A cookie banner is the notice that appears when a visitor first arrives on a website. Its job is to explain what cookies and tracking technologies the site uses, and to collect the visitor's consent before any non-essential cookies are set on their device. Behind the scenes, a compliant banner also blocks scripts, logs consent records, and categorises cookies by purpose.
The reason cookie banners exist at all comes down to one line of law. Article 5(3) of the ePrivacy Directive states that storing information on - or accessing information from - a user's device requires prior consent, unless the cookie is strictly necessary for a service the user explicitly requested. The GDPR then defines what valid consent looks like: freely given, specific, informed, and unambiguous, delivered through a clear affirmative action.
Pre-ticked boxes do not count. Neither does scrolling, continuing to browse, or closing the banner without making a choice. The CJEU confirmed this in its 2019 Planet49 ruling, making opt-in consent the only lawful model for non-essential cookies across the EU.
What Happens Behind the Banner
A visible pop-up is only one piece of the system. A properly implemented cookie banner relies on several technical processes working together.
Cookie scanning identifies every cookie, tracker, pixel, and script active on the site. Categorisation sorts them into groups - typically strictly necessary, functional, analytics, and marketing. Pre-consent blocking prevents non-essential scripts from firing until the visitor makes an active choice. And consent logging records exactly what each visitor agreed to, when, and how - creating an audit trail that regulators can inspect.
A banner that looks correct but fails to block cookies before consent is not compliant. France's CNIL proved this point in September 2025 when it fined SHEIN's Irish subsidiary EUR 150 million. Investigators found that advertising cookies loaded the moment a visitor landed on shein.com - before the visitor had any chance to interact with the banner.
Cookie Categories a Banner Must Present
Regulators expect banners to give visitors granular control. That means presenting cookie categories individually, so a visitor can accept analytics but reject marketing - or reject everything except strictly necessary cookies.
| Category | Purpose | Consent Required? | Examples |
|---|---|---|---|
| Strictly necessary | Core site functions: sessions, security, load balancing | No | PHPSESSID, csrf_token |
| Functional | Preferences: language, region, layout choices | Yes (in most EU jurisdictions) | pll_language, currency_pref |
| Analytics | Traffic measurement, page performance, user behaviour | Yes | _ga, _gid, _hj cookies |
| Marketing / Advertising | Ad targeting, retargeting, cross-site tracking | Yes | _fbp, IDE, NID |
Non-essential cookies - anything beyond the strictly necessary category - must be blocked until consent is recorded. Some jurisdictions treat functional cookies differently, but the safest approach is to require opt-in for all of them.
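The two sections above describe the moving parts without showing them: a category for every script, a gate that lets only strictly necessary scripts run until a choice is recorded, and a consent record a regulator could inspect. The following is an added example written for this page, not Kukie.io's code or any CMP's API. The function names, the `data-category` attribute, the four category labels and the sample script list are this example's own assumptions; the `type="text/plain"` gating technique it activates in a browser is the common CMP approach of shipping blocked scripts with a non-executable type and swapping the type once the category is permitted.

```javascript
// Added example, not Kukie.io's code: a minimal consent gate plus an audit record.
// Category names follow the table above; everything except "necessary" stays blocked
// until the visitor grants it.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

// Constructed sample of what a cookie scan might tag on a site (paths are invented).
// In the page these would ship as <script type="text/plain" data-category="analytics" src=...>.
const SAMPLE_SCRIPTS = [
  { src: "/js/session.js", category: "necessary" },
  { src: "/vendor/analytics.js", category: "analytics" },
  { src: "/vendor/ads-pixel.js", category: "marketing" },
  { src: "/js/language-switcher.js", category: "functional" },
];

// Consent state before any interaction: only strictly necessary is granted.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, marketing: false };
}

// A category may run only if it is "necessary" or explicitly granted.
// Unknown or missing categories are treated as non-essential and stay blocked.
function isAllowed(category, consent) {
  return category === "necessary" || consent[category] === true;
}

// Return the subset of scripts permitted under the given consent state.
function gateScripts(scripts, consent) {
  return scripts.filter((s) => isAllowed(s.category, consent));
}

// Build the audit record: what was granted and denied, when, how (which button),
// which banner text version was shown, and when the choice expires and must be re-asked.
function recordConsent(choices, meta) {
  const granted = CATEGORIES.filter((c) => isAllowed(c, choices));
  return {
    id: meta.id, // pseudonymous consent id, normally stored in a first-party cookie
    timestamp: meta.now.toISOString(),
    method: meta.method, // "accept_all" | "reject_all" | "customise"
    bannerVersion: meta.bannerVersion,
    granted,
    denied: CATEGORIES.filter((c) => !granted.includes(c)),
    expires: new Date(meta.now.getTime() + meta.ttlDays * 86400000).toISOString(),
  };
}

// Browser only: turn each blocked <script type="text/plain" data-category=...> whose
// category is now permitted into a live script by recreating it without the blocking type.
// Returns the number of scripts activated (0 outside a DOM, e.g. under Node).
function activateGatedScripts(consent, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-category]')) {
    if (!isAllowed(el.dataset.category, consent)) continue;
    const live = doc.createElement("script");
    for (const { name, value } of el.attributes) {
      if (name !== "type") live.setAttribute(name, value);
    }
    live.textContent = el.textContent;
    el.replaceWith(live); // inserting the new element is what executes it
    activated++;
  }
  return activated;
}
```

On a fresh visit the page calls `activateGatedScripts(defaultConsent())`, which only releases the necessary scripts; after the visitor saves preferences it stores `recordConsent(choices, ...)` server-side and calls `activateGatedScripts(choices)`. The record keeps both the granted and the denied lists so that a Reject All click is as auditable as an Accept All.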
Legal Requirements by Region
Cookie banner rules differ depending on where your visitors are located, not just where your business is based. The GDPR's territorial scope means a website in Toronto serving EU visitors still needs a compliant banner for those users.
EU and EEA
The ePrivacy Directive and GDPR work together. Article 5(3) of the ePrivacy Directive requires consent before setting non-essential cookies. The GDPR defines what valid consent looks like under Article 7. National data protection authorities then enforce both, sometimes with different emphases. The French CNIL requires equal visual treatment of Accept and Reject buttons. Germany's TTDSG demands consent for all analytics cookies without exception. Spain allows narrowly configured, privacy-focused first-party analytics without consent.
The European Commission's Digital Omnibus proposal, published in November 2025, would shift cookie rules from the ePrivacy Directive into the GDPR framework and introduce exemptions for aggregated audience measurement. Browser-based consent preference signals are also on the roadmap - but the technical standards do not exist yet, and the proposal must still pass through Parliament and Council. Until these reforms are adopted, the current opt-in regime remains fully in force.
United Kingdom
The UK GDPR and the Privacy and Electronic Communications Regulations (PECR) mirror the EU's opt-in approach. The ICO reviewed the top 100 UK websites in late 2023, issuing formal warnings to 53 of them. In January 2025, it expanded this programme to the top 1,000 websites as part of its online tracking strategy. The Data Use and Access Act 2025 introduced narrow exemptions for cookies used for security and age verification, but analytics and advertising cookies still require prior consent.
United States
The CCPA and CPRA use an opt-out model rather than opt-in. Websites must disclose cookie usage and provide a "Do Not Sell or Share My Personal Information" link. Consent banners are not legally mandated in most US states, but websites serving both EU and US traffic need geo-targeted banners that show the correct consent model for each visitor's location.
Brazil, South Africa, and Canada
Brazil's LGPD requires a lawful basis for processing personal data, with consent being the most common for cookies. POPIA in South Africa follows a similar consent-based model. PIPEDA in Canada requires meaningful consent for cookie-based data collection, though its rules are less prescriptive about banner design.
What a Compliant Banner Looks Like
Regulators across Europe have been specific about what they expect. The EDPB published five cookie banner guidelines in January 2023, responding to complaints filed by the privacy rights group noyb.
The first layer of the banner must include an Accept All button and a Reject All button with equal visual prominence - same size, same font weight, same level. Austria's highest court ruled in 2025 that a coloured Accept button paired with a grey Reject text link violates GDPR parity requirements. The CNIL fined Google EUR 325 million in September 2025 partly because rejecting personalised advertising required six clicks, while accepting required only two.
A Customise or Manage Preferences link must lead to a second layer where visitors toggle individual cookie categories. The banner must also disclose the purpose of each category, storage duration, data controller identity, and how to withdraw consent. Withdrawal must be as easy as giving consent.
Dark Patterns That Trigger Fines
Manipulative banner designs - known as dark patterns - are now one of the highest-risk compliance issues. The Belgian DPA threatened daily fines of EUR 25,000 to four press websites at the end of 2024 for using dark patterns in their consent banners. Sweden's IMY took enforcement action in April 2025 against companies for pre-selecting non-essential cookie categories.
The violations regulators target include asymmetric buttons (a bold Accept next to a faded Reject link), extra rejection steps, pre-checked toggles for non-essential cookies, consent walls that block access until cookies are accepted, and confusing language that obscures the visitor's actual choice.
Google Consent Mode and Cookie Banners
Google Consent Mode v2 became mandatory in March 2024 for websites using Google advertising and measurement products in the EEA. A compliant cookie banner must send accurate consent signals to Google's tags. If a visitor rejects marketing cookies, the banner must signal ad_storage: denied and ad_personalization: denied to Google's scripts.
Without correct integration, Google disables conversion tracking, remarketing, and audience building for non-compliant sites. The Google EU User Consent Policy requires websites to obtain verifiable consent before transmitting data to Google.
An IAB TCF v2.3-compliant banner is also required for websites running ads through Google AdSense, Google Ad Manager, or AdMob. The Transparency and Consent Framework standardises how consent choices flow between the visitor, the website, and ad tech vendors.
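The Consent Mode paragraphs above name the signals but not how a banner emits them. The following added example shows the exchange in code; it is not Google's or Kukie.io's code. The `gtag('consent', 'default', ...)` and `gtag('consent', 'update', ...)` calls, the four v2 signal names (`ad_storage`, `ad_user_data`, `ad_personalization`, `analytics_storage`) and `wait_for_update` are Google's documented Consent Mode API; the category-to-signal mapping, the `dataLayer` stub and the helper names are this example's own assumptions. The example generalises slightly beyond the page by mapping the analytics category as well as marketing.

```javascript
// Added example, not Google's or Kukie.io's code: emitting Consent Mode v2 signals
// from a banner's category choices. The dataLayer/gtag stub is the standard snippet
// that must appear before any Google tag loads; under Node it simply collects calls.
const dataLayer = globalThis.dataLayer || [];
function gtag() { dataLayer.push(arguments); }

// Map banner categories to Consent Mode v2 signals. Rejecting marketing denies all
// three ad signals; rejecting analytics denies analytics_storage. Anything not
// explicitly granted is "denied", so an empty choice object means "deny everything".
function consentSignalsFor(choices) {
  const ads = choices.marketing === true ? "granted" : "denied";
  return {
    ad_storage: ads,
    ad_user_data: ads,
    ad_personalization: ads,
    analytics_storage: choices.analytics === true ? "granted" : "denied",
  };
}

// Runs before the Google tag: everything denied until the visitor chooses.
// wait_for_update (ms) lets the CMP restore a stored choice before tags fire.
function setConsentDefaults() {
  const defaults = { ...consentSignalsFor({}), wait_for_update: 500 };
  gtag("consent", "default", defaults);
  return defaults;
}

// Called on Accept All, Reject All, or when preferences are saved (and on later
// page views, replaying the stored choice) so tags see the visitor's actual decision.
function applyConsentChoice(choices) {
  const update = consentSignalsFor(choices);
  gtag("consent", "update", update);
  return update;
}

// Inspect the most recent consent command pushed to the dataLayer; useful when
// testing that a Reject All click really produced "denied" signals.
function lastConsentCommand() {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const a = dataLayer[i];
    if (a[0] === "consent") return { action: a[1], params: a[2] };
  }
  return null;
}
```

Order matters: `setConsentDefaults()` must execute before the Google tag script is loaded, otherwise the tag runs with no consent state and behaves as if everything were granted. The `lastConsentCommand()` helper is the kind of check to run in the browser console after clicking Reject All during the testing step.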
How to Set Up a Cookie Banner That Works
Start with a cookie scan. You cannot write accurate disclosures or configure proper blocking if you do not know what cookies your site actually sets. Many websites discover cookies from third-party scripts, embedded videos, or social media widgets they were unaware of.
Choose a consent management platform (CMP) that handles automatic script blocking, consent logging, geo-detection, and Google Consent Mode integration. Run scheduled scans regularly, because new cookies can appear any time a developer adds a plugin or analytics tool.
Configure region-specific rules. EU visitors see an opt-in banner. US visitors covered by the CCPA see an opt-out notice. Visitors from jurisdictions with no specific cookie law may see a simplified notice or none at all.
Test the banner after setup. Verify that non-essential cookies are blocked before consent and that rejecting cookies actually stops tracking. Review cookie durations to ensure nothing exceeds the 13-month guidance that many DPAs follow.
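The testing step above says to verify two things: that non-essential cookies are not set before consent, and that no cookie outlives the 13-month guidance. The following added example turns that into a repeatable audit; it is not Kukie.io's code. It takes the `Set-Cookie` headers captured from a fresh page load (the sample list is constructed for this example), classifies each cookie with the names from the categories table, and reports both kinds of finding. The parser, category map and function names are this example's own assumptions.

```javascript
// Added example, not Kukie.io's code: audit the cookies a page set on first load,
// before any banner interaction, against the consent state and a 13-month lifetime cap.

// Cookie names taken from the categories table above; anything else is "unknown",
// which the audit treats as non-essential until a scan classifies it.
const CATEGORY_BY_NAME = {
  PHPSESSID: "necessary", csrf_token: "necessary",
  pll_language: "functional", currency_pref: "functional",
  _ga: "analytics", _gid: "analytics",
  _fbp: "marketing", IDE: "marketing", NID: "marketing",
};

// Constructed sample: Set-Cookie headers observed on a fresh load with no consent given.
const OBSERVED_SET_COOKIE = [
  "PHPSESSID=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "csrf_token=def456; Path=/; Secure; SameSite=Strict",
  "_ga=GA1.1.111.222; Max-Age=63072000; Path=/",        // 2 years
  "_fbp=fb.1.1700000000.555; Max-Age=7776000; Path=/",  // 90 days
  "NID=xyz; Expires=Mon, 01 Jun 2026 10:00:00 GMT; Path=/",
];

// Parse one Set-Cookie header into { name, value, attrs } with attribute names lower-cased.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf("=");
    const k = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Lifetime in milliseconds, or null for a session cookie. Max-Age takes precedence
// over Expires, as browsers apply it.
function lifetimeMs(cookie, setAt) {
  if (cookie.attrs["max-age"] !== undefined) return Number(cookie.attrs["max-age"]) * 1000;
  if (cookie.attrs.expires !== undefined) return Date.parse(cookie.attrs.expires) - setAt.getTime();
  return null;
}

// Report every cookie set without consent for its category and every cookie whose
// lifetime exceeds 13 months from the time it was set. `consent` defaults to the
// pre-interaction state, where only necessary cookies are permitted.
function auditPreConsentCookies(headers, setAt, consent = { necessary: true }) {
  const cap = new Date(setAt);
  cap.setUTCMonth(cap.getUTCMonth() + 13);
  const maxMs = cap.getTime() - setAt.getTime();
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const category = CATEGORY_BY_NAME[c.name] || "unknown";
    if (!(category === "necessary" || consent[category] === true)) {
      findings.push({ name: c.name, category, issue: "set_before_consent" });
    }
    const ms = lifetimeMs(c, setAt);
    if (ms !== null && ms > maxMs) {
      findings.push({ name: c.name, category, issue: "lifetime_over_13_months", days: Math.round(ms / 86400000) });
    }
  }
  return findings;
}
```

Run the same audit twice during testing: once on a fresh load with the default consent state, where any non-necessary finding means pre-consent blocking is broken, and once after clicking Reject All, where the capture should contain only necessary cookies. An empty findings list is the pass condition; the lifetime check is independent of consent, so an over-long `_ga` is reported even when analytics has been granted.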
Frequently Asked Questions
Does every website need a cookie banner?
If your website sets any non-essential cookies and has visitors from the EU, UK, Brazil, or other jurisdictions with consent requirements, yes. A website that uses only strictly necessary cookies - and genuinely no analytics, marketing, or functional cookies - does not legally need a banner under most laws, though this is rare in practice.
Can I use a cookie wall that blocks access until visitors accept?
The EDPB, CNIL, and ICO have all taken the position that consent walls - where a visitor cannot access the website without accepting cookies - invalidate consent because it is not freely given. Some narrow exceptions exist for paid content models, but for most websites, cookie walls are not compliant.
How often should I rescan my website for cookies?
At least monthly. New cookies can appear whenever a developer adds a plugin, updates a script, or embeds third-party content. Scheduled scans catch these changes automatically, keeping your banner disclosures accurate.
What happens if my Reject button does not actually block cookies?
Regulators treat this as a serious violation. The CNIL fined SHEIN EUR 150 million in 2025 partly because the opt-out mechanism did not function correctly - cookies kept firing after visitors clicked Reject All. A non-functional reject button can attract heavier penalties than having no banner at all.
Do US websites need a cookie banner?
No US federal law requires a cookie consent banner. The CCPA and CPRA require an opt-out link for data sales and sharing, but not a pre-consent pop-up. If your US-based website serves EU or UK visitors, you need a geo-targeted banner for those users.
Is legitimate interest a valid legal basis for setting cookies?
Under the current ePrivacy Directive, no - non-essential cookies require consent regardless of any GDPR legal basis. The EU Commission's November 2025 Digital Omnibus proposal would permit legitimate interest for certain low-risk cookies like aggregated audience measurement, but this reform has not been adopted yet. Until it is, consent remains the rule.
How long can a consent preference last before I need to ask again?
Most DPAs accept consent durations of 6 to 12 months. The Digital Omnibus proposal includes a rule preventing websites from re-asking for consent within six months of a refusal. If a visitor has given consent, you do not need to show the banner again until that consent record expires.
Get Your Cookie Banner Right
Cookie banner compliance is not optional, and regulators have moved well past the warning stage. The combined EUR 475 million in fines issued to Google and SHEIN in September 2025 made that clear. Scan your site, block scripts before consent, present equal Accept and Reject options, and log every choice.
Kukie.io detects, categorises, and blocks cookies automatically - with geo-targeted banners, Google Consent Mode v2 integration, and a consent log that satisfies audit requirements.