Cookie Management: Consent and Trackers in E-commerce

Introduction

Cookie management is today a major issue for any e-commerce site. Between legal obligations, user expectations regarding data protection and marketing needs, finding the right balance proves complex. Since the GDPR came into force in 2018 and the CNIL guidelines published in 2020, the rules governing trackers have been considerably strengthened. Poor management exposes e-commerce businesses to heavy financial penalties (up to 20 million euros or 4% of global turnover) and loss of consumer trust. This practical guide supports you in bringing your merchant site into compliance.

Understanding Different Types of Cookies and Trackers

Not all cookies are equal in the eyes of the law. There are mainly four categories:

• Strictly necessary cookies: essential for site functioning (cart, user session, authentication). They do not require prior consent.

• Functional cookies: improve user experience (language preferences, currency). Consent required.

• Analytics cookies: measure audience (Google Analytics, Matomo). Consent generally required, except for CNIL exemption for certain anonymised configurations.

• Marketing and advertising cookies: cross-site tracking, retargeting, social networks (Meta Pixel, TikTok Pixel). Explicit consent mandatory.

Each tracker collects potentially sensitive personal data: IP address, browsing behaviour, purchase history, advertising identifiers. Mapping all cookies placed on your site is the first essential step in any compliance process.

Collecting Valid Consent

To be legally valid, consent must meet four criteria defined by the GDPR (article 4-11): freely given, specific, informed and unambiguous. Concretely, your cookie banner must:

• Clearly inform the user about the purposes of each tracker category

• Offer equivalent choice: the "Accept All" and "Refuse All" buttons must be equally visible and accessible

• Allow granular consent by purpose (analytics, marketing, personalisation)

• Block non-essential cookie placement before positive user action

• Retain proof of consent and allow withdrawal at any time

Dark patterns (pre-ticked boxes, hidden "refuse" button, scroll counting as acceptance) are explicitly prohibited by the CNIL. Several major players (Google, Facebook, Amazon) have been penalised for non-compliance with these rules, with fines exceeding 150 million euros.

Implementing a Consent Management Platform (CMP)

For e-commerce sites handling a large volume of visitors, the use of a CMP (Consent Management Platform) becomes almost essential. These solutions (Didomi, Axeptio, OneTrust, Cookiebot) automate consent management: regular cookie scanning, conditional script blocking, user choice logging, multi-jurisdictional adaptation (GDPR, CCPA, LGPD).

Combined with Google Consent Mode v2, a CMP enables consistent audience measurement even when users refuse tracking, through conversion modelling. On the technical side, prioritise a tag manager (GTM) configured to trigger tags only after consent, and document your cookie policy on a dedicated page detailing the lifetime, issuer and purpose of each tracker.

Conclusion

Rigorous cookie management is not limited to regulatory obligation: it constitutes a genuine lever of commercial trust. Consumers increasingly value transparency about how their personal data is used. By adopting a proactive approach — regular audits, high-performing CMP, clear information — your e-commerce site combines legal compliance and sustainable marketing performance.