Why Static HTML Sites Still Need Cookie Consent

A website built from hand-coded HTML files is not exempt from privacy regulations. If your pages load Google Analytics, a Meta Pixel, a live chat widget, or any other third-party service, cookies are almost certainly being set on your visitors' devices.

Article 5(3) of the ePrivacy Directive is clear: storing or accessing information on a user's terminal equipment requires prior informed consent, unless the cookie is strictly necessary to deliver a service the user explicitly requested. The GDPR reinforces this by setting a high bar for what counts as valid consent - it must be freely given, specific, informed, and unambiguous.

These rules apply regardless of how your site is built. A static HTML page that drops _ga, _fbp, or _gid before the visitor has made a choice is non-compliant.

Common Cookies Found on Static HTML Sites

Even a minimal static site can accumulate cookies quickly once third-party scripts are added. Here is a breakdown of the most common ones and their legal classification:

| Cookie | Set By | Purpose | Category | Consent Required? |
|---|---|---|---|---|
| PHPSESSID | Server | Session management | Strictly necessary | No |
| _ga | Google Analytics | Visitor identification | Analytics | Yes |
| _gid | Google Analytics | Session grouping | Analytics | Yes |
| _fbp | Meta Pixel | Ad targeting | Marketing | Yes |
| pll_language | Polylang | Language preference | Functional | Depends on jurisdiction |
| __cf_bm | Cloudflare | Bot detection | Strictly necessary | No |

The first step is knowing exactly which cookies your site sets. A free cookie scan will identify every cookie, local storage entry, and third-party request your pages make.

The Script-Blocking Problem

Displaying a cookie banner is only half the requirement. The banner itself does nothing if analytics and marketing scripts still fire before the visitor responds.

Under ePrivacy rules, non-essential cookies must be blocked until consent is granted. This means your Google Analytics snippet, your Facebook Pixel, and any ad-tech tags need to stay dormant until the user clicks "Accept" for that specific cookie category. Simply showing a notice while cookies load in the background is exactly the pattern that led to the CNIL fining Google 325 million euros and Shein 150 million euros in September 2025 for depositing advertising cookies before users had any chance to interact with the consent interface.

On a CMS like WordPress, plugins handle this script blocking automatically. On a static HTML site, you need a different approach.

How Script Tag Installation Works

The most practical method for adding cookie consent to a plain HTML site is a single script tag placed in the <head> section of every page. A consent management platform like Kukie.io provides a snippet that looks something like this:

<script src="https://cdn.kukie.io/banner.js" data-site-id="YOUR_SITE_ID"></script>

This script handles three things at once: it displays the cookie banner, it blocks non-essential scripts until consent is recorded, and it stores the visitor's choice so the banner does not reappear on every page load. The full walkthrough is in the HTML installation guide.

Placing the Script in Your HTML

The consent script must load before any other third-party script. Place it as the first <script> element inside your <head> tag. If it loads after Google Analytics or a tracking pixel, those scripts will have already set cookies - defeating the purpose entirely.

For sites with multiple HTML files, you need the snippet in every file's <head>. If you use a templating system or server-side includes (SSI), add it once to the shared header partial.

Blocking Third-Party Scripts Until Consent

The standard technique changes the type attribute on scripts you want to block. Instead of type="text/javascript", set it to type="text/plain" and add a data-cookie-consent attribute indicating the category:

<script type="text/plain" data-cookie-consent="analytics"
  src="https://www.googletagmanager.com/gtag/js?id=G-XXXXX">
</script>

When the visitor grants consent for the analytics category, the consent script flips the type back to text/javascript and the tag loads normally. This approach works for any third-party script - analytics, marketing pixels, chat widgets, or embedded video players.
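
One way a consent script can release the blocked tags described above, as an added example (not Kukie.io's code): it finds the text/plain placeholders for the granted categories and swaps in live script elements. The "consent-changed" event name in the closing comment is hypothetical.

```javascript
// Added illustration, not Kukie.io's code. `doc` is a browser document
// (or any object exposing the same DOM methods used below).
const CONSENT_ATTR = 'data-cookie-consent';

// Blocked placeholders whose category is in the granted set.
function findReleasable(doc, granted) {
  const sel = `script[type="text/plain"][${CONSENT_ATTR}]`;
  return Array.from(doc.querySelectorAll(sel))
    .filter((el) => granted.has(el.getAttribute(CONSENT_ATTR)));
}

// Swap each releasable placeholder for a live <script>. A fresh element is
// inserted because the browser makes its run/skip decision at insertion.
function releaseScripts(doc, granted) {
  const released = [];
  for (const placeholder of findReleasable(doc, granted)) {
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(placeholder.attributes)) {
      if (name !== 'type') live.setAttribute(name, value); // drop text/plain
    }
    const src = placeholder.getAttribute('src');
    if (!src) live.text = placeholder.text; // inline snippet: copy its code
    live.async = false;                     // keep document order for external tags
    placeholder.replaceWith(live);
    released.push(src || '(inline)');
  }
  return released;
}

// Browser wiring (hypothetical event name; a real CMP exposes its own hook):
//   document.addEventListener('consent-changed', (e) =>
//     releaseScripts(document, new Set(e.detail.granted)));
```

Scripts for categories that were not granted stay as inert text/plain placeholders, so a later change of mind only needs another call with the new set.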

Multi-Page Sites and Consistency

A single-page portfolio site might have one HTML file. A documentation site or small business website could have dozens. The consent script must appear on every page, and the visitor's consent choice must persist across all of them.

Cookie-based consent storage handles this automatically. Once the visitor makes a choice on any page, a strictly necessary cookie records that preference. Every subsequent page load reads the stored consent state and applies the same script-blocking rules without showing the banner again.

If your static site uses Gatsby, Hugo, or another static site generator, the same script tag approach applies - but those tools have their own templating systems that make placement easier.

Geo-Detection and Regional Rules

Not every visitor to your site is covered by the GDPR. A user browsing from Texas faces different consent requirements than one browsing from Berlin. Under the CCPA/CPRA, California visitors must be able to opt out of the sale or sharing of personal information, but prior consent before setting cookies is not required the way it is under European law.

A properly configured consent platform uses geo-detection to show the right banner to the right visitor. European visitors see a GDPR-compliant opt-in banner. Californian visitors see an opt-out notice. Visitors from unregulated regions may see no banner at all. This is configured in the platform dashboard rather than in your HTML code.

Google Consent Mode v2

If your site uses Google Analytics 4, Google Ads, or Google Tag Manager, Google Consent Mode v2 is relevant. Since March 2024, Google requires websites serving ads in the EEA to send consent signals via Consent Mode. Without it, remarketing audiences and conversion measurement stop working for European traffic.

Consent Mode works by sending two key parameters - ad_storage and analytics_storage - to Google's tags. When consent is denied, Google collects modelled (cookieless) data instead. The consent script handles these signals automatically, so you do not need to write custom GTM logic.

Testing Your Implementation

After adding the consent script, verify three things:

  1. No cookies before consent - Open your site in an incognito window. Before interacting with the banner, check the browser's developer tools (Application tab, Cookies section). Only strictly necessary cookies like __cf_bm or session identifiers should be present.

  2. Scripts fire after consent - Accept all categories and confirm that _ga, _gid, and any marketing cookies now appear.

  3. Rejection works - Reject all non-essential categories. Reload the page. Verify that analytics and marketing cookies are absent.

Run a cookie scan after deployment to confirm the results match your expectations.
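
A pre-deployment lint that complements the browser checks above, as an added example rather than Kukie.io tooling: it flags pages where the consent script is missing or not first, and third-party scripts that are not blocked with type="text/plain". The sample page and the pixel.example URL are constructed.

```javascript
// Added illustration, not Kukie.io tooling. Regex-based lint for hand-written
// HTML; it is not a full HTML parser and ignores <img>/<iframe> trackers.
const CONSENT_SRC = 'https://cdn.kukie.io/banner.js'; // snippet URL from this page

// Parse the attribute text of one opening tag into { name: value }.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([^\s=\/]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Return a list of findings for the text of one HTML file.
function lintHtml(html, consentSrc = CONSENT_SRC) {
  const findings = [];
  const scripts = [...html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)]
    .map((m) => ({ attrs: parseAttrs(m[1]), body: m[2] }));
  const pos = scripts.findIndex((s) => s.attrs.src === consentSrc);
  if (pos === -1) findings.push('consent script missing');
  else if (pos > 0) findings.push('consent script is not the first <script>');
  for (const { attrs, body } of scripts) {
    if (attrs.src === consentSrc) continue;
    const blocked = (attrs.type || '').toLowerCase() === 'text/plain'
      && Boolean(attrs['data-cookie-consent']);
    if (blocked) continue; // inert until the visitor grants this category
    if (/^(https?:)?\/\//i.test(attrs.src || '')) {
      findings.push(`unblocked third-party script: ${attrs.src}`);
    } else if (!attrs.src && /https?:\/\//i.test(body)) {
      findings.push('unblocked inline script references an external URL');
    }
  }
  return findings;
}

// Constructed sample: analytics loads first and unblocked, banner comes last.
const SAMPLE_BAD = `<head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXX"></script>
<script>var s = document.createElement('script'); s.src = 'https://pixel.example/p.js';</script>
<script src="${CONSENT_SRC}" data-site-id="YOUR_SITE_ID"></script>
</head>`;
```

Run lintHtml over the text of every HTML file before publishing; an empty result means the static markup follows the placement and blocking rules, which the browser checks then confirm at runtime.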

Frequently Asked Questions

Do I need cookie consent on a static HTML website?

Yes. If your static site sets any non-essential cookies - such as analytics or marketing cookies - you must obtain consent before those cookies are placed on the visitor's device, under the ePrivacy Directive and GDPR.

How do I add a cookie banner to HTML without a plugin?

Add a single script tag to the <head> section of every HTML file. The script displays the banner, blocks non-essential cookies until consent is given, and stores the visitor's choice. See the HTML installation guide in the Help Centre for the exact steps.

Can I just show a cookie notice without blocking scripts?

No. Under EU rules, displaying a banner while setting tracking cookies in the background is not valid consent. Non-essential scripts must be blocked until the visitor actively opts in.

Does a one-page HTML site need cookie consent?

If that single page loads any third-party scripts that set non-essential cookies, then yes. The number of pages is irrelevant - the obligation depends on what cookies are set.

How do I block Google Analytics until consent on a static site?

Change the script tag's type attribute from text/javascript to text/plain and add a data-cookie-consent="analytics" attribute. The consent management script will re-enable it once the visitor grants analytics consent.

What happens if my HTML site gets visitors from different countries?

A consent management platform with geo-detection serves different banner types based on the visitor's location. European visitors see an opt-in banner, while visitors from less regulated regions may see a simplified notice or no banner at all.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
