Clients rarely ask about cookies until something goes wrong. A visitor complains about a pop-up. Google Ads performance drops after a banner change. A competitor gets fined by a regulator and suddenly everyone in the boardroom wants answers. When that call comes, the agency or freelancer on the other end needs to explain cookies clearly - without jargon and without brushing the topic off.

Cookies sit at the intersection of technology, law, and user experience. Your client probably thinks of them as annoyances. Your job is to reframe them as something that protects the business and builds visitor trust.

What Clients Actually Need to Know About Cookies

Start with the basics, but keep them concrete. A cookie is a small text file that a website stores on a visitor's browser. It remembers things - login status, language preferences, items in a shopping cart, or which pages someone visited. Every website your client runs almost certainly sets cookies, whether they realise it or not.

The confusion usually starts when clients assume all cookies are the same. They are not. Break them into four categories that map directly to consent rules:

Category | What It Does | Example | Consent Needed?
Strictly necessary | Keeps the site functioning (sessions, security, load balancing) | PHPSESSID, cart tokens | No
Functional | Remembers user preferences (language, region, display settings) | pll_language, theme preference | Yes (in most EU jurisdictions)
Analytics | Tracks how visitors use the site (page views, bounce rate, session duration) | _ga, _gid | Yes
Marketing | Builds advertising profiles and tracks conversions across sites | _fbp, _gcl_au | Yes

This table is the single most useful visual you can share with a client. It turns an abstract concept into something they can point at and understand. Strictly necessary cookies work without asking permission. Everything else requires the visitor to say yes before it fires.

Why the Law Cares About Cookies

Clients often assume cookie rules are a European quirk. They are not - though the EU did set the pace. Article 5(3) of the ePrivacy Directive requires prior consent before storing or accessing information on a user's device, unless the cookie is strictly necessary. The GDPR then governs how that consent must be obtained: it must be freely given, specific, informed, and unambiguous (Article 7).

Regulators are not treating this as theoretical. In 2025, the French CNIL issued fines totalling nearly 487 million euros, with cookie violations ranking among its top enforcement priorities. Twenty-one organisations were sanctioned specifically for tracker-related breaches - from placing cookies before consent to ignoring withdrawal requests. Google alone was fined 325 million euros in September 2025 for manipulative cookie consent designs and displaying ads without user permission.

The picture is similar elsewhere. The UK GDPR and PECR mirror the EU approach. In the United States, the CCPA/CPRA does not require prior consent for cookies, but it does require a clear opt-out mechanism for data sales and sharing - and by 2026, over 20 states have comprehensive privacy laws in effect. Brazil's LGPD, Canada's PIPEDA, and South Africa's POPIA each have their own rules about how personal data collected via cookies must be handled.

The point for clients: this is not optional, and the rules depend on where their visitors are located, not where the business is based.

How to Frame the Conversation With a Client

Avoid leading with fines. Scaring clients into compliance creates anxiety, not understanding. A better opening is something like: "Your website collects data from visitors through cookies. Some of that collection requires the visitor's permission by law. Right now, here is what your site does - and here is what it should do."

Then run a scan. Use a cookie scanner to produce a concrete list of every cookie the client's site sets. Nothing moves a conversation forward faster than showing a client their own data. A typical small business site might set 8-15 cookies; an e-commerce site with marketing integrations often sets 30 or more.

Present the results grouped by category. Highlight cookies that fire before consent - the most common gap agencies find, and the exact violation the CNIL targeted in its 2025 enforcement wave.
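One way to turn raw scanner output into the grouped report described above, as an added example that is not code from the article or from any scanner product. The scan record format, the name patterns and the fictional shop's cookies are all assumptions.

```javascript
// Added example (not from the article): turn a cookie scan into the grouped
// report, with the pre-consent cookies highlighted. The scan record format and
// the name patterns are assumptions; real scanners and real sites will differ.

// Name patterns per the article's four categories; only "strictly necessary"
// cookies may be set without consent.
const CATEGORY_RULES = [
  { category: 'strictly necessary', consent: false, match: /^(PHPSESSID|cart_token|csrf_token)$/i },
  { category: 'functional', consent: true, match: /^(pll_language|theme)$/i },
  { category: 'analytics', consent: true, match: /^(_ga|_gid|_gat)(_|$)/ },
  { category: 'marketing', consent: true, match: /^(_fbp|_fbc|_gcl_au|_gcl_aw)$/ },
];

// Categorise one cookie name. Unknown names are flagged for manual review and
// treated as needing consent, which is the conservative default.
function categorise(name) {
  const rule = CATEGORY_RULES.find((r) => r.match.test(name));
  return rule
    ? { category: rule.category, consentNeeded: rule.consent }
    : { category: 'unclassified', consentNeeded: true };
}

// Group cookies by category and list those observed before any consent was
// given that should not have been. `scan` holds { name, domain, setBeforeConsent }.
function buildReport(scan) {
  const byCategory = {};
  const preConsentViolations = [];
  for (const c of scan) {
    const { category, consentNeeded } = categorise(c.name);
    (byCategory[category] = byCategory[category] || []).push(c.name);
    if (consentNeeded && c.setBeforeConsent) {
      preConsentViolations.push({ name: c.name, domain: c.domain, category });
    }
  }
  return { byCategory, preConsentViolations };
}

// Constructed scan output for a fictional shop, as a scanner run in a fresh
// browser profile with no consent given might produce.
const SAMPLE_SCAN = [
  { name: 'PHPSESSID', domain: 'shop.example', setBeforeConsent: true },
  { name: 'pll_language', domain: 'shop.example', setBeforeConsent: true },
  { name: '_ga', domain: '.shop.example', setBeforeConsent: true },
  { name: '_gid', domain: '.shop.example', setBeforeConsent: true },
  { name: '_fbp', domain: '.shop.example', setBeforeConsent: true },
  { name: '_gcl_au', domain: '.shop.example', setBeforeConsent: false },
  { name: 'wp_promo_seen', domain: 'shop.example', setBeforeConsent: true },
];
console.log(JSON.stringify(buildReport(SAMPLE_SCAN), null, 2));
```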

Three Questions Clients Always Ask

"Do I really need a cookie banner?" Almost always yes, if the site has visitors from the EU, UK, or Brazil. Even for US-only audiences, growing state-level privacy laws make a banner a sensible default. A simple checklist can help settle this quickly.

"Will the banner hurt conversions?" Not necessarily. A well-designed banner that is clear and non-intrusive can maintain consent rates above 70%. What hurts conversions is a banner that blocks the entire page, uses manipulative design, or confuses visitors into leaving.

"Can I just add a banner and be done?" No. A banner alone does nothing if the underlying scripts still fire without consent. The banner must be connected to a consent management platform that actually blocks non-essential cookies until the visitor opts in.

The Agency's Responsibility vs. the Client's

This is where many agency-client relationships get awkward. Under the GDPR, the website owner is the data controller - they are ultimately responsible for compliance. But if the agency sets up tracking, deploys the banner, and manages the tag configuration, the agency can be classified as a data processor, which carries its own legal obligations under Article 28.

Put this division in writing from day one. Define three buckets:

The agency handles: technical implementation of the consent banner, script blocking configuration, cookie scanning, and Google Consent Mode integration.

The client handles: reviewing and approving the cookie policy text, deciding which third-party services to use on the site, and responding to data subject requests.

Both parties agree on: a data processing agreement, a schedule for periodic cookie re-scans, and a process for updating consent settings when new tools are added to the site.

Without this clarity, each side assumes the other is handling compliance - and neither does.

Practical Steps for the First Client Conversation

Run the cookie scan before the meeting. Arrive with data, not hypotheticals.

Show the cookie categories table. Let the client see where their cookies fall. Most clients are surprised by how many marketing cookies third-party tools inject without their knowledge.

Explain consent in one sentence: "Before your website tracks a visitor for analytics or advertising, the visitor must actively agree to it." That covers 90% of what a non-technical client needs to hear.

Demo a consent banner in action. Show them what it looks like when a visitor arrives, what the preference centre offers, and what happens when someone clicks "Reject All" - the scripts genuinely stop firing.

Discuss Consent Mode v2. If the client runs Google Ads or Analytics, explain that Google now requires verified consent signals from sites targeting EEA and UK users. Without proper consent mode integration, conversion tracking degrades and remarketing audiences shrink. This is often the detail that gets budget approval - the cost of non-compliance is not just a fine, it is lost marketing data.

How to Talk About Cookies Without Sounding Like a Lawyer

Analytics cookies can be compared to footfall counters in a retail store - useful for the owner, invisible to most shoppers, but still subject to rules about surveillance. Avoid the term "compliance" where possible. Clients hear "compliance" and think "cost." Instead, talk about "making sure visitors trust the site" or "keeping the site eligible for Google advertising tools." Frame cookies as a UX and business concern, not purely a legal one.

When the client pushes back - "nobody reads those banners anyway" - acknowledge it, then redirect. Regulators do not care whether visitors read the banner; they care whether the banner exists, functions correctly, and respects the visitor's choice. The CNIL's 2025 enforcement report made clear that websites allowing cookies to drop before consent, or making it harder to reject than to accept, face sanctions regardless of whether users engage with the banner.

Scaling Cookie Compliance Across Multiple Clients

Agencies managing 10, 50, or 200 client sites need a process, not a one-off fix. Standardise the workflow:

Run an initial cookie audit during onboarding and set up scheduled scans - monthly at minimum - to catch cookies introduced by plugin updates or third-party script changes. Maintain a shared document per client listing every cookie, its category, and its legal basis.

For agencies handling sites across multiple jurisdictions, consent rules vary by country. A site with visitors from both Germany and California needs geo-targeted consent logic - opt-in for EU traffic, opt-out for US traffic. A consent management platform that supports region-based rules saves hours of manual configuration.
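The consent logic that a banner has to sit on, covering the script blocking and "Reject All" behaviour described in "Three Questions" and the first-conversation steps, the Consent Mode v2 signal, and the region-based opt-in versus opt-out defaults from this section. This is an added example written as pure functions so it can be tested outside a browser; it is not code from the article or from any consent management platform. The category names follow the article's table and the Consent Mode keys are Google's real ones; the region codes, the text/plain blocking pattern and the script list are assumptions.

```javascript
// Added example, not the article's or any CMP vendor's code: the consent logic
// a banner sits on. Category names follow the table above; the Consent Mode
// keys are Google's real ones; region codes and the script list are assumed.
const REGION_MODEL = { EU: 'opt-in', UK: 'opt-in', BR: 'opt-in', US: 'opt-out' };
const NON_ESSENTIAL = ['functional', 'analytics', 'marketing'];
const allSetTo = (v) => Object.fromEntries(NON_ESSENTIAL.map((c) => [c, v]));

// State before the visitor touches the banner: opt-in regions start denied,
// opt-out regions start granted, unknown regions get the safest default.
function defaultConsent(region) {
  return allSetTo((REGION_MODEL[region] || 'opt-in') === 'opt-out');
}

// Apply a banner choice. 'accept' and 'reject' are the two equally prominent
// buttons; 'custom' carries the preference-centre checkboxes.
function applyChoice(state, choice, custom = {}) {
  if (choice === 'accept') return allSetTo(true);
  if (choice === 'reject') return allSetTo(false);
  return { ...state, ...custom };
}

// Translate category state into the Google Consent Mode v2 signal sent with
// gtag('consent', 'default', ...) on load and gtag('consent', 'update', ...)
// after a choice. ad_user_data and ad_personalization are the keys v2 added.
function toConsentMode(state) {
  const g = (ok) => (ok ? 'granted' : 'denied');
  return {
    functionality_storage: g(state.functional),
    personalization_storage: g(state.functional),
    analytics_storage: g(state.analytics),
    ad_storage: g(state.marketing),
    ad_user_data: g(state.marketing),
    ad_personalization: g(state.marketing),
    security_storage: 'granted', // strictly necessary, never gated
  };
}

// Script blocking (assumed pattern): tags ship as <script type="text/plain"
// data-category="..."> and a loader switches only the returned ones to
// text/javascript, so after 'reject' the analytics and marketing tags never run.
function scriptsToActivate(scripts, state) {
  return scripts.filter((s) => s.category === 'necessary' || state[s.category] === true);
}

const SCRIPTS = [ // constructed list of tags on the page
  { id: 'session-helper', category: 'necessary' },
  { id: 'gtag', category: 'analytics' },
  { id: 'meta-pixel', category: 'marketing' },
];
console.log(scriptsToActivate(SCRIPTS, applyChoice(defaultConsent('EU'), 'reject')).map((s) => s.id));
```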

Make cookie compliance a line item in service agreements rather than burying it inside a "maintenance" retainer. A dedicated compliance service is easier for clients to understand and easier to defend during budget reviews.

Frequently Asked Questions

How do I explain cookies to a non-technical client in under a minute?

Tell them a cookie is a small file their website saves on each visitor's browser to remember things like login status or language choice. Some cookies track behaviour for analytics or advertising, and privacy laws require visitor permission before those cookies activate.

Is the agency legally responsible if a client's cookie banner is non-compliant?

The website owner (client) is the data controller and bears primary responsibility. The agency may be classified as a data processor under GDPR Article 28 if it manages tracking and consent tools, which carries its own compliance obligations. A data processing agreement should clarify each party's duties.

Do websites with only US visitors need a cookie consent banner?

Strict opt-in banners are not required under most US state laws, but the CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" link, and over 20 states now have comprehensive privacy laws. A consent banner is increasingly the safest default for US-facing sites too.

What happens if a client refuses to add a cookie banner?

Document the recommendation in writing. If the site targets EU, UK, or Brazilian visitors and sets non-essential cookies without consent, the client risks fines - up to 20 million euros or 4% of global turnover under GDPR. The agency should not accept liability for a decision it advised against.

How often should cookie scans be repeated for client websites?

Monthly is the recommended minimum. Plugin updates, CMS changes, and third-party script modifications can introduce new cookies at any time. Scheduled scans catch these changes before a regulator does.

Get Your Clients' Cookie Compliance Right

If you manage websites for clients and are not sure what cookies each site sets, start with a scan. Kukie.io detects and categorises cookies automatically, supports multi-site management for agencies, and integrates with Google Consent Mode v2 - so your clients stay compliant and their marketing data stays intact.
