Cookie Consent Banner Compliance

Cookie consent banners are ubiquitous on the web, and most of them are non-compliant. The problem is not that websites lack a banner, but that their banners do not actually work. Scripts fire before consent is given, reject options are hidden behind extra clicks, and accept buttons are visually emphasized to manipulate user choice.

Under the ePrivacy Directive and GDPR, cookie consent is not a formality, it is a legal requirement with real enforcement. France's CNIL has issued over €200 million in fines specifically for non-compliant cookie consent implementations. And it is not just large companies: small businesses, individual professionals, and startups have been fined too.

This guide explains what a legally compliant cookie consent mechanism looks like, the dark patterns that make banners non-compliant, and exactly how to build a banner that satisfies regulators while still allowing you to use cookies and trackers for legitimate purposes. For official guidelines, refer to the European Data Protection Board (EDPB) Guidelines on consent.

The Legal Definition

Under EU law, you need explicit consent before dropping non-essential cookies on a user's device. “Non-essential” means any cookie not strictly required for the core functionality the user requested, this includes analytics, advertising, session replay, and social media trackers.

Valid consent under the GDPR has five requirements:

Enforcement and Trust

• Active enforcement: EU regulators are using automated scanning tools to detect non-compliant banners at scale. This is not theoretical, fines are being issued regularly.
• Significant fines: Google received €150M, Amazon €35M, and Criteo €40M specifically for cookie consent violations.
• Dark pattern crackdowns: The EDPB (European Data Protection Board) has released specific guidelines on what constitutes a dark pattern in consent interfaces. Violations are actively pursued.
• User trust: A manipulative consent banner signals to privacy-conscious users that you do not respect their choices, damaging brand perception.
• Enterprise readiness: B2B buyers increasingly evaluate vendor cookie compliance during procurement. A non-compliant banner can disqualify you from enterprise sales.

The correct flow is simple but critical:

1. Page loads → Only essential scripts (e.g., authentication, server-side rendering) execute.
2. Consent banner appears → Shows cookie categories with equal Accept and Reject options.
3. User makes a choice → Their preference is stored in a first-party cookie.
4. If accepted → Non-essential scripts (analytics, ads) fire dynamically.
5. If rejected → Non-essential scripts remain blocked indefinitely.

1. Test before consent: Open your site in an incognito window. Before clicking the consent banner, check DevTools → Application → Cookies and Network tab. If non-essential cookies or analytics requests appear, your banner is non-functional.
2. Test rejection: Click “Reject All” and check whether analytics/ad cookies still appear. If they do, your rejection mechanism is broken.
3. Run an automated scan: Use the Cookie Scanner to identify all cookies set before and after consent, and verify that non-essential cookies are properly gated.
4. Check button prominence: Compare Accept and Reject buttons. Are they the same size, color, and click count? If Reject requires an extra step (e.g., “Manage Settings”), this may violate equal prominence requirements.
5. GDPR compliance check: Run the GDPR Quick Check for a comprehensive assessment including consent banner behavior.

Implementation Steps

1. Block all non-essential scripts by default: Use type="text/plain" or a tag manager's consent mode to prevent scripts from executing until consent is obtained.
2. Provide equal Accept and Reject buttons: Same size, same visual weight, same number of clicks. A “Reject All” button should be on the first screen, not behind a “Manage Settings” link.
3. Categorize cookies: Group cookies into categories (Essential, Analytics, Marketing) with individual toggles. Essential cookies should be permanently enabled and clearly labeled.
4. Explain purposes: Briefly describe what each category does and which services use the cookies in that category.
5. Fire scripts dynamically on accept: When the user accepts, load analytics and ad scripts via JavaScript injection, never hardcode them in the HTML.

1. Test consent in incognito mode, this simulates a first-time visitor with no existing consent cookie. Verify that no non-essential scripts fire.
2. Make withdrawal easy, include a persistent way to change preferences (footer link or floating button). Withdrawing consent should be as easy as giving it.
3. Re-prompt periodically, re-request consent every 6–12 months, or whenever you add new cookie categories or change vendors.
4. Log consent records, store a record of when consent was given, what was accepted, and the version of your privacy policy at the time. This is your evidence in case of regulatory inquiry.
5. Avoid dark patterns, no pre-ticked boxes, no asymmetric button styling, no guilt-tripping copy (“No thanks, I don't care about my experience”).
6. Integrate with security headers, a strong CSP provides an additional technical enforcement layer that blocks unauthorized scripts even if your consent mechanism has a bug.

A compliant cookie consent banner is not just about displaying a popup, it is about ensuring that non-essential scripts genuinely do not execute until the user explicitly opts in. This requires technical implementation (script gating), design compliance (equal button prominence), and ongoing monitoring (regular audits).

With regulators actively scanning for violations and issuing significant fines, getting consent right is no longer optional. Start by testing your banner in incognito mode, audit your cookies, and ensure your rejection mechanism actually works.