The 6 GDPR cookie requirements
Meet all six and your cookie banner does its job. Miss one — even with a banner in place — and you’re exposed. Here’s each standard in plain language.
Prior Consent
No non-essential cookie may fire until the visitor has agreed. Loading analytics or marketing scripts “to save time” and asking afterwards is the single most common violation.
Block every category except Necessary until the visitor clicks accept.
Granular Control
Consent can't be all-or-nothing. Visitors must be able to accept some categories and decline others — say yes to preferences, no to marketing.
Offer a per-category toggle, not just one “Accept all” button.
Freely Given
Access to your site can't be conditional on accepting cookies. No cookie walls, and no design that makes “reject” harder to find than “accept.”
Give “Reject all” equal weight to “Accept all.”
Easy Withdrawal
Taking consent back must be as easy as giving it. If accepting is one click, revoking can't be buried in a settings menu or an email request.
Keep a persistent link or icon to reopen the preferences panel.
Secure Records
You must store proof of every consent — who agreed, to what, and when. If a regulator asks, “show me,” a banner alone isn't an answer.
Log a timestamped, tamper-evident consent record for each visitor.
Annual Renewal
Consent isn't forever. You should re-confirm at least once a year, so people get a fresh choice instead of a decision they forgot making.
Expire stored consent after 12 months and ask again.
These six derive from the GDPR and the ePrivacy Directive, reinforced by guidance from regulators like France’s CNIL. The same principles underpin CCPA, LGPD, and POPIA — so meeting them sets you up well beyond the EU.
How does your site measure up?
Your scan checks the first standard directly — what's firing before consent — and flags exactly where you stand.