Cookie Consent Compliance Checklist and Best Practices

First a little background. Not interested? Skip this and scroll down to the cookie consent compliance checklist.


The EU Cookie Act, or ePrivacy Directive, is an older legal act, passed in 2002 and updated in 2009, mainly dealing with cookies, data retention and unsolicited emailing. It is a directive, not a regulation.


Now we have the ePrivacy Regulation, which deals with the privacy of data that companies collect from EU residents, just like the GDPR. It should have been in effect in 2018, but at the time of writing there is only a 2021 draft. If passed, it is believed not to be in effect before the end of 2023.


The ePrivacy Regulation aims to protect the privacy of the electronic communication content and metadata of EU residents. This means that the scope of the ePrivacy Regulation goes beyond personal data and can include non-personal data, such as business-to-business (B2B) communications.


The scope of the GDPR, on the other hand, is limited to personal data. But make no mistake, the two data privacy laws are not supposed to work against each other. Instead, the ePrivacy Regulation is intended to complement the GDPR. For convenience, when we talk about compliance, we use ePrivacy compliant and/or GDPR compliant interchangeably.

Let’s move on to the checklist for cookie consent compliance and best practices. The list below may seem exhaustive, but keep in mind that the ePrivacy Directive and the GDPR are open to multiple interpretations in practice.


We recommend that you follow them, but more importantly, do so in a way that best suits your internet users. Being clear and unambiguous in setting your cookie consent and communication certainly has a positive effect on your image.

In addition, imagine that an internet user finds out that they are still being tracked even though they have rejected all cookies. You don’t want that, and you certainly don’t want to be fined. More and more initiatives are being taken to keep a finger on the pulse. A Basel initiative called None of Your Business has the sole purpose of reporting non-compliant websites to the authorities. It has already filed 422 reports against websites not using a correct cookie consent banner.


Therefore, try not to think of cookie consent as a set-and-forget-type initiative. Continue to ensure that you are compliant by regularly checking and documenting that your cookie consent is working. If you do get assessed, you can prove that you are doing everything necessary to comply with the rules.


Checklist for cookie consent compliance and best practices:

  1. Collect consent to the use of cookies on your website by using a cookie consent banner or pop-up. Do not use a cookie wall, which leaves the user only one option, accepting all cookies, before they can use the website. This is prohibited under the GDPR, see point 39 in the consent guidelines. As a best practice, do not use a banner or pop-up that lets a user visit parts of the website only after interacting with it. This can demonstrably also be seen as a form of ‘not freely given consent’.
  2. Give users full control over accepting, rejecting or changing cookie settings on the banner. As a best practice, make it as easy for users to “decline all” as “accept all” by presenting this option on the first layer of the banner.
  3. Use the correct consent categories and make sure every cookie is categorized under the right one. As a best practice, there are these four: strictly necessary (default and always on), performance cookies (to measure aggregated website data and analytics), functional cookies, and commercial/marketing/tracking/social cookies.
  4. Make sure that none of the consent categories are checked in advance, with the exception of strictly necessary cookies and performance cookies (if these are set up in a privacy-friendly way). A user must always opt in to the other categories.
  5. Follow the guide for setting up Google Analytics in a privacy-friendly way and describe what you have done in the privacy policy. In most cases, this also applies to other direct analytical cookies. State clearly what steps you have taken to ensure that everything is anonymized and that nothing can be traced back to a person.
  6. Customize the banner for desktop and mobile devices for accessibility.
  7. Show a cookie table (with name, type, purpose and duration) on the second layer for full transparency of cookies.
  8. If that is not an option in the tool you are using, make sure to add a ‘cookies’ page where you describe the cookies. Make sure that you also describe per cookie category what information you collect from the user. As a best practice, try to be as specific as possible.
  9. Please note that visitors from outside your AVG (the Dutch name for the GDPR) territory can visit your website. If this happens only sporadically, there is no need to take action. If it is more than incidental, keep in mind that different rules apply. For example, if you operate in the EU but also track and analyze users from the US, these visitors (based on IP address) should see a different cookie consent banner based on the guidelines applicable there. This is the so-called ‘extraterritorial effect’. As under the GDPR, this effect will apply under the ePrivacy Regulation.
  10. Automatically block third-party cookies from loading until the user agrees.
  11. Record all user permissions as proof of compliance.
  12. Add a link to the preference center so that users can withdraw their consent at any time. Preferably in the footer of the website and/or in the privacy policy.
  13. Generate a cookie policy with detailed disclosure of cookie usage and link it to your cookie banner.
  14. Regularly scan your website for cookies to automatically update your cookie list and cookie policy.
  15. [Most important, but often forgotten] Regularly check your consent scenarios to see whether cookie consent still works and cookies are only activated when consent has been given. This so-called ‘accountability’ under the GDPR is something every organization is obliged to adhere to.
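The blocking, recording and checking steps (items 10, 11 and 15) are the ones that can be tested in code rather than only described in a policy. Below is an added example, not code from the original article or from any consent-management product: a minimal consent record stored in a first-party cookie, a loader that only activates scripts for consented categories, and an audit that lists the cookies present without consent. The `cookie_consent` record format, the four category names, the `data-category` placeholder convention and the cookie names in `SAMPLE_COOKIE_TABLE` are all assumptions made for this example.

```javascript
// Added example (not code from the original article): a small consent-gated
// script loader and a consent audit. Category names follow the four in the
// checklist; the "cookie_consent" record format and the cookie names in
// SAMPLE_COOKIE_TABLE are constructed for this example.

const CATEGORIES = ['necessary', 'performance', 'functional', 'marketing'];
const CONSENT_COOKIE = 'cookie_consent';

// Parse the consent record from a Cookie header / document.cookie string.
// A missing, malformed or tampered record yields no consent beyond strictly
// necessary cookies, which is the default the checklist requires.
function parseConsent(cookieHeader) {
  const none = { necessary: true, performance: false, functional: false, marketing: false, recorded: false };
  const m = new RegExp('(?:^|;\\s*)' + CONSENT_COOKIE + '=([^;]*)').exec(cookieHeader || '');
  if (!m) return none;
  try {
    const stored = JSON.parse(decodeURIComponent(m[1]));
    return {
      necessary: true,
      // strict equality: a value such as "yes" or 1 does not count as consent
      performance: stored.performance === true,
      functional: stored.functional === true,
      marketing: stored.marketing === true,
      recorded: true,
      ts: typeof stored.ts === 'string' ? stored.ts : null,
      version: typeof stored.v === 'string' ? stored.v : null,
    };
  } catch {
    return none;
  }
}

// Build the Set-Cookie value that records a decision (checklist item 11):
// the choices, when they were made and which banner version was shown.
function buildConsentCookie(choices, bannerVersion, now = new Date()) {
  const record = {
    performance: choices.performance === true,
    functional: choices.functional === true,
    marketing: choices.marketing === true,
    ts: now.toISOString(),
    v: bannerVersion,
  };
  const sixMonths = 180 * 24 * 60 * 60;
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(record))}` +
    `; Path=/; Max-Age=${sixMonths}; SameSite=Lax; Secure`;
}

// Categories whose scripts and cookies may be active under this consent.
function allowedCategories(consent) {
  return CATEGORIES.filter((c) => c === 'necessary' || consent[c] === true);
}

// Checklist item 10 in the browser: third-party tags are shipped as inert
// placeholders, e.g. <script type="text/plain" data-category="marketing" src=...>,
// and are only turned into real scripts for consented categories.
function activateDeferredScripts(consent, doc) {
  if (!doc) return 0; // no DOM available (e.g. running under Node)
  const allowed = new Set(allowedCategories(consent));
  let activated = 0;
  for (const ph of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!allowed.has(ph.dataset.category)) continue;
    const real = doc.createElement('script');
    if (ph.src) real.src = ph.src; else real.textContent = ph.textContent;
    ph.replaceWith(real);
    activated += 1;
  }
  return activated;
}

// Checklist item 15: compare the cookies actually present against the
// site's own cookie table and the recorded consent. Every cookie that is
// either unknown or belongs to a non-consented category is a finding.
function auditCookies(cookieHeader, consent, cookieTable) {
  const allowed = new Set(allowedCategories(consent));
  const names = (cookieHeader || '').split(';').map((s) => s.trim().split('=')[0]).filter(Boolean);
  const findings = [];
  for (const name of names) {
    const entry = cookieTable.find((e) => e.pattern.test(name));
    if (!entry) findings.push({ name, reason: 'not listed in the cookie table' });
    else if (!allowed.has(entry.category)) findings.push({ name, reason: `category "${entry.category}" not consented` });
  }
  return findings;
}

// Constructed cookie table for the example (names are illustrative).
const SAMPLE_COOKIE_TABLE = [
  { pattern: /^cookie_consent$/, category: 'necessary' },
  { pattern: /^session_id$/, category: 'necessary' },
  { pattern: /^analytics_/, category: 'performance' },
  { pattern: /^ad_/, category: 'marketing' },
];

// Usage: a page that set an analytics cookie before any consent was recorded.
const before = parseConsent('session_id=abc; analytics_id=42');
console.log(auditCookies('session_id=abc; analytics_id=42', before, SAMPLE_COOKIE_TABLE));
```

In a browser the page would call `activateDeferredScripts(parseConsent(document.cookie), document)` once at load and again after the banner has written the consent cookie. The same `auditCookies` check, run from a scheduled browser-automation job against `document.cookie` for each consent scenario (no choice yet, reject all, accept all), produces the dated evidence that item 15 asks for, and any finding in the "no choice yet" or "reject all" run is exactly the tracking-after-rejection situation the article warns about.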


[Tip] Devise a strategy to convince users to become more involved with your organization or service by letting them sign up or providing you with their personal information. Make sure you have a clear and unambiguous opt-in. State explicitly what you are contacting them for. In return, give them something valuable for their trust (and opt-in).


Disclaimer : We are not a legal party and our advice in this cookie consent compliance checklist and best practices is not legally binding. We are only offering you some help in solving this problem with cookie consent. It’s a constantly evolving business, so things are also subject to change.

Download this cookie consent compliance checklist of best practices in PDF format for easy sharing with anyone who needs to see it.