Cookie Management: Consent and Trackers in E-commerce

Introduction

Cookie management is today a major issue for any e-commerce site. Between legal obligations, user expectations regarding data protection and marketing needs, finding the right balance proves complex. Since the GDPR came into force in 2018 and the CNIL guidelines published in 2020, the rules governing trackers have been significantly strengthened. Poor management exposes e-commerce businesses to heavy financial penalties (up to 20 million euros or 4% of global revenue) and loss of consumer trust. This practical guide accompanies you in bringing your business site into compliance.

Understanding the Different Types of Cookies and Trackers

Not all cookies are equal in the eyes of the law. Four main categories are distinguished:

• Strictly necessary cookies: essential to the functioning of the site (shopping cart, user session, authentication). They do not require prior consent.

• Functional cookies: improve user experience (language preferences, currency). Consent required.

• Analytical cookies: measure audience (Google Analytics, Matomo). Consent generally required, except CNIL exemptions for certain anonymized configurations.

• Marketing and advertising cookies: cross-site tracking, retargeting, social networks (Meta Pixel, TikTok Pixel). Explicit consent mandatory.

Each tracker collects potentially sensitive personal data: IP address, browsing behavior, purchase history, advertising identifiers. Mapping all cookies placed on your site is the first essential step in any compliance effort.

Collecting Valid Consent

To be legally valid, consent must meet four criteria defined by GDPR (article 4-11): free, specific, informed and unambiguous. In practical terms, your cookie banner must:

• Clearly inform the user about the purposes of each tracker category

• Offer equivalent choice: the "Accept All" and "Refuse All" buttons must be equally visible and accessible

• Allow granular consent by purpose (analytics, marketing, personalization)

• Block the placement of non-essential cookies before the user's positive action

• Keep proof of consent and allow its withdrawal at any time

Dark patterns (pre-checked boxes, hidden "refuse" button, scrolling counting as acceptance) are explicitly prohibited by the CNIL. Several major players (Google, Facebook, Amazon) have been sanctioned for non-compliance with these rules, with fines exceeding 150 million euros.

Implementing a Consent Management Platform (CMP)

For e-commerce sites handling a large volume of visitors, the use of a CMP (Consent Management Platform) becomes almost indispensable. These solutions (Didomi, Axeptio, OneTrust, Cookiebot) automate consent management: regular cookie scanning, conditional script blocking, logging of user choices, multi-jurisdictional adaptation (GDPR, CCPA, LGPD).

Coupled with Google Consent Mode v2, a CMP allows you to maintain consistent audience measurement even when users refuse tracking, through conversion modeling. On the technical side, prioritize a tag manager (GTM) configured to trigger tags only after consent, and document your cookie policy in a dedicated page detailing the lifetime, issuer and purpose of each tracker.

Conclusion

Rigorous cookie management is not limited to a regulatory requirement: it constitutes a true lever of commercial trust. Consumers increasingly value transparency on the use of their personal data. By adopting a proactive approach — regular audits, high-performance CMP, clear information — your e-commerce site combines legal compliance and sustainable marketing performance.