European data protection authorities have issued hundreds of millions of euros in GDPR-related fines since 2018. A significant share of these penalties concerns failures in collecting cookie consent. Yet the majority of cookie banners across European websites contain compliance defects. An audit by Cookiebot in 2023 across 2.3 million European sites revealed that 65% of cookie banners did not meet GDPR requirements. Cookie banner GDPR compliance is not simply about displaying a pop-up: it determines the legality of your data collection and the reliability of your analytics.
What GDPR Requires for Cookies: The Rules Summarised
The GDPR (General Data Protection Regulation), in effect since May 2018, governs the collection of personal data. The ePrivacy Directive specifically regulates the use of cookies and trackers. National data protection authorities across Europe have published detailed guidelines that serve as the reference for any site targeting EU users.
The legal framework imposes several non-negotiable requirements. Consent must be freely given, specific, informed, and unambiguous. Concretely, the user must be able to accept or refuse cookies with equal ease. A prominent "Accept" button paired with a discreet "Settings" link in small text does not satisfy the symmetry requirement. Multiple sites have been sanctioned on this precise point.
Strictly necessary cookies (session cookies, shopping cart, display preferences) are exempt from consent. All others, notably analytics cookies (Google Analytics, Hotjar) and advertising cookies (Meta Pixel, Google Ads), require prior consent. No non-essential cookie may be placed before the user has expressed their choice. Scrolling or continuing to browse does not constitute consent.
Consent must be withdrawable at any time, as easily as it was given. A permanent link to cookie settings (in the footer or via a floating icon) satisfies this obligation. Proof of consent must be retained by the data controller, including the date, the content of the choice, and the banner version.
Compliance Errors That Put Your Site at Risk
Certain practices remain widespread despite their illegality. The "cookie wall" (blocking content until the user accepts cookies) has been ruled non-compliant by authorities except in very specific cases where a cookie-free alternative is offered. Conditioning content access on tracker acceptance violates the principle of freely given consent.
Placing cookies before the user's choice is a frequent violation. A simple test: open your site in a private browsing window, open developer tools (Application tab > Cookies), and observe the cookies set before any interaction with the banner. If Google Analytics, Facebook, or advertising cookies already appear, your implementation is non-compliant.
Consent renewal is often neglected. Guidelines specify that consent expires after 13 months maximum. After this period, the banner must reappear. Many CMPs store consent indefinitely in a cookie that never expires.
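The 13-month limit and the proof-of-consent fields (date, content of the choice, banner version) can be checked together against a stored record. The sketch below is an added example, not code from a CMP: the record field names and both sample records are constructed, and it treats a record with missing proof fields as unusable.

```javascript
// Added example; the record field names are hypothetical, not a CMP's schema.
const MAX_CONSENT_MONTHS = 13;
const PROOF_FIELDS = ['givenAt', 'choices', 'bannerVersion'];

// Calendar-month addition in UTC, clamped to the last day of the target month.
function addMonths(date, months) {
  const d = new Date(date.getTime());
  const day = d.getUTCDate();
  d.setUTCDate(1);
  d.setUTCMonth(d.getUTCMonth() + months);
  const lastDay = new Date(Date.UTC(d.getUTCFullYear(), d.getUTCMonth() + 1, 0)).getUTCDate();
  d.setUTCDate(Math.min(day, lastDay));
  return d;
}

// Returns whether the banner must be shown again, and why.
function checkConsentRecord(record, now) {
  const problems = PROOF_FIELDS
    .filter((f) => record[f] === undefined)
    .map((f) => `missing proof field: ${f}`);
  const givenAt = new Date(record.givenAt);
  if (Number.isNaN(givenAt.getTime())) {
    return { reprompt: true, problems: [...problems, 'no usable consent date'] };
  }
  const deadline = addMonths(givenAt, MAX_CONSENT_MONTHS);
  if (now >= deadline) problems.push('consent older than 13 months');
  // A stored expiry beyond the deadline is the "never expires" defect.
  if (record.expiresAt && new Date(record.expiresAt) > deadline) {
    problems.push('stored expiry exceeds 13 months');
  }
  return { reprompt: problems.length > 0, problems };
}

// Constructed sample records.
const freshRecord = {
  givenAt: '2024-01-15T10:00:00Z',
  choices: { analytics: true, marketing: false },
  bannerVersion: 'v3',
  expiresAt: '2025-02-15T10:00:00Z',
};
const staleRecord = {
  givenAt: '2023-01-31T00:00:00Z',
  choices: { analytics: true, marketing: true },
  expiresAt: '9999-12-31T00:00:00Z',
};
```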
Approximate cookie categorisation creates a distinct problem. Classifying Google Analytics as a "strictly necessary cookie" to avoid the drop in analytics traffic does not withstand regulatory scrutiny. GA4 is a third-party analytics tracker that requires consent, except under a specific anonymised configuration (no data transmission to Google, no cross-referencing with other Google services, limited cookie lifetime).
Choosing the Right CMP: Criteria and Comparison
A CMP (Consent Management Platform) manages the collection, storage, and transmission of the consent signal. The CMP choice impacts legal compliance, user experience, and analytics data quality. Two solutions dominate the European SME market.
Cookiebot (Usercentrics) offers an automatic scan of cookies present on the site, assisted categorisation, and native integration with Google Consent Mode. Paid plans start around 12 euros per month for sites with up to 100 pages. Multi-domain management is available on higher plans. Key strength: the most comprehensive cookie database on the market, which automatically identifies and categorises detected trackers.
Axeptio distinguishes itself through polished design and a refined user experience. Consent rates measured with Axeptio regularly exceed those of more austere banners, which translates to a lower impact on your GA4 data. Pricing starts around 19 euros per month. Integration with GTM and Consent Mode works via a dedicated template.
Selection criteria go beyond price. Verify compatibility with Google Consent Mode v2 (mandatory since March 2024 for Google Ads advertisers). Ensure the CMP handles TCF 2.2 (Transparency and Consent Framework) if you run programmatic advertising. Check the quality of the cookie scan: an incomplete scan leaves trackers uncategorised, therefore not covered by consent.
For businesses operating across borders, dual compliance with GDPR and local data protection laws adds a layer of complexity. Both Cookiebot and Axeptio offer multi-regulatory configurations, but the setup requires particular attention to geolocation rules and the legal texts displayed.
Impact of the Cookie Banner on Your Analytics Data
The consent rate determines the volume of data GA4 receives. Across Europe, cookie acceptance rates range between 55% and 75% depending on the sector, banner design, and site type. Each percentage point of consent gained translates directly into additional data in your reports.
A poorly designed banner (text too long, low-contrast colours, "Decline" button hidden behind an extra click) can push the consent rate below 50%. Analytics traffic halves, advertising audiences shrink, and Google Ads automated bidding algorithms work with impoverished signals.
Optimising the consent rate involves concrete levers: concise text that clearly explains the purpose of cookies (one sentence, not three legal paragraphs); a symmetrical design where "Accept" and "Decline" carry equal visual weight; a banner position that does not obstruct the main content; and A/B tests on wording and design, within the bounds of compliance.
Google's Consent Mode v2 provides a technical response to data loss. When a user refuses cookies, Consent Mode sends anonymised pings to Google. This modelled data allows GA4 and Google Ads to partially fill the statistical gap created by consent refusals. The CMP must correctly transmit the ad_storage, analytics_storage, ad_user_data, and ad_personalization signals for this mechanism to work.
Technical Setup: GTM and Consent Mode
The technical implementation of the cookie banner revolves around Google Tag Manager and Consent Mode. The standard flow breaks down into four steps.
The CMP loads first, before any other tag. In GTM, the CMP tag uses the "Consent Initialization" trigger, which fires before "All Pages." This timing ensures no tag executes before the CMP has checked the consent status.
Consent Mode is configured in GTM via the consent settings of each tag. The GA4 tag depends on analytics_storage. The Google Ads tag depends on ad_storage and ad_user_data. The Meta Pixel tag depends on ad_storage. By default (before the user's choice), these consent values are set to "denied." The CMP updates these values when the user makes their choice.
Verification happens in GTM's Preview mode. Open your site in Preview mode and observe the event timeline. The CMP tag should appear first, followed by the "Consent Update" event when the user interacts with the banner. GA4 and advertising tags should only fire after this event, and only if the corresponding consent has switched to "granted."
A frequent trap: configuring Consent Mode in GTM without connecting it to the CMP. Consent Mode then stays permanently on "denied" (or permanently on "granted" if the default value is misconfigured). The two systems must communicate. Most CMPs provide a GTM template that ensures this connection. Install your CMP's official template and verify in Preview mode that consent values actually change after the banner interaction.
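The ordering rules from these four steps can be checked mechanically on a recorded sequence of gtag() commands. The following is an added example, not code from Google or any CMP: the timelines are constructed, the audit models a GA4 tag only, and it assumes the capture includes the visitor's click on the banner.

```javascript
// Added example: audits a captured sequence of gtag() commands against the
// rules described above. All timelines here are constructed sample data.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

function auditConsentTimeline(timeline) {
  const findings = [];
  let state = null;    // consent state, known once a default has been declared
  let updated = false; // becomes true when the CMP pushes the visitor's choice

  timeline.forEach(([command, arg, params], i) => {
    if (command === 'consent' && arg === 'default') {
      state = { ...params };
      for (const s of SIGNALS) {
        if (params[s] !== 'denied') findings.push(`step ${i}: default for ${s} is not "denied"`);
      }
    } else if (command === 'consent' && arg === 'update') {
      if (!state) findings.push(`step ${i}: update sent before any default`);
      state = { ...(state || {}), ...params };
      updated = true;
    } else if (command === 'config' || command === 'event') {
      // GA4 depends on analytics_storage (see the tag consent settings above).
      if (!state) {
        findings.push(`step ${i}: ${command} ran before consent default`);
      } else if (state.analytics_storage !== 'granted') {
        findings.push(`step ${i}: ${command} ran while analytics_storage is ${state.analytics_storage}`);
      }
    }
  });

  if (!updated) findings.push('no consent update seen: CMP is not connected to Consent Mode');
  return findings;
}

const denied = Object.fromEntries(SIGNALS.map((s) => [s, 'denied']));
const granted = Object.fromEntries(SIGNALS.map((s) => [s, 'granted']));

const goodTimeline = [
  ['consent', 'default', denied],
  ['consent', 'update', granted],   // visitor clicked "Accept"
  ['config', 'G-EXAMPLE'],          // placeholder measurement ID
  ['event', 'page_view'],
];
const brokenTimeline = [
  ['config', 'G-EXAMPLE'],          // tag ran before the CMP
  ['consent', 'default', { ...denied, analytics_storage: 'granted' }],
  ['event', 'page_view'],           // and the CMP never sends an update
];
```

An empty result for a timeline means none of the modelled rules was broken; it does not replace the check in GTM's Preview mode.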
Compliance Audit: The 10-Point Checklist
A cookie banner compliance audit covers the following points. These checks are performed in private browsing, on both desktop and mobile, with developer tools open.
- No non-essential cookies placed before the user's choice
- "Accept" and "Decline" buttons of equal size and legibility
- Correct categorisation of each cookie (essential, analytics, marketing, preference)
- Permanent access to cookie settings (footer or floating icon)
- Clear, concise banner text without excessive legal jargon
- Consent expiration configured (13 months maximum)
- Proof of consent stored and exportable
- Consent Mode v2 functional (verification in GTM Preview)
- No third-party script loading before consent (verification in Network tab)
- Banner functional on mobile (no inaccessible buttons, no overlapping elements)
Browser developer tools (Application tab > Cookies and Network tab) allow complete manual verification. For a thorough audit, solutions like the Cookiebot scanner identify present trackers and their categorisation.
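The two timing checks in the list (no non-essential cookie and no third-party script before the choice) can be run over data copied from the Network and Application tabs. This is an added example with a constructed capture: the allowlisted hosts (the site, its CMP, and the GTM container that hosts the CMP tag in the setup described earlier) are assumptions to replace with your own, and the cookie prefixes cover only a few well-known tracker cookies.

```javascript
// Added example: flags third-party scripts and tracker cookies seen before
// the visitor's choice. Hosts and capture data are constructed assumptions.
const ALLOWED_BEFORE_CONSENT = ['shop.example', 'cmp.example', 'www.googletagmanager.com'];
const TRACKER_COOKIE_PREFIXES = ['_ga', '_gid', '_fbp', '_gcl_'];

// A host is allowed if it is an allowlisted host or one of its subdomains.
function hostAllowed(host) {
  return ALLOWED_BEFORE_CONSENT.some((h) => host === h || host.endsWith('.' + h));
}

function auditPreConsent(capture) {
  const early = (entry) => entry.time < capture.consentTime;
  const scripts = capture.requests
    .filter((r) => early(r) && r.type === 'script')
    .map((r) => new URL(r.url).hostname)
    .filter((host) => !hostAllowed(host));
  const cookies = capture.cookies
    .filter((c) => early(c) && TRACKER_COOKIE_PREFIXES.some((p) => c.name.startsWith(p)))
    .map((c) => c.name);
  return { scripts: [...new Set(scripts)], cookies };
}

// Constructed capture; times are milliseconds after navigation start.
const sampleCapture = {
  consentTime: 5000, // moment the visitor clicked a banner button
  requests: [
    { time: 120, type: 'script', url: 'https://cmp.example/banner.js' },
    { time: 180, type: 'script', url: 'https://www.shop.example/app.js' },
    { time: 300, type: 'script', url: 'https://connect.facebook.net/en_US/fbevents.js' },
    { time: 5200, type: 'script', url: 'https://static.ads.example/tag.js' },
  ],
  cookies: [
    { time: 150, name: 'session_id' },
    { time: 350, name: '_fbp' },
    { time: 5300, name: '_ga' },
  ],
};
```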
Compliance and Performance: Finding the Balance
GDPR compliance is not an obstacle to analytics performance. Businesses that treat the cookie banner as a strategic element (rather than an endured legal obligation) achieve consent rates above 70%. This result comes from careful design, transparent wording, and rigorous technical implementation.
Consent Mode v2 complements this approach by modelling data from users who refuse consent. GA4 uses these signals to estimate the behaviour of non-consenting visitors, reducing the gap between collected data and actual traffic. Google Ads exploits the same signals to maintain the quality of its automated bidding.
Investing in compliance also protects your business long-term. GDPR fines no longer target only large corporations: SMEs and associations have received formal notices. The cost of achieving compliance (a few hours of configuration and a CMP subscription of 12 to 50 euros per month) remains negligible compared to the financial and reputational risk of a penalty.
Frequently Asked Questions
Is Google Analytics 4 subject to GDPR consent requirements?
Yes. GA4 places analytics cookies that identify visitors and collects data transmitted to Google, a US-based company. Consent is required before activating the GA4 tag. The only possible exception involves a strictly anonymised configuration, without data transfer to Google, which eliminates most GA4 functionality.
Is a 60% consent rate normal?
Consent rates vary between 55% and 75% across Europe depending on the sector and banner quality. A rate below 55% generally signals a design or wording problem. A rate above 80% warrants investigation: it may indicate a non-compliant banner (no genuine option to decline). Consent Mode v2 helps partially compensate for data loss from refusals.
Cookiebot or Axeptio: which CMP should I choose?
Cookiebot excels at automatic scanning and cookie categorisation, backed by a comprehensive database. Axeptio stands out with a more engaging design that favours higher consent rates. Both support Consent Mode v2 and TCF 2.2. The choice depends on your priorities: technical rigour (Cookiebot) or user experience (Axeptio).
Is the cookie wall legal?
Most data protection authorities consider the cookie wall (blocking content access without cookie acceptance) non-compliant in most cases. An exception exists for sites offering an equivalent alternative without cookies (a paid access option, for example). This approach remains legally fragile and is subject to evolving case law at the European level.