GDPR-compliant cookie banner: the complete guide
2 March 2026 · FlowConsent
TL;DR
A GDPR-compliant cookie banner must allow users to accept or decline trackers with the same degree of simplicity, before any non-essential cookie is set. Regulators require a clearly visible reject option, effective script blocking before consent, and verifiable proof of consent. This article covers the rules you need to follow, the most common mistakes, and a concrete method to configure your banner correctly.
Why your cookie banner is a critical compliance element
The cookie banner is often the first interaction between a visitor and your website. It is also the first element regulators check during an audit. Under the ePrivacy Directive (Article 5.3), transposed into national laws across the EU, prior consent is required before setting any non-essential tracker. The GDPR complements this framework by requiring that consent be freely given, specific, informed, and unambiguous.
The stakes are both legal and operational. A misconfigured banner exposes your organization to enforcement actions from data protection authorities. It also corrupts your analytics data (cookies set without consent produce legally unusable data) and erodes user trust.
What it actually impacts
Cookie banner compliance touches several dimensions of your website. On the legal side, a non-compliant banner is a breach of privacy regulations. On the analytics side, trackers set before consent rest on no valid legal basis. On UX, a deceptive or intrusive banner increases bounce rates and damages trust. On SEO, a banner that blocks initial rendering or causes layout shift can affect your Core Web Vitals scores.
Symptoms of a non-compliant banner
- An accept button that is visually more prominent than the reject option (through color, size, or placement).
- Cookies already set before any user interaction with the banner (verifiable via browser developer tools).
- A settings button offered instead of a clear reject button at the first level.
- No mechanism for withdrawing consent after it has been given.
- No server-side proof of consent stored.
The rules you need to follow
What the regulations require
The legal framework rests on three pillars. The ePrivacy Directive (Article 5.3), transposed into national laws, requires prior consent for any non-essential tracker. The GDPR (Articles 4.11 and 7) defines the conditions for valid consent: freely given, specific, informed, and unambiguous, demonstrated through a clear affirmative action. National guidance from data protection authorities (such as the CNIL in France, the ICO in the UK, or the DPA in Germany) provides practical recommendations on how to collect consent.
Concrete requirements for the banner
The banner must inform users about the purposes of the trackers at the first level (a brief description of the objectives). It must offer a rejection mechanism that is as simple as acceptance. Regulators across Europe recommend a reject all button at the same level and in the same format as the accept all button. A settings button next to accept all is not sufficient, as it discourages refusal in practice.
No non-essential tracker may be set before consent is collected. Continued browsing does not constitute consent. Closing the banner without an explicit action must be treated as a refusal. Users must be able to withdraw their consent at any time, for example through a footer link or a cookie management button accessible at all times.
Consent must be recorded with verifiable proof (timestamp, identifier, choice made) so it can be demonstrated in case of an audit. Regulators generally recommend renewing the consent request at regular intervals, typically every 6 to 13 months depending on context.
Cookies exempt from consent
Some trackers do not require consent: cookies strictly necessary for the site to function (authentication, shopping cart, language preferences), audience measurement cookies exempt under specific conditions (limited configuration, no data cross-referencing, no transfer to third parties), and security-related trackers. Your banner should inform users about their existence, but their placement does not depend on the user's choice.
How to set up a compliant cookie banner
Step 1: audit the cookies on your site
Before configuring anything, you need to know which trackers are active on your site. Use a cookie scanner to identify every cookie, its origin (first-party or third-party), its lifespan, and its purpose. You cannot configure a banner correctly if you do not know which scripts need blocking.
Step 2: categorize your cookies
Organize your cookies into clear categories: essential (no consent required), analytics/audience measurement, advertising/targeting, and functional (preferences). Each category should correspond to a choice in your banner and in the preference management panel.
Step 3: choose and configure your CMP
Your CMP (consent management platform) is the tool that displays the banner, blocks scripts, and stores proof of consent. Choose a CMP that effectively blocks scripts before consent (not just visually), offers a reject button at the first level, stores timestamped proof of consent, and integrates with your tech stack (Webflow, WordPress, Next.js, Shopify, etc.). For more on how to choose a CMP and our consent management services, visit our dedicated page.
Step 4: configure script blocking
This is the most technical step. Every non-essential script (Google Analytics, Google Ads, Meta Pixel, TikTok, embedded YouTube videos with cookies, etc.) must be blocked by default and only fire after the user has explicitly consented to the relevant category. Verify with your browser's network inspector that no requests to third-party domains are sent before the user interacts with the banner.
Step 5: test and document
Test three scenarios: full rejection, partial acceptance (analytics only, for example), and full acceptance. For each scenario, verify the cookies set, the network requests sent, and the banner behavior on page reload. If you use Google Consent Mode v2, also verify that consent signals are correctly transmitted to Google tags.
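The five steps above, together with the proof-of-consent requirement described earlier, as an added example in JavaScript. This is not FlowConsent's code nor any CMP's API. It assumes (as a convention, not something the page prescribes) that non-essential scripts are declared as <script type="text/plain" data-consent-category="analytics" src="..."> tags so the browser never executes them until their type is rewritten after consent, that there are three non-essential categories, and that a gtag function may be present on the page for Consent Mode v2. The six-month expiry is the short end of the range the article gives.

```javascript
// Added example (not FlowConsent's code): a minimal consent gate.
// Assumption: gated scripts are declared in the page as
//   <script type="text/plain" data-consent-category="analytics" src="..."></script>
// so they do not run until applyConsentToDom() rewrites them after a choice.

const CATEGORIES = ["analytics", "advertising", "functional"]; // non-essential purposes
const CONSENT_VERSION = "2026-03"; // bump whenever purposes or vendors change

// Default state before any interaction: every non-essential purpose denied.
function defaultConsent() {
  const state = {};
  for (const c of CATEGORIES) state[c] = false;
  return state;
}

// Translate a banner action into a consent state. Closing the banner without an
// explicit choice ("dismiss") is treated as refusal, as regulators require.
function resolveConsent(action, selected = []) {
  const state = defaultConsent();
  if (action === "accept_all") {
    for (const c of CATEGORIES) state[c] = true;
  } else if (action === "save_preferences") {
    for (const c of selected) if (c in state) state[c] = true; // unknown names are ignored
  }
  // "reject_all" and "dismiss" keep the default: all denied
  return state;
}

// Decide which declared scripts may run now. Each entry mirrors the data
// attributes of one gated <script> tag; unknown categories stay blocked.
function scriptsToActivate(declared, consent) {
  return declared.filter((s) => consent[s.category] === true);
}

// Map the consent state to Google Consent Mode v2 signals.
function consentModeSignals(consent) {
  const v = (granted) => (granted ? "granted" : "denied");
  return {
    analytics_storage: v(consent.analytics),
    ad_storage: v(consent.advertising),
    ad_user_data: v(consent.advertising),
    ad_personalization: v(consent.advertising),
    functionality_storage: v(consent.functional),
  };
}

function newRecordId() {
  const g = globalThis.crypto;
  if (g && typeof g.randomUUID === "function") return g.randomUUID();
  return require("crypto").randomUUID(); // older Node without a global crypto
}

// Proof-of-consent record to store server-side: identifier, timestamp, action,
// choice per category and banner version. Expiry here is 180 days (assumption:
// the six-month end of the 6-to-13-month range).
function buildConsentRecord(action, consent, now = new Date(), id = newRecordId()) {
  const expires = new Date(now.getTime() + 180 * 24 * 3600 * 1000);
  return {
    id,
    timestamp: now.toISOString(),
    action,
    choices: { ...consent },
    version: CONSENT_VERSION,
    expires: expires.toISOString(),
  };
}

// A stored record is reusable only if it matches the current banner version
// and has not expired; otherwise the banner must be shown again.
function recordIsCurrent(record, now = new Date()) {
  return record.version === CONSENT_VERSION && new Date(record.expires) > now;
}

// Browser side: activate gated scripts for consented categories and push the
// Consent Mode update. Returns the number of scripts activated (0 outside a DOM).
function applyConsentToDom(consent) {
  if (typeof document === "undefined") return 0;
  let activated = 0;
  document.querySelectorAll('script[type="text/plain"][data-consent-category]').forEach((tag) => {
    if (consent[tag.dataset.consentCategory] !== true) return;
    const live = document.createElement("script");
    for (const { name, value } of tag.attributes) if (name !== "type") live.setAttribute(name, value);
    live.textContent = tag.textContent;
    tag.replaceWith(live); // a freshly created script element executes
    activated++;
  });
  if (typeof gtag === "function") gtag("consent", "update", consentModeSignals(consent));
  return activated;
}
```

The consent record deliberately carries only what is needed to demonstrate the choice (identifier, timestamp, action, categories, version); sending it to the server is what turns the user's click into the proof an audit asks for, and recordIsCurrent is what stops the banner from re-prompting on every visit while still forcing a new request after expiry or a change of purposes.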
Common mistakes (and how to avoid them)
The reject button is less visible than accept. Regulators require that refusal be as easy as acceptance. A pale gray button on a white background next to a brightly colored button does not meet this standard. Same size, same level, same visibility.
Cookies set before any interaction. This is the most common and most serious mistake. If your Google Analytics or Meta Pixel scripts fire before the user has clicked on the banner, you are in breach. Blocking must be technical, not just visual.
No way to withdraw consent. A manage cookies link or a button accessible at all times (footer, floating icon) must allow users to change their choices at any moment.
Using a cookie wall. Blocking access to the site until the user accepts cookies is a risky practice. Regulators evaluate cookie walls on a case-by-case basis, and the trend is toward strict scrutiny. A fair alternative must be offered.
No proof of consent stored. In case of an audit, the burden of proof lies with the data controller. Your CMP must record a timestamped log of each consent with the choice made.
Forgetting embedded content. YouTube videos, Google Maps, and social media widgets set third-party cookies. If your banner does not cover them, you have a gap in your compliance.
Compliant cookie banner checklist
- Full cookie and tracker audit completed.
- Cookies categorized (essential, analytics, advertising, functional).
- Reject all button visible at the first level, same format as accept all.
- Clear information about tracker purposes displayed at the first level.
- Zero non-essential cookies set before consent (technical verification, not just visual).
- Third-party scripts blocked by default and triggered only after consent.
- Consent withdrawal mechanism accessible at all times (footer link or icon).
- Timestamped proof of consent stored for each user.
- Embedded content (YouTube, Maps, social widgets) covered by the banner.
- Three scenarios tested: full rejection, partial acceptance, full acceptance.
- Consent renewal scheduled every 6 to 13 months.
Conclusion and next step
A compliant cookie banner rests on three pillars: a neutral design where rejecting is as easy as accepting, effective technical blocking of scripts before consent, and reliable storage of consent proof. None of these can be overlooked.
If you do not know which cookies are active on your site, start with a free cookie scan. That is the first step toward building a banner that holds up. Visit our blog for more practical guides on cookie compliance and consent management.
Frequently asked questions
Is a cookie banner mandatory?
If your site uses non-essential cookies (analytics, advertising, social media, embedded videos with trackers), yes. The banner is the consent collection mechanism required by the ePrivacy Directive and the GDPR. If your site only uses strictly necessary cookies, a banner is not required, but you must still inform users in your privacy policy.
Is a reject all button required?
Regulators across Europe strongly recommend a reject all button at the same level and in the same format as the accept all button. A settings button next to accept all is not sufficient, as it discourages refusal in practice. Other mechanisms are possible (closing the banner equals refusal), but a clear reject all button is the most straightforward approach.
How long should consent be retained?
Regulators generally recommend renewing the consent request at regular intervals, typically every 6 to 13 months depending on the site's context and audience. The user's choice (acceptance or refusal) should be stored for that duration to avoid re-prompting on every visit.
Do Google Analytics cookies require consent?
By default, yes. Google Analytics sets non-essential cookies and transfers data to Google in the United States. Some regulators provide an exemption for certain audience measurement tools, but under strict conditions (no data cross-referencing, no transfer to third parties, limited configuration). Google Analytics in its standard configuration does not meet these conditions.
What is a cookie wall and is it legal?
A cookie wall blocks access to the site's content until the user accepts cookies. Regulators evaluate this practice on a case-by-case basis. The general trend is toward strict scrutiny, and most guidance recommends always offering a fair alternative to the user.
How can I check if my banner is compliant?
Start with a cookie scan of your site to identify all active trackers. Then verify with the browser's network inspector that no non-essential cookie is set before interaction with the banner. Test three scenarios (rejection, partial, full acceptance). Verify that the reject button is as visible as accept and that a consent withdrawal mechanism is permanently accessible.
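The verification described in this answer and in Step 5, as an added example in JavaScript that is not FlowConsent's code: it audits a capture of the cookies and network requests observed in the browser's developer tools against a site policy, once per scenario, and reports what violates that scenario's consent state. The policy (domains, exempt cookie names, tracker hosts), the category assigned to each host, and both captures are constructed for illustration; the Google Analytics measurement id is a placeholder.

```javascript
// Added example (not FlowConsent's code): audit a cookie/request capture against
// the consent state of one test scenario. All policy values and captures below are
// constructed for illustration; replace them with your own audit results.

const policy = {
  firstPartyHosts: ["example.com"], // your own domains, subdomains included
  exemptCookies: ["session_id", "csrf_token", "lang", "cart", "cookie_consent"], // strictly necessary
  allowedThirdPartyHosts: ["cdn.cmp-vendor.example"], // serves only the CMP or required assets
  knownTrackerCookies: { _ga: "analytics", _gid: "analytics", _fbp: "advertising", _gcl_au: "advertising" },
  trackerHosts: {
    "www.google-analytics.com": "analytics",
    "connect.facebook.net": "advertising",
    "www.youtube.com": "advertising", // embedded player with cookies enabled (assumed category)
  },
};

function isFirstParty(host, pol) {
  return pol.firstPartyHosts.some((h) => host === h || host.endsWith("." + h));
}

// consent: { analytics, advertising, functional } booleans for the scenario under
// test. Pass {} for the pre-interaction capture: every non-essential purpose denied.
function auditCapture(capture, consent, pol) {
  const findings = [];
  for (const c of capture.cookies) {
    if (pol.exemptCookies.includes(c.name)) continue;
    const category = pol.knownTrackerCookies[c.name] || "unclassified";
    if (consent[category] === true) continue; // allowed under this scenario
    findings.push({
      kind: "cookie", name: c.name, domain: c.domain, category,
      severity: category === "unclassified" ? "review" : "violation",
    });
  }
  for (const r of capture.requests) {
    const host = new URL(r.url).hostname;
    if (isFirstParty(host, pol) || pol.allowedThirdPartyHosts.includes(host)) continue;
    const category = pol.trackerHosts[host] || "unclassified";
    if (consent[category] === true) continue;
    findings.push({
      kind: "request", host, url: r.url, category,
      severity: category === "unclassified" ? "review" : "violation",
    });
  }
  return findings;
}

// A scenario passes when nothing is a violation; "review" items need a human
// decision (classify the cookie or host, or document why it is exempt).
function scenarioPasses(findings) {
  return findings.every((f) => f.severity !== "violation");
}

// Constructed capture of a misconfigured site, taken before any click on the banner.
const preConsentCapture = {
  cookies: [
    { name: "session_id", domain: "www.example.com" },
    { name: "_ga", domain: ".example.com" },
    { name: "_fbp", domain: ".example.com" },
    { name: "ab_variant", domain: "www.example.com" },
  ],
  requests: [
    { url: "https://www.example.com/app.js" },
    { url: "https://cdn.cmp-vendor.example/banner.js" },
    { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER" },
    { url: "https://www.youtube.com/embed/abc123" },
  ],
};

// Constructed capture taken after the user accepted analytics only.
const afterAnalyticsOnlyCapture = {
  cookies: [
    { name: "session_id", domain: "www.example.com" },
    { name: "cookie_consent", domain: "www.example.com" },
    { name: "_ga", domain: ".example.com" },
    { name: "_gid", domain: ".example.com" },
  ],
  requests: [
    { url: "https://www.example.com/app.js" },
    { url: "https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER" },
  ],
};

if (typeof require !== "undefined" && require.main === module) {
  console.log("before interaction:", auditCapture(preConsentCapture, {}, policy));
  console.log("analytics only:", auditCapture(afterAnalyticsOnlyCapture, { analytics: true }, policy));
}
```

Run it once per scenario with the capture recorded after that choice (and once with {} for the untouched page): the pre-consent capture above fails on the _ga and _fbp cookies and on the Google Analytics and YouTube requests, while the ab_variant cookie is flagged for review because the policy does not classify it. The same capture judged as full acceptance would pass, which is why the capture must be taken in the scenario it is checked against, and why an unclassified cookie is never silently accepted.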