Cookie Management: Consent and Trackers in E-commerce

Introduction

Cookie management is today a major issue for any e-commerce site. Between legal obligations, user expectations regarding data protection and marketing needs, finding the right balance proves complex. Since the GDPR came into force in 2018 and the CNIL guidelines were published in 2020, the rules governing trackers have significantly tightened. Poor management exposes e-commerce businesses to heavy financial penalties (up to €20 million or 4% of global turnover) and loss of consumer trust. This practical guide will help you bring your online store into compliance.

Understanding different types of cookies and trackers

Not all cookies are equal in the eyes of the law. Four main categories are distinguished:

• Strictly necessary cookies: essential for the site to function (shopping cart, user session, authentication). They do not require prior consent.

• Functional cookies: improve user experience (language preferences, currency). Consent required.

• Analytical cookies: measure audience (Google Analytics, Matomo). Consent generally required, except for CNIL exemption for certain anonymised configurations.

• Marketing and advertising cookies: cross-site tracking, retargeting, social networks (Meta Pixel, TikTok Pixel). Explicit consent mandatory.

Each tracker collects potentially sensitive personal data: IP address, browsing behaviour, purchase history, advertising identifiers. Mapping all cookies deposited on your site is the essential first step in any compliance effort.

Obtaining valid consent

To be legally valid, consent must meet four criteria defined by the GDPR (article 4-11): free, specific, informed and unambiguous. In practical terms, your cookie banner must:

• Clearly inform the user of the purposes of each tracker category

• Offer equivalent choice: the "Accept all" and "Refuse all" buttons must be equally visible and accessible

• Allow granular consent by purpose (analytics, marketing, personalisation)

• Block the deposit of non-essential cookies before the user takes positive action

• Keep proof of consent and allow it to be withdrawn at any time

Dark patterns (pre-ticked boxes, hidden "refuse" button, scrolling constituting acceptance) are explicitly prohibited by the CNIL. Several major players (Google, Facebook, Amazon) have been sanctioned for non-compliance with these rules, with fines exceeding €150 million.

Implementing a Consent Management Platform (CMP)

For e-commerce sites handling a large volume of visitors, the use of a CMP (Consent Management Platform) becomes almost essential. These solutions (Didomi, Axeptio, OneTrust, Cookiebot) automate consent management: regular cookie scanning, conditional script blocking, logging of user choices, multi-jurisdictional adaptation (GDPR, CCPA, LGPD).

Combined with Google Consent Mode v2, a CMP allows you to maintain consistent audience measurement even when users refuse tracking, through conversion modelling. On the technical side, favour a tag manager (GTM) configured to trigger tags only after consent, and document your cookie policy on a dedicated page detailing the lifespan, issuer and purpose of each tracker.

Conclusion

Rigorous cookie management is not limited to a regulatory obligation: it constitutes a genuine lever of commercial trust. Consumers increasingly value transparency regarding the use of their personal data. By adopting a proactive approach — regular audits, high-performing CMP, clear information — your e-commerce site combines legal compliance and sustainable marketing performance.