A practical developer's guide to GDPR cookie compliance that maps your application type to exact requirements - from static sites to SaaS platforms.
Alessandro Frank
CTO
GDPR Cookie Consent for Developers: A Practical Guide to Compliance
tl;dr
Depending on what your application does, you have differing obligations - or none. See the table below for quick reference.
Introduction
The General Data Protection Regulation (GDPR), also known as DSGVO in German-speaking jurisdictions and effective since May 25, 2018, has had a profound impact on your browsing experience. You have seen the banners.
Developers bear the brunt of this regulation: it is unreasonable to expect someone who is paid too little to get a website up and running to also learn how to interpret arcane legal documents.
Depending on who you ask, you will be told that you need to implement an audit trail of consent interactions, or that an "accept all" button with no underlying functionality does the job. Both can be true, but who wants to find out personally, at the risk of a fine running into millions?
This article gives developers a reference that covers most web-based use cases and helps map the functionality you implemented to the minimal compliance requirements.
Why GDPR matters for Cookies
Cookies, small text files stored on users' devices, can collect personal data like IP addresses or browsing behavior, making them subject to GDPR if they identify individuals. Non-compliance risks hefty fines: up to €20 million or 4% of annual global turnover, whichever is higher. Recent enforcement trends show increased scrutiny: in 2023, fines for cookie-related violations spiked, with cases like a €40 million penalty against a major tech firm for non-compliant consent practices. The ePrivacy Directive, which complements GDPR, further mandates explicit consent for non-essential cookies. For developers, this means ensuring applications align with legal requirements without breaking functionality.
For the official GDPR text, refer to the EU's GDPR Regulation: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
Core Principles for Developers
GDPR and the ePrivacy Directive require:
- Informed Consent: Users must know what data cookies collect, why, and by whom before consenting.
- Granular Control: Users should choose which cookie categories (e.g., analytics, marketing) to allow.
- Transparency: Cookie policies must be clear, accessible, and linked from banners.
- Easy Withdrawal: Revoking consent must be as simple as giving it.
- Audit Trail: Document consent to prove compliance during audits.
- No Cookie Walls: Access to services cannot be conditional on non-essential cookie consent.
These principles apply differently depending on your application's complexity, from static sites to SaaS platforms.
Application Logic vs Cookie Banner Requirements
Below is a table outlining how different application logics impact cookie banner requirements, consent storage, and related considerations. It covers the spectrum from static "business card" websites to SaaS platforms handling highly sensitive data.
Raw Static Website (e.g., HTML-only portfolio site, no tracking)
- Cookie Banner Requirements: No banner required. Only strictly necessary cookies (e.g., session cookies for basic functionality) are used, which are exempt from consent per GDPR and ePrivacy Directive.
- Consent Storage: None needed, as no personal data is collected.
- Additional Considerations: Ensure no third-party scripts (e.g., embedded fonts or images) introduce cookies. Use a cookie scanner to verify. Include a basic cookie policy explaining no tracking occurs.

Static with Analytics (e.g., site with Google Analytics or similar)
- Cookie Banner Requirements: Banner required with checkboxes for analytics cookies. Must include:
  - Clear info on cookie purpose (e.g., "Google Analytics tracks page views")
  - Opt-in for non-essential cookies (no pre-ticked boxes)
  - Link to cookie policy
  - "Accept" and "Reject" buttons with equal prominence
- Consent Storage: Store consent record (e.g., user ID, timestamp, cookie categories accepted). Local storage or a lightweight database suffices for small sites.
- Additional Considerations: Specify third-party data recipients (e.g., Google). Update policy if analytics tools change. Ensure cookies don't load until consent is given (use tag manager scripts).

Dynamic Website with Personalization (e.g., e-commerce with user accounts, preferences)
- Cookie Banner Requirements: Banner with granular options for analytics, preferences, and marketing cookies. Include:
  - Details on cookie types (e.g., "Preferences cookies store login details")
  - Granular toggles for each category
  - Clear withdrawal instructions
  - Link to preference center
- Consent Storage: Database for consent audit trail: user ID, consent timestamp, selected categories, policy version, and withdrawal option. Use a Consent Management Platform (CMP) like Cookiebot for automation.
- Additional Considerations: Ensure third-party cookies (e.g., payment processors) are disclosed. Regularly audit cookies for compliance. Implement a preference center for users to revisit choices.

SaaS with Subscriptions and Payment Processing (e.g., subscription-based service with Stripe)
- Cookie Banner Requirements: Comprehensive banner with toggles for essential, analytics, marketing, and functional cookies. Include:
  - Details on data shared with payment processors
  - Granular consent options
  - Preference center link
  - No pre-selected non-essential cookies
- Consent Storage: Robust database for consent audit trail: user ID, consent timestamp, categories, IP address, device info, and policy version. CMPs are recommended for scalability.
- Additional Considerations: Comply with GDPR's data minimization principle for payment data. Disclose third-party processors (e.g., Stripe) in policy. Ensure secure storage of consent logs for audits.

SaaS with Highly Personal Data, Unencrypted (e.g., medical journal platform storing health data)
- Cookie Banner Requirements: Advanced banner with strict compliance:
  - Explicit consent for all non-essential cookies
  - Detailed disclosure of data processing (e.g., "Analytics cookies track usage patterns")
  - Preference center with granular controls
  - Clear withdrawal mechanism
- Consent Storage: Enterprise-grade database for consent audit trail: user ID, consent timestamp, categories, IP, device, policy version, and proof of consent (e.g., screenshot or click log). Use CMPs with audit-ready reporting.
- Additional Considerations: Health data is "special category" under GDPR (Article 9), requiring explicit consent and enhanced security. Conduct Data Protection Impact Assessments (DPIAs). Notify users of breaches within 72 hours (Article 34).

SaaS with Highly Personal Data, Encrypted on User's Device (e.g., medical journal with client-side encryption, SaaS has no keys)
- Cookie Banner Requirements: Same banner requirements as unencrypted SaaS, but clarify encryption in policy (e.g., "Data is encrypted on your device; we cannot access it"). Granular toggles and withdrawal options still apply.
- Consent Storage: Same audit trail as unencrypted SaaS, but note encryption in logs to demonstrate limited access. Use CMPs for consistency.
- Additional Considerations: Client-side encryption reduces GDPR obligations for data processing (as the SaaS cannot access the data), but cookie consent still applies if tracking occurs. Clearly state in policy that data is inaccessible to the SaaS. DPIAs may still be required for tracking cookies.
Consent Audit Trail: When and How
A consent audit trail is necessary whenever non-essential cookies are used, as GDPR requires proof of compliance (Article 7). Here's how to implement it:
What to Store:
- User Identifier: Anonymous ID or session ID (avoid personal data unless necessary)
- Policy Version: Link to the cookie policy version at the time of consent
- Method: How consent was given (e.g. banner click, preference center)
- Withdrawal Option: Proof that users can revoke consent (e.g. preference center access)
Storage Mechanism:
- Static Sites with Analytics: Local storage or a simple JSON file on the server suffices for small-scale consent tracking
- Dynamic Sites/SaaS: Use a database (e.g., MySQL, PostgreSQL) or a CMP like OneTrust or Cookiebot to automate logging. Ensure encryption for stored consent data to comply with GDPR's security principle (Article 32)
- High-Sensitivity SaaS: Enterprise-grade databases with audit-ready reporting (e.g., MongoDB with audit plugins or CMPs with compliance dashboards). Retain logs for at least 12 months or as required by local regulations
When it’s necessary:
Required for any site using non-essential cookies. For raw static sites with no cookies, no audit trail is needed. For SaaS platforms, especially those handling sensitive data, robust audit trails are critical to demonstrate compliance during regulatory audits.
Handling Encrypted Personal Data
For SaaS platforms storing highly personal data (e.g., medical journals) encrypted on the user's device with no access to decryption keys, GDPR obligations are reduced but not eliminated:
- Data Processing: If the SaaS cannot access the data (e.g., end-to-end encryption), it's not considered a data processor for that data under GDPR (Article 4). However, cookies used for tracking or analytics still require consent.
- Cookie Compliance: Tracking cookies (e.g., for usage analytics) still fall under GDPR and ePrivacy Directive. You must implement a consent banner and audit trail as described above.
- Policy Clarity: Explicitly state in your cookie and privacy policies that user data is encrypted client-side and inaccessible to the SaaS. This builds trust and clarifies your limited role in data processing.
- DPIA Consideration: Even with encryption, a Data Protection Impact Assessment may be required if tracking cookies process personal data (Article 35). Consult a legal expert to confirm.
Implementation Tips for Developers
- Use a CMP: There are tools to help navigate the jungle. They offer varying degrees of automagical integration and customizability, from audit logs to the UI:
- Geo-Targeting: Use geolocation to display banners only to EU users, as GDPR applies to EU residents regardless of your business's location (Article 3).
- Avoid Dark Patterns: Ensure "Reject" buttons are as prominent as "Accept" buttons. Pre-ticked boxes for non-essential cookies are non-compliant.
- Regular Audits: Scan your site quarterly for new cookies introduced by third-party scripts (e.g., via updates to analytics tools). Of course this applies only if regulations or page functionality changed.
- Secure Storage: Encrypt consent logs and store them securely to comply with GDPR's integrity and confidentiality principle.
- User-Friendly Policies: Write cookie policies in plain language, avoiding jargon. Include a link in your site's footer and banner.
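The "regular audits" tip above, as an added example that is not from the original article: a small audit helper that compares the cookies actually present (a document.cookie-style string, or the Cookie header your server receives) against the cookie inventory declared in your policy. It reports cookies the policy does not declare, which is how a third-party script update typically shows up, and non-essential cookies that are set although the user rejected their category. The inventory format (name or "prefix*" pattern, category, recipient) and the sample cookie string are this example's own constructions.

```javascript
// Added example, not from the article: compare present cookies with the
// declared inventory. Inventory format and sample data are constructed here.
'use strict';

// Parse "a=1; b=2" into [{name, value}]. Values may themselves contain '='.
function parseCookieString(str) {
  return str.split(';')
    .map((part) => part.trim())
    .filter(Boolean)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1
        ? { name: part, value: '' }
        : { name: part.slice(0, eq).trim(), value: part.slice(eq + 1) };
    });
}

// Inventory names are exact, or a prefix followed by '*' (GA4 sets _ga_<id>).
function matchesPattern(pattern, name) {
  return pattern.endsWith('*')
    ? name.startsWith(pattern.slice(0, -1))
    : name === pattern;
}

// inventory: [{ name, category, recipient }], consent: { category: true|false }.
// 'essential' cookies need no consent (the ePrivacy exemption); every other
// category requires an explicit true in the consent record.
function auditCookies(cookieString, inventory, consent) {
  const report = { undeclared: [], violations: [], declared: [] };
  for (const { name } of parseCookieString(cookieString)) {
    const decl = inventory.find((d) => matchesPattern(d.name, name));
    if (!decl) {
      report.undeclared.push(name);       // not in the policy: fix policy or remove cookie
      continue;
    }
    report.declared.push({ name, category: decl.category });
    if (decl.category !== 'essential' && consent[decl.category] !== true) {
      report.violations.push({ name, category: decl.category }); // set without consent
    }
  }
  return report;
}

// Constructed sample inventory and cookie jar for a stand-alone run.
const SAMPLE_INVENTORY = [
  { name: 'sessionid', category: 'essential', recipient: 'first party' },
  { name: 'cookieConsent', category: 'essential', recipient: 'first party' },
  { name: '_ga', category: 'analytics', recipient: 'Google' },
  { name: '_ga_*', category: 'analytics', recipient: 'Google' },
  { name: '_fbp', category: 'marketing', recipient: 'Meta' },
];
const SAMPLE_COOKIES =
  'sessionid=abc123; _ga=GA1.1.1; _ga_ABC123=GS1.1; _fbp=fb.1.1; newtool_id=xyz';

function runSampleAudit() {
  // User accepted analytics but rejected marketing; newtool_id is undeclared.
  return auditCookies(SAMPLE_COOKIES, SAMPLE_INVENTORY, { analytics: true, marketing: false });
}

console.log(JSON.stringify(runSampleAudit(), null, 2));
```

Run it from a scheduled job against a headless browser session, or feed it the Cookie header of a request made after rejecting everything: any entry in violations means a script is setting cookies before consent, and any entry in undeclared means the policy is out of date.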
Example Cookie Banner Code
Below is a minimal example of a GDPR-compliant cookie banner for a static site with analytics, using JavaScript and local storage. For SaaS, consider integrating with a CMP for scalability.
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>GDPR Cookie Banner</title>
  <style>
    .cookie-banner {
      position: fixed;
      bottom: 0;
      width: 100%;
      background: #333;
      color: #fff;
      padding: 20px;
      display: none; /* hidden until the script finds no consent record */
      justify-content: center;
      align-items: center;
      z-index: 1000;
    }
    /* One style for both buttons: "Reject All" is as prominent as "Save" */
    .cookie-banner button {
      margin: 0 10px;
      padding: 10px 20px;
      cursor: pointer;
    }
    .cookie-banner a {
      color: #fff;
      text-decoration: underline;
    }
  </style>
</head>
<body>
  <div id="cookieBanner" class="cookie-banner">
    We use cookies for analytics. <a href="/cookie-policy">Learn more</a>.
    <!-- Not pre-ticked: the user has to opt in -->
    <input type="checkbox" id="analyticsConsent"> Enable Analytics Cookies
    <button onclick="saveConsent()">Save</button>
    <button onclick="rejectAll()">Reject All</button>
  </div>
  <script>
    const POLICY_VERSION = '1.0';

    // Show the banner only if no consent record exists yet
    if (!localStorage.getItem('cookieConsent')) {
      document.getElementById('cookieBanner').style.display = 'flex';
    }

    // Persist the decision together with timestamp and policy version, then hide the banner
    function storeConsent(analytics) {
      localStorage.setItem('cookieConsent', JSON.stringify({
        analytics: analytics,
        timestamp: new Date().toISOString(),
        policyVersion: POLICY_VERSION
      }));
      document.getElementById('cookieBanner').style.display = 'none';
    }

    function saveConsent() {
      const analyticsConsent = document.getElementById('analyticsConsent').checked;
      storeConsent(analyticsConsent);
      if (analyticsConsent) {
        // Only now load the analytics script (e.g., Google Analytics), so no
        // analytics cookie is set before consent. Example:
        // const script = document.createElement('script');
        // script.src = 'ga.js';
        // document.head.appendChild(script);
      }
    }

    function rejectAll() {
      storeConsent(false);
    }
  </script>
</body>
</html>
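The banner above only records the decision; the other half of "cookies don't load until consent is given" is making sure that third-party scripts cannot run before that record says so. The following is an added example, not part of the article's banner: tracking scripts are written into the page as inert script tags of type text/plain, which the browser never fetches or executes, and on each page load only the tags whose category the stored consent allows are swapped for real script elements. The consent is read from the same localStorage key and record shape the banner writes ({ analytics: boolean, timestamp, policyVersion }); the data-cookie-category and data-src attribute names and the pure helper functions are this example's own.

```javascript
// Added example, not from the article: consent-gated script activation.
// Reads the banner's localStorage record; attribute names are this example's own.
'use strict';

// Parse the stored consent record. Anything missing or malformed means
// "no consent", so a broken record can never switch tracking on.
function readConsent(rawRecord) {
  if (typeof rawRecord !== 'string') return {};
  try {
    const parsed = JSON.parse(rawRecord);
    if (!parsed || typeof parsed !== 'object') return {};
    const consent = {};
    for (const [category, value] of Object.entries(parsed)) {
      if (value === true) consent[category] = true;   // only an explicit true counts
    }
    return consent;                                   // timestamp/policyVersion are dropped
  } catch (err) {
    return {};
  }
}

// Pure decision: which script descriptors may run under this consent.
// 'essential' scripts always run; every other category needs an explicit true.
function scriptsToActivate(consent, scripts) {
  return scripts.filter((s) => s.category === 'essential' || consent[s.category] === true);
}

// Browser-only part. Markup in the page looks like:
//   <script type="text/plain" data-cookie-category="analytics" data-src="ga.js"></script>
// Returns the number of gated tags found, for logging.
function activateConsentedScripts(doc, storage) {
  const consent = readConsent(storage.getItem('cookieConsent'));
  const tags = Array.from(doc.querySelectorAll('script[type="text/plain"][data-cookie-category]'));
  const descriptors = tags.map((tag) => ({
    category: tag.dataset.cookieCategory,
    src: tag.dataset.src,
    tag,
  }));
  for (const { src, tag } of scriptsToActivate(consent, descriptors)) {
    // Changing the type attribute in place would not execute the script;
    // a freshly created element inserted into the DOM does.
    const real = doc.createElement('script');
    if (src) real.src = src; else real.textContent = tag.textContent;
    tag.replaceWith(real);
  }
  return descriptors.length;
}

// Run on page load in a browser; harmless when imported elsewhere.
if (typeof document !== 'undefined' && typeof localStorage !== 'undefined') {
  activateConsentedScripts(document, localStorage);
}
```

Call activateConsentedScripts again from saveConsent() in the banner after the record is written, so a user who opts in does not have to reload the page; a user who withdraws consent later still needs a reload (or the script's own opt-out) because a script that already ran cannot be un-run, which is one reason to also delete the categories' cookies on withdrawal.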