What is Cookie Consent? Requirements, Best Practices & Implementation Guide

Data privacy has become a crucial concern for businesses and individuals. The rise of data-driven marketing has led businesses to collect huge amounts of data to personalise their website experiences, optimise marketing campaigns, and improve website performance. However, as consumers are increasingly aware of how their data is being used, governments worldwide have enforced policies to protect user rights.
Laws such as GDPR (General Data Protection Regulation) in the EU, the California Consumer Privacy Act (CCPA/CPRA) in the US, and the ePrivacy Directive require websites to ask for consent before storing or tracking customer data. Failure to comply can result in huge fines and reputational damage. For example, Google has faced a hefty €150M fine for failure to provide clear cookie consent options. A survey also revealed that a significant percentage of adult consumers in the US are taking careful steps to secure their personal information.
Proper cookie agreement implementation is essential not only for legal compliance but also for maintaining trust with customers. This blog will outline the key steps required for effective website cookie consent implementation, which ensures both compliance with regulations and seamless user experience.
How Do Cookies Work?
Cookies are small text files used to store customer information when they visit the website. They play an important role in analysing website performance, tracking user behaviour, and personalising online experiences. They usually store login information, language preferences, and browsing activity.
There are two types of cookies.
1. First-party cookie
This cookie is set by the website itself. It helps to improve site functionality, remember preferences, and provide a seamless experience to the user. For e-commerce websites, these cookies may be used to retain add-to-cart information even if a user navigates away from the website.
2. Third-party cookie
These cookies are placed by external parties, such as GA4 or Pixel, to track user activity across different websites. They provide insights that these platforms use to create targeted audiences.
Cookies help enhance user experience, reduce load times, and serve relevant content. However, the role of third-party cookies has raised privacy concerns. This has prompted stricter regulations, followed by less accurate targeting on these platforms.
Types of Cookies and Their Purposes
Cookies serve different purposes and understanding their types and uses helps businesses to implement privacy-compliant tracking on their websites. There are 4 main types of cookies.
1. Essential cookies
Essential cookies are necessary for website functionality as they play key roles in user authentication, session management, and security. Without these cookies, users won't be able to log in, add to cart, or navigate the website efficiently. Since they don't track users for marketing purposes, most policies allow these cookies without consent.
2. Analytical Cookies
Analytical cookies collect data on how each user interacts with the website. This data helps businesses optimise their user experience. Tools such as Google Analytics and Microsoft Clarity use this type of cookie to store data about the visitor, such as session duration, bounce rate, and page views. While these cookies don't collect unique user data such as email addresses, they still require explicit user consent under laws like GDPR and CCPA/CPRA.
3. Marketing Cookies
As the name suggests, marketing cookies are used primarily for tracking users across websites. Platforms such as Meta Ads and Google Ads rely on these cookies to deliver targeted advertising based on history and preferences. Because of this tracking, they are heavily regulated under privacy laws and require clear opt-in consent from users before activation.
4. Preference Cookies
Preference cookies store user preferences like currency, language, or theme preferences. They help users by remembering their previous choices, eliminating the need to set these personal preferences on each visit. While they improve user experience, they still require consent under strict privacy laws.
How Different Industries Handle Cookies
Different industries handle consent cookies based on their unique data usage and policy requirements.
E-commerce
Online shopping sites rely upon cookies to enhance user experience and drive sales. Essential cookies track cart activity, ensuring users don't lose shopping cart items even if they leave the website. Meta pixel and Google ads tag use marketing cookies to analyse browsing behaviour to deliver personalised product recommendations. Due to this intrusive behaviour, e-commerce websites must obtain clear consent before tracking a user.
Banking
Financial institutions prioritise security and compliance when handling cookies. Essential cookies help to prevent fraud, authenticate users, and enable secure transactions. Due to strict financial regulations, banks limit the usage of marketing cookies and encrypt tracking. Privacy laws require the provision of detailed consent notices regarding their data collection practices.
Healthcare
Healthcare websites handle sensitive data such as patient data, so they must adhere to laws such as HIPAA (Health Insurance Portability and Accountability Act), which restricts using healthcare data for marketing purposes. Many healthcare websites are limited to essential and analytical cookies only to ensure compliance.
Media & Advertising
Advertisers rely on third-party cookies to deliver targeted ads. With increasing privacy restrictions and browsers moving towards a privacy-first approach, many media companies are focusing on collecting their own customer data instead of relying on third-party data.
What is Cookie Consent
Cookie consent refers to the act of obtaining user permission before storing cookies for tracking user activity or their data for marketing purposes.
Cookie Consent Definition
As per GDPR cookie consent requirements, users must have a clear, informed choice about enabling cookies. For consent to be valid, it must meet the following criteria.
- Freely Given - users must have a real choice without forced acceptance
- Informed & Specific - websites must disclose what data is collected, why it is collected & who collects the data.
- Unambiguous - users must actively opt-in (pre-checked boxes or passive scrolling doesn't count)
What are the Requirements for Cookie Consent
Websites must adhere to strict cookie consent requirements under various privacy laws to protect user data and maintain legal compliance. The GDPR, ePrivacy Directive, and CCPA/CPRA put forward specific requirements for obtaining consent before installing cookies.
GDPR & ePrivacy Directive
The GDPR & ePrivacy Directive mandate that websites obtain explicit, informed, and freely given consent before installing any non-essential cookies. This means:
- Users must be informed about cookie usage.
- Consent must be opt-in, and should not contain pre-ticked boxes.
- Users should be able to withdraw their consent easily.
- Websites should document and store opt-in rates.
California Consumer Privacy Act (CCPA/CPRA)
Under CCPA/CPRA, websites must:
- Inform users about data collection practices.
- Provide an opt-out option for third-party tracking.
- Offer a “Do not sell or share my personal information” link for residents of California.
Cookie Consent for Google Analytics 4 (GA4) & Microsoft Clarity
GA4 & Microsoft Clarity require explicit consent in GDPR regions before collecting data. Key requirements include:
- Consent mode for adjusting tracking according to user preferences.
- Ensuring Clarity session recording follows the local consent laws.
- Blocking the tracking script until consent is given.
Best Practices For Cookie Consent Management
Here are the best practices for implementing effective cookie consent management.
1. Use a Consent Management Platform (CMP)
A CMP helps automate consent collection, ensures legal compliance with privacy laws, enables businesses to manage user preferences efficiently, and documents consent records.
2. Provide Granular Consent Options
Allow users to choose which types of cookies they accept - essential, analytical, marketing, or preference cookies. This helps to build user trust and increases compliance.
3. Enable Easy Opt-Out Options
Users must have an easy way to opt out or withdraw consent at any time. A clear “manage preferences” option should be accessible and linked in the footer of the website.
4. Regular Audit & Update Policies
Laws and regulations evolve, so it is important to review and update cookie consent policies periodically to remain compliant. Many CMPs allow businesses to check whether their consent management system is compliant through a free cookie checker.
How To Implement Cookie Consent
Method 1: Using Google CMPs (Consent Management Partners)
Google consent partners provide an easier way to manage cookie consent. This method integrates with Google Tag Manager and the consent mode API, which automates compliance.
Step 1: Choose a CMP (Consent Management Partner)
Google provides a certified list of CMPs which includes Cookiebot, CookieYes & ABconsent. These platforms provide ready-to-use consent banners and clear step-by-step instructions, which makes implementation way easier compared to manual implementation.
Step 2: Integrate CMP with GTM
1. Log in to Tag Manager
2. Create a new tag > tag configuration > community template gallery
3. Search for the CMP and add it to the workspace
4. Enable default consent states to deny non-essential cookies
Step 3: Sync CMP with Consent Mode
Once the user allows the cookies, update the consent state through Google Consent Mode.
Step 4: Test consent mode in Google Tag Assistant
Open the tag assistant and verify if tags are only triggering when the user consents.
Method 2: Manual Implementation
This method is for businesses that prefer full control over cookies and need to comply with a unique set of policies.
1. Enable consent mode in GTM
- Go to Tag Manager → Admin → container settings.
- Enable consent overview and configure default consent settings.
2. Define default consent states
- Use the tag manager’s consent initialisation trigger to set default consent states.
- Insert the following script with a custom HTML tag.
This makes sure that tags are not triggered until consent is given.
3. Capture & retain user consent choices
To prevent users from having to accept cookie banners every time they visit, their consent choice is stored in a cookie for 30 days.
- When a user selects the consent option, their choice is stored in a cookie.
- On future visits, stored consent settings are automatically applied without requiring the user to reselect their preferences.

4. Update consent when the user grants specific consent
By default, essential cookies like security & functionality are enabled as they are required for the website's smooth operation. No tracking for advertising, analytics, or personalisation occurs until the user specifically allows it.
- Essential cookies are enabled by default.
- If a user clicks “accept all”, all tracking categories (ads, analytics, and personalisation) are enabled.
- If a user clicks preferences, only personalisation is enabled.
- If a user clicks marketing, only ad-related tracking is enabled.

5. Modify tags to respect the consent
Navigate to each tag and under advanced settings adjust the tag to fire only when the respective consent is given.
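As an added example (not code from the original guide), steps 2 to 4 of the manual method can be sketched as below. The cookie name site_consent, the choice labels and the mapping of each banner button to Consent Mode signals are assumptions; gtag('consent', ...) is Google's Consent Mode call, passed in so the logic also runs outside a browser.

```javascript
// Added example. Cookie name, choice labels and function names are assumptions.
const CONSENT_COOKIE = 'site_consent';
const MAX_AGE_SECONDS = 30 * 24 * 60 * 60; // 30-day retention from step 3

// Step 2: essential signals granted, every tracking signal denied by default.
const DEFAULTS = Object.freeze({
  security_storage: 'granted', functionality_storage: 'granted',
  ad_storage: 'denied', ad_user_data: 'denied', ad_personalization: 'denied',
  analytics_storage: 'denied', personalization_storage: 'denied',
});

// Step 4: which signals each banner button flips to granted (assumed mapping).
const CHOICES = {
  accept_all: ['ad_storage', 'ad_user_data', 'ad_personalization',
    'analytics_storage', 'personalization_storage'],
  preferences: ['personalization_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

function choiceToConsent(choice) {
  // Unknown or tampered values grant nothing beyond the defaults.
  const granted = Object.hasOwn(CHOICES, choice) ? CHOICES[choice] : [];
  const state = { ...DEFAULTS };
  for (const key of granted) state[key] = 'granted';
  return state;
}

function buildConsentCookie(choice) {
  return `${CONSENT_COOKIE}=${encodeURIComponent(choice)}; ` +
    `Max-Age=${MAX_AGE_SECONDS}; Path=/; SameSite=Lax; Secure`;
}

function readStoredChoice(cookieHeader) {
  const pair = cookieHeader.split(';').map((s) => s.trim())
    .find((s) => s.startsWith(`${CONSENT_COOKIE}=`));
  if (!pair) return null;
  try {
    const value = decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1));
    return Object.hasOwn(CHOICES, value) ? value : null;
  } catch {
    return null; // malformed percent-encoding: treat as no stored consent
  }
}

// gtag is the standard Consent Mode function; pass document.cookie in a browser.
function initConsent(gtag, cookieHeader) {
  gtag('consent', 'default', { ...DEFAULTS });
  const stored = readStoredChoice(cookieHeader);
  if (stored) gtag('consent', 'update', choiceToConsent(stored));
  return stored;
}
```

The stored cookie is readable and writable by the visitor, so the reader accepts only known choice labels and falls back to the deny-by-default state for anything else.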
While manual implementation offers flexibility, it requires technical expertise and ongoing maintenance to make sure it remains compliant with updated data privacy laws.
Common Mistakes to Avoid
1. Not Blocking Cookies Before Consent
Cookies must not load until the user gives explicit consent. Failing to do this will violate GDPR and other privacy laws.
2. Using Pre-Checked Consent Options
Consent must be freely given, meaning the user should have to actively opt in. Pre-checked boxes and implied consent are not compliant.
3. Failing to Offer Granular Consent Options
Some businesses bundle all cookie categories into a single “Accept” button, which doesn’t align with consent mode V2. Ensure there are granular options for different consent types, allowing users to choose.
4. Forgetting to Store or Track Consent Logs
Businesses must be able to prove users have consented to data collection. Without logs, compliance audits can be a problem. Implement a consent log with timestamped user choices in a database.
5. Not Allowing Users to Withdraw Consent
Privacy laws require that users must be able to withdraw or modify their consent at any time. Include a change preferences option on the footer of the website.
6. Failing to Apply Consent Mode to Marketing Tags
Enabling cookie banners is not enough; tags should only fire according to user consent. Go to tag settings and make sure tags are only fired if the user has given consent.
7. Ignoring Country-Specific Laws
Different regions have different privacy laws, and implementing a one-size-fits-all approach will lead to non-compliance.
8. Not Testing the Implementation
Assuming consent settings are working properly without testing them can result in tracking data before consent is given. Use Google Tag Manager's preview mode to check that tags are not triggered before user consent is given.
9. Not Updating Policies & Consent Management Systems Regularly
Privacy policies are getting updated regularly; failing to catch up with them will make the consent management system non-compliant. Perform regular audits to ensure compliance with the latest privacy laws and browser cookie policies.
Conclusion
With increasing data privacy regulations, implementing a proper cookie consent management system is essential to stay compliant and gain user trust. By following best practices and consent mode V2, businesses can continue to collect data while remaining compliant with the laws and browser policies.
While CMPs provide an easier way to implement consent mode, they always come with a cost over manual implementation. However, both methods require careful setup and regular audits to remain compliant with evolving privacy laws.
Webandcrafts specialises in privacy-compliant analytics solutions, helping businesses implement privacy-compliant cookie consent management. Learn more about how Webandcrafts can help implement privacy-first analytics with our analytics services.