Compliance · 3 February 2026 · 5 min read

GDPR Fines for Cookie Violations: What Small Businesses Need to Know

Cookie consent violations have resulted in hundreds of millions in GDPR fines. Here's what regulators are actually looking for, and how small businesses can stay protected.

Cookie consent is one of the most actively enforced areas of GDPR. Regulators across Europe have issued fines ranging from a few thousand euros for small businesses to hundreds of millions for large platforms. Understanding what triggers enforcement — and what protects you — is essential for any website owner.

The biggest cookie fines so far

France's CNIL fined Google €150 million and Facebook €60 million in 2022 for making it harder to refuse cookies than to accept them. Google was fined €10 million in France for using pre-ticked boxes. In 2023, TikTok was fined €345 million by Ireland's DPC partly for cookie issues affecting children. In the UK, the ICO has issued enforcement notices to major publishers and ad networks. While large companies attract the biggest penalties, smaller businesses are not immune — the ICO has published guidance that it will act on complaints regardless of company size.

What regulators are looking for

The most common triggers for enforcement are:

1. No cookie banner at all.
2. Banners with no "Reject all" or "Decline" option.
3. Dark patterns — making "Accept" visually prominent while hiding "Decline".
4. Cookies firing before consent is given.
5. Cookie policies that don't match the cookies actually on the site.
6. Consent obtained through pre-ticked boxes.
7. No way for users to withdraw consent after giving it.

What the ICO actually does in practice

For most small businesses, the risk isn't a fine out of nowhere — it's a complaint from a user that triggers an ICO investigation. The ICO will typically first issue a formal warning or enforcement notice, requiring you to fix the issue within a set timeframe. Fines are more common for organisations that ignore notices, repeat offences, or where a large number of people are affected. The reputational and administrative burden of an ICO investigation, however, is a significant cost even without a financial penalty.

How to protect your business

The good news: compliance is straightforward. You need a cookie banner that appears before non-essential cookies fire, offers a genuine accept/decline choice without dark patterns, links to a detailed cookie policy, and stores a record of consent. Running a cookie audit on your site to identify every cookie in use — and making sure your policy reflects reality — is equally important. MyCookieKit's built-in scanner does this automatically.
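The two mechanical parts of the above are easy to get wrong in code, so here is an added example (written for this article, not MyCookieKit's own code) of the logic a banner needs: a consent gate that loads no non-essential script until a choice has been recorded, and a self-check that flags the enforcement triggers listed earlier (no reject option, reject harder than accept, pre-ticked boxes, scripts firing early, no withdrawal, policy drift) in a banner's configuration. The category names, the storage key, the script URLs and the cookie names are all constructed for the example; in a browser you would replace the in-memory store with localStorage and wire the accept/reject functions to two equally prominent buttons.

```javascript
// Added example, not MyCookieKit's code. Consent gate + banner self-check.
// Category names, storage key, script URLs and cookie names are assumed/constructed.

const NON_ESSENTIAL = ['analytics', 'marketing']; // assumed non-essential categories
const CONSENT_KEY = 'cookie_consent_v1';           // assumed storage key

// In-memory store so the example runs outside a browser; use localStorage there.
const store = new Map();

// The consent record kept as evidence of what the user chose and when.
// Anything not explicitly granted is treated as refused.
function makeRecord(choices, now = new Date()) {
  const granted = {};
  for (const c of NON_ESSENTIAL) granted[c] = choices[c] === true;
  return { version: 1, timestamp: now.toISOString(), granted };
}

function saveRecord(record) { store.set(CONSENT_KEY, JSON.stringify(record)); return record; }
function loadRecord() { const raw = store.get(CONSENT_KEY); return raw ? JSON.parse(raw) : null; }

function acceptAll() {
  return saveRecord(makeRecord(Object.fromEntries(NON_ESSENTIAL.map(c => [c, true]))));
}
function rejectAll() { return saveRecord(makeRecord({})); }
// Withdrawal is simply a fresh record granting nothing; the caller should also
// delete any non-essential cookies that were set while consent was in force.
function withdrawConsent() { return rejectAll(); }

// The gate: with no record at all, nothing non-essential may load.
function allowedScripts(record, scripts) {
  if (!record) return [];
  return scripts.filter(s => record.granted[s.category] === true);
}

// Self-check of a banner configuration against the common enforcement triggers.
// Returns a list of plain-language findings; an empty list means none were found.
function auditBanner(cfg) {
  const findings = [];
  if (!cfg.shown) findings.push('no banner');
  const accept = cfg.buttons.find(b => b.action === 'accept');
  const reject = cfg.buttons.find(b => b.action === 'reject');
  if (!reject) {
    findings.push('no reject option');
  } else if (accept) {
    if (reject.clicksRequired > accept.clicksRequired) findings.push('reject harder than accept');
    if (reject.style !== accept.style) findings.push('reject visually hidden');
  }
  if (cfg.preTicked) findings.push('pre-ticked boxes');
  if (cfg.scriptsBeforeConsent.length > 0) findings.push('scripts fire before consent');
  if (!cfg.withdrawalLink) findings.push('no way to withdraw');
  const undeclared = cfg.observedCookies.filter(c => !cfg.declaredCookies.includes(c));
  if (undeclared.length > 0) findings.push('policy omits: ' + undeclared.join(', '));
  return findings;
}

// Constructed sample data.
const SCRIPTS = [
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// A banner with the weaknesses regulators act on: reject buried three clicks deep
// and styled as a link, pre-ticked boxes, an ad pixel loading before any choice,
// no withdrawal link, and a cookie the policy never mentions.
const WEAK_BANNER = {
  shown: true,
  buttons: [
    { action: 'accept', style: 'primary', clicksRequired: 1 },
    { action: 'reject', style: 'link', clicksRequired: 3 },
  ],
  preTicked: true,
  scriptsBeforeConsent: ['https://ads.example/pixel.js'],
  withdrawalLink: false,
  declaredCookies: ['site_analytics'],
  observedCookies: ['site_analytics', 'ad_pixel'],
};

// The same banner corrected.
const FIXED_BANNER = {
  shown: true,
  buttons: [
    { action: 'accept', style: 'primary', clicksRequired: 1 },
    { action: 'reject', style: 'primary', clicksRequired: 1 },
  ],
  preTicked: false,
  scriptsBeforeConsent: [],
  withdrawalLink: true,
  declaredCookies: ['site_analytics', 'ad_pixel'],
  observedCookies: ['site_analytics', 'ad_pixel'],
};

console.log('weak banner findings:', auditBanner(WEAK_BANNER));
console.log('fixed banner findings:', auditBanner(FIXED_BANNER));
console.log('scripts allowed before any choice:', allowedScripts(loadRecord(), SCRIPTS).length);
console.log('scripts allowed after reject all:', allowedScripts(rejectAll(), SCRIPTS).length);
```

The point of `allowedScripts` is that the default branch, no record yet, returns nothing; most "cookies firing before consent" findings come from banners that load the tags first and only stop them afterwards. The audit mirrors the regulators' list: "Reject" must be a control of the same kind and at the same depth as "Accept", and the declared cookie list must be checked against what the site actually sets, which is what a cookie audit does.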

Is a free cookie solution good enough?

Free cookie solutions often cut corners on compliance: they may not block scripts before consent, may lack an audit log, or may not implement Google Consent Mode v2 correctly. Given that the potential cost of non-compliance far exceeds the cost of a proper solution, a paid-for tool that handles compliance correctly is a straightforward business decision. At £2.99/month, MyCookieKit is less than a cup of coffee — and considerably cheaper than an ICO enforcement notice.

Get a GDPR-compliant cookie banner in 2 minutes

MyCookieKit handles consent, script blocking, and Google Consent Mode v2. From £2.99/month with a 14-day free trial.
