
EU Cookie Consent Legal Framework

The two overlapping EU legal frameworks governing cookie consent — ePrivacy Directive and GDPR — what valid consent actually requires, which cookies are exempt, and where enforcement stands in 2026.


EU cookie consent operates under two overlapping legal frameworks. The practical requirement is stricter than either framework alone would suggest: explicit, prior consent is required before setting non-essential cookies on EU users. This note covers why “legitimate interest” does not satisfy that requirement, what “non-essential” means in practice, and where enforcement stands in 2026.

The Two Frameworks

ePrivacy Directive

The ePrivacy Directive governs the act of storing or accessing information on a user’s device. It is the law that directly addresses cookie setting — not GDPR. The key provision: you need prior consent for any non-essential cookie, regardless of whether the data qualifies as personal under GDPR.

This matters because it means a cookie that stores only a session ID (which wouldn’t normally be personal data under GDPR on its own) still requires consent under ePrivacy if it’s not strictly necessary for the service the user explicitly requested. The question ePrivacy asks is not “is this personal data?” — it’s “is this storage essential for the service the user came to use?”

The proposed ePrivacy Regulation — which would have replaced the Directive and modernized the framework — was formally withdrawn by the European Commission in February 2025. The existing Directive remains the governing law indefinitely. This is not a technicality; it means the framework from 2002 (updated in 2009) continues to apply to tracking technologies its authors never imagined.

GDPR

GDPR applies whenever cookies involve personal data. Analytics cookies almost always involve personal data — IP addresses, browser fingerprints, and cookie identifiers are personal data under GDPR’s definition (Recital 30 explicitly names online identifiers).

GDPR sets the standard for what valid consent looks like:

  • Freely given: No cookie walls that block access to content. Consent cannot be coerced.
  • Specific: Granular per-purpose. Bundling consent for analytics, advertising, and social media into a single checkbox doesn’t meet this standard.
  • Informed: Clear descriptions of what each cookie does, who processes the data, and for how long.
  • Unambiguous: An active choice — not a pre-ticked box, not “continued browsing equals consent.”

These are minimum standards, not aspirational ones. The EDPB (European Data Protection Board) and national DPAs have issued guidance making clear that each of these elements must be genuinely satisfied, not technically satisfied while being designed to nudge users toward acceptance.

Which Cookies Are Exempt

The exemption from consent covers cookies that are “strictly necessary” for a service explicitly requested by the user. In practice, this covers:

  • Session management cookies (keeping users logged in during a session)
  • Load balancing cookies (distributing traffic across servers)
  • Security tokens (CSRF protection, authentication)
  • Language/region preference cookies (storing a choice the user explicitly made)
  • Shopping cart cookies (preserving items in a basket the user is actively using)

What is not exempt: analytics cookies, advertising cookies, social media cookies, A/B testing cookies, heatmap and session recording cookies. These serve the website operator’s interests, not the user’s request, and they require consent regardless of how anonymized the data appears to be.

The exemption is narrower than many implementations assume. A common misconfiguration is treating Google Analytics as “necessary for site operation.” It isn’t — the site operates fine without it. The user didn’t request analytics measurement when they came to read your content.

EDPB Scope Expansion: Beyond Cookies

The EDPB’s Guidelines 2/2023, finalized in October 2024, extended the scope of ePrivacy requirements beyond browser cookies to:

  • Tracking pixels — including tracking pixels in email campaigns
  • Tracking links — URLs that encode user identity for attribution
  • Device fingerprinting — using browser characteristics to identify users without cookies
  • IoT reporting — connected device data transmission

CNIL’s June 2025 draft recommendations added a specific requirement: separate consent for tracking pixels in emails, distinct from consent for email marketing itself. The user consenting to receive your newsletter is not simultaneously consenting to being tracked via pixel when they open it.

This matters for analytics teams building multi-channel attribution because click tracking in email — a standard feature of every ESP — now requires explicit, separate consent for EU recipients. Implementing this cleanly requires a consent flow in the email itself or at the point of email signup that specifically covers tracking.

“Prior” means before any non-essential cookies are set. The consent must be obtained before the tracking code runs, not after. A banner that appears on page load while GA4 is already firing in the background is not compliant, regardless of what the banner says.

The implementation consequence: tags must fire only after consent is granted. Consent Mode v2 addresses this with default deny states that block tags from firing until the CMP signals approval. But the mechanism only works if the default state is genuinely deny and the tags genuinely respect it — two conditions that frequently fail in practice.
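To make the two failure modes concrete, here is an added example (not code from this note, and not Google's own library) that models Consent Mode v2 gating as a small state machine and runs it through three scenarios: a correct default-deny flow with a granular update, a default command that arrives after a tag has already fired, and a tag that ignores the signal altogether. The four signal names (ad_storage, analytics_storage, ad_user_data, ad_personalization) are Google's real Consent Mode v2 keys; everything else (ConsentGate, the tag objects, the cookie jar, the ESSENTIAL_COOKIES allowlist, the cookie values) is a hypothetical shim constructed for this example. The rule that an unset signal counts as granted mirrors how Consent Mode behaves when no default command has run, which is exactly why a late or missing default is the first thing to audit.

```javascript
// Added example: offline model of Consent Mode v2 gating (not the note's or Google's code).
const CONSENT_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
const DENY_ALL = Object.fromEntries(CONSENT_SIGNALS.map((s) => [s, 'denied']));

// Constructed allowlist of strictly necessary cookies (the ePrivacy exemption).
const ESSENTIAL_COOKIES = new Set(['session_id', 'csrf_token', 'lang']);

class ConsentGate {
  constructor() {
    this.state = {};                 // signal -> 'granted' | 'denied'; empty until a default is set
    this.defaultSet = false;
    this.updateSeen = false;         // becomes true once the CMP has relayed a user choice
    this.tags = [];
    this.cookieJar = new Map();      // stand-in for document.cookie
    this.preConsentViolations = [];  // non-essential cookies set before any user choice
  }

  // Equivalent of gtag('consent', 'default', {...}); must run before any tag is registered.
  consentDefault(settings) {
    Object.assign(this.state, settings);
    this.defaultSet = true;
  }

  // Equivalent of gtag('consent', 'update', {...}) sent by the CMP after the user chooses.
  consentUpdate(settings) {
    Object.assign(this.state, settings);
    this.updateSeen = true;
    for (const tag of this.tags) this.tryFire(tag);  // release tags whose signals are now granted
  }

  // Modeled behaviour: a signal with no explicit value is treated as granted,
  // so a missing or late default command leaves every tag free to fire.
  isGranted(signal) {
    return this.state[signal] !== 'denied';
  }

  setCookie(name, value) {
    this.cookieJar.set(name, value);
    if (!this.updateSeen && !ESSENTIAL_COOKIES.has(name)) this.preConsentViolations.push(name);
  }

  registerTag(tag) {
    this.tags.push(tag);
    this.tryFire(tag);
  }

  tryFire(tag) {
    if (tag.fired) return;
    const allowed = tag.respectsConsent ? tag.requires.every((s) => this.isGranted(s)) : true;
    if (!allowed) return;
    tag.fired = true;
    for (const [name, value] of Object.entries(tag.cookies)) this.setCookie(name, value);
  }

  cookieNames() { return [...this.cookieJar.keys()].sort(); }
  firedTags() { return this.tags.filter((t) => t.fired).map((t) => t.name); }
}

// Hypothetical tag definitions; cookie names are constructed sample values.
function ga4Tag(respectsConsent = true) {
  return { name: 'GA4', requires: ['analytics_storage'], cookies: { _ga: 'constructed' }, respectsConsent, fired: false };
}
function adsTag() {
  return { name: 'Ads', requires: ['ad_storage', 'ad_user_data'], cookies: { _gcl_au: 'constructed' }, respectsConsent: true, fired: false };
}

// Scenario 1: default deny first, then a granular update (analytics only).
function compliantFlow() {
  const gate = new ConsentGate();
  gate.consentDefault(DENY_ALL);
  gate.setCookie('session_id', 'constructed');   // exempt: strictly necessary
  gate.registerTag(ga4Tag());
  gate.registerTag(adsTag());
  const beforeConsent = gate.cookieNames();
  gate.consentUpdate({ analytics_storage: 'granted' });
  return { beforeConsent, afterConsent: gate.cookieNames(), firedTags: gate.firedTags(), violations: gate.preConsentViolations };
}

// Scenario 2: the GA4 tag is registered before the default command runs.
function lateDefaultFlow() {
  const gate = new ConsentGate();
  gate.registerTag(ga4Tag());      // fires immediately: no signal is 'denied' yet
  gate.consentDefault(DENY_ALL);   // too late, _ga is already set
  return { firedTags: gate.firedTags(), violations: gate.preConsentViolations };
}

// Scenario 3: default deny is correct, but the tag does not honour the signal.
function ignoringTagFlow() {
  const gate = new ConsentGate();
  gate.consentDefault(DENY_ALL);
  gate.registerTag(ga4Tag(false));
  return { firedTags: gate.firedTags(), violations: gate.preConsentViolations };
}

module.exports = { ConsentGate, DENY_ALL, compliantFlow, lateDefaultFlow, ignoringTagFlow };
```

In the compliant scenario the only cookie present before the user chooses is session_id; after an analytics-only update, _ga appears and the Ads tag stays blocked because ad_storage and ad_user_data are still denied. The other two scenarios both end with _ga in preConsentViolations, which is the condition a QA check should flag: on a real page, the equivalent test is loading it with a fresh profile, never interacting with the banner, and listing every cookie and request that was made anyway.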

Legitimate interest is not a valid legal basis for non-essential cookies. This is not an open question. The EDPB has issued clear guidance: cookie-based tracking for analytics and advertising purposes cannot rely on legitimate interest as the legal basis. Consent is required. Many legal teams pushed back on this in the early years of GDPR enforcement; they lost those arguments repeatedly across multiple DPA decisions.

Enforcement Is Accelerating

GDPR enforcement on cookie matters is no longer theoretical. Cumulative fines reached €6.7 billion across 2,679 enforcement actions through 2025, with 2025 alone accounting for €2.3 billion — a 38% year-over-year increase. Major cases have included Google, Meta, TikTok, and hundreds of smaller companies.

National DPAs are the enforcement agents. France (CNIL), Germany (multiple Landesbeauftragte), Ireland (DPC), the Netherlands (AP), Italy (Garante), and Spain (AEPD) are the most active. They don’t coordinate cases, but they do share approaches and escalate to the EDPB for cross-border cases.

The practical risk for analytics implementations: companies using Google Analytics without a properly implemented consent banner in France were among CNIL’s early targets in 2022. The violation was using GA without consent, resulting in data transfers to the US without adequate protection — but the consent failure was what exposed the underlying data transfer issue. Fixing the consent implementation would have prevented the investigation.

The Consent Mode v2 cluster covers the technical implementation; this note is the legal context for why the requirements are what they are.