Cookie consent on your website: what are the rules in Europe?

Pexels fotios photos 230325

If you measure visitors on your website with tools such as Google Analytics, Facebook Pixel or Hotjar, you have to deal with European cookie legislation. Many websites still place tracking cookies without valid consent - and this is not allowed. In this article, we explain exactly what the rules are around cookie consent, what is allowed, and how you, as a website owner, can regulate this properly.

What is cookie consent?

Cookie consent means: asking permission from your visitors to place cookies that are not strictly necessary. Think of:

  • Google Analytics (without anonymisation)
  • Remarketing via Facebook, LinkedIn or Google
  • Hotjar, Mouseflow, etc.
  • YouTube or Vimeo embeds with tracking

Without consent, these cookies may not be placed - even on the first page view.

What does European law say?

The ePrivacy Directive and the AVG (GDPR) together state that:

  1. You must seek clear and specific consent for cookies that process personal data.
  2. Consent must be actively given (no pre-ticked boxes).
  3. Visitors must be given information about what you are measuring and for what purpose.
  4. You must be able to prove that you have obtained consent.
  5. You may only place cookies after consent - not before.

What is allowed without consent?

There are some cookies that do not require consent, for example:

  • Functional cookies (such as login status, shopping basket)
  • Cookies required for security (e.g. load balancing)
  • Analytics with 100% anonymised data (but note that even "anonymised" Google Analytics is not always secure within the AVG)

What happens if you don't comply?

The Personal Data Authority in the Netherlands (and similar bodies in other EU countries) can impose fines, send warnings or investigate your website.

In addition, users and customers are increasingly walking away from companies that are not transparent about tracking.

✋ Many websites use Google Analytics without permission and without privacy-friendly settings. This is not allowed.

How do you arrange cookie consent properly?

Use a law-compliant consent platform, such as:

  • Cookiebot/Usercentrics
  • Complianz
  • CookieYes

In doing so, note:

  • Cookie banner must not 'hide'
  • User must be able to refuse cookies
  • User must be able to change their preference
  • You may only load scripts once permission has been given (via prior consent or tag manager integration)

Google Analytics and cookie consent

Google Analytics is only allowed if you have explicit consent to set cookies. Do you want it to be allowed without consent? Then you need to:

  • Anonymise IP addresses
  • Turn off all data sharing with Google
  • Do not share data with other Google services
  • Do not use remarketing
  • Do not use user IDs

Even then, it remains grey area - and it's better to opt for explicit consent via a banner.

📌 Since the Schrems II ruling and the stricter role of the AVG, it is advised to consider alternatives such as Matomo or Plausible.

Conclusion

The rules around cookie consent are clear: no tracking without consent. Do you want secure, transparent and AVG-proof measurement on your website? Then make sure that:

  • Use a good cookie banner
  • Only load cookies after consent
  • Log preferences and keep them up to date
  • Give visitors the possibility to adjust their permission

PixelDeluxe is happy to help you implement cookie consent correctly on your website - including Cookiebot, Tag Manager and script blocking.

Interested in our approach?

Would you like to know what we can do for you? Feel free to contact us or sign up for a tailored work plan and discover the possibilities.