Why It Matters
Cookie consent banners are the most visible part of data protection to everyday users — and one of the most frequently violated requirements. EU regulators have issued hundreds of millions in fines for non-compliant cookie practices. The French CNIL fined Google €150 million and Facebook €60 million for making it harder to reject cookies than to accept them. Getting cookies wrong is one of the easiest ways to attract regulatory attention.
Which Cookies Need Consent?
| Cookie Type | Consent Required? | Examples |
|---|---|---|
| Strictly necessary | No | Session cookies, authentication, shopping cart, security |
| Functional | Yes (a preference the user explicitly set, such as a language chosen via a selector, can fall under the "explicitly requested" exemption) | Language preferences, user settings, chat widgets |
| Analytics | Yes (CNIL exempts audience measurement only when it is first-party, anonymized and limited to aggregate statistics; Matomo can be configured to qualify) | Google Analytics, Hotjar, Matomo |
| Marketing/Advertising | Yes | Facebook Pixel, Google Ads, retargeting, affiliate tracking |
| Social media | Yes | Share buttons that load third-party scripts, embedded content |
Legal Requirements
EU (ePrivacy Directive + GDPR)
- Active opt-in required — consent must be given through a clear affirmative action
- Pre-ticked boxes are invalid — confirmed by CJEU Planet49 ruling (2019)
- Cookie walls are problematic — making access conditional on accepting cookies means consent is generally not "freely given" (EDPB Guidelines 05/2020 on consent)
- Equal prominence — rejecting must be as easy as accepting: a "Reject all" control at the same level as "Accept all", not a settings link that leads to a second screen
- Granular choice — users should be able to accept by category
- Withdraw anytime — as easy to withdraw as to give
UK (PECR + UK GDPR)
- Same opt-in requirement as EU
- ICO has issued enforcement notices for non-compliant cookie practices
US
- No federal cookie consent law
- CCPA/CPRA — opt-out model: requires a "Do Not Sell or Share My Personal Information" link and, under the CPRA regulations, honoring opt-out preference signals such as Global Privacy Control; no opt-in banner is required
- Other state laws (e.g., Colorado, Connecticut) follow the same opt-out model, and several also require recognizing a universal opt-out signal
Common Violations
- No reject option — only "Accept All" button, with reject hidden in settings
- Pre-ticked boxes — analytics and marketing pre-selected
- Dark patterns — accept button is large and green, reject is small and gray
- Firing cookies before consent — analytics and marketing tags load on page view, so cookies are already set by the time the user sees the banner; a rejection then comes too late
- No cookie policy — banner exists but doesn't explain what cookies are used
- Ignoring withdrawal — no way to change cookie preferences after initial choice
- Cookie walls — "accept cookies or leave"
Building a Compliant Cookie Banner
- Block all non-essential cookies until consent is given — gate at the script level, and include tags fired by a tag manager: a container that loads on page view will fire every analytics and marketing tag it contains unless each tag is conditioned on the user's consent state
- Show the banner on first visit — clear, readable, not covering essential content
- Offer equal choices — "Accept All" and "Reject All" buttons of equal prominence
- Provide granular options — let users choose by category (analytics, marketing, functional)
- Link to cookie policy — list all cookies, their purpose, and duration
- Record consent — store proof of when the choice was made, which categories were accepted, and which version of the cookie policy and banner the user saw, so consent can be re-requested when the policy changes
- Allow withdrawal — accessible link to change preferences (e.g., footer link)
- Respect the choice — actually block the cookies that weren't consented to; verify by clearing site data, loading the page, choosing "Reject all" and confirming in the browser's developer tools (Application/Storage and Network tabs) that no analytics or marketing cookies or requests appear
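The steps above, as an added example that is not code from the original page or from any consent-management product: non-essential tags are shipped inert (the `type="text/plain"` plus `data-consent` pattern) so nothing fires on page load, a consent record carries the timestamp, categories and policy version, stale or outdated records force the banner to reappear, and withdrawal stores a reject-all record and expires the named first-party cookies. The category names, storage key, policy version, six-month lifetime and sample tag list are assumptions for illustration.

```javascript
// Added example (not code from the original page): a minimal consent gate for
// non-essential scripts. Category names, the storage key, the policy version and
// the six-month lifetime are illustrative assumptions.

const CONSENT_CATEGORIES = ["functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06";                      // assumed; bump when the cookie policy changes
const CONSENT_MAX_AGE_MS = 182 * 24 * 60 * 60 * 1000;  // assumed; re-ask after roughly six months
const STORAGE_KEY = "cookie_consent";                  // assumed key name

// Constructed sample of a page's tags: one strictly necessary, two consent-gated.
const SAMPLE_TAGS = [
  { src: "/static/app.js", category: "necessary" },
  { src: "https://analytics.example/collect.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];

// A record is the proof of consent: what was chosen, when, and against which
// policy version. Every category defaults to false, so nothing is pre-ticked.
function makeConsentRecord(choices, now = Date.now()) {
  const record = { version: POLICY_VERSION, timestamp: now, choices: {} };
  for (const cat of CONSENT_CATEGORIES) record.choices[cat] = choices[cat] === true;
  return record;
}
function acceptAll(now) {
  return makeConsentRecord(Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, true])), now);
}
function rejectAll(now) {
  return makeConsentRecord({}, now);
}

// A record only counts if it was given against the current policy and is not
// stale; otherwise the banner must be shown again.
function isRecordValid(record, now = Date.now()) {
  return Boolean(record)
    && record.version === POLICY_VERSION
    && typeof record.timestamp === "number"
    && now - record.timestamp >= 0
    && now - record.timestamp < CONSENT_MAX_AGE_MS;
}

// Strictly necessary tags never need consent; anything else needs an explicit,
// valid opt-in. No record (first visit, cleared storage) means "not consented".
function isAllowed(record, category, now = Date.now()) {
  if (category === "necessary") return true;
  if (!isRecordValid(record, now)) return false;
  return record.choices[category] === true;
}

// Filter the page's tags down to the ones that may load right now.
function scriptsToActivate(record, tags, now = Date.now()) {
  return tags.filter((t) => isAllowed(record, t.category, now));
}

// Persistence behind any localStorage-like object (getItem/setItem). Storing the
// user's own choice is a strictly necessary purpose and needs no consent itself.
function saveConsent(storage, record) {
  storage.setItem(STORAGE_KEY, JSON.stringify(record));
}
function loadConsent(storage) {
  const raw = storage.getItem(STORAGE_KEY);
  if (!raw) return null;
  try { return JSON.parse(raw); } catch (_) { return null; }
}

// Withdrawal: persist a reject-all record and expire the first-party cookies the
// withdrawn tags set (third-party cookies cannot be cleared from page script).
// Scripts that already ran cannot be un-run, so the caller should reload the page.
function withdrawConsent(storage, cookieNames, now = Date.now()) {
  const record = rejectAll(now);
  saveConsent(storage, record);
  if (typeof document !== "undefined") {
    for (const name of cookieNames) document.cookie = `${name}=; Max-Age=0; path=/`;
  }
  return record;
}

// Browser glue (returns 0 outside a browser): non-essential tags are shipped inert as
//   <script type="text/plain" data-consent="analytics" data-src="https://analytics.example/collect.js"></script>
// so nothing fires on page load, and each is swapped for a live <script> only
// once its category is allowed.
function activateConsentedScripts(record, now = Date.now()) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  for (const inert of document.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!isAllowed(record, inert.dataset.consent, now)) continue;
    const live = document.createElement("script");
    if (inert.dataset.src) live.src = inert.dataset.src;
    else live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

On page load the flow is: `const record = loadConsent(localStorage)`; if `isRecordValid(record)` then `activateConsentedScripts(record)`, otherwise show the banner and call `saveConsent` followed by `activateConsentedScripts` once the user has chosen. A footer "Cookie settings" link that calls `withdrawConsent` and reloads covers the withdrawal requirement; the reload matters because a tag that already executed keeps running until the page is torn down.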
Key Regulation
- ePrivacy Directive 2002/58/EC (Article 5(3)) — cookie consent requirement
- GDPR — defines valid consent standards (applied to cookies via ePrivacy)
- CJEU Planet49 (C-673/17) — pre-ticked boxes invalid
- CNIL cookie guidelines — detailed French enforcement guidance (used as EU benchmark)