Why It Matters
Cookie consent banners are the most visible part of data protection to everyday users, and one of the most frequently violated requirements. EU regulators have issued hundreds of millions of euros in fines for non-compliant cookie practices. In January 2022 the French CNIL fined Google €150 million and Facebook €60 million because rejecting cookies on their sites took several clicks while accepting took one. Getting cookies wrong is one of the easiest ways to attract regulatory attention.
Which Cookies Need Consent?
| Cookie Type | Consent Required? | Examples |
|---|---|---|
| Strictly necessary | No | Session cookies, authentication, shopping cart, security |
| Functional | Yes (usually) | Language preferences, user settings, chat widgets. A setting the user explicitly chose (e.g., a selected language) can fall under the strictly-necessary exemption; third-party widgets generally do not |
| Analytics | Yes | Google Analytics, Hotjar, Matomo. CNIL exempts first-party audience measurement only when it is anonymised, limited to aggregate statistics, and the tool is configured accordingly |
| Marketing/Advertising | Yes | Facebook Pixel, Google Ads, retargeting, affiliate tracking |
| Social media | Yes | Share buttons that load third-party scripts, embedded content |
Legal Requirements
EU (ePrivacy Directive + GDPR)
- Active opt-in required: consent must be given through a clear affirmative action; scrolling or continued browsing does not count
- Pre-ticked boxes are invalid: confirmed by the CJEU Planet49 ruling (C-673/17, 2019)
- Cookie walls are problematic: blocking access unless cookies are accepted is generally not "freely given" consent
- Equal prominence: "Accept" and "Reject" must be equally easy, meaning the same number of clicks and comparable visual weight
- Granular choice: users must be able to accept or refuse per purpose or category
- Withdraw anytime: withdrawing consent must be as easy as giving it (GDPR Article 7(3))
UK (PECR + UK GDPR)
- Same opt-in requirement as EU
- ICO has issued enforcement notices for non-compliant cookie practices
US
- No federal cookie consent law
- CCPA/CPRA: requires a "Do Not Sell or Share My Personal Information" link and honouring opt-out preference signals such as Global Privacy Control; this is an opt-out model, not cookie-specific opt-in consent
- State laws vary: Colorado, Connecticut and others also mandate opt-out mechanisms, and some require recognising universal opt-out signals
Common Violations
- No reject option: only an "Accept All" button, with reject buried in a settings screen
- Pre-ticked boxes: analytics and marketing categories pre-selected
- Dark patterns: accept button large and green, reject button small and grey
- Firing cookies before consent: tags load before the user interacts with the banner, so the banner is cosmetic
- No cookie policy: a banner exists but nothing explains which cookies are set and why
- Ignoring withdrawal: no way to change cookie preferences after the initial choice
- Cookie walls: "accept cookies or leave"
Building a Compliant Cookie Banner
- Block all non-essential cookies until consent is given: no optional scripts fire before opt-in, including tags injected through a tag manager or set by embedded iframes
- Show the banner on first visit: clear, readable, not covering essential content
- Offer equal choices: "Accept All" and "Reject All" buttons of equal prominence on the first layer
- Provide granular options: let users choose by category (analytics, marketing, functional)
- Link to the cookie policy: list every cookie, its purpose, its duration, and who sets it
- Record consent: store proof of when the user consented, to which categories, and against which version of the policy; re-prompt when the policy changes, because a receipt for an old version is not valid consent for the new one
- Allow withdrawal: an always-accessible link to change preferences (e.g., in the footer)
- Respect the choice: actually block the cookies that were not consented to. Blocking before load matters because JavaScript can only delete first-party cookies afterwards, not third-party ones already set
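The following is an added example, not code from the original page or from any consent-management product. It shows the gating, recording and withdrawal steps above as one small consent manager: optional tags are registered as data rather than live scripts, nothing outside the "necessary" category runs until a consent receipt for the current policy version exists, the receipt records what was granted and when, and withdrawal clears it. Storage and script injection are injected as callbacks so the same logic runs in a browser or under Node. `POLICY_VERSION`, the category names, the tag list and the cookie names in the audit helper are all assumptions made for the example.

```javascript
// Added example: consent gating for non-essential tags. Not the page's own code.
const ESSENTIAL = "necessary";
const OPTIONAL_CATEGORIES = ["functional", "analytics", "marketing"];
const POLICY_VERSION = "2024-06-01"; // assumed; bump whenever the cookie policy changes

// Constructed sample of tags a site might register. In a real page these would be
// inert placeholders such as <script type="text/plain" data-category="analytics" data-src="...">.
const SAMPLE_TAGS = [
  { id: "session",  category: ESSENTIAL,    src: "/static/session.js" },
  { id: "matomo",   category: "analytics",  src: "https://example.invalid/matomo.js" },
  { id: "fb-pixel", category: "marketing",  src: "https://example.invalid/fbevents.js" },
  { id: "chat",     category: "functional", src: "https://example.invalid/chat.js" },
];

class ConsentManager {
  // storage: { get(): string|null, set(string), remove() }  (cookie, localStorage, or memory)
  // loader:  (tag) => void, e.g. inject a <script> element for tag.src
  constructor({ tags, storage, loader, now = () => Date.now() }) {
    this.tags = tags;
    this.storage = storage;
    this.loader = loader;
    this.now = now;
    this.loaded = new Set(); // tag ids already executed; scripts cannot be "un-run"
  }

  // Returns the stored receipt, or null when there is none or it predates the
  // current policy version (old consent does not cover a changed policy).
  current() {
    const raw = this.storage.get();
    if (!raw) return null;
    try {
      const r = JSON.parse(raw);
      if (r.version !== POLICY_VERSION || !Array.isArray(r.granted)) return null;
      return r;
    } catch {
      return null; // corrupted value: treat as no consent, never as consent
    }
  }

  // Records an explicit decision and applies it. Unknown categories are an error
  // rather than being silently accepted.
  record(granted) {
    for (const c of granted) {
      if (!OPTIONAL_CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    const receipt = {
      version: POLICY_VERSION,
      timestamp: new Date(this.now()).toISOString(),
      granted: [...new Set(granted)].sort(),
    };
    this.storage.set(JSON.stringify(receipt));
    this.apply();
    return receipt;
  }

  acceptAll() { return this.record(OPTIONAL_CATEGORIES); }
  rejectAll() { return this.record([]); }       // equally prominent path: one call, no settings screen
  withdraw()  { this.storage.remove(); }        // next page load shows the banner again

  // Loads every not-yet-loaded tag whose category is allowed: essential tags always,
  // optional ones only when the receipt grants their category. Returns the ids loaded now.
  apply() {
    const receipt = this.current();
    const allowed = new Set([ESSENTIAL, ...(receipt ? receipt.granted : [])]);
    const ran = [];
    for (const tag of this.tags) {
      if (!allowed.has(tag.category) || this.loaded.has(tag.id)) continue;
      this.loader(tag);
      this.loaded.add(tag.id);
      ran.push(tag.id);
    }
    return ran;
  }
}

// Audit helper for the "firing cookies before consent" failure: given the cookie names
// observed on a fresh profile before any interaction, return those not on the
// strictly-necessary allowlist. Feed it document.cookie or the Set-Cookie headers
// captured by an end-to-end test.
function cookiesSetBeforeConsent(observedNames, necessaryAllowlist) {
  const allow = new Set(necessaryAllowlist);
  return observedNames.filter((n) => !allow.has(n));
}

// In-memory storage so the example runs outside a browser. A real site backs this
// with a first-party cookie or localStorage and also keeps the receipt server-side.
function memoryStorage() {
  let value = null;
  return { get: () => value, set: (s) => { value = s; }, remove: () => { value = null; } };
}

// Browser loader (only usable where `document` exists): turn a registered tag into a live script.
function browserLoader(tag) {
  const s = document.createElement("script");
  s.src = tag.src;
  document.head.appendChild(s);
}

// Walk through first visit -> grant analytics only -> withdraw, with a fixed clock.
function demo() {
  const loaded = [];
  const cm = new ConsentManager({ tags: SAMPLE_TAGS, storage: memoryStorage(),
                                  loader: (t) => loaded.push(t.id), now: () => 0 });
  const first = cm.apply();                 // no receipt yet: only "session"
  const receipt = cm.record(["analytics"]); // applies immediately: "matomo" loads
  cm.withdraw();
  return { first, receipt, loaded, afterWithdraw: cm.current() };
}
```

The policy-version check is the part most implementations miss: a stored "accept all" from last year does not authorise a category added this year, so the manager treats it as no consent and the banner reappears. Withdrawal clears the receipt but cannot unload scripts that already executed, which is why the example gates before load instead of trying to delete cookies afterwards.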
Key Regulation
- ePrivacy Directive 2002/58/EC, Article 5(3): the cookie consent requirement
- GDPR: defines the standard for valid consent (applied to cookies via the ePrivacy Directive)
- CJEU Planet49 (C-673/17): pre-ticked boxes are invalid
- CNIL cookie guidelines: detailed French enforcement guidance, widely used as an EU benchmark