Cookie Policy · April 30, 2025 · 5 min read

Cookie Consent Banners: What's Required and How to Do It Right

Cookie consent isn't optional in the EU. Here's what your banner must do — and the mistakes that get businesses fined.

If your website uses cookies — and virtually every website does — you need to understand cookie consent requirements. The EU's GDPR and ePrivacy Directive have specific requirements about when and how you can set cookies on users' devices.

Getting this wrong can result in substantial fines: the CNIL (France) fined Google €150 million and Facebook €60 million in 2022 solely for cookie consent violations.

Which Cookies Require Consent?

Not all cookies require consent. Cookies fall into two categories:

No consent needed

  • Session cookies (keep you logged in)
  • Shopping cart cookies
  • Security cookies
  • Load-balancing cookies
  • Preference cookies (language, theme)

Consent REQUIRED

  • Google Analytics / tracking
  • Facebook Pixel / ad tracking
  • Marketing/retargeting cookies
  • Social media buttons
  • A/B testing tools

What a Valid Cookie Consent Banner Must Do

Under GDPR, valid consent must be: freely given, specific, informed, unambiguous, and easy to withdraw. In practice, this means your banner must:

  • Clearly explain what cookies are being set and why
  • Give users a genuine Accept AND Reject option
  • Not use dark patterns that make rejection harder than acceptance
  • Set no non-essential cookies before consent is given
  • Remember user preferences so they're not asked every visit
  • Allow users to change their preferences later
  • Link to your Cookie Policy and Privacy Policy

5 Common Mistakes That Lead to Fines

Pre-checked boxes

Pre-checked "I agree to analytics" checkboxes don't constitute valid GDPR consent. Consent must be affirmative.

"By continuing to use this site, you agree..."

Implied consent via continued use is not valid. Users must actively choose to accept.

Making "Reject" harder than "Accept"

If your "Accept All" button is prominent but "Reject" requires 3 clicks, that's a dark pattern. Accept and Reject must be equally accessible.

Setting cookies before consent

Analytics tools, pixels, and tracking scripts must not fire until the user consents. This is the most common technical violation.

Not updating when you change providers

If you switch from Google Analytics to Mixpanel, your Cookie Policy must be updated to reflect this.
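The three technical points above (set nothing non-essential before consent, remember the choice, and re-ask when your provider list changes) come together in a small consent gate. This is an added example, not the post's or any vendor's code; the cookie name "cc_consent", the "analytics"/"marketing" categories and the tag URLs are assumptions.

```javascript
// Added example (not the post's code). Assumed: cookie name "cc_consent", categories
// "analytics"/"marketing", placeholder tag URLs.
const CONSENT_COOKIE = 'cc_consent';
const CONSENT_VERSION = 2; // bump when you add/remove a provider so users are re-asked
// Read the stored decision from a raw Cookie string. Returns null when there is no
// decision, the value is malformed, or it predates the current provider list.
function parseConsent(cookieString) {
  const pair = (cookieString || '').split(/;\s*/).find(c => c.startsWith(CONSENT_COOKIE + '='));
  if (!pair) return null;
  try {
    const data = JSON.parse(decodeURIComponent(pair.slice(CONSENT_COOKIE.length + 1)));
    const valid = data && data.v === CONSENT_VERSION &&
      typeof data.analytics === 'boolean' && typeof data.marketing === 'boolean';
    return valid ? data : null;
  } catch (e) {
    return null; // corrupt or tampered value counts as "no consent given"
  }
}

// Persist an explicit choice. A rejection is stored too, so a returning visitor who
// said no is neither tracked nor re-asked on every page.
function serializeConsent(choice) {
  const data = { v: CONSENT_VERSION, analytics: choice.analytics === true,
                 marketing: choice.marketing === true };
  return `${CONSENT_COOKIE}=${encodeURIComponent(JSON.stringify(data))}` +
    '; Max-Age=15552000; Path=/; SameSite=Lax; Secure';
}
// Non-essential tags, each bound to the category that must be granted first.
const TAGS = [
  { category: 'analytics', src: 'https://analytics.example/tag.js' }, // placeholder
  { category: 'marketing', src: 'https://ads.example/pixel.js' },     // placeholder
];
// Load only tags whose category was granted; with no decision yet, load nothing.
// The loader is injected: a stub in tests, a <script> inserter in the browser.
function loadConsentedTags(consent, loader, tags = TAGS) {
  if (!consent) return [];
  const loaded = [];
  for (const tag of tags) {
    if (consent[tag.category] === true) { loader(tag.src); loaded.push(tag.src); }
  }
  return loaded;
}

// Browser wiring (skipped under Node). The banner's Accept and Reject handlers set
// document.cookie = serializeConsent({...}) and then call this again.
if (typeof document !== 'undefined') {
  const inject = src => { const s = document.createElement('script'); s.src = src; document.head.appendChild(s); };
  loadConsentedTags(parseConsent(document.cookie), inject);
}
```

Because the Accept and Reject handlers both go through serializeConsent, the two buttons are wired identically, which is also what the "equally accessible" rule expects.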

Does Cookie Consent Apply Outside the EU?

Technically, the ePrivacy Directive is EU law. But practically:

  • If EU users can access your website, EU law applies to their interactions
  • Many non-EU companies implement it globally for simplicity
  • The UK has its own similar requirements post-Brexit (PECR)
  • California's CCPA has similar opt-out requirements for tracking

The safest approach: implement GDPR-compliant cookie consent for all users worldwide.

Your Cookie Compliance Checklist

  • Cookie Policy explaining every cookie you use
  • Cookie banner with equal Accept/Reject options
  • No non-essential cookies set before consent
  • Consent stored and remembered for returning visitors
  • Users can change preferences via a "Cookie Settings" link
  • Cookie Policy linked from your banner and Privacy Policy
  • Cookie list updated when you add/remove tools
