Certyneo

Cookie Management: Consent and Trackers in E-commerce

Cookie compliance for e-commerce sites: GDPR/CNIL obligations, consent banner, tracker list and best practices 2026.

Certyneo Team · 3 min read


Introduction

Cookie management has become a major priority for any e-commerce site. Between legal obligations, user expectations regarding data protection and marketing requirements, finding the right balance proves complex. Since the GDPR came into effect in 2018 and the CNIL guidelines were published in 2020, the rules governing trackers have been significantly strengthened. Poor management exposes e-commerce businesses to heavy financial penalties (up to 20 million euros or 4% of global turnover) and loss of consumer trust. This practical guide will help you ensure your online store complies with regulations.

Understanding the different types of cookies and trackers

Not all cookies are equal in the eyes of the law. There are four main categories:

  • Strictly necessary cookies: essential for the site to function (shopping cart, user session, authentication). They do not require prior consent.
  • Functional cookies: improve user experience (language preferences, currency). Consent required.
  • Analytical cookies: measure audience (Google Analytics, Matomo). Consent generally required, except for CNIL exemptions for certain anonymised configurations.
  • Marketing and advertising cookies: cross-site tracking, retargeting, social networks (Meta Pixel, TikTok Pixel). Explicit consent mandatory.

Each tracker collects potentially sensitive personal data: IP address, browsing behaviour, purchase history, advertising identifiers. Mapping all the cookies deposited on your site is the essential first step to any compliance effort.

For consent to be legally valid, it must meet four criteria defined by the GDPR (Article 4(11)): it must be free, specific, informed and unambiguous. In practice, your cookie banner must:

  • Clearly inform the user of the purposes of each tracker category
  • Offer an equivalent choice: the "Accept All" and "Refuse All" buttons must be equally visible and accessible
  • Allow granular consent by purpose (analytics, marketing, personalisation)
  • Block the deposit of non-essential cookies before the user takes positive action
  • Retain proof of consent and allow its withdrawal at any time

Dark patterns (pre-ticked boxes, hidden "refuse" button, scrolling as acceptance) are explicitly prohibited by the CNIL. Several major players (Google, Facebook, Amazon) have been sanctioned for breaching these rules, with fines exceeding 150 million euros.

For e-commerce sites handling significant visitor volumes, the use of a CMP (Consent Management Platform) becomes virtually essential. These solutions (Didomi, Axeptio, OneTrust, Cookiebot) automate consent management: regular cookie scanning, conditional script blocking, logging of user choices, multi-jurisdictional adaptation (GDPR, CCPA, LGPD).

Combined with Google Consent Mode v2, a CMP allows you to maintain consistent audience measurement even when users refuse tracking, thanks to conversion modelling. On the technical side, favour a tag manager (GTM) configured to trigger tags only after consent, and document your cookie policy on a dedicated page detailing the lifetime, issuer and purpose of each tracker.
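The banner requirements listed earlier (block non-essential trackers before a positive action, granular consent by purpose, proof of consent, withdrawal) and the consent-gated tag firing described above can be expressed as a small default-deny gate. This is an added example, not Certyneo's code or any CMP's API: `createConsentGate`, the category names and the tag ids are hypothetical, while the signal names are the Consent Mode v2 consent types.

```javascript
// Added example. Category names and tag ids are constructed for illustration.
const CATEGORIES = ["functional", "analytics", "marketing"];
// Consent Mode v2 consent types driven by each category.
const CONSENT_MODE_MAP = {
  functional: ["functionality_storage", "personalization_storage"],
  analytics: ["analytics_storage"],
  marketing: ["ad_storage", "ad_user_data", "ad_personalization"],
};

function createConsentGate(now = () => new Date().toISOString()) {
  const granted = new Set(); // default deny: empty until a positive action
  const pending = [];        // non-essential tags waiting for consent
  const fired = new Set();   // tag ids already loaded
  const log = [];            // append-only record of choices (proof of consent)

  function flush() {
    for (const tag of pending) {
      if (granted.has(tag.category) && !fired.has(tag.id)) {
        fired.add(tag.id);
        tag.load();
      }
    }
  }
  return {
    // Strictly necessary tags load at once; everything else is queued.
    register(id, category, load) {
      if (category === "necessary") { fired.add(id); load(); return; }
      if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
      pending.push({ id, category, load });
      flush();
    },
    // Only an explicit `true` grants a category; withdrawal is a call with none set.
    setConsent(choices) {
      granted.clear();
      for (const c of CATEGORIES) if (choices[c] === true) granted.add(c);
      log.push({ at: now(), choices: Object.fromEntries(CATEGORIES.map((c) => [c, granted.has(c)])) });
      flush();
    },
    // Object suitable for gtag('consent', 'default' | 'update', state).
    consentModeState() {
      const state = {};
      for (const [cat, signals] of Object.entries(CONSENT_MODE_MAP))
        for (const s of signals) state[s] = granted.has(cat) ? "granted" : "denied";
      return state;
    },
    firedTags: () => [...fired],
    proof: () => log.map((e) => ({ at: e.at, choices: { ...e.choices } })),
  };
}
```

Withdrawal here stops any further tag from loading but cannot unload a script that has already run, so a deployment also has to delete the cookies those tags set and push the updated state to the tag manager.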

Conclusion

Rigorous cookie management is not limited to a regulatory obligation: it is a genuine lever for commercial trust. Consumers increasingly value transparency about how their personal data is used. By adopting a proactive approach — regular audits, high-performing CMP, clear information — your e-commerce site combines legal compliance with sustainable marketing performance.
