TL;DR. A GDPR-compliant cookie banner gives clear information, offers a genuine choice (refusing must be as easy as accepting), pre-ticks nothing, and lets users withdraw consent at any time. Most banners fail because they are designed to nudge people toward yes rather than to collect a free choice.
Here is an uncomfortable truth about the European web. A large share of the cookie banners you see every day are not compliant. They use colours, wording and button hierarchies built to extract a fast yes. Regulators such as the ICO in the UK call these manipulative interfaces, and the wider conversation labels them dark patterns. In this article we analyse good and bad banners, then give you text templates you can adapt right away, plus a full compliance checklist.
What makes a cookie banner GDPR-compliant?
A banner is compliant when it enables consent that is freely given, specific, informed and unambiguous. In practice the user must be able to refuse without extra effort, understand what they are agreeing to, and change their mind easily. The banner is therefore not just a graphic element. It is the legal mechanism that proves you collected valid agreement before setting any non-essential trackers.
The four required elements
First, clear information. Users must know which cookie categories are used and why, in plain language, without unnecessary jargon. Second, a genuine choice. The refuse button must be visible and accessible at the same level as accept, on the first screen. Third, no pre-ticking. Consent must come from a positive action, never from inaction or a box that is already on. Fourth, easy withdrawal. Taking consent back must be as simple as giving it, for example through a permanent footer link available on every page.
For a deeper look at what valid consent involves, read our guide to GDPR consent validity requirements. It explains each of the four criteria and their legal weight.
An often forgotten detail: these four elements must coexist. A banner can show perfect information and offer granular categories, but if it pre-ticks a single box or buries the refuse button, it becomes non-compliant. Compliance is not measured by your best button but by your weakest. That is why an honest audit reviews each criterion separately, rather than relying on an overall impression.
What the consent button must say (no dark patterns)
Button labels matter as much as button design. Use neutral, symmetrical terms such as Accept all and Reject all. Avoid guilt-tripping wording like No thanks, I prefer a worse experience. Avoid hiding refusal behind several clicks. The guiding principle is equivalence: refusing should take the same number of clicks and the same effort as accepting. A banner that places refusal two or three levels deep breaks this principle, even if the word reject appears somewhere.
Good cookie banner examples (with analysis)
Here are five patterns that respect both the spirit and the letter of GDPR. None of them needs an image to be understood: what matters is the structure and the text.
Example 1: the layered banner. A first layer shows a short summary (why cookies are used, the main categories) with a Learn more link that opens the detail. The user is not buried in information but can reach it in one click. What it does right: it combines brevity with transparency, without sacrificing one for the other.
Example 2: equal-prominence buttons. Accept all and Reject all share the same size, colour and position. Neither is visually emphasised. What it does right: it removes the visual bias and respects the equivalence regulators expect.
Example 3: granular categories. The banner offers separate checkboxes for functional, analytics and marketing cookies, all unticked by default except strictly necessary ones. What it does right: it allows specific, category-by-category consent rather than a forced global yes.
Example 4: persistent access to preferences. A Manage cookies link stays available in the footer after the banner is dismissed. What it does right: it makes withdrawal as easy as the original choice, at any point during the visit.
Example 5: honest consent wording. The text never equates browsing with consent. It does not say By continuing, you agree. It waits for an explicit action from the user. What it does right: it preserves the unambiguous nature of consent required by the regulation.
These five patterns are not mutually exclusive. The best banner combines them: a concise and honest first layer, two symmetrical buttons, one-click access to categories, and a permanent link to revisit the choice. You do not need a sophisticated design, only a fair structure. On mobile, also check that the refuse button stays fully visible without scrolling, because that is often where equivalence breaks down.
Bad cookie banner examples (dark patterns to avoid)
The following practices draw regular criticism from regulators. They create the illusion of a choice while strongly steering the decision.
Pre-ticked boxes. A box that is already ticked is not consent. The Court of Justice of the European Union confirmed this in the Planet49 case: silence or inaction cannot count as agreement.
A hidden refuse button. Showing Accept all prominently while pushing refusal behind a small Settings link breaks equivalence and amounts to a manipulative interface.
Confusing language. Phrases like I agree to continue browsing mix consent with access to the site. The user can no longer tell whether they are consenting or simply confirming access. That is misleading.
