Cookie Compliance Template (GDPR + ePrivacy)

Cookie consent and management checklist combining GDPR consent requirements with ePrivacy Directive obligations — covering first-party, third-party, and tracking cookies.

Quick Answer

Cookie compliance requires blocking non-essential cookies by default, obtaining granular GDPR-compliant consent before dropping them, logging every consent with a timestamp, and providing an equally easy withdrawal mechanism at all times.

Compliance Checklist (8 items)

Conduct a cookie audit: inventory all cookies by type, purpose, and duration
Classify cookies: strictly necessary, functional, analytics, advertising/tracking
Block non-essential cookies by default until explicit consent is obtained
Implement a GDPR-compliant consent banner: no pre-ticked boxes, equal prominence
Log consent: timestamp, user ID, cookie categories consented to, banner version
Provide easy withdrawal: accessible at all times (e.g., footer cookie settings link)
Update cookie policy whenever new cookies are added or purposes change
Review third-party cookie providers for GDPR compliance and valid DPAs

Penalty if not compliant

Up to €20 million or 4% of global annual turnover under GDPR; plus separate national ePrivacy fines (e.g., CNIL fined Google €150M for cookie withdrawal issues).

Frequently Asked Questions

Do analytics cookies (e.g., Google Analytics) require consent?

Yes. Analytics cookies are not strictly necessary and require prior consent under ePrivacy/GDPR. Some DPAs (e.g., Austria's DSB, France's CNIL) have ruled that Google Analytics violates GDPR even with consent due to US data transfers. Privacy-friendly alternatives (Plausible, Fathom) use cookieless tracking and may not require consent.

What is a "legitimate interests" cookie — does it exist?

Legitimate interests is not a valid legal basis for setting cookies in most EU jurisdictions under the ePrivacy Directive. Cookies require consent unless strictly necessary. Only the ICO (UK) permits legitimate interests for some analytics cookies, and that position is contested.

How long is cookie consent valid?

No fixed period is mandated. The EDPB recommends refreshing consent every 6 months to 1 year. In practice, most organisations seek re-consent annually or when the cookie categories or purposes change materially.

Need this turned into a real document?

Our compliance sprint service delivers production-ready documents tailored to your organisation in 5–15 business days. A senior compliance specialist reviews every document before delivery.

Get Expert Help →Browse All Templates

cookie consentGDPR cookiesePrivacyconsent bannercookie audit