The cookie banner is the most-seen privacy interface on your site and one of the most frequently non-compliant. EU enforcement has shifted from "do you have a banner" to "does your banner actually collect valid consent." The wording, the buttons, and the default states all matter — and most templates get at least one of them wrong.
This guide is for marketers and site owners who want a banner that survives a regulator's look without killing analytics entirely. It focuses on the copy and the controls, which is where compliance is won or lost.
What consent legally requires
Under GDPR and the ePrivacy rules, consent for non-essential cookies (analytics, marketing, retargeting) must be:
- Freely given — no detriment for refusing
- Specific — per purpose, not one blanket toggle
- Informed — the user knows what they're agreeing to
- Unambiguous — a clear affirmative action, not silence or a pre-ticked box
That standard kills several common banner patterns instantly. It's the same four-part test that governs marketing consent everywhere in GDPR — the cookie banner is just the most visible place it's applied.
1. "Accept" and "Reject" must be equally easy
A bright "Accept all" button next to a buried text link for "Manage" (with no visible "Reject all") is the single most-cited dark pattern. Regulators across the EU — France's CNIL prominent among them — have ruled that refusing must be as easy as accepting. Practically: if there's an "Accept all" button on the first layer, there should be a "Reject all" button of equal prominence on the same layer.
Equal prominence means equal weight: same size, same visual hierarchy, same number of clicks. A grey "Reject" next to a glowing green "Accept all" is the kind of asymmetry enforcement actions specifically target. The copy on the buttons should be plain too — "Reject all" reads more honestly than a vague "More options."
2. No pre-ticked boxes, no implied consent
"By continuing to browse you accept cookies" is not consent. Neither is a toggle that defaults to on. Non-essential cookies must not fire until the user takes an affirmative action. The banner copy should never imply that scrolling, closing, or continuing counts as agreement.
This was settled at EU level in the Planet49 ruling: a pre-ticked checkbox does not constitute valid consent. The same logic extends to any default-on state. If your consent management platform fires analytics before the click, the banner copy is irrelevant — the consent never existed.
3. Be specific about purpose
A compliant banner separates categories so the user can consent per purpose:
| Category | Consent needed? | Example copy |
|---|---|---|
| Strictly necessary | No (always on) | "Required for the site to work" |
| Analytics | Yes | "Helps us understand site usage" |
| Marketing | Yes | "Used to show you relevant ads" |
Bundling analytics and marketing into one "Accept" is not specific consent. The user should be able to say yes to analytics and no to marketing, and the copy for each category should describe what it actually does in plain language — not a euphemism. "We personalise your experience" is a softer way of saying "we profile you for ads," and the gap between the two is exactly what regulators read as a transparency failure.
4. Name the consequences honestly
Copy like "We value your privacy" followed by a setup that hoovers up every data point is a transparency mismatch. If the banner says one thing and the cookie list says another, the inconsistency itself is the violation. Keep the banner's promise aligned with what actually fires.
This is the most common quiet failure: the banner copy is reassuring and vague, while the vendor list behind "Manage" runs to 400 partners. A banner that under-describes the real data flow is misleading even if every button is perfectly placed. Align the words with the reality.
5. Make withdrawal easy
Consent you can't withdraw isn't valid. There must be a persistent, easy way back to the settings — typically a small "Cookie settings" link in the footer. The banner copy can mention it: "You can change your choices anytime in Cookie settings." Withdrawing consent has to be as easy as giving it, which means a one-click route to turn categories back off, not an email request or a buried form.
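Rules 2, 3 and 5 above are the ones that live in code rather than in copy: nothing non-essential runs before an explicit click, each purpose is switched separately, and withdrawal is a single step. The following is an added example written for this article, not code from the article itself or from any consent management platform. `createConsentGate`, `fireTag`, the category names and the tag file names are illustrative assumptions; a real integration would call the tag manager's loader where `loader()` is invoked.

```javascript
// Added example, not code from the article or any consent platform: a
// consent gate in which every non-essential category starts off, only an
// explicit button press changes it, and withdrawal is one call.
// createConsentGate, fireTag and the tag names are illustrative assumptions.
const CATEGORIES = ['necessary', 'analytics', 'marketing'];

function createConsentGate() {
  // Default state: strictly necessary on, everything else OFF until a click.
  const state = { necessary: true, analytics: false, marketing: false, decided: false };
  const fired = []; // which tags actually ran, kept for the consent record

  const gate = {
    // Affirmative action: the user pressed a button on the banner.
    // `choices` maps category -> true; any category not listed stays off,
    // so there is no way to express a "pre-ticked" default here.
    accept(choices) {
      for (const c of CATEGORIES) {
        if (c === 'necessary') continue; // never asked, always allowed
        state[c] = choices[c] === true;
      }
      state.decided = true;
    },
    // "Accept all" and "Reject all" are the same one-step operation.
    acceptAll() { gate.accept({ analytics: true, marketing: true }); },
    rejectAll() { gate.accept({}); },
    // Scrolling, closing the banner or continuing to browse is not consent:
    // these handlers intentionally leave the state untouched.
    onScroll() { return false; },
    onClose() { return false; },
    // Withdrawal is as easy as consent: one call switches a category off.
    withdraw(category) {
      if (category !== 'necessary') state[category] = false;
    },
    // The gate: run `loader` only if its category is currently consented.
    // Returns whether the tag fired, so callers can check it.
    fireTag(category, name, loader) {
      if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
      if (!state[category]) return false;
      fired.push({ category, name });
      loader();
      return true;
    },
    snapshot() { return { ...state }; },
    firedTags() { return fired.slice(); },
  };
  return gate;
}

// Walk through one constructed visit. Returns the outcome of each gate check
// so the behaviour can be verified rather than just printed.
function demoVisit() {
  const gate = createConsentGate();
  const loaded = [];
  const load = name => () => loaded.push(name);

  const necessaryOnLoad = gate.fireTag('necessary', 'session.js', load('session.js'));     // true
  const analyticsOnLoad = gate.fireTag('analytics', 'analytics.js', load('analytics.js')); // false
  gate.onScroll();
  gate.onClose();
  const marketingAfterScroll = gate.fireTag('marketing', 'pixel.js', load('pixel.js'));    // false

  gate.accept({ analytics: true }); // user ticked analytics only, then pressed "Save"
  const analyticsAfterClick = gate.fireTag('analytics', 'analytics.js', load('analytics.js')); // true
  const marketingAfterClick = gate.fireTag('marketing', 'pixel.js', load('pixel.js'));        // false

  gate.withdraw('analytics'); // later, via the footer "Cookie settings" link
  const analyticsAfterWithdraw = gate.fireTag('analytics', 'analytics.js', load('analytics.js')); // false

  return { necessaryOnLoad, analyticsOnLoad, marketingAfterScroll, analyticsAfterClick,
           marketingAfterClick, analyticsAfterWithdraw, loaded, state: gate.snapshot() };
}
```

The design choice worth noting is that the state object has no "pending" or "default-on" value for a non-essential category: the only values are off (the starting point) and on (set by an `accept` call), which makes the Planet49 failure mode impossible to reach by configuration. The `fired` list is what a consent record (see the logging section) should be reconciled against.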
How the banner connects to the rest of your funnel
The cookie banner doesn't sit in isolation. If your ads promise personalization and your banner is the first place a user can refuse tracking, the two have to be consistent. A retargeting campaign whose pixel fires before consent contradicts the banner, and the contradiction is the exposure. Treat the banner as one disclosure point in a chain that includes your ad copy, your landing pages, and your privacy policy.
A banner copy checklist
- "Reject all" is as visible as "Accept all" on the first layer
- Nothing non-essential fires before an affirmative click
- Categories are separated by purpose, not bundled
- No pre-ticked toggles or default-on states
- The banner's claims match the actual cookie list
- A persistent path to withdraw consent exists
- Category descriptions use plain language, not euphemisms
Logging consent and proving it later
Collecting valid consent is only half the obligation — you also have to be able to prove it. If a regulator asks how a given user consented to marketing cookies, "the banner was there" is not an answer. You need a record: which categories the user accepted or rejected, the timestamp, and the version of the banner and copy they saw. Consent management platforms can store this, but only if configured to, and only if your banner text is versioned so you can show what a user actually agreed to on a given date.
This is why the wording matters beyond the moment of the click. The copy shown at consent is part of the evidentiary record. If your banner said "analytics only" but your vendor list fired marketing tags, the log will show the mismatch — and the log is what gets examined. Keep the banner copy, the category descriptions, and the actual tag behaviour aligned, and keep a versioned history of all three.
Dark patterns regulators specifically target
Beyond the unequal Accept/Reject buttons, EU authorities have published guidance naming specific manipulative designs. Recognising them helps you avoid building one by accident:
- Visual interference — making "Accept" prominent and "Reject" low-contrast or small.
- Forced action — no way to use the site without accepting non-essential cookies.
- Misleading hierarchy — "Reject" hidden a layer deeper than "Accept."
- Confirmshaming — copy that guilts the user for declining ("No thanks, I don't want a better experience").
- Repeated nagging — re-prompting users who already declined until they relent.
Each of these undermines the "freely given" standard, and each has surfaced in enforcement guidance. A banner that's honest, balanced, and respects a "no" the first time avoids the entire category.
Consent across devices, apps, and SDKs
The web banner is the visible part, but consent has to hold everywhere you collect data. Mobile apps, in-app SDKs, and connected experiences collect the same categories of data and need the same valid consent — yet they're frequently overlooked because they don't have a "banner" in the familiar sense. An app that fires an analytics or advertising SDK on launch, before any consent prompt, has the same problem as a website firing pixels on load: the processing happened before the user agreed.
Treat consent as a property of the user, not the page. Wherever you collect non-essential data — web, app, embedded widget — the same four-part standard applies, and the choice the user makes in one place should be respected consistently rather than re-asked or quietly ignored elsewhere. Fragmented consent, where the website honours a rejection but the app keeps tracking, is both a compliance gap and a trust problem users notice.
Scan your privacy-facing copy
The text on a banner is small but legally heavy, and the same transparency principles govern your landing pages and forms. The free GDPR Ad Copy Checker scans privacy-facing copy for transparency mismatches, missing disclosures, and bundled consent before they become complaints — no login required. For the broader page, see the landing page GDPR compliance checklist, and for the full framework, the GDPR advertising compliance guide.
This article is general information, not legal advice. Use it as a risk signal alongside human compliance review.