GDPR Cookie Guide for SMBs

Last updated: April 14, 2026

Do you have a website? Do you use Google Analytics, a Facebook pixel or a live chat? Then you are subject to GDPR and cookie regulations. This guide explains everything you need to know as a small or medium business, without unnecessary legal jargon.

1. GDPR in 2 minutes

The General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) has applied since 25 May 2018. It covers any organisation that processes the personal data of people in the EU, whether or not the organisation is established there, and regardless of its size.

Yes, even if you are a sole trader with a WordPress site and 200 visitors per month. The GDPR makes no distinction by size.

What the GDPR considers "personal data"

  • Email address
  • First and last name
  • IP address (even dynamic)
  • Cookie identifiers
  • Geolocation data
  • Advertising identifiers (Google, Facebook)

In short: as soon as a cookie can identify or track a visitor (even indirectly), it is personal data.

2. Cookies: what the law says

The ePrivacy Directive (2002)

Even before the GDPR, the ePrivacy Directive (2002/58/EC, Article 5(3)) already required consent for non-essential cookies. In France it is transposed into Article 82 of the French Data Protection Act (Loi Informatique et Libertés), and the GDPR defines what counts as valid consent.

The principle is simple

  • Strictly necessary cookies (session, basket, security, the cookie that stores the visitor's own consent choice): no consent required
  • Analytics cookies (Google Analytics, Hotjar): consent required
  • Marketing cookies (Facebook Pixel, Google Ads): consent required

Consent must be obtained BEFORE cookies are set. Not after. Not at the same time. Before.

3. CNIL requirements

The CNIL (France's data protection authority) has published its guidelines (deliberation no. 2020-091 of 17 September 2020) and its practical recommendations (1 October 2020). Here is what it requires:

3.1 The consent banner must

  • Clearly state the purpose of each cookie (or category) and who sets it
  • Allow accepting or refusing with equal ease
  • NOT pre-tick boxes
  • NOT use "dark patterns" (for example a prominent "Accept" button next to a de-emphasised, greyed-out or hidden "Refuse" option)
  • Allow changing the choice at any time
  • Retain proof of consent

3.2 Recommended maximum durations

  • Cookie lifetime: 13 months maximum (the CNIL's ceiling for audience-measurement cookies, and a sensible cap for the rest)
  • Raw data collected by audience-measurement cookies: 25 months maximum
  • Validity of a choice (consent or refusal): the CNIL recommends re-asking after 6 months at most
  • Retention of consent records: 5 years recommended (the general statutory limitation period in France)

3.3 "Scrolling" or "continued browsing" does NOT constitute consent

The CNIL has made it clear: continuing to browse a site does not constitute valid consent. A positive and unambiguous act is required (a click on "Accept").

4. Google Consent Mode v2

Since March 2024, Google requires sites using Google Ads or Google Analytics in the European Economic Area to implement Google Consent Mode v2.

Without a Consent Mode v2-compatible CMP:

  • Your Google Ads audiences are no longer built
  • Your Google Ads conversions are no longer tracked
  • Your Google Analytics 4 data is incomplete

ConsentLab natively supports Google Consent Mode v2. Signals are sent automatically as soon as the visitor makes their choice.

5. The fines

The CNIL is not joking. Cookie fines are among the most frequent:

  • Google: €150 million (2022) for cookies set without consent
  • Facebook: €60 million (2022) for the same reason
  • Criteo: €40 million (2023)
  • SMBs: fines from €5,000 to €100,000 depending on cases

The GDPR provides for fines of up to 4% of annual global revenue or €20 million (whichever is higher). Cookie breaches in France are pursued under Article 82 of the French Data Protection Act rather than under the GDPR itself, but the CNIL's sanction powers there carry the same ceilings; the 2022 Google fine above was issued on that basis.

6. Cookie compliance checklist

Here is what your site must do:

  • Display a consent banner BEFORE setting any non-essential cookie
  • Allow accepting and refusing with equal ease
  • Allow customisation by category (analytics, marketing, etc.)
  • Block third-party scripts until consent is given
  • Record and retain proof of consent
  • Allow changing the choice at any time
  • Send Google Consent Mode v2 signals (if you use Google)
  • Have an accessible and detailed cookie policy
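Sections 4 and 6 describe what a page must actually do: hold every non-essential script until the visitor clicks, then forward the choice to Google as Consent Mode v2 signals and keep a record of it. The JavaScript below is an added example, not ConsentLab's code or Google's library, that shows the flow end to end with a plain array standing in for window.dataLayer so it runs outside a browser. The category names, the 6-month default validity, the sample script inventory and the G-EXAMPLE measurement id are constructed for the example. One caveat a practitioner should keep in mind: Consent Mode only changes how Google's own tags behave, it does not block other vendors' scripts, which is why script gating is a separate step here.

```javascript
// Added example (not ConsentLab's code): a small consent manager that keeps
// every non-essential category denied until the visitor acts, maps the choice
// to Google Consent Mode v2 signals, gates third-party scripts on the stored
// choice, and builds a timestamped consent record. The data layer is a plain
// array so the example runs offline; in a page, window.dataLayer and gtag()
// play that role.

const CATEGORIES = ['analytics', 'marketing'];

// The four signal names are Google's Consent Mode v2 parameters; the mapping
// from this page's categories onto them is an assumption of the example.
function consentSignals(choices) {
  const analytics = choices.analytics === true;
  const marketing = choices.marketing === true;
  return {
    analytics_storage: analytics ? 'granted' : 'denied',
    ad_storage: marketing ? 'granted' : 'denied',
    ad_user_data: marketing ? 'granted' : 'denied',
    ad_personalization: marketing ? 'granted' : 'denied',
  };
}

// Add calendar months to a UTC timestamp and return it as ISO-8601.
function addMonths(ms, months) {
  const d = new Date(ms);
  d.setUTCMonth(d.getUTCMonth() + months);
  return d.toISOString();
}

function createConsentManager(dataLayer, options = {}) {
  const now = options.now || (() => Date.now());
  // Assumption: a choice is re-asked after 6 months; adjust to your policy.
  const validityMonths = options.validityMonths || 6;
  let choices = null; // null: the visitor has not clicked anything yet

  // Equivalent of gtag('consent', 'default', {...}) sent before any tag fires:
  // everything denied, so Google tags stay in cookieless mode until an update.
  dataLayer.push(['consent', 'default', consentSignals({})]);

  // A script may load only if it is necessary or its category was accepted.
  // Scrolling or continued browsing never changes `choices`; only record() does.
  function mayLoad(category) {
    if (category === 'necessary') return true;
    return choices !== null && choices[category] === true;
  }

  // Filter {src, category} descriptors down to the sources allowed right now.
  function loadable(scripts) {
    return scripts.filter((s) => mayLoad(s.category)).map((s) => s.src);
  }

  // Record an explicit accept/refuse click, forward gtag('consent', 'update')
  // and return the proof-of-consent record to persist server-side.
  function record(newChoices, bannerVersion) {
    choices = {};
    for (const c of CATEGORIES) choices[c] = newChoices[c] === true;
    dataLayer.push(['consent', 'update', consentSignals(choices)]);
    const ts = now();
    return {
      timestamp: new Date(ts).toISOString(),
      expiresAt: addMonths(ts, validityMonths),
      bannerVersion,
      choices: { ...choices },
    };
  }

  return { mayLoad, loadable, record };
}

// Constructed sample: the script inventory a CMP would gate on an SMB site.
const SAMPLE_SCRIPTS = [
  { src: '/js/cart.js', category: 'necessary' },
  { src: 'https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE', category: 'analytics' },
  { src: 'https://connect.facebook.net/en_US/fbevents.js', category: 'marketing' },
];

// Runs the whole flow for one visitor who accepts analytics and refuses marketing.
function demo() {
  const dataLayer = [];
  const cm = createConsentManager(dataLayer, { now: () => Date.UTC(2026, 3, 14) });
  const before = cm.loadable(SAMPLE_SCRIPTS); // only the necessary script
  const rec = cm.record({ analytics: true, marketing: false }, 'banner-v3');
  const after = cm.loadable(SAMPLE_SCRIPTS); // necessary + analytics
  return { dataLayer, before, after, rec };
}
```

The two data-layer pushes are the part Google reads: the `default` entry must be queued before the gtag.js script runs, and the `update` entry is what makes the ads and analytics features in section 4 work again. The record returned by `record()` is what you archive as proof of consent; storing it with the banner version lets you show later which wording the visitor actually agreed to.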

7. How ConsentLab helps you

ConsentLab automatically ticks every box in the checklist above:

  • CNIL-compliant banner: accept/refuse with equal ease, no dark patterns
  • Automatic script blocking: no non-essential cookie before consent
  • Google Consent Mode v2: signals sent natively
  • Consent records: archived with timestamp, exportable in CSV
  • Data in France: OVH hosting, no transfer outside the EU
  • Install in 2 minutes: 1 line of code, no complex configuration

Get started for free — 5,000 sessions/month, unlimited domains

8. Official resources