- GDPR
- cookie consent
- ePrivacy
- compliance
- web development
Most cookie banners you see online are not compliant with EU law — and regulators have stopped treating that as a minor technicality. In September 2025 alone, France's data protection authority (CNIL) fined Google €325 million and Shein €150 million, largely over cookie violations. This guide sets out what a legally compliant cookie banner must do in 2026, the mistakes that draw fines, and how to get it right without breaking your website.
The two laws that apply
Cookie consent in the EU sits on two pieces of legislation working together.
The first is the ePrivacy Directive (2002/58/EC). Its Article 5(3) says that storing information on, or reading information from, a user's device is only allowed if the user has given consent — with one exception: cookies that are "strictly necessary" to provide a service the user explicitly requested. This covers cookies and any similar technology (local storage, pixels, device fingerprinting), not just cookies in the narrow sense.
The second is the GDPR, which defines what valid "consent" actually means: it must be freely given, specific, informed and unambiguous, given by a clear affirmative action (Article 4(11) and Article 7). Pre-ticked boxes and "by continuing to browse you agree" banners do not meet this standard — the Court of Justice confirmed as much in the Planet49 ruling.
Put simply: non-essential cookies must not load until the user actively opts in.
Sources: EUR-Lex — ePrivacy Directive 2002/58/EC, EDPB Guidelines 2/2023 on the scope of Art. 5(3).
What a compliant cookie banner must do
Drawing on the EDPB Cookie Banner Taskforce report (18 January 2023), which coordinated how national regulators assess banners, a compliant setup needs all of the following.
- Block non-essential cookies until consent. Analytics, advertising, functional and social-embed cookies must not fire on page load. Only strictly necessary cookies (session, security, load-balancing, and the tool that remembers the user's cookie choice) may run without consent.
- Reject must be as easy as accept. If the first layer of your banner has an "Accept all" button, it must also have a "Reject all" button of equal prominence on that same layer. Burying rejection behind a "Settings" or "Manage" link is not compliant.
- Offer granular choice. Users must be able to consent by category or purpose — analytics separately from advertising, for example. All non-essential toggles must be off by default.
- No legitimate interest for tracking. You cannot claim "legitimate interest" as a legal basis for advertising or analytics cookies to sidestep consent. For non-essential cookies, consent is the only valid basis.
- Easy withdrawal. Taking back consent must be as easy as giving it — typically a small persistent icon or link that reopens the preferences panel.
- Clear, honest information. State what each cookie category does, who the third parties are, and roughly how long cookies last, in plain language.
- Keep records. Under GDPR Article 7(1) you must be able to demonstrate that each user consented. A proper consent-management tool logs the choice, timestamp and banner version.
The common mistakes that draw fines
The regulators keep flagging the same design patterns. Avoid these.
- Accept button but no reject on the first layer. The single most cited failure. This is exactly what the CNIL penalised in its 2025 actions.
- Deceptive contrast. A bright, colourful "Accept all" next to a greyed-out or barely visible "Reject" is treated as nudging, not free choice.
- Cookies firing before consent. Many sites load Google Analytics or the Meta pixel on page load and only then show a banner. By that point the tracking has already happened.
- Pre-ticked boxes or "on by default" toggles. Consent must be a positive action, so defaults must be off.
- Mislabelling cookies as "essential". Analytics and advertising are not strictly necessary. Calling them essential to avoid a consent option is non-compliant.
- No way to withdraw. A banner with no persistent settings link fails the "as easy to withdraw as to give" test.
How to implement it in practice
You do not need to build a consent engine from scratch. The realistic path for a small business is:
- Audit what you actually run. List every cookie and script your site sets, and sort them into essential vs. analytics vs. advertising vs. functional. You can get a quick read on where you stand with our free GDPR / cookie checker before you change anything.
- Add a consent management platform (CMP). Tools such as Cookiebot, CookieYes, Osano, Complianz or Klaro present a compliant banner and, crucially, block tagged scripts until the matching consent is given. This "prior blocking" is the part people most often get wrong when hand-coding.
- Wire tracking behind consent. Route Google Analytics, ads pixels and similar through Google Consent Mode or your CMP's blocking, so they only run once the user has said yes to that category.
- Test it. Open your site in a fresh private window, open the browser's developer tools, and confirm no analytics or advertising cookies appear before you click "Accept". Then check that "Reject all" genuinely stops them.
- Keep the records. Make sure your CMP stores consent logs — you will want them if a regulator ever asks.
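As an added example (not code from the article or from any of the CMPs it names), here is the core of what a CMP does for you, in JavaScript: tagged scripts stay inert until the matching category is consented to, each choice is recorded with timestamp and banner version, withdrawal resets everything to off, and a small audit helper supports the "test it" step. The category names, BANNER_VERSION, the data-consent tag attribute and the sample cookie classification are assumptions.

```javascript
// Added example (not from the article or any CMP vendor): a minimal consent
// gate implementing "prior blocking" for tagged scripts, the consent record
// GDPR Art. 7(1) asks for, and an audit of cookies seen before any click.
// Category names, BANNER_VERSION and the tag fields are assumptions.
const CATEGORIES = ["analytics", "advertising", "functional"]; // non-essential
const BANNER_VERSION = "2026-01"; // hypothetical id of the banner text/version

// Default state: every non-essential toggle is off (no pre-ticked boxes).
function defaultConsent() {
  const granted = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  return { version: BANNER_VERSION, timestamp: null, granted };
}

// Record the user's choice per category. Only a strict `true` counts as
// consent; "Reject all" is saveConsent({}) and is logged like acceptance so
// that either outcome can be demonstrated later.
function saveConsent(choices, now = Date.now()) {
  const record = defaultConsent();
  for (const c of CATEGORIES) record.granted[c] = choices[c] === true;
  record.timestamp = now;
  return record;
}

// Withdrawal is one call, as easy as giving consent: everything back to off.
const withdrawConsent = (now = Date.now()) => saveConsent({}, now);

// Scripts are shipped as <script type="text/plain" data-consent="analytics">,
// which the browser never executes. Given those tags (plain objects here, so
// this runs outside a browser) return the ones the record now allows; the
// caller clones each into a real <script> element to activate it.
function scriptsToActivate(tags, record) {
  return tags.filter((t) => t.type === "text/plain" && record.granted[t.category] === true);
}

// Audit helper for the "test it" step: cookie names observed in a fresh private
// window before any click, checked against your own classification. Anything
// not classified as essential (including unknown names) is flagged.
function cookiesFiringBeforeConsent(observedCookies, classification) {
  return observedCookies.filter((n) => classification[n] !== "essential");
}

// Constructed sample data: two tagged scripts and cookies a pre-consent page
// load set. _ga (Google Analytics) and _fbp (Meta pixel) are real names.
const TAGS = [
  { src: "https://example.invalid/analytics.js", type: "text/plain", category: "analytics" },
  { src: "https://example.invalid/ads.js", type: "text/plain", category: "advertising" },
];
const PRE_CONSENT_COOKIES = ["PHPSESSID", "_ga", "_fbp"];
const CLASSIFICATION = { PHPSESSID: "essential", _ga: "analytics", _fbp: "advertising" };
```

Run the audit helper against what developer tools show in a fresh private window: an empty result before any click is the pass condition described in the "Test it" step.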
Cookies are only one slice of your obligations. If you handle any personal data at all, read our companion guide on GDPR for small websites to cover privacy notices, data requests and processing records. And if you are still setting things up, cookie consent is one item on the wider list in how to start an online business in Europe.
This is general information, not legal or tax advice — rules vary by country and change; confirm with a qualified professional before acting.
Get it done properly
A compliant banner is not just a legal box to tick — done well, it is invisible to genuine users and keeps you off the regulators' radar. If you would rather it were handled correctly the first time, we build it into every site we ship: see web development, or book a free consultation and we will review your current setup and tell you exactly what needs fixing.
Sources: EDPB Cookie Banner Taskforce report; EUR-Lex — ePrivacy Directive 2002/58/EC; CNIL enforcement, September 2025.