Cookie consent banners are one of the most visible compliance elements on any website — and one of the most commonly implemented incorrectly. Regulators across Europe and the UK are actively enforcing cookie consent requirements, issuing fines to businesses of all sizes. This guide explains what a compliant banner looks like, what non-compliant banners look like, and how to get it right.

What is Valid Cookie Consent Under GDPR?

Under UK GDPR and the Privacy and Electronic Communications Regulations (PECR), valid consent for non-essential cookies must be:

  • Prior: Non-essential cookies must not be set before consent is given
  • Freely given: The user must have a genuine choice — refusing cannot result in a degraded service
  • Specific: Users should be able to consent by category (analytics, advertising, functional) rather than accepting everything at once
  • Informed: The banner must explain what cookies are used and why
  • Unambiguous: Consent must be a clear affirmative action — no pre-ticked boxes
  • Withdrawable: Users must be able to withdraw consent as easily as they gave it

What a Compliant Cookie Banner Includes

A fully compliant cookie consent banner should contain:

  • A brief explanation of why you use cookies and what categories you use
  • An "Accept All" button
  • A "Reject All" button (as prominent as "Accept All")
  • A "Manage Preferences" or "Customise" option for granular control
  • Links to your Cookie Policy and Privacy Policy
  • A mechanism to withdraw or change consent later (typically a floating button or footer link)

Common Non-Compliant Patterns (Dark Patterns)

Regulators have identified and penalised these common dark patterns:

  • No "Reject All" option: Offering only "Accept" and "Manage Preferences" — users must click through multiple screens to refuse, while accepting is one click. This is not freely given consent.
  • Pre-ticked boxes: Displaying cookie category checkboxes already ticked. Consent must be an active choice.
  • Asymmetric prominence: "Accept" displayed in a bold, coloured button; "Reject" displayed as a small grey link. Both options must be equally easy to see and click.
  • Buried reject option: Making users click "Manage Preferences," then scroll through a long list, then click "Reject All" — when accepting is a single prominent button.
  • Cookies set before consent: Placing analytics or advertising cookies the moment the banner appears, before the user responds. This is one of the most common violations.
  • Misleading language: Treating "Continue browsing" as implied acceptance, or treating a user who clicks away from the banner as having consented (under GDPR, neither counts as consent).

Google Consent Mode v2

If your website uses Google Analytics or Google Ads, Google Consent Mode v2 is essential. Since March 2024, Google requires all websites serving EU/UK users to implement Consent Mode v2 or face loss of measurement functionality in Google Analytics and conversion tracking.

Consent Mode v2 works by:

  • Allowing Google tags to load but restricting data collection until consent is given
  • Sending anonymised, aggregate "signals" to Google for users who reject cookies
  • Using modelled data to fill gaps in conversion tracking while respecting user choices

Most cookie consent platforms (Cookiebot, CookieYes, etc.) integrate with Consent Mode v2 automatically.
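For sites that wire the banner to Google tags by hand, the sketch below shows the default-denied and update steps. It is an added example, not code from Google or from any of the platforms named here; the `CATEGORY_SIGNALS` mapping and the banner category names are assumptions, while the four signal names and the `gtag('consent', ...)` calls are the Consent Mode v2 API.

```javascript
// Added example: maps banner categories to Consent Mode v2 signals.
// CATEGORY_SIGNALS and the category names are assumptions for illustration.
const dataLayer = (globalThis.dataLayer = globalThis.dataLayer || []);
function gtag() { dataLayer.push(arguments); } // standard gtag shim

const CATEGORY_SIGNALS = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Build the consent state: every signal is denied unless the user
// explicitly granted its category (only a strict `true` counts).
function toConsentState(choices) {
  const state = {};
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    const granted = choices[category] === true;
    for (const signal of signals) state[signal] = granted ? 'granted' : 'denied';
  }
  return state;
}

// Run this before any Google tag sends data: everything starts denied.
function setDefaultConsent() {
  const state = toConsentState({});
  gtag('consent', 'default', state);
  return state;
}

// Call from the banner's Accept / Reject / Save Preferences handlers.
function applyBannerChoice(choices) {
  const state = toConsentState(choices);
  gtag('consent', 'update', state);
  return state;
}

// Constructed usage: page load, then a user who accepts analytics only.
setDefaultConsent();
applyBannerChoice({ analytics: true, advertising: false });
```

Because only a strict `true` grants a category, a missing or malformed choice fails closed to `denied`.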

Free and Low-Cost Cookie Consent Solutions

You don't need to build a consent banner from scratch. Options include:

  • Cookiebot: Free for sites with fewer than 100 pages. Automatically scans your site for cookies and generates a compliant banner.
  • CookieYes: Free tier available. Supports Consent Mode v2 and generates a cookie policy automatically.
  • Osano: Free tier for small sites. US-based with good CCPA and GDPR support.
  • Klaro: Open-source and self-hosted. Good for technical users who want full control.
  • WordPress users: GDPR Cookie Consent (WebToffee) and Complianz are popular plugins with free tiers.

Storing and Proving Consent

GDPR's accountability principle requires you to be able to demonstrate that consent was properly obtained. A good consent management platform stores:

  • When consent was given
  • What version of the banner was shown
  • Which categories were accepted or rejected
  • The IP address or session ID associated with the consent record

This consent log is your evidence if a regulator or user challenges your compliance.

Withdrawing Consent

Users must be able to withdraw consent as easily as they gave it. Common implementations:

  • A persistent "Cookie Settings" link in the footer of every page
  • A floating cookie icon in the corner that reopens the preference panel
  • A link from your cookie policy to the preference management panel

When a user withdraws consent, non-essential cookies must be deleted and the relevant third-party scripts must stop firing.
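The consent record described under "Storing and Proving Consent" and the withdrawal step above can share one small module. This is an added example, not part of any consent platform; `COOKIE_INVENTORY`, `BANNER_VERSION`, the cookie names and the session ID format are constructed for illustration.

```javascript
// Added example. The inventory, banner version and cookie names are constructed.
const COOKIE_INVENTORY = {
  session_id: 'necessary',
  _analytics_demo: 'analytics',
  _ads_demo: 'advertising',
};
const BANNER_VERSION = 'banner-v3'; // placeholder for the version shown to the user
const consentLog = []; // in production: an append-only, server-side store

// Record one decision with the fields a regulator would ask for:
// when, which banner version, which categories, which session.
function recordConsent(sessionId, choices, now = new Date()) {
  const record = Object.freeze({
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    sessionId,
    accepted: Object.keys(choices).filter((c) => choices[c] === true),
    rejected: Object.keys(choices).filter((c) => choices[c] !== true),
  });
  consentLog.push(record);
  return record;
}

// Extract cookie names from a document.cookie-style string.
function cookieNames(cookieString) {
  return cookieString.split(';').map((p) => p.split('=')[0].trim()).filter(Boolean);
}

// Expiry strings for every cookie whose category is not consented to.
// Cookies missing from the inventory are treated as non-essential.
function cookiesToExpire(cookieString, choices) {
  return cookieNames(cookieString)
    .filter((name) => {
      const category = COOKIE_INVENTORY[name];
      return category !== 'necessary' && choices[category] !== true;
    })
    .map((name) => `${name}=; Max-Age=0; Path=/`);
}

// Withdrawal: log the new decision, then return the deletions to apply
// (in a browser, assign each string to document.cookie).
function withdrawConsent(sessionId, cookieString) {
  const choices = { analytics: false, advertising: false };
  recordConsent(sessionId, choices);
  return cookiesToExpire(cookieString, choices);
}
```

A deletion only takes effect when its `Path` and `Domain` match the values the cookie was set with, and `HttpOnly` cookies have to be expired by the server in a `Set-Cookie` response header.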


Frequently Asked Questions

What makes a cookie consent banner GDPR compliant?

A compliant banner must appear before non-essential cookies are set, offer a genuine "Reject All" option as prominently as "Accept All," not use pre-ticked boxes, allow granular control by category, let users withdraw consent, and link to your cookie and privacy policies.

Is a cookie notice enough, or do I need a full consent banner?

A simple notice is not enough under GDPR. You need genuine prior consent — an active, informed choice before non-essential cookies are set. A notice that informs after cookies are already placed does not meet GDPR standards.

Can I make the 'Reject' button harder to find than the 'Accept' button?

No. Regulators consistently rule that making the reject option less prominent violates the requirement for freely given consent. Accept and Reject options must be equally prominent and accessible.

Do I need cookie consent for strictly necessary cookies?

No. Strictly necessary cookies — session cookies, security cookies — do not require consent. You must still disclose them in your cookie policy, but no consent mechanism is needed for these.

What free tools can I use to add a GDPR cookie banner?

Popular free or freemium options include Cookiebot (free under 100 pages), CookieYes, Osano, and Klaro (open-source). WordPress users can use GDPR Cookie Consent or Complianz plugins. Most integrate with Google Consent Mode v2.

