Cookie Consent Banner Requirements: The 2026 Compliance Guide
Most cookie banners are non-compliant. Here is what the law actually requires, what a compliant banner looks like, and how to avoid fines.
You have seen them on every website: those cookie banners that pop up asking you to "Accept all" or manage your preferences. But here is a fact that might surprise you — research suggests that over 90% of cookie consent banners are non-compliant with EU law. Many use dark patterns, pre-checked boxes, or simply do not give users a real choice.
In 2026, enforcement is ramping up. EU data protection authorities have issued multi-million-euro fines specifically for cookie consent banner violations. If your website serves EU visitors, getting this right is essential.
The Legal Framework: Why Cookie Consent Exists
Cookie consent requirements come from two main sources:
EU ePrivacy Directive (2002, amended 2009)
Often called the "Cookie Law," this directive requires informed consent before storing or accessing information on a user's device. This covers cookies, local storage, fingerprinting, and tracking pixels. Each EU member state has implemented this differently, but the core principle is the same: you need consent before setting non-essential cookies.
GDPR (2018)
GDPR raised the bar for what "consent" means. Under GDPR, consent must be freely given, specific, informed, and unambiguous. Pre-checked boxes do not count. Scrolling does not count. Continuing to browse does not count. Users must take a clear, affirmative action to consent.
UK PECR
The UK's Privacy and Electronic Communications Regulations mirror the ePrivacy Directive. Post-Brexit, the UK maintains its own version with similar requirements. The ICO actively enforces cookie compliance and has published detailed guidance.
What Makes a Cookie Banner Compliant?
Based on enforcement actions, guidance from the EDPB (European Data Protection Board), and national DPA decisions, here are the cookie consent banner requirements you must meet:
1. Prior Consent (Before Setting Cookies)
Non-essential cookies must NOT be set until the user actively consents. This means your analytics, advertising, and social media cookies cannot fire on page load. Only strictly necessary cookies (session cookies, load balancing, security) can be set without consent.
2. Clear Accept AND Reject Options
Your banner must give users a way to refuse cookies that is as prominent as the way to accept them. A large "Accept All" button with a tiny "manage preferences" link hidden below is a dark pattern and does not meet the standard. The reject option must be available on the first layer — not buried in settings.
3. Granular Choices
Users must be able to consent to different categories of cookies separately. The standard categories are:
- Strictly Necessary — Always on, no consent needed (session management, security, load balancing)
- Functional — Preferences, language settings, saved cart contents
- Analytics — Google Analytics, Hotjar, session recording
- Marketing/Advertising — Facebook Pixel, Google Ads, retargeting, social media tracking
4. No Pre-Checked Boxes
When showing cookie category toggles, they must default to OFF (unchecked). The user must actively opt in. Pre-selecting analytics and marketing cookies and asking users to deselect them does not count as valid consent.
5. Easy Withdrawal
Users must be able to change their cookie preferences at any time. Include a persistent link (usually in the footer) to reopen cookie settings. Withdrawing consent must be as easy as giving it.
6. Informed Consent
Users need to understand what they are consenting to. Your banner should explain what cookies do, what data they collect, who the data goes to, and link to your full cookie policy for details.
7. No Cookie Walls
In most EU jurisdictions, you cannot block access to your website if users refuse cookies. "Accept cookies or leave" is not valid consent because it is not freely given. Some countries (like France) have limited exceptions for ad-funded content, but the general rule is: no cookie walls.
What a Non-Compliant Banner Looks Like
These common patterns will get you in trouble:
- "This site uses cookies. OK" — No real choice, no information, not consent
- "By continuing to browse, you accept cookies" — Implied consent is not valid consent under GDPR
- Big "Accept" button, tiny "Settings" link — Unequal prominence = dark pattern
- Pre-checked analytics and marketing toggles — Pre-selected = not freely given
- No way to reject on first layer — Reject must be as accessible as accept
- Cookies fire before consent — Analytics/tracking loading on page load before any interaction
What a Compliant Banner Looks Like
A compliant cookie consent banner:
- Appears on first visit before any non-essential cookies are set
- Has equally prominent "Accept All" and "Reject All" buttons on the first layer
- Offers a "Manage Preferences" option to set granular choices
- Explains briefly what cookies are used for
- Links to your full cookie policy
- Does not use pre-checked boxes for any non-essential category
- Remembers the user's choice (so the banner does not appear every page load)
- Provides a footer link to change preferences at any time
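The behaviour in the list above can be expressed as a small consent store that gates which tags may load. This is an added example, not code from the guide or from any consent platform; the class, function and tag names are hypothetical, and the four category keys follow the categories listed earlier.

```javascript
// Added example: consent state that gates non-essential tags.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];

class ConsentStore {
  // `saved` is a previously stored choice object, or undefined on first visit.
  constructor(saved) {
    this.decided = false;
    // Non-essential categories default to OFF; nothing is pre-checked.
    this.state = { necessary: true, functional: false, analytics: false, marketing: false };
    if (saved) this.save(saved);
  }
  // Takes the full set of choices; any category not explicitly `true` is off.
  save(choices) {
    for (const c of CATEGORIES) {
      if (c !== "necessary") this.state[c] = choices[c] === true;
    }
    this.decided = true;
    return this.serialize();
  }
  acceptAll() { return this.save({ functional: true, analytics: true, marketing: true }); }
  rejectAll() { return this.save({}); } // one call, same effort as acceptAll; also used to withdraw
  allowed(category) { return this.state[category] === true; }
  bannerNeeded() { return !this.decided; } // remembered choice suppresses the banner
  serialize() { return JSON.stringify({ v: 1, ...this.state }); }
}

// Returns the names of the tags that may load under the current consent state.
function tagsToLoad(store, tags) {
  return tags.filter((t) => store.allowed(t.category)).map((t) => t.name);
}

// Constructed sample tag registry.
const TAGS = [
  { name: "session", category: "necessary" },
  { name: "web-analytics", category: "analytics" },
  { name: "ad-pixel", category: "marketing" },
];
```

The footer link that reopens cookie settings would call `save` or `rejectAll` on the same store, so withdrawing uses the same path as giving consent.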
Recent Enforcement Actions
Cookie banner enforcement has intensified:
- CNIL (France) fined Google €150 million and Facebook €60 million for making it harder to refuse cookies than to accept them
- ICO (UK) has issued enforcement notices to major UK websites for non-compliant cookie practices
- DPC (Ireland) and AEPD (Spain) have increased cookie audits, focusing on pre-checked boxes and missing reject options
- NOYB (Max Schrems' organisation) filed over 800 complaints against websites with non-compliant cookie banners in a single campaign
Do You Need a Cookie Policy Too?
Yes. A cookie consent banner is the front-end mechanism for collecting consent, but you also need a full cookie policy that documents every cookie on your site, its purpose, duration, and whether it is first-party or third-party. Your banner should link to this policy.
LegalForge generates both a cookie policy and a privacy policy that covers your cookie disclosures. Answer a few questions about your website, and the AI creates a policy document that lists cookie categories, purposes, and third-party providers — all customised to your tech stack.
Quick Compliance Checklist
- Audit all cookies on your site (use browser dev tools or a cookie scanner)
- Categorise them: strictly necessary, functional, analytics, marketing
- Implement a proper consent management platform (CookieYes, Osano, Cookiebot)
- Ensure non-essential cookies do not load until consent is given
- Provide equal "Accept" and "Reject" buttons on the first layer
- Default all non-essential toggles to OFF
- Add a footer link to reopen cookie settings
- Create a comprehensive cookie policy
- Test regularly — new scripts and third-party tools may add cookies
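The audit and "test regularly" steps can be automated by checking which cookies are set on a first page load, before any banner interaction. This is an added example, not part of the original guide: the inventory patterns are an illustrative assumption (a real audit uses the site's own cookie list), `sessionid` and `promo_seen` are hypothetical names, and the captured header lines are constructed.

```javascript
// Added example: flag non-essential cookies set before consent.
// Name patterns -> category; illustrative inventory only.
const INVENTORY = [
  { pattern: /^sessionid$/, category: "necessary" }, // hypothetical session cookie
  { pattern: /^_ga($|_)/, category: "analytics" },   // Google Analytics
  { pattern: /^_gid$/, category: "analytics" },      // Google Analytics
  { pattern: /^_hj/, category: "analytics" },        // Hotjar
  { pattern: /^_fbp$/, category: "marketing" },      // Facebook Pixel
];

// Extracts the cookie name and whether it outlives the session.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.replace(/^set-cookie:\s*/i, "").split(";");
  const eq = pair.indexOf("=");
  const name = (eq === -1 ? pair : pair.slice(0, eq)).trim();
  const persistent = attrs.some((a) => /^\s*(max-age|expires)\s*=/i.test(a));
  return { name, persistent };
}

// Classifies cookies captured before any consent was given.
function auditPreConsent(lines) {
  const report = { ok: [], violations: [], uncategorised: [] };
  for (const line of lines) {
    const { name, persistent } = parseSetCookie(line);
    if (!name) continue;
    const entry = INVENTORY.find((e) => e.pattern.test(name));
    if (!entry) report.uncategorised.push(name); // needs a category before it can be judged
    else if (entry.category === "necessary") report.ok.push(name);
    else report.violations.push({ name, category: entry.category, persistent });
  }
  return report;
}

// Constructed sample: response headers from a first visit with no banner interaction.
const CAPTURED = [
  "Set-Cookie: sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "Set-Cookie: _ga=GA1.1.111.222; Max-Age=63072000; Path=/",
  "Set-Cookie: _fbp=fb.1.1700000000000.1; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Path=/",
  "Set-Cookie: promo_seen=1; Path=/",
];
```

Cookies written by scripts through `document.cookie` do not appear in response headers, so the same name check should also be run against the browser's cookie jar after page load.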