The cookie consent banner has become one of the most ubiquitous features of the modern web. But despite their prevalence, the majority of cookie banners fail to meet legal requirements — either by not offering a genuine choice, pre-ticking consent boxes, or making the "decline" option unreasonably difficult to find.
This guide breaks down the legal framework behind cookie consent, explains which cookies require it, and tells you exactly what a compliant implementation looks like.
The Legal Basis: ePrivacy Directive + GDPR
The ePrivacy Directive requires that websites obtain prior informed consent before storing or accessing non-essential information on a user's device. This covers cookies, local storage, pixels, and any other tracking technology.
GDPR defines what valid consent looks like: it must be a freely given, specific, informed, and unambiguous indication of agreement — meaning pre-ticked boxes, implied consent, and consent buried in terms and conditions are all invalid.
Which Cookies Require Consent?
Strictly Necessary Cookies — No Consent Required
Cookies that are essential to deliver a service the user has explicitly requested do not require consent. Examples include:
- Session cookies that keep you logged in
- Shopping cart cookies on e-commerce sites
- Security cookies (CSRF tokens, fraud prevention)
- Load balancing cookies
- Cookie consent preference cookies (the cookie that remembers your consent choice)
Non-Essential Cookies — Consent Required
All other cookies require prior, informed consent. This includes:
- Analytics cookies: Google Analytics, Matomo, Hotjar, Microsoft Clarity — even anonymized analytics require consent under strict EU interpretation
- Advertising cookies: Google Ads, Facebook Pixel, LinkedIn Insight Tag, Twitter/X Pixel
- Personalization cookies: Cookies that remember user preferences beyond the current session (language, theme, etc.)
- Social media tracking pixels: "Like" buttons, social share widgets that track users across sites
- A/B testing tools: Tools like Optimizely, VWO that track user behavior
What Makes a Cookie Banner Legally Compliant?
Enforcement data from EU Data Protection Authorities reveals the most common violations. A compliant cookie banner must:
1. Offer a Genuine Choice
The option to accept and the option to decline must be equally prominent. Hiding the "decline" option behind a small link or requiring multiple clicks to refuse while acceptance is one click is not valid consent.
2. No Pre-Ticked Boxes
Consent cannot be assumed from inaction. Checkboxes for non-essential cookie categories must be unchecked by default.
3. Granular Consent by Category
Best practice (and increasingly required by regulators) is offering separate consent choices for different categories: analytics, advertising, personalization, etc.
4. No "Cookie Wall"
While still debated, most EU regulators have ruled that conditioning website access on accepting all cookies (a "cookie wall") is invalid because consent is not freely given if refusal means denial of service.
5. Easy Withdrawal
Users must be able to withdraw consent as easily as they gave it. This typically means a persistent "Cookie Settings" link in the footer that reopens the consent manager at any time.
6. No Dark Patterns
Design tricks that nudge users toward accepting (e.g., making "Accept All" bright green and "Decline" grey and tiny) are illegal under GDPR's requirement for freely given consent. The EU's data protection authorities have specifically targeted dark patterns in cookie banners.
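To make the mechanics behind these rules concrete, here is an added example (not code from the original article or from any CMP product) that models a deny-by-default consent store in plain JavaScript: no category is granted until the user acts, the consent-preference cookie is the only cookie written before a decision, non-essential tags are gated per category, malformed stored values fall back to deny, and withdrawal is a single call. The category names, cookie name and tag registry are assumptions; the DOM work of actually injecting scripts is left to the caller.

```javascript
// Assumed category and cookie names (not from the article).
const CATEGORIES = ["analytics", "advertising", "personalization"];
const CONSENT_COOKIE = "cookie_consent"; // strictly necessary: remembers the choice

// Default state: nothing non-essential is granted (no pre-ticked boxes).
function defaultConsent() {
  return { version: 1, analytics: false, advertising: false, personalization: false };
}

// Build a decision from the categories the user explicitly ticked.
// Unknown category names are ignored rather than trusted.
function decide(grantedCategories) {
  const consent = defaultConsent();
  for (const c of grantedCategories) if (CATEGORIES.includes(c)) consent[c] = true;
  consent.decidedAt = Math.floor(Date.now() / 1000); // lets you re-prompt after expiry
  return consent;
}

// Serialize for Set-Cookie; SameSite and Secure keep the value from leaking cross-site.
function serializeConsentCookie(consent, maxAgeDays = 180) {
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Parse a "name=value; name=value" string (document.cookie format).
// No cookie => null, meaning "no decision yet, show the banner".
// Malformed or non-boolean values never grant anything: only a literal true counts.
function parseConsentCookie(cookieString) {
  const entry = (cookieString || "").split(";").map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return null;
  try {
    const raw = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    const consent = defaultConsent();
    for (const c of CATEGORIES) consent[c] = raw[c] === true;
    return consent;
  } catch (_) {
    return null; // treat garbage as "not decided", not as "accepted"
  }
}

// Gate: given the current consent, return the ids of registry tags that may load.
// Strictly necessary scripts are not in the registry and bypass this gate entirely.
function tagsAllowed(consent, registry) {
  if (!consent) return []; // no decision yet: load nothing non-essential
  return registry.filter((t) => consent[t.category] === true).map((t) => t.id);
}

// Withdrawal is as easy as granting: reset to deny-all (caller also clears the tags' cookies).
function withdrawAll() {
  return defaultConsent();
}

// Constructed sample registry of non-essential tags, keyed by consent category.
const registry = [
  { id: "ga4", category: "analytics" },
  { id: "fb-pixel", category: "advertising" },
  { id: "theme-pref", category: "personalization" },
];
```

The "Cookie Settings" footer link from point 5 simply re-renders the banner with the parsed state as the current (still unchecked-by-default for anything not granted) selection and calls `decide` or `withdrawAll` again.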
Cookie Policy vs Cookie Consent Banner
These are two separate but related requirements:
- Cookie Policy: A written page explaining what cookies you use, what they do, who sets them, and how users can control or delete them. Required for transparency under GDPR.
- Cookie Consent Banner (CMP): The interactive mechanism through which you collect and record user consent. Required before non-essential cookies are loaded.
You need both. The Cookie Policy satisfies the information requirement; the consent banner satisfies the consent requirement.
What Must a Cookie Policy Include?
- A list of cookies used on your site (name, provider, purpose, expiry)
- Categories of cookies (strictly necessary, analytics, advertising, etc.)
- Whether cookies are first-party or third-party
- How long each cookie persists
- How users can withdraw consent or delete cookies
- Links to third-party cookie policies (Google, Facebook, etc.)
- Contact information for privacy queries
Cookie Consent in the US
The US does not have a federal cookie consent law equivalent to the ePrivacy Directive. However:
- California (CCPA/CPRA): If your site uses cookies for advertising purposes, California residents have the right to opt out of the "sale or sharing" of their data. A "Do Not Sell or Share" mechanism is required for qualifying businesses.
- Other US states: Virginia (VCDPA), Colorado (CPA), Connecticut, and several other states have enacted privacy laws with opt-out requirements for targeted advertising that effectively require cookie opt-out mechanisms.
Even for US-only websites, implementing cookie consent is increasingly best practice — particularly as state privacy laws continue to proliferate.
Frequently Asked Questions
Not all websites need a consent banner. If your website only uses strictly necessary cookies (session cookies, security cookies, load balancing), no consent is required. A consent banner is required if you use any non-essential cookies such as analytics (Google Analytics), advertising pixels (Facebook Pixel), or personalization cookies.
No. Under GDPR and the ePrivacy Directive, a compliant cookie consent banner must offer users a genuine choice. This means providing an equally prominent option to decline or manage cookies. Banners that only show an "Accept" button, or that make declining harder than accepting, violate the consent requirements.
Yes, if your visitors include EU/EEA residents. Google Analytics uses cookies that fall outside the "strictly necessary" category and require prior consent under GDPR. Even Google Analytics 4 (GA4), which offers cookieless measurement options, still uses cookies by default and requires consent under EU law.
A Cookie Policy is a written document that explains what cookies your site uses, why, and how users can control them. A cookie consent banner is the interactive UI element that collects user consent. Both are required for GDPR compliance — the policy provides transparency, the banner obtains consent.