Cookie consent & GDPR: your questions answered
Cookie consent triggers more questions, and more fines, than any other part of the GDPR. A single non-essential cookie dropped before the visitor consents is enough to make a site non-compliant. Here are the most common questions, each with a direct, data-backed answer based on the French CNIL guidelines.
Is cookie consent mandatory?
Consent is mandatory for any cookie that is not strictly necessary. Only trackers essential to the site’s operation are exempt. Everything else, non-exempt analytics, advertising and social media, requires prior consent under the ePrivacy Directive and the GDPR.
How long should you keep cookie consent?
The CNIL recommends keeping the visitor’s choice, both refusal and acceptance, for 6 months before asking again. The proof of consent itself is kept longer, since the burden of proof falls on the data controller under Article 7 of the GDPR.
What are the fines for non-compliant cookies?
Dropping cookies without consent can lead to fines of up to €20 million or 4% of annual worldwide turnover. In September 2025, the CNIL fined SHEIN €150 million and Google €325 million for cookie-related breaches.
Is Google Consent Mode v2 mandatory?
Google Consent Mode v2 has been required since March 2024 to use Google Ads and GA4 with data from European Economic Area users. This requirement comes from Google, not the CNIL, and is set up through a compatible CMP that relays consent signals to Google.
Check your site’s compliance in seconds
Scan your cookies for free, then install a CMP that meets CNIL and GDPR requirements.