GDPR Cookie Consent for Ecommerce: What You Actually Need (and What You Don't)
A practical guide to cookie consent for online stores selling in the EU and UK. Covers consent platforms, what counts as 'essential,' how to handle analytics, and the fines that have actually been issued.
Cookie consent banners are the most-clicked-through, least-understood compliance feature on the modern web. Most ecommerce stores have one because they think they have to. Most of them are configured wrong. And a meaningful number of them are technically violating the very regulations they're trying to comply with.
This guide is for store owners who want to actually understand the requirements — not just install a plugin and hope.
What GDPR Actually Says About Cookies
GDPR (the EU's General Data Protection Regulation) and the ePrivacy Directive together create the legal framework for cookies in the EU and UK. The rules are simpler than the average banner suggests:
- Strictly necessary cookies (cart contents, login state, CSRF tokens) require no consent.
- Everything else — analytics, advertising, A/B testing, personalization, social media embeds — requires opt-in consent before the cookie is set.
- Consent must be freely given (no cookie wall), specific (per-purpose, not blanket), informed (clear description), and unambiguous (no pre-checked boxes).
- Withdrawing consent must be as easy as giving it.
The Most Common Mistake: Cookies Set Before Consent
The single most common GDPR violation on ecommerce stores is loading Google Analytics, Meta Pixel, or TikTok Pixel before the user has clicked accept. The cookie banner asks for permission, but the tracking script has already fired and set its cookies in the background.
This is a real, actionable violation. CNIL (France's data protection authority) has issued fines of €60M (Google) and €40M (Facebook) specifically for this pattern. Smaller stores are unlikely to face fines that size, but the threat of any enforcement action makes this worth fixing.
To verify your store handles this correctly, open DevTools → Application → Cookies before clicking anything in the banner. If you see _ga, _fbp, or similar tracking cookies already set, you have a problem.
What "Strictly Necessary" Actually Means
Some store owners try to claim everything is "strictly necessary" to avoid the consent flow. This doesn't hold up. Strictly necessary cookies must be required for a service the user explicitly requested. The list is short:
- Shopping cart state
- User authentication / session cookies
- CSRF tokens
- Load balancer routing
- Cookie consent preferences themselves
Analytics is not strictly necessary. "We need it to run our business" doesn't qualify. The user didn't request analytics — your business did.
Consent Platforms Worth Considering
For stores selling in the EU/UK, a proper Consent Management Platform (CMP) is worth the investment. The major options:
- Cookiebot: Strong scanner-based approach, identifies cookies automatically, IAB TCF v2.2 compliant. Pricing scales with site size.
- OneTrust: Enterprise-focused, deep integration options, more expensive.
- CookieYes: Affordable, well-suited for small stores, decent customization.
- Klaro: Open source, requires more technical setup but free.
- Iubenda: Good integrated approach for stores that also need privacy policy generation.
CCPA and Other US State Laws
The US has no federal privacy law. Instead, there's a patchwork of state laws — California (CCPA/CPRA), Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and growing. The legal model is generally opt-out (data collection is allowed by default; users can opt out) rather than opt-in.
This means the EU-style "Accept All / Reject All" banner is overkill for US-only stores — but it's not harmful. If you sell to both EU and US customers, a single banner with consent gating analytics is the simplest solution.
The Global Privacy Control (GPC) Signal
An often-overlooked requirement: California's CPRA mandates that stores honor the Global Privacy Control browser signal. Some browsers (Brave, Firefox with the toggle on) send a Sec-GPC: 1 header indicating "do not sell my data." Your store must respect this signal as an opt-out request from California users.
Most cookie consent platforms now handle this automatically. If yours doesn't, you have a gap.
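The gating logic that the "Cookies Set Before Consent" section and the GPC section together call for, as an added example (not StoreVitals code or any CMP vendor's): trackers load only for categories the visitor has opted into, and a GPC signal forces the marketing category off. The tracker list, the category names and the `inject` callback are assumptions.

```javascript
// Added example, not StoreVitals or any CMP vendor's code. Decides which
// tracking scripts may load from the stored consent record plus the Global
// Privacy Control signal. Tracker list and category names are assumptions.

const TRACKERS = [
  { name: 'Google Analytics', category: 'analytics' },
  { name: 'Meta Pixel', category: 'marketing' },
  { name: 'TikTok Pixel', category: 'marketing' },
];

// Until the visitor opts in, nothing beyond strictly necessary is granted.
const NO_CONSENT = { necessary: true, functional: false, analytics: false, marketing: false };

// GPC arrives as the request header "Sec-GPC: 1" (server side) or as
// navigator.globalPrivacyControl === true (client side). Either means opt-out.
function gpcSignalled({ secGpcHeader, navigatorGpc } = {}) {
  return secGpcHeader === '1' || navigatorGpc === true;
}

// Merge the stored record over the opt-in default, then apply GPC as an
// opt-out of sale/sharing: marketing is forced off even after "Accept All".
// Assumption: analytics is left to the stored choice; a store that wants to
// treat GPC as a full reject can clear that flag here as well.
function effectiveConsent(stored, gpc) {
  const consent = { ...NO_CONSENT, ...(stored || {}) };
  consent.necessary = true;             // strictly necessary is never gated
  if (gpc) consent.marketing = false;
  return consent;
}

// Names of trackers whose category is granted; everything else must not fire.
function trackersToLoad(stored, gpc) {
  const consent = effectiveConsent(stored, gpc);
  return TRACKERS.filter(t => consent[t.category] === true).map(t => t.name);
}

// Browser wiring: call once on page load (stored record read from your CMP's
// consent cookie) and again whenever the banner saves a new choice. `inject`
// is the function that appends a vendor's <script> tag; it is a parameter so
// the decision logic stays testable outside a browser.
function loadAllowedTrackers(stored, inject, browserNavigator) {
  const gpc = gpcSignalled({ navigatorGpc: browserNavigator && browserNavigator.globalPrivacyControl });
  const allowed = trackersToLoad(stored, gpc);
  allowed.forEach(inject);
  return allowed;
}
```

The important property is that no vendor script is referenced anywhere outside `inject`, so nothing can fire before `loadAllowedTrackers` has run with a real consent record.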
What Goes in a Compliant Cookie Banner
A compliant banner under GDPR shows:
- Clear explanation that cookies are being used
- Links to your cookie policy and privacy policy
- Equal-prominence "Accept All" and "Reject All" buttons (no dark patterns)
- Granular consent options for different categories (Analytics, Marketing, Functional, Necessary)
- A way to withdraw consent later (usually a small "Cookie Settings" link in the footer)
Pre-checked boxes for non-essential categories were explicitly outlawed by the European Court of Justice in the Planet49 case (2019). If your banner has them, you're noncompliant.
Auditing Your Store
To verify your store's cookie compliance:
- Run a free scan with our Cookie Consent Checker to identify the consent platform and detect analytics loading without consent.
- Manually test the banner: do "Accept" and "Reject" actually behave differently?
- Check for cookies set on initial page load (DevTools → Application → Cookies).
- Verify your privacy policy lists the specific cookies and their purposes.
- Confirm "Reject All" is as easy to find as "Accept All."
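The cookie check from the "Cookies Set Before Consent" section and the second and third steps above, as an added example that is not part of this guide or the StoreVitals scanner: it parses a `document.cookie` string and reports tracking cookies whose category the visitor has not granted, which covers both a fresh visit (nothing granted yet) and a "Reject All" click that should have left the jar clean. The tracking-cookie table is an assumed list of well-known vendor cookies and the sample jar is constructed.

```javascript
// Added example, not StoreVitals or any CMP vendor's code. Flags tracking
// cookies present in a document.cookie string whose category the visitor
// has not granted. The cookie-name table is an assumed list of well-known
// analytics/advertising cookies, not something the guide itself lists.

const TRACKING_COOKIES = {
  _ga:  { vendor: 'Google Analytics', category: 'analytics' },
  _gid: { vendor: 'Google Analytics', category: 'analytics' },
  _fbp: { vendor: 'Meta Pixel',       category: 'marketing' },
  _ttp: { vendor: 'TikTok Pixel',     category: 'marketing' },
};

// Parse "a=1; b=2" (the document.cookie format) into a name -> value map.
// Values may themselves contain "=", so split on the first one only.
function parseCookies(cookieString) {
  const jar = {};
  for (const part of (cookieString || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    const name = part.slice(0, idx).trim();
    if (name) jar[name] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Match exact names and property-suffixed variants such as _ga_<id>.
function classify(name) {
  for (const [prefix, info] of Object.entries(TRACKING_COOKIES)) {
    if (name === prefix || name.startsWith(prefix + '_')) return info;
  }
  return null;
}

// `consent` is the stored record, e.g. { analytics: true, marketing: false };
// null or undefined means nothing has been granted yet (fresh visit, or the
// banner has not been answered). Returns one entry per cookie that should
// not exist under that record.
function unauthorizedTrackingCookies(cookieString, consent) {
  const granted = consent || {};
  const findings = [];
  for (const name of Object.keys(parseCookies(cookieString))) {
    const info = classify(name);
    if (info && granted[info.category] !== true) {
      findings.push({ cookie: name, vendor: info.vendor, category: info.category });
    }
  }
  return findings;
}

// Constructed sample jar from a first visit, before any banner click.
const SAMPLE_JAR = 'cart=abc123; _ga=GA1.1.111.222; _ga_ABC12=GS1.1.1; _fbp=fb.1.1; csrftoken=x';
// In a browser: unauthorizedTrackingCookies(document.cookie, storedConsent)
// where storedConsent is whatever record your CMP has saved for this visitor.
```

Run it from the DevTools console on a fresh session before touching the banner, then again after "Reject All"; any findings in either run are the pattern the guide describes.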
The Bottom Line
Most stores selling in Europe have a banner that looks compliant but isn't because tracking scripts fire before consent. Fix that one issue and you've solved 80% of the legal exposure. The remaining 20% is making sure your banner is honest and your privacy policy reflects reality.
StoreVitals scans for the presence of consent platforms and tracking scripts on your store's homepage. It can't make legal judgments — that's what a privacy lawyer is for — but it can flag the most common technical pattern that gets stores into trouble.