Every website that uses analytics, advertising pixels, or third-party scripts needs a functioning cookie consent setup before those tools are allowed to run. The legal requirement is not new, but enforcement has caught up. France's CNIL issued nearly half a billion euros in fines during 2025 alone, with cookie violations among its top priorities. The UK's ICO began reviewing the top 1,000 websites and reported compliance concerns at two-thirds of the first 200 it assessed. The Dutch DPA now scans around 10,000 websites annually and warns 500 organisations per year.

If you have not set up cookie consent yet, this is the practical, step-by-step process.

Step 1: Scan Your Website for Cookies

Before configuring anything, you need a complete inventory of what your site actually sets. Cookies come from your own code (first-party) and from third-party services like Google Analytics, Meta Pixel, chat widgets, and embedded videos. A typical small business website sets between 10 and 40 cookies without the owner realising it.

Use a cookie scanner to crawl your site and produce a list. The scan should capture the cookie name, domain, expiry, and whether it is first-party or third-party. You can also inspect cookies manually using Chrome DevTools (Application tab, then Cookies in the sidebar), but a scanner catches cookies set on subpages and after user interactions that a quick manual check might miss. Bear in mind that a script served by a third party often sets a first-party cookie on your own domain (Google Analytics' _ga is the standard example), so the domain column alone does not tell you which script set a cookie or what it does; you need to trace it back to the tag that created it.

Record what you find. You will need this list for your cookie policy and for categorising cookies in the next step.

Step 2: Categorise Each Cookie

Privacy laws distinguish between cookies that are strictly necessary for the site to function and those that are not. The categories most consent management platforms use are:

Category                | Examples                                                      | Consent required?
------------------------|---------------------------------------------------------------|------------------------------------------------------
Strictly necessary      | PHPSESSID, cart tokens, CSRF tokens, load-balancing cookies   | No (exempt under Article 5(3) of the ePrivacy Directive)
Functional              | pll_language, accessibility preferences, login persistence    | Yes in EU/UK; varies elsewhere
Analytics               | _ga, _gid, _hjSessionUser                                     | Yes in EU/UK; opt-out in California
Marketing / Advertising | _fbp, _gcl_au, IDE                                            | Yes everywhere (opt-in EU/UK, opt-out US)

Getting the categories right matters because your banner will present these groups to visitors. Miscategorising an analytics cookie as strictly necessary is one of the most common compliance failures flagged by regulators. When a cookie from the scan cannot be identified, treat it as requiring consent until you have traced which script sets it and why; never let "unknown" default to "necessary".

Step 3: Choose a Consent Management Platform

A consent management platform (CMP) handles the banner display, user preference storage, and script blocking. You can build one from scratch, but a dedicated CMP saves months of development and keeps pace with regulatory changes automatically.

When evaluating a CMP, check whether it offers automatic script blocking (not just tag-manager integration), geo-targeted consent rules, Google Consent Mode v2 support, and IAB TCF v2.3 certification if you run programmatic advertising. Google made Consent Mode v2 mandatory for European advertisers in March 2024, and TCF v2.3 became compulsory from February 2026.

Install the CMP by adding its script tag to your site's <head> section, before any analytics or advertising tags, and load it synchronously (no async or defer attribute) so that its consent defaults have executed before any tag that depends on them. The CMP script must load first so it can intercept and block other scripts until consent is given.

Step 4: Configure Your Cookie Banner

The banner is the user-facing element, and regulators scrutinise its design closely. The CNIL fined Google EUR 325 million in September 2025 partly because refusing personalised ads took six clicks while accepting took two. The Dutch DPA's April 2025 warning campaign specifically targeted banners that lacked a first-layer reject button, used pre-ticked consent boxes, or made the reject option visually less prominent than the accept button.

A compliant cookie banner needs these elements on the first screen:

  • A clear explanation of what cookies are used for, in plain language

  • An Accept All button

  • A Reject All button with equal visual prominence (same size, same styling weight)

  • A link to granular category-level preferences

  • A link to your cookie policy

Avoid dark patterns. Do not use colour contrast tricks to make Reject harder to see. Do not require extra clicks to reject compared to accept. Do not use confusing toggles that default to "on." The ICO's 2025 audit of the top 200 UK websites found that 67% had compliance concerns, many related to exactly these design issues.

Step 5: Block Scripts Before Consent

Displaying a banner is only half the job. The other half is making sure non-essential cookies do not fire until the visitor actively consents. This is where many setups fail. The CNIL's investigation into SHEIN found that advertising cookies were deposited on user devices the moment the site loaded, before the visitor even saw the banner.

There are two main blocking approaches:

CMP-level auto-blocking: The CMP detects known tracking scripts and prevents them from executing until consent is recorded. This is the simplest approach and works well for standard services like Google Analytics 4, Meta Pixel, and Hotjar. It depends on the CMP recognising the script, so anything outside its signature list (a custom pixel, a niche chat widget, an A/B testing snippet) still has to be gated by hand, typically by marking the script tag inert and assigning it a consent category.

Tag manager conditional firing: If you use Google Tag Manager, configure each tag to fire only when the relevant consent category is granted. GTM does not block cookies on its own - it only controls when tags execute. You still need the CMP to communicate consent status to GTM via the data layer or Consent Mode integration. Scripts that GTM itself injects (for example a Meta Pixel tag) are invisible to page-level script gating, so this path is the only reliable way to control them.

After setting up blocking, test it. Open your site in a private browser window, inspect cookies before interacting with the banner, and verify that only strictly necessary cookies are present. Then accept all cookies and confirm that analytics and marketing cookies appear only after consent.
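The following is an added example, not code from the original article or from any CMP vendor. It turns the Step 2 table into a categoriser and then runs the Step 5 check against a cookie snapshot taken before the visitor touches the banner. The cookie names come from the article's table; the category patterns, the region codes (EU, UK, US_CA), the rule for functional cookies in California, and the sample snapshot are constructed for illustration.

```javascript
// Added example, not code from the original article or from any CMP vendor:
// categorise a cookie scan result with the Step 2 table, then audit the
// cookies observed before the visitor touched the banner (the Step 5 check).
// Cookie names come from the article's table; the category map, region
// codes and sample snapshot are constructed for illustration.

// Exact or prefix matches for the names in the table. Prefix matching is
// needed because GA4 sets one _ga_<measurement id> cookie per property and
// all Hotjar cookies start with _hj.
const KNOWN_COOKIES = [
  { match: /^PHPSESSID$/, category: 'necessary' },
  { match: /csrf/i, category: 'necessary' },
  { match: /^pll_language$/, category: 'functional' },
  { match: /^_ga(_|$)/, category: 'analytics' },
  { match: /^_gid$/, category: 'analytics' },
  { match: /^_hj/, category: 'analytics' },
  { match: /^_fbp$/, category: 'marketing' },
  { match: /^_gcl_au$/, category: 'marketing' },
  { match: /^IDE$/, category: 'marketing' },
];

// Consent model per region, following the table and Step 6: EU/UK opt-in
// for everything non-essential; California opt-out for analytics and
// marketing. Treating functional cookies as consent-free in California is an
// assumption standing in for the table's "varies elsewhere".
const CONSENT_MODEL = {
  EU:    { functional: 'opt-in', analytics: 'opt-in',  marketing: 'opt-in' },
  UK:    { functional: 'opt-in', analytics: 'opt-in',  marketing: 'opt-in' },
  US_CA: { functional: 'none',   analytics: 'opt-out', marketing: 'opt-out' },
};

function categorise(cookie) {
  const rule = KNOWN_COOKIES.find((r) => r.match.test(cookie.name));
  // An unrecognised cookie is flagged for review, never defaulted to
  // "necessary": that silent default is the misclassification regulators flag.
  return rule ? rule.category : 'unknown';
}

function consentRequired(category, region) {
  if (category === 'necessary') return 'none';
  if (category === 'unknown') return 'review';
  return CONSENT_MODEL[region][category];
}

// Cookies present before any banner interaction that should not be there
// under the region's rules: opt-in categories, plus anything unidentified.
function auditPreConsent(observed, region) {
  return observed
    .map((c) => ({ ...c, category: categorise(c) }))
    .filter((c) => ['opt-in', 'review'].includes(consentRequired(c.category, region)));
}

// Constructed snapshot of what DevTools might show on first load, before the
// banner is clicked. Note that _ga and _fbp are first-party cookies even
// though Google's and Meta's scripts set them: the domain column alone does
// not tell you a cookie's purpose.
const SAMPLE_SNAPSHOT = [
  { name: 'PHPSESSID',      domain: 'shop.example',     firstParty: true },
  { name: 'csrftoken',      domain: 'shop.example',     firstParty: true },
  { name: '_ga',            domain: '.shop.example',    firstParty: true },
  { name: '_ga_1A2B3C4D5E', domain: '.shop.example',    firstParty: true },
  { name: '_fbp',           domain: '.shop.example',    firstParty: true },
  { name: 'IDE',            domain: '.doubleclick.net', firstParty: false },
  { name: 'wp_tracker',     domain: 'shop.example',     firstParty: true },
];

// Usage: list what an EU visitor would see set before giving consent.
console.log(auditPreConsent(SAMPLE_SNAPSHOT, 'EU').map((c) => `${c.name} (${c.category})`));
```

Run the same snapshot with region US_CA and only the unidentified wp_tracker is reported, because analytics and marketing cookies are opt-out there; with EU every analytics and marketing cookie is a violation. Feed the function the cookie list exported from your scanner, or copied from DevTools in a private window before clicking anything, to get the Step 5 test as a repeatable check rather than an eyeball pass.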

Step 6: Set Up Region-Specific Rules

Cookie consent rules differ by jurisdiction. The EU and UK require opt-in consent before any non-essential cookie fires. California follows an opt-out model where you disclose cookies and let users refuse the sale or sharing of personal information. Brazil's LGPD requires opt-in consent with Portuguese-language notices. Canada's PIPEDA requires meaningful consent for tracking.

A CMP with geo-detection identifies the visitor's location via IP address and displays the appropriate consent model. EU visitors see a full opt-in banner with all non-essential cookies blocked by default. US visitors see an opt-out notice with a "Do Not Sell or Share My Personal Information" link, as required by the CCPA/CPRA. Visitors from jurisdictions without specific cookie laws might see a simplified notice or no banner at all. IP geolocation is not exact (VPNs, corporate proxies, and roaming visitors all mislocate), so configure the CMP to fall back to the opt-in model whenever the lookup is uncertain rather than to the most permissive one.

If your CMP does not support geo-detection, default to the strictest standard (EU opt-in) for all visitors.

Step 7: Write Your Cookie Policy

Your cookie policy documents what cookies your site uses, why they are used, how long they last, and whether any data is shared with third parties. It should list every cookie by name and category, not just offer a vague reference to "analytics tools."

Link to the cookie policy from your banner, from your privacy policy, and from your website footer. Keep it updated - run a fresh cookie audit whenever you add new tools or plugins, and at least quarterly using scheduled scans.

Step 8: Connect to Google Consent Mode

Google Consent Mode v2 is mandatory for any site that uses Google Ads or Google advertising features (including GA4 audiences shared with Google Ads) for visitors in the EEA and UK. It sends consent signals (the parameters ad_storage, analytics_storage, ad_user_data, and ad_personalization) to Google's tags so they adjust their behaviour based on what the visitor allowed.

When a visitor has not consented, Google tags switch to cookieless pings that support conversion modelling without storing identifiers. This recovers some measurement data that would otherwise be lost entirely. This is Google's "advanced" implementation, in which the tags load before consent but behave differently; in the "basic" implementation the tags are not loaded at all until consent is granted, which is simpler to verify in Step 9 but forgoes the modelling. Your CMP should send gtag('consent', 'update', ...) calls automatically when the visitor makes a choice.

Set region-specific defaults using Google's own consent default command so that ad_storage and analytics_storage start as denied for EEA visitors. This ensures no tracking occurs during the gap between page load and the visitor interacting with the banner.
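The following is an added example, not code from the original article, from Google, or from any CMP. It shows the core that a CMP performs across Step 5 and Step 8: setting Consent Mode v2 defaults to denied for EEA and UK visitors before any Google tag runs, holding gated scripts inert until their category is granted, and emitting the consent update when the visitor chooses. The four consent parameters, the default/update commands, wait_for_update and the region key are Google's documented API; the category-to-parameter mapping, the data-category gating convention, the injected gtag recorder and the script URLs with a placeholder measurement ID are assumptions for illustration.

```javascript
// Added example, not code from the original article, Google, or any CMP:
// the core of a minimal CMP that sets Consent Mode v2 defaults by region
// before any Google tag runs, keeps gated scripts inert until their category
// is granted, and emits the consent update on the visitor's choice. The
// consent parameters and commands are Google's; the category mapping, the
// gating convention and the recorder used in place of gtag are assumptions.

// Which Consent Mode v2 parameters each banner category controls. The v2
// additions are ad_user_data and ad_personalization.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};
const ALL_SIGNALS = Object.values(CATEGORY_TO_SIGNALS).flat();

// ISO 3166-1 codes for the EEA (EU 27 plus IS, LI, NO) and the UK: the
// regions where Step 6 requires opt-in, so their defaults must be denied.
const OPT_IN_REGIONS = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR',
  'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK',
  'SI', 'ES', 'SE', 'IS', 'LI', 'NO', 'GB',
];

function signals(state) {
  return Object.fromEntries(ALL_SIGNALS.map((s) => [s, state]));
}

class ConsentCore {
  // `gtag` is injected so this runs without Google's script; in the browser
  // pass window.gtag (the function that pushes onto window.dataLayer).
  constructor(gtag) {
    this.gtag = gtag;
    this.granted = new Set(['necessary']);
    this.pending = []; // gated scripts: { category, src }
  }

  // Must run in <head> before any Google tag loads, so "denied" covers the
  // gap between page load and the banner click. The region-scoped command
  // takes precedence over the global one for visitors in those regions;
  // wait_for_update asks tags to hold their first hit for up to 500 ms while
  // the CMP restores a previously stored choice.
  setDefaults() {
    this.gtag('consent', 'default', {
      ...signals('denied'), wait_for_update: 500, region: OPT_IN_REGIONS,
    });
    this.gtag('consent', 'default', signals('granted'));
  }

  // Register a script the page marked inert, e.g.
  //   <script type="text/plain" data-category="analytics" src="..."></script>
  // The browser does not execute an unknown type, so nothing runs yet.
  gate(script) {
    this.pending.push(script);
  }

  // The visitor's banner choice: the categories granted ([] = Reject All).
  // Sends one update covering every parameter, then releases matching scripts.
  update(grantedCategories) {
    grantedCategories.forEach((c) => this.granted.add(c));
    const state = {};
    for (const [category, params] of Object.entries(CATEGORY_TO_SIGNALS)) {
      const value = this.granted.has(category) ? 'granted' : 'denied';
      params.forEach((p) => { state[p] = value; });
    }
    this.gtag('consent', 'update', state);
    return this.release();
  }

  // Return and dequeue scripts whose category is granted. In the browser the
  // caller copies each into a fresh <script type="text/javascript"> element,
  // because changing `type` on an existing element does not execute it.
  release() {
    const ready = this.pending.filter((s) => this.granted.has(s.category));
    this.pending = this.pending.filter((s) => !this.granted.has(s.category));
    return ready;
  }
}

// Stand-alone run with a recorder in place of window.gtag: defaults, two gated
// scripts, then a visitor who grants analytics but not marketing.
function runDemo() {
  const calls = [];
  const core = new ConsentCore((...args) => calls.push(args));
  core.setDefaults();
  core.gate({ category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' });
  core.gate({ category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' });
  const released = core.update(['analytics']);
  return { calls, released, stillGated: core.pending.map((s) => s.category) };
}

const demo = runDemo();
console.log('released:', demo.released.map((s) => s.src));
console.log('still gated:', demo.stillGated);
console.log('last gtag call:', JSON.stringify(demo.calls[demo.calls.length - 1]));
```

Two things to carry into a real deployment. First, gating by type="text/plain" only covers scripts you have marked in your own HTML; anything a tag manager or another script injects never passes through gate(), which is why Step 5 pairs this with conditional firing in GTM. Second, the update call must cover every parameter, not just the ones that changed, so a Reject All click (update with an empty list) explicitly sends "denied" for all four and leaves nothing to the defaults.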

Step 9: Test, Verify, and Monitor

Testing is not optional. Check your setup across multiple browsers and devices. Use the browser's DevTools Network tab to confirm that tracking requests only fire after consent. Verify that rejecting all cookies actually stops all non-essential scripts - not just visually hiding the banner while cookies continue running in the background.

After launch, monitor consent rates and look for anomalies. An unusually high accept rate (above 90%) might indicate the banner is pressuring visitors. A regulator reviewing your setup will check exactly these patterns.

Re-scan your site monthly or after any change to your marketing stack. New plugins, updated SDKs, and tag manager modifications can all introduce cookies that bypass your consent setup.

Frequently Asked Questions

Do I need cookie consent if my site only uses Google Analytics?

Yes. Google Analytics sets cookies like _ga and _gid that track individual browsing behaviour. Under EU and UK rules, these require explicit opt-in consent before they load. Under CCPA, you must at minimum disclose their use and honour opt-out requests.

Can I use a cookie wall that blocks content until consent is given?

Most EU data protection authorities consider cookie walls non-compliant because they do not offer freely given consent. The Dutch DPA and CNIL have both stated that visitors must be able to access the site even after refusing non-essential cookies. "Consent or pay" models are a separate question - the UK ICO published guidance in 2025 acknowledging these can be lawful under specific conditions.

What happens if I do not set up cookie consent at all?

You risk fines from any data protection authority with jurisdiction over your visitors. GDPR fines can reach EUR 20 million or 4% of global annual turnover. The CNIL alone issued EUR 486 million in cumulative fines during 2025, with cookie violations among the top enforcement priorities.

How often should I re-scan my site for new cookies?

At minimum quarterly, and always after adding new plugins, changing analytics tools, or updating your tag management setup. Automated scheduled scans catch cookies that manual checks miss, especially those set by third-party scripts that update independently.

Is Google Consent Mode v2 required for my website?

If you run Google Ads or use Google advertising features serving users in the EEA or UK, Google requires Consent Mode v2 through a certified CMP. Without it, Google cannot process your conversion data for ad targeting and measurement in those regions.

Get Your Cookie Consent Right from Day One

Setting up cookie consent correctly the first time saves you from retrofitting under regulatory pressure later. Kukie.io scans your site, categorises every cookie, blocks scripts before consent, and supports Google Consent Mode v2 and IAB TCF v2.3 out of the box.

Start Free - Scan Your Website