ABOUT THIS GUIDE
Few websites satisfy every criterion supervisory authorities set for consent dialogues.
The standard is unforgiving: if even one criterion is missing, the consent you obtained is invalid in its entirety. This guide distills the EU, German, and French requirements into a practical, compact checklist.
Work through each section in order and mark off every point as you verify it against your own implementation.
Sources
Based on the requirements and recommendations of
DESIGN & FUNCTION
Voluntariness
If consent can be given at the top level, users must be able to reject all access requiring consent at that same level.
No dark patterns
Declining must be an equivalent alternative to consenting. This means rejecting cannot require more clicks or effort than accepting, and color or contrast must not be used to draw the eye toward consent.

Visibility
All buttons must be visible at a glance on any screen size, including mobile.
Access to legal pages
The banner must not obstruct access to the imprint (legal notice) or the privacy policy, and the consent dialogue must not appear on those pages.
Granular selection
Users must be able to consent to each purpose specifically and independently. A first-level button, such as "Adjust settings" that opens a detailed overview, is one way to provide this.
Opt-in defaults
Checkboxes and sliders must be deactivated by default (opt-in).
STORAGE AND WITHDRAWAL OF CONSENT
Stored decision
The user’s decision — whether consent or rejection — must be stored so that the banner does not appear with every new page view.
Timing
Consent must be obtained again after 6 to 24 months, or whenever the corresponding services change.
Easy withdrawal at any time
Withdrawing consent must be as easy as giving it. An easily accessible link or a static icon (for example, bottom left of the screen) must be permanently available on every page.

Necessary information
It must be clearly recognizable that two consents are being given: one for the use of cookies and one for data processing.
Information on the first level
Information about data processing outside the EEA.
Specific detail on every individual purpose (no vague wording).
Notice when individual profiles are created or enriched with data from other websites.
The number of controllers to whom data is disclosed.
Information on the detail level
For services and cookies that do not require consent, the supervisory authorities recommend naming them in the privacy policy for transparency; listing them in the consent dialogue is not required.
A list of individual cookies is not required.
Users must be able to see who accesses the end device, for how long, for what purpose, and whether third parties gain access.

Correct Categorization
Group by precise purpose
Services and cookies must be grouped by their concrete, precise purposes. There must be no uncategorized cookies and no "Other" category.
Google Analytics & Google Tag Manager require consent
The main reason is the misuse of data and the possibility of re-identifying users despite IP anonymization. This applies without exception to the so-called extended consent mode (Advanced Consent Mode) of Google Analytics 4 (GA4): the GA4 script loads immediately, before the user makes any selection in the banner. If the user rejects cookies — or does not respond — GA4 sets no cookies in the browser but sends so-called "cookieless pings" to Google's servers.

Affiliate Activities are not exempt
Cookies used to bill affiliate activities are not exempt from the consent requirement.
“Privacy-friendly” analytics still need consent
Even ostensibly privacy-friendly web analytics services such as Matomo or Piwik PRO cannot be used without consent by default, because they actively read the screen resolution, among other things.
Numerous Technical Pitfalls
Separate consent and tag management
Running separate Consent Management and Tag Management solutions carries a very high risk of incorrect triggers without consent, because every new service must be configured in two different systems. It also requires complex "Trigger Group" configurations in the Tag Manager.
Hybrid & dual-conversion tracking
A legally and technically correct configuration becomes even harder with hybrid tracking (with and without cookies), when recording enhanced conversions that involve personal targeting data, or with dual conversion tracking (via both pixel and server side), which requires strict deduplication of the conversion data. The pitfalls are numerous and can lead to both legal violations and costly configuration errors in automated ads bidding.
Automatic scan & blocking is error-prone
Many website operators rely on the automatic scanning, blocking, and categorization features of Consent Management solutions. These tools can support manual review, but they are error-prone — especially for less frequently used services. Caution is also warranted because scans are sometimes run only weekly, which can temporarily leave the site non-compliant. Integrated Tag and Consent Management makes automatic scanning and blocking unnecessary.
Block Google Maps & YouTube by default
Because Google Maps and YouTube transmit IP addresses and other device data to Google and set cookies when their scripts and iFrames load, they must not load by default without consent. Here, so-called content blocking is recommended: without consent, only a notice about the hidden content appears, with the option to activate it deliberately via consent.
ABOUT THE AUTHOR
JustRelate
The benchmarks in this report are drawn from etracker’s measurement dataset — a Hamburg-based web analytics and consent management platform built around a consent-exempt architecture compliant with the ePrivacy Directive (TDDDG in Germany, LIL in France) and the GDPR. By avoiding analytical cookies and device fingerprinting and processing data exclusively in Germany, it measures up to 99% of visits and conversions.
etracker is part of the JustRelate Group, whose AI-powered platform, JustRelate Home, orchestrates a company’s entire MarTech stack — email building, web development, marketing automation, CRM, portals, CPQ, and analytics — with built-in AI that generates, localizes, and optimizes on-brand content across languages, regions, and channels.
4000+
happy customers
200+
great employees
100k+
global active users
30+
years of innovation
This content has been carefully researched; however, we assume no liability for its accuracy, completeness, or timeliness. It cannot replace individual legal advice.

Start your 30-day audit
Is your data compliant and AI-ready? Move past guesswork — verify every consent point against real requirements.
