHECK: no cookies set before consent — zero pre-consent tracking
CHECK: granular categories — user can accept analytics but reject marketing
CHECK: accept and reject buttons equally prominent (same size, colour, position)
CHECK: no pre-checked checkboxes (Planet49 CJEU ruling)
CHECK: consent logged with timestamp + policy version + specific categories
CHECK: withdrawal as easy as giving consent (accessible settings, not buried)
CHECK: no cookie wall — site must be functional without optional cookies (CJEU Planet49)
CHECK: third-party scripts blocked until relevant category consented
CHECK: consent refreshed periodically (most DPAs recommend 6-12 months)
CHECK: consent mechanism accessible on every page (not just first visit)
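Added example, not code from the original page or from any CMP vendor: the consent record and the category-gated script loading that the CHECK lines above describe, in plain JavaScript. The category names, the policy version string, the registry entries and the example.invalid hostnames are assumptions for illustration.

```javascript
// Added example (not from the original page): a minimal consent record and a
// category-gated script loader. Category names and the policy version string
// are assumptions for illustration.
const POLICY_VERSION = '2026-03-26'; // assumed: version of the published cookie policy
const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// Build the record the MANDATORY RULES require: timestamp, policy version and
// an explicit per-category decision. Nothing is pre-checked: any category the
// user did not actively accept is recorded as false. "necessary" is always on.
function buildConsentRecord(choices, now = new Date(), withdrawn = false) {
  const categories = {};
  for (const c of CATEGORIES) {
    categories[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return { timestamp: now.toISOString(), policyVersion: POLICY_VERSION, categories, withdrawn };
}

// Withdrawal is one call, as easy as giving consent. It produces a new record
// (keep the old one in the log for auditability). Scripts already loaded cannot
// be unloaded, so the caller must also delete the cookies those scripts set.
function withdrawConsent(now = new Date()) {
  return buildConsentRecord({}, now, true);
}

// Every third-party script declares its category up front. `loadScript` is
// injected so the gate can run outside a browser; in a page it would be
//   src => { const s = document.createElement('script'); s.src = src; document.head.appendChild(s); }
function createScriptGate(registry, loadScript) {
  const loaded = new Set();
  return {
    // Load only scripts whose category the current record permits; never twice.
    apply(record) {
      for (const { src, category } of registry) {
        if (record.categories[category] === true && !loaded.has(src)) {
          loaded.add(src);
          loadScript(src);
        }
      }
      return [...loaded];
    },
  };
}

// Constructed registry: hostnames are placeholders, not real vendor URLs.
const SAMPLE_REGISTRY = [
  { src: 'https://cdn.example.invalid/csrf-helper.js', category: 'necessary' },
  { src: 'https://analytics.example.invalid/tag.js', category: 'analytics' },
  { src: 'https://ads.example.invalid/pixel.js', category: 'marketing' },
];

// Simulate a visit: first paint with no consent yet, then the user's choice.
// Returns which scripts were loaded at each stage plus the stored record.
function simulateVisit(choices, now = new Date('2026-03-26T10:00:00Z')) {
  const log = [];
  const gate = createScriptGate(SAMPLE_REGISTRY, (src) => log.push(src));
  const preConsent = gate.apply(buildConsentRecord({}, now));
  const record = buildConsentRecord(choices, now);
  const postConsent = gate.apply(record);
  return { preConsent, postConsent, record };
}
```

The point of the gate is that "zero pre-consent tracking" falls out of the data model: before the banner is answered the record is all-false except `necessary`, so the first `apply` can only load strictly-necessary scripts, and the marketing pixel stays unloaded when the user accepts only analytics.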

DARK PATTERNS — PROHIBITED

PROHIBITED: misleading button colours (green accept, grey reject)
PROHIBITED: oversized accept button vs tiny reject link
PROHIBITED: requiring multiple clicks to reject vs one click to accept
PROHIBITED: "legitimate interest" toggle hidden in second layer
PROHIBITED: "accept all" prominent, "manage preferences" hidden
PROHIBITED: language designed to discourage rejection ("you'll miss out!")
PROHIBITED: countdown timers or urgency on consent banners
PROHIBITED: implied consent through continued browsing

ENFORCEMENT_EXAMPLES:
- SHEIN: EUR 150M — ad cookies before consent
- Google France: EUR 100M — rejection harder than acceptance
- Dutch DPA: 50 organisations warned Apr 2025, 3-month remediation, plans for 500/year


REQUIREMENTS FOR CMP

CHECK: blocks all non-essential cookies before consent
CHECK: provides granular category control
CHECK: stores consent records with timestamp and policy version
CHECK: integrates with tag manager to enforce consent choices
CHECK: provides "withdraw consent" functionality
CHECK: generates consent string (TCF if programmatic advertising)
CHECK: accessible (WCAG 2.1 AA compliant banner)
CHECK: responsive (works on mobile devices)

COMMON CMPs

TOOL: Cookiebot (Usercentrics) — EU-based, auto-scanning, TCF certified
TOOL: OneTrust — enterprise, comprehensive, expensive
TOOL: CookieYes — budget option, adequate for small sites
TOOL: Klaro — open-source, self-hosted option
TOOL: Osano — mid-range, good UX

CMP PITFALLS

TRAP: CMP configured but tag manager still fires before consent.
TRAP: CMP scans cookie list once, never updated as new scripts added.
TRAP: CMP categorises analytics cookies as "functional" to avoid consent.
TRAP: CMP dark pattern templates selected by default.
TEST: disable all consent → verify zero non-essential cookies set (browser DevTools).
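Added example, not from the original page: the "disable all consent" test above as a check over a cookie snapshot, either the `document.cookie` string copied from DevTools or the `Set-Cookie` headers from a response. The allowlist entries and the sample snapshots are constructed; `_ga` and `_fbp` are the widely known Google Analytics and Meta Pixel cookie names.

```javascript
// Added example (not from the original page): audit the cookies present after
// "reject all" against the allowlist of strictly-necessary cookies.
// Allowlist names are constructed for illustration.
const STRICTLY_NECESSARY = [
  [/^sessionid$/, 'login session'],
  [/^csrftoken$/, 'CSRF protection'],
  [/^cart$/, 'shopping cart'],
  [/^cookie_consent$/, 'stores the consent choice itself'],
];

// Parse either a document.cookie string ("a=1; b=2") or an array of
// Set-Cookie header values into cookie names.
function cookieNames(snapshot) {
  const items = Array.isArray(snapshot) ? snapshot : snapshot.split(';');
  return items
    .map((c) => c.trim().split(';')[0].split('=')[0].trim())
    .filter((name) => name.length > 0);
}

// With consent declined (or not yet given) the only cookies present should be
// the allowlisted ones. Every other cookie is a finding to chase back to the
// script or tag-manager trigger that set it.
function auditPreConsentCookies(snapshot) {
  const violations = [];
  for (const name of cookieNames(snapshot)) {
    const allowed = STRICTLY_NECESSARY.some(([re]) => re.test(name));
    if (!allowed) violations.push(name);
  }
  return { ok: violations.length === 0, violations };
}

// Constructed snapshot as document.cookie would show it after opening the site
// and clicking "reject all": _ga (analytics) and _fbp (marketing) should not be there.
const SAMPLE_REJECTED_SNAPSHOT =
  'sessionid=s1; csrftoken=t1; cookie_consent=rejected; _ga=GA1.1.1; _fbp=fb.1.1';

// Constructed Set-Cookie headers from a first response with no consent yet.
const SAMPLE_SET_COOKIE_HEADERS = [
  'sessionid=s1; Path=/; HttpOnly; Secure; SameSite=Lax',
  'cart=c1; Path=/; Secure',
  '_ga=GA1.1.1; Path=/; Max-Age=63072000',
];
```

Run it against a fresh profile (no stored consent) and again after "reject all"; both snapshots must come back `ok`. The same check, run monthly, covers the TRAP above where the CMP's cookie list was scanned once and never updated as scripts were added.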


TCF 2.2 → 2.3

PURPOSE: standardised consent signal for programmatic advertising ecosystem
SCOPE: publishers, advertisers, ad tech vendors in IAB ecosystem
NOT_REQUIRED_IF: no programmatic advertising on client platform

TCF 2.2 (current baseline)

STATUS: compliance table stakes for ad tech since 2023
KEY_FEATURES: vendor-level consent, per-purpose consent, legitimate interest options

TCF 2.3 (mandatory from Mar 1, 2026)

LAUNCHED: Apr 2025
ADOPTION_DEADLINE: Feb 28, 2026 (implementation)
ENFORCEMENT: Mar 1, 2026 (TC strings without disclosedVendors segment = non-compliant)

KEY_CHANGES:
- disclosedVendors section becomes mandatory in TC string
- legitimate interest removed as legal basis for Purposes 3, 4, 5, 6 (ad/content personalisation) — consent only
- tighter vendor disclosure requirements

PURPOSE_DEFINITIONS (relevant):
- Purpose 1: Store/access information on a device
- Purpose 2: Select basic ads
- Purpose 3: Create personalised ads profile (consent only under v2.3)
- Purpose 4: Select personalised ads (consent only under v2.3)
- Purpose 5: Create personalised content profile (consent only under v2.3)
- Purpose 6: Select personalised content (consent only under v2.3)
- Purpose 7-11: Measure ad/content performance, market research, develop products

ACTION: if client uses programmatic advertising, ensure CMP supports TCF v2.3 by Feb 2026.
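Added example, not from the original page and not the IAB reference library: a presence check for the disclosedVendors segment that the ENFORCEMENT line above makes mandatory. It relies on the TCF v2 string layout ('.'-separated base64url segments, a 6-bit version field at the start of the core segment, a 3-bit segment type at the start of every other segment: 1 = disclosedVendors, 2 = allowedVendors, 3 = publisherTC). The sample strings are constructed with zeroed payloads and are not real consent records.

```javascript
// Added example (not from the original page): detect whether a TC string
// carries the disclosedVendors segment. Presence only; full validity needs a
// real decoder.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// The six bits encoded by a segment's first character.
function firstCharValue(segment) {
  if (!segment) throw new Error('empty segment');
  const v = B64URL.indexOf(segment[0]);
  if (v < 0) throw new Error(`not base64url: ${segment[0]}`);
  return v;
}

// Non-core segment: the top 3 of the first 6 bits are the segment type.
function segmentType(segment) {
  return firstCharValue(segment) >> 3;
}

function analyseTcString(tc) {
  const segments = tc.trim().split('.');
  const version = firstCharValue(segments[0]); // TCF 2.x strings encode 2 here
  const types = segments.slice(1).map(segmentType);
  return {
    version,
    hasDisclosedVendors: types.includes(1),
    hasAllowedVendors: types.includes(2),
    hasPublisherTC: types.includes(3),
    segmentTypes: types,
  };
}

// The page's rule: from 1 Mar 2026 a TC string without disclosedVendors is
// non-compliant. A version other than 2 is rejected outright.
function meetsTcf23SegmentRule(tc) {
  const a = analyseTcString(tc);
  return a.version === 2 && a.hasDisclosedVendors;
}

// Constructed strings: correct leading characters ('C' = version 2,
// 'I' = disclosedVendors, 'Y' = publisherTC), zeroed payloads.
const CORE_ONLY = 'CAAAAAAAAAAAAAAAAAAAAAAAAAAA';
const WITH_DISCLOSED_VENDORS = 'CAAAAAAAAAAAAAAAAAAAAAAAAAAA.IAAAAAAAAAAA.YAAAAAAAAAAA';
```

Useful as a smoke test in the CMP regression suite: read the string the CMP writes (the `euconsent-v2` cookie or the `__tcfapi` callback) after a test consent and assert `meetsTcf23SegmentRule` on it; a CMP still emitting the 2.2 shape fails here before it fails in a vendor audit.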


SERVER-SIDE ANALYTICS ALTERNATIVES

THE SHIFT

Regulatory pressure is pushing analytics toward server-side, first-party approaches.
EU Digital Omnibus (proposed Nov 2025): cookies for "aggregated audience measurement for controller's own use" may become consent-exempt EU-wide.
NOT YET LAW — needs Parliament and Council approval.

QUALIFYING ARCHITECTURE

To qualify for first-party analytics exemption (where available):

CHECK: data stays on your own infrastructure (not sent to third-party)
CHECK: no cross-site tracking capability
CHECK: no user profiling (only aggregate statistics)
CHECK: no data sharing with any third party
CHECK: IP anonymisation (remove at minimum last octet)
CHECK: cookie duration max 13 months
CHECK: server-side processing only — no client-side fingerprinting
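Added example, not from the original page or from any of the tools listed: the server-side ingestion step that the CHECK lines above amount to, in Node-style JavaScript. The client IP is anonymised before anything is stored and only aggregate counters exist. The IPv4 rule is the page's minimum (zero the last octet); the IPv6 rule (keep the first 48 bits), the event shape and the sample hits (documentation-range addresses) are assumptions for illustration.

```javascript
// Added example (not from the original page): anonymise IPs on ingestion and
// keep aggregate statistics only.

// Expand an IPv6 address with a "::" gap into its eight 16-bit groups.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error(`invalid IPv6: ${ip}`);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) throw new Error(`invalid IPv6: ${ip}`);
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  if (groups.some((g) => !/^[0-9a-fA-F]{1,4}$/.test(g))) throw new Error(`invalid IPv6: ${ip}`);
  return groups;
}

// IPv4: zero the last `octets` octets (the page's minimum is one).
// IPv6: keep the first three groups (/48, an assumption) and zero the rest.
function anonymiseIp(ip, octets = 1) {
  if (ip.includes(':')) {
    return expandIpv6(ip).slice(0, 3).join(':') + '::';
  }
  if (octets < 1 || octets > 4) throw new Error('octets must be 1..4');
  const parts = ip.split('.');
  const valid = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  if (!valid) throw new Error(`invalid IPv4: ${ip}`);
  for (let i = 4 - octets; i < 4; i++) parts[i] = '0';
  return parts.join('.');
}

// Aggregate store: page views per path plus the number of distinct anonymised
// networks seen per path. There is no per-visitor record, so nothing here can
// be joined back to a person or across sites.
function createAggregateStore() {
  const pageViews = new Map();
  const networks = new Map(); // path -> Set of anonymised IPs
  return {
    ingest(event) {
      const { path } = event;
      const network = anonymiseIp(event.ip); // the raw IP is not retained
      pageViews.set(path, (pageViews.get(path) || 0) + 1);
      if (!networks.has(path)) networks.set(path, new Set());
      networks.get(path).add(network);
    },
    report() {
      const out = {};
      for (const [path, views] of pageViews) {
        out[path] = { views, networks: networks.get(path).size };
      }
      return out;
    },
  };
}

// Constructed hits using documentation-range addresses, not real visitors.
const SAMPLE_HITS = [
  { path: '/', ip: '203.0.113.45' },
  { path: '/', ip: '203.0.113.200' },
  { path: '/pricing', ip: '198.51.100.7' },
  { path: '/', ip: '2001:db8:85a3::8a2e:370:7334' },
];

function runSample() {
  const store = createAggregateStore();
  for (const hit of SAMPLE_HITS) store.ingest(hit);
  return store.report();
}
```

The design point is where the anonymisation sits: inside `ingest`, before any write, so a raw address never reaches storage, logs or a third party. Two visitors from the same /24 collapse into one network in the report, which is the intended loss of precision.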

COMPLIANT TOOLS

TOOL: Matomo (self-hosted) — can be configured for consent-free use (CNIL approved)
TOOL: Plausible — privacy-focused, no cookies, EU-hosted
TOOL: Fathom — privacy-focused, no personal data processing
TOOL: Umami — open-source, self-hosted, no cookies
TOOL: PostHog (self-hosted) — can be configured for first-party only

GOOGLE ANALYTICS — STATUS

GA4: sends data to Google servers — NOT consent-exempt anywhere.
GOOGLE_CONSENT_MODE_V2: widely adopted but 67% of implementations fail compliance.
ADVANCED_MODE: legality uncertain — may fire tags without consent (data modelling).
BASIC_MODE: only fires tags after consent — safer but limited data.
RECOMMENDATION: use self-hosted alternative for consent-exempt analytics.
KEEP GA4 behind consent wall for advertising measurement only.


GOOGLE CONSENT MODE V2

HOW IT WORKS

Consent Mode sends consent signals to Google tags.
Tags adjust behaviour based on consent state.

TWO MODES

BASIC_MODE: tags only fire after consent granted — no data without consent.
ADVANCED_MODE: tags fire without consent but send cookieless pings for modelling.

LEGAL_RISK: Advanced Mode may violate ePrivacy (accessing device information without consent).
CNIL: has not explicitly approved Advanced Mode.
DUTCH_DPA: no explicit guidance yet.
SAFE_CHOICE: Basic Mode only.

IMPLEMENTATION

CHECK: consent mode configured before any Google tags load
CHECK: default state = denied for all parameters
CHECK: update state only after explicit user consent
CHECK: test with Tag Assistant to verify no tags fire before consent
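Added example, not from the original page and not Google's own snippet: the Consent Mode v2 wiring in the order the IMPLEMENTATION checks require, default denied first, update only after an explicit choice. `gtag` and `dataLayer` are simulated so the logic runs outside a browser; in a page the standard snippet is `window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);}` placed before any Google tag. The mapping from CMP categories to consent signals and the Basic Mode loading rule are assumptions for illustration.

```javascript
// Added example (not from the original page): Consent Mode v2 default/update
// ordering with a category-to-signal mapping (assumed).

// Consent Mode v2 signals. ad_user_data and ad_personalization are the two
// added in v2; security_storage covers strictly-necessary storage.
const CATEGORY_TO_SIGNALS = {
  necessary: ['security_storage'],
  functional: ['functionality_storage', 'personalization_storage'],
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Translate CMP category choices into a consent-mode parameter object.
// Anything not actively granted is 'denied'; necessary is always granted.
function consentParams(choices) {
  const params = {};
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const granted = category === 'necessary' || choices[category] === true;
    for (const s of signals) params[s] = granted ? 'granted' : 'denied';
  }
  return params;
}

// Wrapper that enforces the ordering: the all-denied default must be pushed
// before any tag loads and before any update.
function createConsentMode(gtag) {
  let defaultSent = false;
  let updated = false;
  let current = consentParams({});
  return {
    sendDefault() {
      // wait_for_update gives the CMP time to restore a stored choice before tags act
      gtag('consent', 'default', { ...current, wait_for_update: 500 });
      defaultSent = true;
    },
    update(choices) {
      if (!defaultSent) throw new Error('consent default must be sent before any update');
      current = consentParams(choices);
      updated = true;
      gtag('consent', 'update', current);
    },
    state() {
      return { ...current };
    },
    // Basic Mode (assumed rule): load gtag.js / GTM only after the user answered
    // the banner and granted at least one non-essential signal; otherwise nothing loads.
    basicModeShouldLoadTags() {
      return updated && Object.entries(current).some(([k, v]) => k !== 'security_storage' && v === 'granted');
    },
  };
}

// Replay the dataLayer the way a tag would see it: later entries win.
function effectiveConsent(dataLayer) {
  const state = {};
  for (const entry of dataLayer) {
    if (entry[0] !== 'consent') continue;
    for (const [k, v] of Object.entries(entry[2])) {
      if (k !== 'wait_for_update') state[k] = v;
    }
  }
  return state;
}

// Simulate a visit: default first, then the user's banner choice.
function simulateConsentMode(choices) {
  const dataLayer = [];
  const gtag = (...args) => dataLayer.push(args);
  const cm = createConsentMode(gtag);
  cm.sendDefault();
  const beforeUpdate = effectiveConsent(dataLayer);
  const loadBefore = cm.basicModeShouldLoadTags();
  cm.update(choices);
  return {
    beforeUpdate,
    loadBefore,
    after: effectiveConsent(dataLayer),
    loadAfter: cm.basicModeShouldLoadTags(),
    dataLayer,
  };
}
```

`effectiveConsent` is the same replay Tag Assistant shows in its consent tab; running it over the captured `dataLayer` in a test is the offline version of the last CHECK above. The `update` guard turns the most common mistake (a CMP that pushes `update` from a callback that can run before the default snippet) into a thrown error instead of a silent pre-consent fire.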


IMPLEMENTATION CHECKLIST

PRE-LAUNCH:
CHECK: cookie audit completed (full inventory of all cookies and tracking)
CHECK: cookies categorised (necessary, functional, analytics, marketing)
CHECK: CMP configured and tested
CHECK: all non-essential scripts blocked before consent
CHECK: accept and reject equally prominent
CHECK: consent log mechanism active
CHECK: cookie policy published (linked from banner and footer)
CHECK: privacy policy updated with cookie information
CHECK: withdrawal mechanism accessible

POST-LAUNCH:
CHECK: regular cookie audits (monthly — new scripts may introduce new cookies)
CHECK: CMP configuration reviewed after each release
CHECK: consent rates monitored (unusually high accept = possible dark pattern)
CHECK: DPA guidance monitored for country-specific changes


READ_ALSO: domains/privacy/index.md, domains/privacy/gdpr-implementation.md, domains/privacy/pitfalls.md