Cookie consent compliance is about more than a banner. Websites must identify cookies, pixels, SDKs, tags, fingerprinting scripts, analytics tools, and advertising technologies; classify them by purpose; block non-essential tracking until valid consent where required; keep consent logs; honor withdrawals; update privacy and cookie notices; and review third-party sharing. GDPR, ePrivacy rules, KVKK, CCPA/CPRA, and regulator guidance all affect website tracking. The highest-risk areas are advertising pixels, cross-site tracking, dark-pattern banners, pre-ticked choices, and tools added by marketing teams without legal review.
Cookie compliance looks simple from the outside: add a banner and move on. In reality, tracking compliance is one of the most operationally messy parts of privacy law. Modern websites use analytics, A/B testing, chat widgets, embedded media, heatmaps, ad pixels, affiliate tags, conversion APIs, personalization tools, and consent platforms. Each tool may collect device identifiers, IP addresses, browsing behavior, or profile data.
This guide is part of the Kurums Law department and its Data Privacy and KVKK pillar. It explains how to build a practical cookie and tracking compliance program for business websites, including consent design, tag governance, cookie notices, adtech sharing, and audit checks.
Key Takeaways
Are all cookies illegal without consent?
No. Strictly necessary cookies may usually operate without consent. Analytics, advertising, personalization, social media, and similar non-essential trackers often require consent or opt-out controls depending on jurisdiction.
What is prior blocking?
Prior blocking means non-essential cookies and tags do not fire until the user has given valid consent.
What makes a banner risky?
Pre-ticked boxes, no reject button, confusing colors, bundled purposes, hidden settings, hard-to-withdraw choices, and firing tags before consent.
Why does adtech create special risk?
Advertising pixels may share identifiers and behavior with third parties for targeting, measurement, retargeting, and profiling. This can trigger consent, opt-out, sale/share, and transfer obligations.
What are cookies and tracking technologies?
Cookies are small files stored on a user’s device, but tracking compliance also covers many non-cookie technologies. Pixels, tags, SDKs, local storage, device fingerprinting, session replay, conversion APIs, and embedded third-party tools can all collect or transmit information about users and devices.
The legal issue is not the word “cookie.” The issue is whether the technology stores information on a device, reads information from a device, identifies or profiles a person, tracks behavior, shares data with third parties, or supports advertising and analytics. A website can have serious tracking risk even if traditional cookies are limited.
How should cookies be classified?
Cookie classification determines which tools can run by default and which require consent or opt-out controls. Most websites should classify tools into strictly necessary, functional, analytics, performance, personalization, advertising, social media, and security categories.
What does valid cookie consent require?
Valid consent should be freely given, specific, informed, unambiguous, and withdrawable. For cookie banners, this usually means clear choices, no pre-ticked boxes, no non-essential tags before consent, a reject option that is as accessible as accept where required, granular purposes, and an easy way to change preferences later.
The most common failure is visual manipulation. If the accept button is bright and the reject option is hidden in a settings menu, regulators may treat the interface as a dark pattern. If tags fire before the user chooses, the banner becomes cosmetic rather than functional. If consent logs are not retained, the company may struggle to prove consent.
How do GDPR, KVKK, and CCPA affect tracking?
Website tracking is affected by overlapping privacy and electronic communications rules. GDPR controls personal data processing, ePrivacy-style rules control device storage and access, KVKK controls Turkish personal data processing and consent where applicable, and California rules may treat certain adtech disclosures as sale or sharing.
This is why global sites often need layered controls: EU-style consent for non-essential cookies, Turkish notices and consent logic where relevant, California “Do Not Sell or Share” or opt-out mechanisms where required, and contract controls with adtech and analytics providers. The same pixel may trigger different obligations for different users.
What should a cookie notice include?
A cookie notice should explain what tracking technologies are used, who uses them, why they are used, how long they last, whether third parties receive data, and how users can manage choices. It should not be a generic statement that “we use cookies to improve your experience.”
- Categories of cookies and trackers.
- Specific purposes for each category.
- First-party and third-party providers.
- Cookie duration or expiration.
- Legal basis or consent requirement.
- International transfer information where relevant.
- How to withdraw or change consent.
- Link to the main privacy notice.
Cookie compliance checklist
- Scan the website for cookies, pixels, tags, SDKs, local storage, and third-party calls.
- Classify each tool by purpose and provider.
- Identify which tools are strictly necessary and which are optional.
- Block non-essential tags before consent where required.
- Design balanced accept, reject, and settings choices.
- Keep consent logs with timestamp, version, choices, and jurisdiction where practical.
- Update cookie notice and privacy notice.
- Review adtech providers and contracts.
- Implement California sale/share opt-outs where applicable.
- Repeat scans after marketing, plugin, theme, or analytics changes.
Infographic: Cookie Governance Workflow
Scan -> Classify -> Block -> Collect choices -> Store proof -> Honor withdrawal -> Review vendors -> Re-scan after changes
How should companies manage ad pixels and analytics?
Ad pixels and analytics tools require special review because they can transmit user identifiers, page visits, events, purchases, form activity, and device information to third parties. Some tools support privacy-preserving configurations; others are designed for cross-site profiling and advertising measurement.
Businesses should ask four questions before enabling a tracker: Is it necessary? What data does it collect? Who receives the data? Can it be configured to reduce risk? Options may include IP masking, disabling advertising features, limiting retention, server-side controls, consent mode, regional blocking, or replacing intrusive tools with lower-risk analytics.
How should consent records be stored?
Consent records should show what the user was told, what choice the user made, when the choice was made, and which version of the notice or banner applied. Without that evidence, a company may have a functioning banner but weak proof. This matters during regulator inquiries, customer audits, advertising partner reviews, and disputes about marketing consent.
A useful consent log includes timestamp, consent status by category, banner version, policy version, country or region logic, device or session identifier where lawful, and withdrawal events. The log should not collect excessive data merely to prove consent. It should be proportionate, secured, retained for a defined period, and connected to the preference center so withdrawals are honored across tags and systems.
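Prior blocking (no non-essential tag runs until a choice exists), the consent log fields listed above, and withdrawal that actually stops tracking, shown together as an added JavaScript example. This is not Kurums Law's code and not any consent platform's API. The tag ids, category names, cookie names, version strings and the in-memory cookie jar are assumptions for illustration; on a live site the jar would be document.cookie and the log would be sent to a server.

```javascript
// Added example (not from the original guide): an in-memory consent gate.
// Assumptions: tag registry, categories, cookie names and version strings
// are constructed for illustration; a Map stands in for document.cookie so
// the example runs outside a browser.

const BANNER_VERSION = "banner-v3";          // assumed banner version
const NOTICE_VERSION = "cookie-notice-1.4";  // assumed cookie notice version

// Registry of tags. Only "necessary" may run before the visitor chooses.
// `cookies` lists what each tag sets, so withdrawal can remove them.
const TAGS = [
  { id: "session",   category: "necessary",   cookies: ["sid"] },
  { id: "analytics", category: "analytics",   cookies: ["_an_id"] },
  { id: "ad-pixel",  category: "advertising", cookies: ["_ad_id"] },
];

class ConsentGate {
  constructor(tags, now = () => new Date().toISOString()) {
    this.tags = tags;
    this.now = now;          // injectable clock so timestamps are testable
    this.consent = null;     // no record until the visitor chooses
    this.log = [];           // append-only consent log: the proof
    this.jar = new Map();    // cookie name -> tag that set it (simulated)
    this.loaded = new Set(); // tags currently running
    this.fired = [];         // every tag execution, in order (audit trail)
    this.apply();            // strictly necessary tags run immediately
  }

  categories() {
    return [...new Set(this.tags.map(t => t.category))].filter(c => c !== "necessary");
  }

  // A category is permitted only if strictly necessary or explicitly granted
  // in the current record; while consent is null nothing else is permitted.
  allowed(category) {
    if (category === "necessary") return true;
    return this.consent !== null && this.consent.choices[category] === true;
  }

  // Prior blocking: run each permitted tag once, never speculatively.
  apply() {
    for (const tag of this.tags) {
      if (this.loaded.has(tag.id) || !this.allowed(tag.category)) continue;
      this.loaded.add(tag.id);
      this.fired.push(tag.id);
      for (const name of tag.cookies) this.jar.set(name, tag.id);
    }
  }

  // Honour withdrawal: unload tags whose category is no longer permitted and
  // delete their cookies. (Some vendors also need a server-side opt-out.)
  purge() {
    for (const tag of this.tags) {
      if (this.allowed(tag.category)) continue;
      this.loaded.delete(tag.id);
      for (const name of tag.cookies) this.jar.delete(name);
    }
  }

  // Record a choice. Categories the visitor did not tick default to false,
  // so nothing is consented by omission (no pre-ticked boxes).
  record(event, choices, region) {
    const normalised = {};
    for (const c of this.categories()) normalised[c] = choices[c] === true;
    const entry = {
      event,                         // "accept", "reject", "update", "withdraw"
      timestamp: this.now(),
      bannerVersion: BANNER_VERSION,
      noticeVersion: NOTICE_VERSION,
      region,                        // which jurisdiction logic applied
      choices: normalised,
    };
    this.log.push(entry);
    this.consent = entry;
    this.purge();
    this.apply();
    return entry;
  }

  acceptAll(region) {
    return this.record("accept", Object.fromEntries(this.categories().map(c => [c, true])), region);
  }
  rejectAll(region)       { return this.record("reject", {}, region); }
  update(choices, region) { return this.record("update", choices, region); }
  withdraw(region)        { return this.record("withdraw", {}, region); }
}

// Walk through first visit, granular accept, withdrawal and re-consent.
function walkthrough() {
  let tick = 0;
  const gate = new ConsentGate(TAGS, () => `2024-06-01T00:00:0${tick++}Z`);
  const firstVisit = [...gate.fired];
  gate.update({ analytics: true }, "EU");
  const afterGranular = [...gate.fired];
  gate.withdraw("EU");
  const cookiesAfterWithdraw = [...gate.jar.keys()];
  gate.acceptAll("EU");
  const cookiesAfterReconsent = [...gate.jar.keys()];
  return { firstVisit, afterGranular, cookiesAfterWithdraw, cookiesAfterReconsent,
           logEvents: gate.log.map(e => e.event) };
}
```

The walkthrough is the same sequence a post-launch test should exercise: before any choice only the session tag runs, a granular choice loads exactly one more tag, withdrawal removes that tag's cookie, and each step leaves a log entry carrying the banner and notice versions that were in force.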
Who should own cookie governance?
Cookie governance usually fails when no one owns the gap between marketing, legal, and engineering. Marketing wants fast campaign deployment. Engineering controls the tag manager and site code. Legal understands consent and disclosure duties. Security may review third-party scripts. Procurement may own vendor contracts. A working model assigns clear approval gates for new tags and periodic audits for existing tags.
A simple operating rule works well: no new tracking tool goes live until it has an owner, purpose, vendor, data description, category, retention period, jurisdictional consent rule, and contract status. This does not need to be bureaucratic. A one-page tag intake form linked to the tag manager change process can prevent most website privacy drift.
What should be checked after a banner goes live?
Cookie compliance must be verified after implementation, not assumed from the consent platform settings. Test the website as a first-time visitor, reject all cookies, accept selected categories, withdraw consent, and revisit the page in a new session. Check which cookies are placed and which network calls fire in each scenario.
Also test mobile layouts, embedded videos, forms, checkout pages, and landing pages used for paid campaigns. Many compliance failures happen outside the homepage. A campaign page built quickly by marketing may load ad pixels before the global consent banner controls them.
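The "check which cookies are placed and which network calls fire in each scenario" step, as an added example that is not part of the original guide: an audit over a HAR file exported from the browser's developer tools while visiting a page in one consent state. The vendor map, first-party hostnames and the HAR entries are constructed for illustration; a real run would load the exported HAR and the site's own vendor classification.

```javascript
// Added example (not from the original guide): audit a HAR capture against
// the consent state of the scenario it was recorded in. Hostnames,
// categories and HAR entries below are constructed.

// Assumed vendor classification: hostname -> category (from the tag inventory).
const VENDOR_MAP = {
  "cdn.example-site.com": "necessary",
  "analytics.example-vendor.com": "analytics",
  "px.example-ads.net": "advertising",
};

// Assumed first-party hosts; calls to them count as necessary for this check.
const FIRST_PARTY = ["example-site.com"];

function matchesHost(host, base) {
  return host === base || host.endsWith("." + base);
}

// Classify a request host. Anything unclassified is reported, because an
// unknown third party is exactly the "tag added without review" case.
function categoryFor(host) {
  for (const [vendor, category] of Object.entries(VENDOR_MAP)) {
    if (matchesHost(host, vendor)) return category;
  }
  if (FIRST_PARTY.some(base => matchesHost(host, base))) return "necessary";
  return "unknown";
}

// consented: { analytics: bool, advertising: bool } for the scenario; pass {}
// for "first visit, no choice yet" or "reject all".
function auditHar(har, consented) {
  const findings = [];
  for (const entry of har.log.entries) {
    const url = entry.request.url;
    const host = new URL(url).hostname;
    const category = categoryFor(host);
    const permitted = category === "necessary" || consented[category] === true;
    if (permitted) continue;
    const setsCookie = (entry.response.headers || [])
      .some(h => h.name.toLowerCase() === "set-cookie");
    findings.push({
      host, category, url, setsCookie,
      reason: category === "unknown" ? "unclassified third party" : "fired without consent",
    });
  }
  return findings;
}

// Constructed HAR fragment: what a first visit with no choice made might show.
const SAMPLE_HAR = { log: { entries: [
  { request: { url: "https://www.example-site.com/" },
    response: { headers: [{ name: "Set-Cookie", value: "sid=abc; HttpOnly; Secure" }] } },
  { request: { url: "https://cdn.example-site.com/app.js" }, response: { headers: [] } },
  { request: { url: "https://analytics.example-vendor.com/collect?v=1" },
    response: { headers: [{ name: "Set-Cookie", value: "_an_id=1; Max-Age=63072000" }] } },
  { request: { url: "https://px.example-ads.net/pixel.gif?ev=PageView" }, response: { headers: [] } },
  { request: { url: "https://widget.example-chat.io/boot.js" }, response: { headers: [] } },
] } };

// Run the same capture against the states a tester walks through.
function run() {
  return {
    noChoice: auditHar(SAMPLE_HAR, {}),
    rejectedAll: auditHar(SAMPLE_HAR, { analytics: false, advertising: false }),
    analyticsOnly: auditHar(SAMPLE_HAR, { analytics: true }),
  };
}
```

Each finding names the host, the category it was classified under, whether the response tried to set a cookie, and why it is a problem. On the sample capture the "no choice" and "reject all" scenarios both produce three findings (an analytics call that also sets a two-year cookie, an advertising pixel, and an unclassified chat widget); granting analytics alone leaves two.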
Common cookie compliance mistakes
The most common cookie compliance mistakes are easy to miss because the website appears to work normally. Tags fire before consent, the reject option is hidden, analytics is treated as strictly necessary, cookie lists are outdated, withdrawal does not stop future tracking, and third-party pixels are added through the tag manager without legal review.
Another frequent mistake is ignoring regional differences. A banner configured for one jurisdiction may not satisfy another. Global businesses should apply jurisdiction logic carefully, but they should avoid making the experience so fragmented that consent records become impossible to maintain. Simple, conservative controls are often easier to operate than complex regional exceptions.
The final mistake is failing to retest after design changes. A new landing-page builder, embedded form, chat widget, or video component can bypass the consent setup. Cookie governance should be part of release management, not an annual legal clean-up project.
Related Guides
- Data Privacy Law: GDPR, KVKK, CCPA, and Cross-Border Compliance. The master guide for privacy compliance programs.
- GDPR Compliance for Businesses. Lawful basis, transparency, and accountability for tracking.
- Data Processing Agreements. Vendor terms for analytics, marketing, and tracking providers.