GDPR Cookie Compliance Checklist (2026) — Everything Your Website Needs
Fines for cookie violations have surpassed €300 million since 2019, most of them levied by national regulators under the ePrivacy rules that borrow GDPR's definition of consent. The top two causes: non-compliant consent banners and cookies that fire before users give permission. This checklist covers the requirements your website needs to meet, from the initial cookie audit to maintaining consent records.
Use it as a practical audit tool: work through each item, check it off, and fix what's missing. A fully compliant website isn't just about avoiding fines — it's a trust signal that increasingly affects conversion rates as privacy-aware users become the norm.
Conduct a Full Cookie Audit
Before you can comply with GDPR, you need to know exactly which cookies your site sets — including third-party cookies from analytics, advertising, and embedded widgets. Run a thorough scan to catalogue every cookie by name, provider, duration, and category. Without this baseline, any compliance claim is guesswork.
Categorise Cookies Correctly
GDPR itself names no cookie categories; the classification that regulators and consent tools converge on is strictly necessary (exempt from consent under the ePrivacy Directive because the cookie is needed to deliver a service the user explicitly requested), functional/preferences, analytics/statistics, and marketing/advertising. Misclassifying a marketing pixel as "functional" or "necessary" is a common violation that regulators actively look for: the exemption covers a login session or a shopping basket, not a tracker. Each category must be disclosed accurately in your consent UI.
Obtain Consent Before Non-Essential Cookies Fire
Non-essential cookies, such as analytics, advertising, and social media trackers, must not load until the user has given explicit, informed consent. This is one of the most frequently violated rules: pre-ticking consent boxes or loading Google Analytics before consent is given both constitute violations. Your tag manager or cookie script must enforce this gate by not injecting the script at all until consent is recorded; a script that is loaded and then told to pause has typically already set its cookies.
Use Opt-In (Not Opt-Out) for Marketing Cookies
GDPR requires freely given, specific, informed, and unambiguous consent. Pre-checked boxes or opt-out banners ("we use cookies, continue browsing to accept") do not meet this standard. Marketing and advertising cookies require a clear affirmative action — a user clicking "Accept" or toggling on a category.
Provide Granular Consent Choices
Users must be able to accept or decline individual cookie categories, not just accept-all or reject-all. Bundling consent for analytics with consent for advertising removes the "specific" element required by GDPR. Your consent banner must expose at minimum the major categories as separate toggles.
Make Consent Withdrawal as Easy as Giving It
GDPR Article 7(3) requires that users can withdraw consent at any time, as easily as they gave it. This means a persistent link or widget — often a floating button or footer link — that reopens the consent preferences panel. Burying the withdrawal mechanism in a 3-click privacy settings page fails this requirement.
Eliminate Dark Patterns from Your Consent UI
Regulators across the EU have issued fines specifically for dark patterns in cookie banners: making the "Reject All" button smaller or greyed-out, hiding it behind additional clicks, or using confusing language like "I agree to necessary cookies only" when it actually means accept-all. The accept and reject options must be equally prominent.
Publish a Detailed Cookie Policy Page
Your privacy or cookie policy must list every cookie your site uses: its name, provider, purpose, duration, and whether it's first-party or third-party. The policy must be linked from your consent banner and easily accessible from every page (typically in the footer). Vague policies like "we use cookies to improve your experience" are insufficient.
Respect Cookie Retention Periods
Each cookie should only persist for as long as necessary for its stated purpose. Regulatory guidance (CNIL's, for example) suggests analytics cookies should expire within 13 months; advertising cookies should expire sooner. Setting all cookies to a 2-year expiration regardless of purpose is a risk signal. Review and justify each cookie's Max-Age or Expires attribute; when both are present, browsers apply Max-Age and ignore Expires (RFC 6265), so audit the one that actually takes effect.
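The audit in "Conduct a Full Cookie Audit" and the retention review above are the same pass over the same data, so here is one added example covering both. It is not CookieGuard's or any vendor's code: it parses Set-Cookie headers one at a time, derives the effective lifetime (Max-Age first, then Expires, else session), decides first- versus third-party from the cookie's effective domain, looks the name up in a category catalogue, and flags anything unclassified or past its retention ceiling. The cookie-name catalogue, the ceilings, and the sample headers are constructed for illustration.

```javascript
// Added example (not CookieGuard or any vendor's code): audit Set-Cookie
// headers for provider, party, category and lifetime. The catalogue,
// ceilings and sample headers below are constructed for illustration.

const DAY_SECONDS = 86400;
const THIRTEEN_MONTHS_DAYS = 396; // assumed rounding of the 13-month guidance figure

// Assumed name -> category catalogue; a real audit fills this from the scan.
const KNOWN_COOKIES = {
  session_id: "necessary",
  lang: "functional",
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
};

// Assumed retention ceilings in days per category. 13 months follows the
// analytics guidance cited in the text; marketing should be shorter still,
// so replace these with the values you can justify.
const MAX_LIFETIME_DAYS = {
  functional: THIRTEEN_MONTHS_DAYS,
  analytics: THIRTEEN_MONTHS_DAYS,
  marketing: THIRTEEN_MONTHS_DAYS,
};

// Parse one Set-Cookie header value. Feed headers one at a time: an Expires
// value contains a comma, so a joined header cannot be split on commas.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

// Lifetime in seconds from `now`, or null for a session cookie.
// Per RFC 6265, Max-Age takes precedence over Expires when both are present.
function lifetimeSeconds(cookie, now) {
  if ("max-age" in cookie.attrs) return parseInt(cookie.attrs["max-age"], 10);
  if ("expires" in cookie.attrs) {
    const t = Date.parse(cookie.attrs.expires);
    return Number.isNaN(t) ? null : Math.round((t - now.getTime()) / 1000);
  }
  return null;
}

// First-party if the cookie's effective domain is the site's registrable
// domain or a subdomain of it; otherwise third-party.
function party(cookie, responseHost, siteDomain) {
  const domain = (cookie.attrs.domain || responseHost).replace(/^\./, "").toLowerCase();
  return domain === siteDomain || domain.endsWith("." + siteDomain) ? "first-party" : "third-party";
}

// entries: [{ host, header }] where host is the server that sent the header.
function auditCookies(entries, siteDomain, now) {
  return entries.map(({ host, header }) => {
    const cookie = parseSetCookie(header);
    const secs = lifetimeSeconds(cookie, now);
    const lifetimeDays = secs === null ? null : Math.round(secs / DAY_SECONDS);
    const category = KNOWN_COOKIES[cookie.name] || "unclassified";
    const flags = [];
    if (category === "unclassified") flags.push("unclassified");
    if (lifetimeDays !== null && category in MAX_LIFETIME_DAYS && lifetimeDays > MAX_LIFETIME_DAYS[category]) {
      flags.push("exceeds-retention");
    }
    return {
      name: cookie.name,
      provider: host,
      party: party(cookie, host, siteDomain),
      category,
      lifetimeDays,
      secure: "secure" in cookie.attrs,
      flags,
    };
  });
}

// Constructed sample: what a scan of example.com might return.
const SAMPLE_COOKIES = [
  { host: "www.example.com", header: "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax" },
  { host: "www.example.com", header: "_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000" },
  { host: "ads.tracker.example", header: "_fbp=fb.1.222; Expires=Wed, 15 Jul 2026 10:00:00 GMT; Path=/" },
  { host: "www.example.com", header: "lang=en; Path=/; Max-Age=31536000" },
  { host: "cdn.widget.example", header: "wid=xyz; Max-Age=86400" },
];
const AUDIT_NOW = new Date("2026-01-15T10:00:00Z");

if (typeof require !== "undefined" && require.main === module) {
  console.table(auditCookies(SAMPLE_COOKIES, "example.com", AUDIT_NOW));
}
```

In the sample, the two-year `_ga` cookie is flagged for retention, the widget cookie is flagged as unclassified so that someone has to decide its category before the policy is published, and the cookie from `ads.tracker.example` is reported as third-party even though the page that embedded it is yours. Headers can be captured from a headless browser or proxy; the point of keeping `now` explicit is that an Expires-based lifetime only means something relative to when the header was captured.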
Maintain Records of Consent (Consent Logs)
GDPR's accountability principle (Article 5(2)) and Article 7(1) require you to be able to demonstrate that consent was given. This means logging a timestamped record of each user's consent: which categories they accepted or declined, when, which banner and policy version was shown, and a way to tie the record to the user (a random consent ID stored alongside the preference cookie, rather than a full IP address, which is itself personal data you would then have to justify keeping). Without these logs you cannot answer a regulator's audit or a user's access request about what they agreed to. Most CMPs handle this automatically.
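The consent gate, the per-category choices, the one-step withdrawal and the consent log described in the sections above are one piece of state seen from four sides, so here is a single added example covering all of them. It is not any CMP's code: the names ConsentManager, BANNER_VERSION and loadScript are this example's own, loadScript is injected so the logic runs outside a browser, and the tag URLs in the walk-through are placeholders.

```javascript
// Added example (not any CMP's code): consent state that gates non-essential
// tags, exposes per-category choices and withdrawal, and keeps an
// accountability log. ConsentManager, BANNER_VERSION and the injected
// loadScript callback are this example's own names.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const BANNER_VERSION = "2026-01-v3"; // assumed: bump whenever banner text or vendor list changes

class ConsentManager {
  constructor({ loadScript, now = () => new Date() }) {
    this.loadScript = loadScript; // in a browser: append a <script> element
    this.now = now;
    // Nothing non-essential is permitted until the user acts.
    this.state = { necessary: true, functional: false, analytics: false, marketing: false };
    this.pending = []; // registered tags whose category is not yet permitted
    this.loaded = [];
    this.log = [];
  }

  // Register a tag; it loads only once its category has been consented to.
  register(tag) {
    if (!CATEGORIES.includes(tag.category)) throw new Error(`unknown category: ${tag.category}`);
    this.pending.push(tag);
    this.flush();
  }

  flush() {
    const stillBlocked = [];
    for (const tag of this.pending) {
      if (this.state[tag.category]) {
        this.loadScript(tag.src);
        this.loaded.push(tag.name);
      } else {
        stillBlocked.push(tag);
      }
    }
    this.pending = stillBlocked;
  }

  // Apply an explicit user action. `choices` maps category -> boolean;
  // "necessary" is always on and cannot be switched off. Returns the log entry.
  update(choices, action) {
    const next = { ...this.state };
    for (const c of CATEGORIES) {
      if (c !== "necessary" && c in choices) next[c] = Boolean(choices[c]);
    }
    this.state = next;
    const entry = {
      at: this.now().toISOString(),
      action,
      bannerVersion: BANNER_VERSION,
      choices: { ...next },
    };
    this.log.push(entry);
    this.flush();
    return entry;
  }

  acceptAll() { return this.update(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept_all"); }
  rejectAll() { return this.update(Object.fromEntries(CATEGORIES.map((c) => [c, false])), "reject_all"); }

  // Withdrawal is one call, the same as granting. It blocks future loads; a
  // script already running must additionally be told to stop through the
  // vendor's own consent API, which this example does not model.
  withdraw(category) { return this.update({ [category]: false }, `withdraw:${category}`); }

  // A stored record from an older banner version must not be reused as consent.
  static isCurrent(entry) { return Boolean(entry) && entry.bannerVersion === BANNER_VERSION; }
}

// Constructed walk-through with placeholder tag URLs.
function demo() {
  const fetched = [];
  const cm = new ConsentManager({
    loadScript: (src) => fetched.push(src),
    now: () => new Date("2026-01-15T10:00:00Z"),
  });
  cm.register({ name: "analytics-tag", category: "analytics", src: "https://analytics.example/tag.js" });
  cm.register({ name: "ad-pixel", category: "marketing", src: "https://ads.example/pixel.js" });
  const beforeConsent = fetched.length;               // nothing fires before the user acts
  cm.update({ analytics: true }, "save_preferences"); // granular: analytics only, marketing stays blocked
  cm.withdraw("analytics");                           // one call, same as granting
  return { beforeConsent, fetched, state: cm.state, log: cm.log };
}
```

The walk-through registers two tags before any consent exists, grants analytics alone, then withdraws it: only the analytics script is ever fetched, the ad pixel never leaves `pending`, and the log holds two entries each carrying the banner version, which is what `isCurrent` checks on a return visit so that a record captured under an old banner triggers a fresh prompt instead of silently re-enabling tags.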
Audit and Control Third-Party Cookies
Cookies set by third-party scripts you embed (analytics tools, chat widgets, ad networks, social sharing buttons) are your responsibility under GDPR. You must identify these in your record of processing activities (Article 30), include them in your cookie policy, and ensure they are blocked until consent is given. Many site owners are unaware of the full extent of third-party cookies on their pages, and embedded scripts can in turn load further scripts, so an audit must capture what the page actually sets, not what the integration list says.
Have Data Processing Agreements with Cookie Vendors
When third-party services process personal data via cookies on your site (Google Analytics, Meta Pixel, Hotjar, etc.), you need a contract governing that processing. Where the vendor acts only on your instructions, as with analytics or session replay, that is an Article 28 Data Processing Agreement (DPA) defining how data is processed, stored, and protected. Where the vendor also uses the data for its own purposes, as ad networks do (the CJEU's Fashion ID ruling treated a site embedding Facebook's Like button as a joint controller for the data collection), the relevant instrument is a joint-controller arrangement under Article 26. Most major vendors offer standard terms; ensure you've accepted them in the vendor's settings.
Address Cross-Border Data Transfers
Many popular cookie-based services (Google Analytics, Meta) transfer data to servers in the United States. Post-Schrems II, you must have a legal basis for these transfers. Since July 2023 the EU-US Data Privacy Framework adequacy decision covers vendors certified under it; for any vendor that is not certified, Standard Contractual Clauses (SCCs) together with a transfer impact assessment remain the usual mechanism. Regulators in Austria, France, Italy, and Denmark all found Google Analytics violations on this specific ground before the framework was adopted, so check each vendor's certification status rather than assuming it.
Apply the Same Rules to Mobile Web and Apps
GDPR's cookie requirements (technically from the ePrivacy Directive) apply to all cookies and similar tracking technologies regardless of device. Mobile web browsers are fully in scope. Mobile apps that use device identifiers (IDFA, AAID) for tracking require equivalent consent. Don't assume compliance on desktop covers your mobile experience.
Schedule Regular Compliance Reviews
Cookie landscapes change: new integrations get added, third-party services update their tracking pixels, and regulatory guidance evolves. A compliance setup that was correct 6 months ago may no longer be after a marketing team adds a new ad platform. Schedule quarterly cookie audits and update your consent banner and policy accordingly.
Quick-Reference Summary
Automate Your Cookie Compliance
CookieGuard auto-detects every cookie on your site, classifies them by GDPR category, and generates a fully compliant consent banner — no spreadsheets, no guesswork.