Most websites set cookies. Session tokens, language preferences, analytics trackers, advertising pixels - the list grows every time a new script is added. The question is not whether your site uses cookies. The question is whether the law requires you to ask visitors before those cookies fire.

The short answer: if your website sets anything beyond strictly necessary cookies, you almost certainly need a consent banner in at least some jurisdictions. The longer answer depends on where your visitors are, what cookies your site drops, and which regulations apply to your business.

What Counts as a Cookie Under Privacy Law

Article 5(3) of the ePrivacy Directive does not mention "cookies" by name. It covers the storing of information, or the gaining of access to information already stored, in the terminal equipment of a user. That includes traditional HTTP cookies, but also local storage, session storage, tracking pixels, browser fingerprinting scripts, and any similar technology that reads from or writes to a visitor's device.

The European Data Protection Board adopted guidelines in 2024 confirming this broad reading. Tracking URLs, IoT device reporting, and hashed email identifiers all fall within scope. If a technology stores or accesses data on someone's device, the consent rule applies.

The Two Exemptions That Let You Skip Consent

Under the ePrivacy Directive, only two narrow categories of cookies are exempt from the consent requirement. The first exemption covers cookies whose sole purpose is carrying out the transmission of a communication over a network - think load-balancing cookies that route traffic between servers. The second exemption covers cookies strictly necessary to provide a service explicitly requested by the user, such as a shopping cart cookie on an e-commerce site or an authentication token for a logged-in session.

Everything else requires informed, prior consent. That includes analytics cookies, marketing cookies, social media embeds, A/B testing scripts, and most functional cookies like language or theme preferences.

Your Cookie Banner Checklist

Work through each question below. If you answer "yes" to any of them, your site needs a cookie banner.

Question / If yes

Does your site use Google Analytics, Matomo (with cookies), Plausible (with cookies), or any other analytics tool that sets cookies?
If yes: Banner required for EU/UK visitors

Do you run Google Ads, Meta Pixel, TikTok Pixel, Pinterest Tag, or any advertising tracker?
If yes: Banner required in most jurisdictions

Do you embed YouTube videos, social sharing buttons, or third-party chat widgets?
If yes: These typically set third-party cookies - banner required

Do you use a CRM that drops tracking cookies (HubSpot, Salesforce, ActiveCampaign)?
If yes: Banner required

Do you use session replay tools like Hotjar or Microsoft Clarity?
If yes: Banner required

Do you sell to or target advertising at California residents?
If yes: Opt-out mechanism required under CCPA/CPRA

Does your website serve visitors in Brazil, Canada, or South Africa?
If yes: Consent mechanism required under LGPD, PIPEDA, or POPIA

Does your site use only strictly necessary cookies (session auth, shopping cart, CSRF tokens)?
If yes: No banner required, but a cookie policy explaining these cookies is still recommended

A quick way to check: open your browser's developer tools, clear all cookies, then visit your site without interacting with any banner. If cookies appear from domains other than your own - or if analytics cookies like _ga, _fbp, or _hjSessionUser are already set - those are firing before consent and your site is non-compliant.
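The same check can be scripted. The snippet below is an added example, not code from the article or from Kukie.io: it takes the cookie list as you would copy it from the developer tools cookie panel on first load (before touching the banner) and flags everything that is not on the site's own strictly-necessary allowlist. The site domain, the allowlist names and the sample cookies are constructed assumptions; the tracker prefixes are the ones the article names.

```javascript
// Added example: audit cookies that are already present before consent.
const SITE_DOMAIN = 'example.com'; // assumption: the site being audited

// Assumed strictly-necessary cookie names for this site (session, CSRF, cart).
const NECESSARY = new Set(['sessionid', 'csrftoken', 'cart']);

// Analytics/advertising cookie prefixes mentioned in the article; extend as needed.
const TRACKER_PREFIXES = ['_ga', '_fbp', '_hjSessionUser'];

// A cookie scoped to any domain other than the site (or its subdomains) is third-party.
function isThirdParty(domain) {
  const d = domain.replace(/^\./, '');
  return !(d === SITE_DOMAIN || d.endsWith('.' + SITE_DOMAIN));
}

function classify(cookie) {
  if (NECESSARY.has(cookie.name)) return 'necessary';
  if (TRACKER_PREFIXES.some(p => cookie.name.startsWith(p))) return 'tracker';
  if (isThirdParty(cookie.domain)) return 'third-party';
  return 'unclassified'; // first-party but not allowlisted: needs review
}

// Everything not strictly necessary that exists before consent is a finding.
function auditPreConsentCookies(cookies) {
  return cookies
    .map(c => ({ ...c, category: classify(c) }))
    .filter(c => c.category !== 'necessary');
}

// Constructed sample of a first-load cookie panel (domains and names made up).
const SAMPLE = [
  { name: 'sessionid', domain: 'example.com' },
  { name: 'csrftoken', domain: 'example.com' },
  { name: '_ga', domain: '.example.com' },
  { name: '_ga_ABC123', domain: '.example.com' },
  { name: '_fbp', domain: '.example.com' },
  { name: 'embed_id', domain: '.video-host.example' },
  { name: 'theme', domain: 'example.com' },
];

for (const f of auditPreConsentCookies(SAMPLE)) {
  console.log(`${f.name} (${f.domain}): ${f.category} - set before consent`);
}
```

A non-empty result means the consent platform is not actually blocking those scripts; the "unclassified" entries (here the theme preference) are the functional cookies that also need consent under the ePrivacy rules.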

Which Laws Apply and What They Require

Cookie consent rules vary by jurisdiction, but the direction is clear: requirements are tightening and regulators are enforcing them.

EU and EEA (GDPR and ePrivacy Directive)

The GDPR and ePrivacy Directive together create the strictest cookie regime globally. Non-essential cookies must be blocked until the visitor gives informed, freely given, unambiguous consent through a clear affirmative action. Pre-ticked boxes, scrolling, and vague "OK" buttons do not count. The banner must offer granular category choices and an equally prominent "Reject All" option. The CNIL fined Google 325 million euros in September 2025 for manipulative consent flows, and hit SHEIN with 150 million euros for setting advertising cookies before the banner appeared.

United Kingdom (UK GDPR and PECR)

The UK GDPR and PECR mirror the EU approach. The ICO reviewed the top 1,000 UK websites in 2025, flagging 134 out of the first 200 for non-compliant cookie practices. The Data Use and Access Act introduced higher PECR penalties while adding limited new cookie exemptions for certain analytics use cases.

United States (CCPA/CPRA and State Laws)

No US federal law requires a GDPR-style opt-in cookie banner. The CCPA and CPRA operate on an opt-out model: if cookies are used for targeted advertising or data "sales," you must provide a clear "Do Not Sell or Share My Personal Information" link. By mid-2025, over a dozen US states had enacted comprehensive privacy statutes with similar opt-out requirements. Several of these - including Colorado, Connecticut, and Texas - also require honouring Global Privacy Control (GPC) signals sent by the browser.

No US state technically mandates a pop-up banner, but a consent tool has become the standard mechanism for managing opt-out obligations across multiple states.

Brazil (LGPD)

The LGPD requires a lawful basis before processing personal data, including data collected through cookies. Consent is one of ten legal bases under the LGPD, and it must be free, informed, and unambiguous. A cookie banner that explains purposes and collects opt-in consent is the most straightforward compliance path for non-essential cookies.

Canada (PIPEDA)

PIPEDA requires meaningful consent for the collection, use, and disclosure of personal information. For tracking cookies that collect browsing data, this generally means obtaining opt-in consent or, at minimum, providing clear notice with a genuine opt-out before cookies are set.

What a Compliant Banner Must Include

Regulators across the EU have converged on a clear set of requirements for cookie banners. If your banner is missing any of these elements, it is likely non-compliant.

The first layer of the banner - what visitors see immediately - must include a brief explanation of what cookies are used and why, an "Accept All" button, a "Reject All" button with equal visual prominence, and a "Customise" or "Manage Preferences" option. The Dutch Data Protection Authority warned 50 organisations in April 2025 specifically for missing "Reject All" buttons, pre-checked consent boxes, and designs that made rejection harder than acceptance.

Behind the first layer, visitors must be able to toggle individual cookie categories on or off. The banner must not block access to the website if the visitor refuses consent - cookie walls are prohibited in most EU member states. Consent records must be logged with a timestamp and stored for audit purposes. And closing the banner without clicking any button must not be interpreted as consent.

Common Mistakes That Trigger Enforcement

The CNIL's September 2025 action against SHEIN revealed advertising cookies deposited the moment a user landed on the site - before the banner even appeared. The "Reject All" button existed but failed to stop tracking. Other frequent violations include asymmetric button design, scripts firing before the consent platform loads, and marketing cookies mislabelled as "functional" to dodge consent.

The Dutch DPA now monitors roughly 10,000 websites annually and plans to warn 500 organisations per year. Three-quarters of warned sites made corrections in 2025, but the rest face formal investigations and fines.

What If Your Site Only Uses Strictly Necessary Cookies

If your website genuinely sets no analytics, marketing, or functional cookies beyond what is strictly necessary, you do not need a consent banner. A static HTML site with no third-party scripts and no analytics falls into this category.

Most real-world websites do not fit that description. Even a basic WordPress installation with a contact form plugin and Google Analytics triggers the consent requirement. Run a cookie scan to verify what your site actually sets - the results often surprise owners who assumed their site was "cookie-free."

Google Consent Mode and Advertising Requirements

If your site uses any Google advertising or analytics products and serves EU visitors, Google Consent Mode v2 is a practical necessity. Consent Mode communicates your visitors' consent choices to Google services, controlling whether data is collected or modelled. Without it, Google Ads campaigns lose measurement accuracy and audience signals degrade.

Consent Mode does not replace a cookie banner. It sits behind one, translating the visitor's choices into signals that Google's tags understand.
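The banner rules from the previous section (default denied, granular categories, a timestamped record, closing the banner is not consent) and the Consent Mode hand-off described here fit in one small controller. This is an added example, not Google's or Kukie.io's code: the `gtag` shim and the `dataLayer` are the standard pattern a Google tag installs, the consent signal names are the Consent Mode v2 ones, and the category grouping and record format are assumptions.

```javascript
// Added example: consent controller that feeds Consent Mode v2 signals.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); } // standard shim

// Consent Mode v2 signal names, grouped under the banner's categories (grouping assumed).
const CATEGORY_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build the per-signal state for a set of granted categories; everything else is denied.
function signalState(grantedCategories) {
  const state = {};
  for (const [cat, signals] of Object.entries(CATEGORY_SIGNALS)) {
    for (const s of signals) state[s] = grantedCategories.includes(cat) ? 'granted' : 'denied';
  }
  return state;
}

// Step 1: before any Google tag loads, default every signal to denied.
function setDefaultDenied() {
  const state = signalState([]);
  gtag('consent', 'default', state);
  return state;
}

// Step 2: map an explicit banner action to a timestamped consent record and a
// Consent Mode update. Dismissing the banner produces no record and no update.
function recordChoice(action, categories = [], now = () => new Date().toISOString()) {
  let granted;
  switch (action) {
    case 'accept_all': granted = Object.keys(CATEGORY_SIGNALS); break;
    case 'reject_all': granted = []; break;
    case 'customise': granted = categories.filter(c => c in CATEGORY_SIGNALS); break;
    case 'dismiss': return null; // closing without a button click is not consent
    default: throw new Error('unknown banner action: ' + action);
  }
  const signals = signalState(granted);
  gtag('consent', 'update', signals);
  return { timestamp: now(), action, granted, signals }; // persist for audit
}

// Gate for loading non-essential scripts: only an explicit grant unlocks a category.
function mayLoad(record, category) {
  return record !== null && record.granted.includes(category);
}
```

The record returned by `recordChoice` is what you store as the audit log; the `dataLayer` entries are what the Google tag consumes.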

Frequently Asked Questions

Can I use a simple "This site uses cookies" notice instead of a full banner?

Not if you set non-essential cookies and have EU or UK visitors. A notice-only approach with no option to refuse was acceptable before 2018, but current GDPR and PECR requirements demand granular consent with a genuine "Reject All" option.

Do I need a cookie banner if my website only targets US visitors?

You may not need a traditional opt-in banner, but if your site uses cookies for targeted advertising or data sharing, state laws like the CCPA/CPRA require an opt-out mechanism - typically a "Do Not Sell or Share My Personal Information" link and support for Global Privacy Control signals.

Are analytics cookies like Google Analytics exempt from consent?

In most EU member states, no. The ICO in the UK, the CNIL in France, and the EDPB have all confirmed that analytics cookies like _ga require prior consent. Some national DPAs (notably France and the Netherlands) allow exemptions for privacy-friendly, first-party analytics tools under specific conditions, but standard Google Analytics does not qualify.

How often should I scan my website for new cookies?

At least monthly, or whenever you add a new plugin, script, or third-party integration. Cookies can appear without your knowledge when third-party tags load additional scripts. A scheduled scan catches these before a regulator does.

What happens if I ignore cookie consent rules?

Fines can be significant. The CNIL issued 475 million euros in cookie-related fines to Google and SHEIN in a single month in 2025. The ICO warns sites directly and can issue enforcement notices. Beyond fines, non-compliant banners erode visitor trust and can disrupt advertising data quality when consent signals are missing or invalid.

Does my cookie banner need to be accessible to users with disabilities?

Yes. The European Accessibility Act took effect in June 2025, requiring WCAG 2.2 Level AA compliance for digital services - including cookie banners. All buttons must be keyboard-navigable, screen-reader compatible, and have sufficient colour contrast. An inaccessible banner can invalidate consent entirely, since users with disabilities cannot freely give or refuse it.

Check Your Site and Get Compliant

If any item on the checklist above applies to your website, a cookie banner is not optional - it is a legal requirement in at least one jurisdiction you serve. Start by scanning your site to see exactly which cookies are active, then set up a consent management platform that blocks non-essential cookies until consent is given.

Kukie.io scans your site, categorises every cookie, and deploys a geo-targeted banner that adapts to GDPR, CCPA, LGPD, and PECR rules automatically.