Withdrawal harder than consent. If accepting takes one click but refusing takes five, the banner is non-compliant. Symmetry must hold at withdrawal just as it does at the moment of consent.
Colour hierarchy. A bright green accept button next to a grey, small or low-contrast refuse button steers the choice. This is a classic dark pattern, even when both buttons are present.
These tactics also erode trust and, paradoxically, hurt your durable consent rate. Forced consent is fragile and open to challenge.
A useful test to spot a dark pattern: ask whether the design helps the user decide, or helps you obtain a specific answer. If every visual and textual cue points toward yes, the banner is steering rather than informing. A second test is the stopwatch: time how long it takes to refuse versus to accept. If refusing is noticeably slower, you have a compliance problem, regardless of how the buttons are labelled.
Why do these practices persist? Often out of habit or fear of losing data. But a misleading banner creates a double risk: a regulator penalty, and a loss of trust from visitors who increasingly spot these manipulations. The short-term calculation (maximise yes) backfires in the medium term. A rarer but solid consent is worth more than a massive but legally fragile one.
Get GDPR compliant in 10 minutes
Free plan available · No credit card required
Cookie banner text: what to write (templates)
The templates below should be adapted to your site, your real purposes and your language. Do not copy text that does not match the trackers you actually set. Good text is short, concrete and free of empty legal phrasing.
Short version (adapt as needed).
We use cookies to run this site and, with your agreement, to measure audience and personalise content. You can accept, reject, or choose by category. You can change your choice at any time through the Manage cookies link in the footer.
Full version (adapt as needed).
This site uses cookies. Strictly necessary cookies keep the basic functions working and do not require your consent. Other cookies, for analytics and marketing, are only set with your agreement. Analytics cookies help us understand how the site is used. Marketing cookies let us offer relevant content. You can accept all, reject all, or set your choices category by category. No box is pre-ticked. Your choice is stored and you can withdraw or change it at any time through the Manage cookies link, without any reduction in your access to content.
A few useful drafting rules. Name the real purposes rather than vague categories. State the retention period where it is relevant. Avoid multiple negatives that blur the meaning. And remember to mention any data transfers outside the European Union when your marketing tools involve them, because that information is part of what makes consent informed.
One more practical point: keep the wording consistent between the banner and your full cookie policy. If the banner mentions three categories but the policy lists ten trackers under unclear names, the mismatch undermines the informed nature of the consent. Treat the banner as the short, honest summary of a longer document that anyone can open in one click. Consistency across the two is what regulators look for during a review.
Cookie banner compliance checklist
- Information is clear, in plain language, and states the categories and purposes.
- The Reject all button is as visible and accessible as Accept all, on the first screen.
- No box is pre-ticked, apart from strictly necessary cookies.
- Refusing takes the same number of clicks as accepting.
- Categories (functional, analytics, marketing) are separate and selectable.
- No non-essential cookie is set before consent is collected.
- A permanent link lets users change or withdraw consent at any time.
- No wording equates browsing with consent.
- The design does not visually favour any button.
- Proof of consent is stored with a timestamp.
Conclusion
A good cookie banner is not about looks but about respecting the user's choice. Clear information, symmetrical buttons, no pre-ticked boxes and easy withdrawal cover most of what matters. Before you redesign your banner, note that a cookie wall is only lawful under conditions, and it should never be used to bypass the right to refuse.
Next step: check your own site. Run a free cookie scan to see within minutes which cookies you set and where your banner falls short of compliance.
Frequently asked questions
Does the refuse button have to be at the same level as the accept button?
Yes. Regulators apply the principle of equivalence: refusing must be as easy as accepting, with the same number of clicks and comparable visibility. Hiding refusal behind a discreet link is treated as a manipulative interface.
Does a pre-ticked box count as consent?
No. Consent must result from a positive action by the user. The Court of Justice of the European Union confirmed this in the Planet49 case. A box that is already ticked has no legal value.
Can I set analytics cookies before consent?
In principle no, except for narrowly defined exempt audience measurement that strictly meets regulatory criteria. Marketing cookies and most analytics cookies require prior consent.
How do I let users withdraw consent?
The simplest method is a permanent link, for example Manage cookies, in the footer. It should reopen the preferences panel and let users change or withdraw each category at any time.