Almost every website greets you with a pop-up about cookies. Most people click "Accept" without thinking. That pop-up is a cookie consent banner, and it exists because privacy laws in dozens of countries require websites to ask before storing certain files on your device. The French data protection authority (CNIL) fined Google EUR 325 million in September 2025 for manipulative consent designs, and SHEIN received EUR 150 million for dropping advertising cookies before users could say no.

What Are Cookies and Why Do Websites Use Them?

Cookies are small text files that a website stores in your browser. They carry short pieces of information - a session identifier, a language preference, a login token - that the site reads back on your next visit or page load. Without them, shopping carts would empty between pages and login sessions would vanish.

A session cookie that keeps you logged in behaves very differently from a tracking pixel that follows you across unrelated websites to build an advertising profile. Privacy law draws a sharp line between those two use cases, and that line is exactly where cookie consent comes in.

The Legal Framework Behind Cookie Consent

Two pieces of EU legislation form the backbone of cookie consent rules in Europe: the ePrivacy Directive and the GDPR. They work as a pair. Article 5(3) of the ePrivacy Directive states that storing or accessing information on a user's device requires prior consent, unless the cookie is strictly necessary for a service the user has requested. The GDPR then defines what valid consent looks like: it must be freely given, specific, informed, and unambiguous.

Pre-ticked boxes do not count. Scrolling past a banner does not count. A design that makes "Accept" large and green while hiding "Reject" behind two extra clicks does not count either - regulators now classify that as a dark pattern.

The European Commission withdrew the long-planned ePrivacy Regulation in February 2025, leaving the 2002 Directive as the controlling law. A new proposal under the Digital Omnibus initiative (November 2025) would fold cookie rules into the GDPR through a proposed Article 88a, potentially allowing aggregated audience measurement without consent and introducing browser-level preference signals. That reform is unlikely to take effect before late 2026 or 2027.

What Counts as Valid Consent?

Regulators across Europe have converged on a consistent set of requirements. A valid cookie consent mechanism must:

  • Block all non-essential cookies until the user makes an active choice

  • Present "Accept" and "Reject" buttons with equal visual prominence - same size, colour contrast, and number of clicks

  • Explain which categories of cookies the site uses and why

  • Allow granular control so the user can accept analytics but decline marketing

  • Make withdrawal of consent as easy as giving it

  • Log every consent decision with enough detail for a regulatory audit

The UK's ICO reviewed its top 1,000 websites in early 2025 and warned 134 of the first 200 examined, mostly for consent walls and missing reject options. The Dutch DPA warned 50 organisations in April 2025 and monitors roughly 10,000 Dutch websites annually.

Which Cookies Need Consent and Which Do Not?

The dividing line is strict necessity. A cookie qualifies as "strictly necessary" only if the service literally cannot function without it - think authentication tokens, shopping cart identifiers, or load-balancing cookies. Everything else needs consent.

Cookie type        | Example                             | Consent required?
Strictly necessary | PHPSESSID (session), cart tokens    | No
Functional         | pll_language (language preference)  | Yes (in most EU states)
Analytics          | _ga, _gid (Google Analytics)        | Yes
Marketing          | _fbp (Meta Pixel), IDE (Google Ads) | Yes

Spain allows narrowly configured first-party analytics without consent. Germany's TTDSG requires consent for all analytics. France's CNIL permits certain audience measurement tools under an exemption, provided no data leaves the site operator. These national differences are why geo-targeted banners exist.

How Cookie Consent Works Outside Europe

The EU's opt-in model is not the only approach. Privacy laws around the world handle cookies differently, and if your site attracts international traffic, you need to know where the differences lie.

The CCPA in California does not require prior consent. Instead, it gives consumers the right to opt out of the sale or sharing of their personal information via a "Do Not Sell or Share" link and browser signals like Global Privacy Control (GPC). Regulations effective 1 January 2026 tightened these rules: closing a banner without clicking is explicitly not consent, and opt-out flows must require the same number of steps as opt-in.

Brazil's LGPD follows an opt-in model similar to the GDPR. PIPEDA in Canada requires meaningful consent with clear explanations. POPIA in South Africa mandates informed, voluntary consent. India's DPDPA is expected to require registered Consent Managers by late 2026.

Jurisdiction    | Law                        | Consent model
EU / EEA        | GDPR + ePrivacy Directive  | Opt-in (prior consent)
United Kingdom  | UK GDPR + PECR             | Opt-in (prior consent)
California (US) | CCPA / CPRA                | Opt-out
Brazil          | LGPD                       | Opt-in
Canada          | PIPEDA                     | Meaningful consent
South Africa    | POPIA                      | Opt-in
India           | DPDPA                      | Opt-in (enforcement pending)

Serving visitors from multiple jurisdictions means your banner must adapt. An EU visitor sees an opt-in mechanism; a Californian visitor sees opt-out controls with GPC support. Ford Motor Company paid USD 375,703 in March 2026 for adding an email verification step to its opt-out process - something CCPA regulations explicitly prohibit.

What a Compliant Cookie Banner Looks Like

A compliant cookie banner does three things at once: it informs, offers a genuine choice, and enforces that choice technically. The text should name the cookie categories, link to a full cookie policy, and present both "Accept" and "Reject" on the first screen with equal prominence. No pre-ticked boxes. No wall of text designed to exhaust visitors into clicking "Accept All".

Behind the scenes, the banner must block every non-essential script until the user makes a choice. If someone clicks "Reject All," no analytics tag, advertising pixel, or social widget should load. The CNIL found that SHEIN was placing cookies the moment visitors arrived - before the banner even appeared - and "Reject All" did not stop new cookies from being set.

Consent records matter too. Regulators now routinely request audit logs. Each record should capture what the user was shown, which categories they accepted or rejected, a timestamp, and enough detail to reconstruct the interaction. The Dutch DPA and Sweden's IMY expect retention for at least five years.
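As an added illustration (not code from this article, nor from any consent platform it mentions), the JavaScript below models the requirements listed under "What Counts as Valid Consent?" together with the behaviour described in this section: nothing outside the necessary category loads until an active choice is recorded, every decision is logged with a timestamp, the banner version, what was shown and the categories granted and rejected, and withdrawal is one call that is logged like any other decision. It also goes one step beyond the EU case by taking a jurisdiction model and a Global Privacy Control flag, as the section on non-EU law describes. The category names, the script manifest, the record fields and the ConsentManager interface are assumptions for illustration, not any real CMP's API; the gpc flag stands in for navigator.globalPrivacyControl so the logic runs outside a browser.

```javascript
// Added example: a minimal consent-state module. Not the article's or any
// vendor's code; category names, manifest and record shape are assumptions.

const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed tag manifest: every third-party script declares its category.
// Hosts are placeholders, not real vendor endpoints.
const SCRIPTS = [
  { src: "/js/app.js", category: "necessary" },
  { src: "/js/lang-switch.js", category: "functional" },
  { src: "https://analytics.vendor.example/tag.js", category: "analytics" },
  { src: "https://ads.vendor.example/pixel.js", category: "marketing" },
];

class ConsentManager {
  // model: "opt-in" (EU/UK/Brazil style) or "opt-out" (California style).
  // gpc: the browser's Global Privacy Control signal, passed in for testability.
  // now: clock function, injectable so audit records are reproducible in tests.
  constructor({ model = "opt-in", gpc = false, now = () => new Date() } = {}) {
    this.model = model;
    this.gpc = gpc;
    this.now = now;
    this.log = [];         // audit records, oldest first
    this.decision = null;  // stays null until the user actively chooses
  }

  // Set of categories allowed to run right now.
  allowed() {
    const granted = new Set(["necessary"]);
    if (this.decision) {
      for (const c of this.decision.granted) granted.add(c);
    } else if (this.model === "opt-out" && !this.gpc) {
      // Opt-out jurisdictions permit loading before a choice is made,
      // unless the browser sends a GPC signal, which counts as an opt-out.
      for (const c of CATEGORIES) granted.add(c);
    }
    return granted;
  }

  isAllowed(category) {
    return this.allowed().has(category);
  }

  // Record an active choice. `granted` lists the categories the user accepted;
  // `ui` describes the banner (version and text) so the interaction can be
  // reconstructed for an audit.
  record(granted, ui) {
    for (const c of granted) {
      if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
    }
    this.decision = { granted: granted.filter((c) => c !== "necessary") };
    const entry = {
      timestamp: this.now().toISOString(),
      bannerVersion: ui.bannerVersion,
      shown: ui.text,
      granted: [...this.decision.granted],
      rejected: CATEGORIES.filter((c) => c !== "necessary" && !granted.includes(c)),
    };
    this.log.push(entry);
    return entry;
  }

  acceptAll(ui) { return this.record(CATEGORIES, ui); }
  rejectAll(ui) { return this.record([], ui); }
  // Withdrawal must be as easy as giving consent: one call, logged like the rest.
  withdraw(ui) { return this.record([], { ...ui, text: "consent withdrawn" }); }

  // Script URLs that may be injected right now; everything else stays out of the DOM.
  loadableScripts(scripts = SCRIPTS) {
    return scripts.filter((s) => this.isAllowed(s.category)).map((s) => s.src);
  }
}

// Browser glue (not exercised under Node): inject only the permitted scripts.
function injectScripts(manager, doc) {
  for (const src of manager.loadableScripts()) {
    const el = doc.createElement("script");
    el.src = src;
    el.async = true;
    doc.head.appendChild(el);
  }
}
```

On a live page the decision would be persisted (for example in a first-party cookie) and re-read on every page load before any tag is injected, and the audit entries would be sent to the operator's server, since it is the operator, not the browser, that a regulator asks to produce the log.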

Common Mistakes That Trigger Enforcement

Most cookie consent violations fall into a handful of recurring patterns:

  • Cookies fire before consent - scripts load on page arrival, making the banner purely cosmetic

  • Asymmetric design - "Accept" is large and colourful while "Reject" is greyed out or buried in settings

  • No reject option on the first screen - the user must navigate to a second layer to decline

  • Implied consent - the site treats scrolling, clicking elsewhere, or closing the banner as acceptance

  • Miscategorised cookies - marketing trackers labelled as "functional" to bypass consent requirements

  • No consent log - the site collects consent but cannot prove it to a regulator

The CNIL's Google fine specifically noted that rejecting personalised ads required six clicks compared to two clicks for accepting them. That asymmetry alone was enough to invalidate the entire consent flow.

How to Set Up Cookie Consent on Your Website

Start by running a cookie scan to identify every cookie and tracker on your site. Categorise each one - necessary, functional, analytics, or marketing. Then choose a consent management platform (CMP) that blocks scripts before consent, presents a geo-targeted banner, stores audit-ready logs, and respects browser signals like GPC. If you use Google Consent Mode v2, connect it so Google services receive consent signals in real time.

Test the result. Open your site in a fresh browser, inspect the network tab in DevTools, and confirm that no non-essential requests fire before you interact with the banner. Click "Reject All" and verify analytics and marketing tags stay silent. Repeat on mobile.
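The scan, categorise and test loop just described can be rehearsed offline. The JavaScript below is an added example, not code from this article or from Kukie.io: it classifies cookie names against a category map built from the table in "Which Cookies Need Consent and Which Do Not?" (plus an assumed cart_token cookie), then audits a constructed request trace, of the kind the DevTools network tab shows, against the moment the user clicked the banner. The hosts, the timings, the record shape and every cookie name not in the table are constructed for illustration. Unknown cookie names are deliberately treated as non-essential, so a tracker that arrived with a new widget surfaces as a finding instead of passing silently.

```javascript
// Added example: categorise scanned cookies and audit a request trace.
// Not the article's code; the map and trace are constructed for illustration.

// Category map seeded from the article's table; cart_token is an assumed name.
const COOKIE_MAP = {
  PHPSESSID: "necessary",
  cart_token: "necessary",
  pll_language: "functional",
  _ga: "analytics",
  _gid: "analytics",
  _fbp: "marketing",
  IDE: "marketing",
};

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Exact match first, then a known-name prefix such as "_ga_<property id>".
// Anything else is "unknown" and treated as non-essential until classified.
function categorise(name) {
  if (hasOwn(COOKIE_MAP, name)) return COOKIE_MAP[name];
  for (const [known, category] of Object.entries(COOKIE_MAP)) {
    if (name.startsWith(known + "_")) return category;
  }
  return "unknown";
}

// Group the cookie names found during a scan by category.
function scan(cookieNames) {
  const report = { necessary: [], functional: [], analytics: [], marketing: [], unknown: [] };
  for (const name of cookieNames) report[categorise(name)].push(name);
  return report;
}

// Constructed trace: time since page load in ms, host contacted, cookie set.
// Hosts are placeholders, not real vendor endpoints.
const TRACE = [
  { t: 120, host: "www.example.test", cookie: "PHPSESSID" },
  { t: 300, host: "analytics.vendor.example", cookie: "_ga" },
  { t: 4500, host: "www.example.test", cookie: "pll_language" },
  { t: 4700, host: "ads.vendor.example", cookie: "_fbp" },
  { t: 5000, host: "chat.widget.example", cookie: "xyz_tracker" },
];

// consentAt: ms since page load when the user clicked; granted: categories
// accepted (an empty list means "Reject All"). A non-essential cookie set
// before the click, or set afterwards in a category that was not granted,
// is a finding.
function audit(trace, { consentAt, granted }) {
  const findings = [];
  for (const req of trace) {
    const category = categorise(req.cookie);
    if (category === "necessary") continue;
    if (req.t < consentAt) {
      findings.push({ ...req, category, problem: "fired before consent" });
    } else if (!granted.includes(category)) {
      findings.push({ ...req, category, problem: "fired despite rejection" });
    }
  }
  return findings;
}

// Human-readable lines for a checklist or ticket.
function report(findings) {
  return findings.map(
    (f) => `${f.t}ms ${f.host} sets ${f.cookie} [${f.category}]: ${f.problem}`
  );
}

console.log(report(audit(TRACE, { consentAt: 4000, granted: [] })).join("\n"));
```

Run the same audit twice: once after "Reject All" with an empty granted list, and once after a granular choice, to confirm that only the categories the visitor actually accepted are allowed to fire after the click. Repeating it on a mobile viewport catches banners that render differently on small screens.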

Frequently Asked Questions

Do all websites need a cookie consent banner?

If your website sets any non-essential cookies - analytics, marketing, or functional cookies that are not strictly necessary for the service - and you have visitors from jurisdictions with cookie laws (the EU, UK, Brazil, and others), then yes, you need a consent mechanism. Sites that use only strictly necessary cookies may be exempt.

What happens if I ignore cookie consent requirements?

Regulators can impose fines. Under the GDPR, penalties reach up to EUR 20 million or 4% of global annual turnover, whichever is higher. The CNIL fined Google EUR 325 million and SHEIN EUR 150 million in 2025 for cookie consent violations alone. Smaller businesses typically face lower fines, but enforcement is expanding to mid-market and smaller sites as well.

Is clicking "Accept All" the only way to give consent?

No. Valid consent can also be given by selecting specific cookie categories in a preference centre. The key requirement is that the choice is active, informed, and freely given. Pre-ticked boxes, continued browsing, or closing the banner without clicking a button do not qualify as consent under GDPR or ePrivacy rules.

Can I use the same cookie banner for EU and US visitors?

You can, but it is not ideal. The EU requires opt-in consent that blocks cookies before acceptance. California's CCPA requires opt-out controls with a "Do Not Sell or Share" link and GPC signal support. A geo-targeted banner that adapts to the visitor's location provides the best compliance coverage.

How often should I scan my website for cookies?

At least once a month, and after every significant change to your site - adding a new analytics tool, embedding a video player, or installing a chat widget can introduce new cookies. Scheduled scans automate this process so nothing slips through unnoticed.

Will cookie consent banners eventually disappear?

Possibly. The EU's Digital Omnibus proposal, published in November 2025, envisions browser-level preference signals that would transmit consent choices automatically, reducing the need for per-site banners. That reform is still in legislative negotiation and unlikely to take effect before 2027 at the earliest.

Take the Guesswork Out of Cookie Compliance

If you are unsure what cookies your site sets or whether your banner meets current requirements, start with a free scan. Kukie.io detects and categorises every cookie on your site, blocks non-essential scripts before consent, and stores audit-ready logs - so your visitors get a genuine choice and you stay compliant.
