Skip to Content

ABOUT THIS ​GUIDE

The standard is unforgiving: if even one criterion is missing, the consent you obtained is invalid in its entirety. This guide distills the EU, German, and French requirements into a practical, compact checklist.

Work through each section in order and mark off every point as you verify it against your own implementation.

DESIGN & ​FUNCTION

Voluntariness


If consent can be given at the top level, users must be able to reject all access requiring consent at that same level.

No dark patterns


Declining must be an equivalent alternative to consenting. This means rejecting cannot require more clicks or effort than accepting, and color or contrast must not be used to draw the eye toward consent.

Visibility


All buttons must be visible at a glance on any screen size, including mobile.


The banner must not obstruct access to the imprint (legal notice) or the privacy policy, and the consent dialogue must not appear on those pages.

Granular selection


Users must be able to consent to each purpose specifically and independently. A first-level button, such as "Adjust settings" that opens a detailed overview, is one way to provide this.

Opt-in defaults


Checkboxes and sliders must be deactivated by default (opt-in).

Stored decision


The user’s decision — whether consent or rejection — must be stored so that the banner does not appear with every new page view.

Timing


Consent must be obtained again after 6 to 24 months, or whenever the corresponding services change.

Easy withdrawal at any time


Withdrawing consent must be as easy as giving it. An easily accessible link or a static icon (for example, bottom left of the screen) must be permanently available on every page.

Necessary information

It must be clearly recognizable that two consents are being given: one for the use of cookies and one for data processing.

Information on the first level

Information about data processing outside the EEA.

Specific detail on every individual purpose (no vague wording).

Notice when individual profiles are created or enriched with data from other websites.

The number of controllers to whom data is disclosed.

Information on the detail level

For services and cookies that do not require consent, the supervisory authorities recommend naming them in the privacy policy for transparency; listing them in the consent dialogue is not required.

A list of individual cookies is not required.

Users must be able to see who accesses the end device, for how long, for what purpose, and whether third parties gain access.

Correct Categorization

Group by precise purpose


Services and cookies must be grouped by their concrete, precise purposes. There must be no uncategorized cookies and no "Other" category.


The main reason is the misuse of data and the possibility of re-identifying users despite IP anonymization. This applies without exception to the so-called extended consent mode (Advanced Consent Mode) of Google Analytics 4 (GA4): the GA4 script loads immediately, before the user makes any selection in the banner. If the user rejects cookies — or does not respond — GA4 sets no cookies in the browser but sends so-called "cookieless pings" to Google's servers.

Affiliate Activities are not exempt


Cookies used to bill affiliate activities are not exempt from the consent requirement.


Even ostensibly privacy-friendly web analytics services such as Matomo or Piwik PRO cannot be used without consent by default, because they actively read the screen resolution, among other things.

Numerous Technical 
Pitfalls


Running separate Consent Management and Tag Management solutions carries a very high risk of incorrect triggers without consent, because every new service must be configured in two different systems. It also requires complex "Trigger Group" configurations in the Tag Manager.

Hybrid & dual-conversion tracking


A legally and technically correct configuration becomes even harder with hybrid tracking (with and without cookies), when recording enhanced conversions that involve personal targeting data, or with dual conversion tracking (via both pixel and server side), which requires strict deduplication of the conversion data. The pitfalls are numerous and can lead to both legal violations and costly configuration errors in automated ads bidding.

Automatic scan & blocking is error-prone


Many website operators rely on the automatic scanning, blocking, and categorization features of Consent Management solutions. These tools can support manual review, but they are error-prone — especially for less frequently used services. Caution is also warranted because scans are sometimes run only weekly, which can temporarily leave the site non-compliant. Integrated Tag and Consent Management makes automatic scanning and blocking unnecessary.

Block Google Maps & YouTube by default


Because Google Maps and YouTube transmit IP addresses and other device data to Google and set cookies when their scripts and iFrames load, they must not load by default without consent. Here, so-called content blocking is recommended: without consent, only a notice about the hidden content appears, with the option to activate it deliberately via consent.

ABOUT THE AUTHOR

JustRelate

The benchmarks in this report are drawn from etracker’s measurement dataset — a Hamburg-based web analytics and consent management platform built around a consent-exempt architecture compliant with the ePrivacy Directive (TDDDG in Germany, LIL in France) and the GDPR. By avoiding analytical cookies and device fingerprinting and processing data exclusively in Germany, it measures up to 99% of visits and conversions.

etracker is part of the JustRelate Group, whose AI-powered platform, JustRelate Home, orchestrates a company’s entire MarTech stack — email building, web development, marketing automation, CRM, portals, CPQ, and analytics — with built-in AI that generates, localizes, and optimizes on-brand content across languages, regions, and channels.

4000+

happy customers

200+

great employees

100k+

global active users

30+

years of innovation

This content has been carefully researched; however, we assume no liability for its accuracy, completeness, or timeliness. It cannot replace individual legal advice.

Start your 30-day audit

Is your data compliant and AI-ready? Move past guesswork — verify every consent point against real requirements.

AI chat