Cookie consent banners are everywhere, but most of them are wrong. Some violate GDPR by pre-ticking consent boxes. Some bury the reject option in three menus. Some fire tracking scripts before consent is given. And some sites that do not need a banner at all have installed one anyway.
Here is a clear, practical breakdown of what GDPR actually requires in 2026 — and how to check where your site stands.
Do You Actually Need a Cookie Banner?
First, the question most guides skip: not every site needs a cookie consent banner. You only need one if you set non-essential cookies, or use equivalent storage such as localStorage or tracking pixels, which the same rule covers. A non-essential cookie is any cookie that is not strictly necessary to provide the service the user explicitly requested. Strictly speaking, the consent requirement for cookies comes from the ePrivacy Directive (Article 5(3)) as implemented in each member state; GDPR supplies the standard that the consent must meet, which is why the two are discussed together.
Strictly necessary cookies, such as session cookies, login cookies, shopping cart cookies, CSRF protection cookies and the cookie that records the visitor's own consent choice, do not require consent. Analytics cookies, advertising pixels, heatmap scripts and social media widgets are non-essential and require consent from EU visitors. What matters is the function, not who sets the cookie: a first-party analytics cookie still needs consent. If your site uses Google Analytics, the Facebook Pixel, Hotjar or similar tools, you need a consent mechanism.
What GDPR Actually Requires
The requirements are clearer than most implementations suggest:
- Consent must be freely given. "Accept or leave" is not freely given consent. There must be a genuine choice.
- Consent must be specific. Offering only a single bundled "I agree" is not valid. Different purposes (analytics, advertising, functional) must be presented so the user can accept some and refuse others. An "Accept All" shortcut is acceptable only alongside that granular choice and an equally prominent "Reject All".
- Consent must be informed. The user must understand what they are consenting to — which cookies, what they do, who has access to the data.
- Consent must be unambiguous. Pre-ticked boxes do not constitute consent. Silence does not constitute consent. The user must take an affirmative action.
- Equal prominence for Accept and Reject. The reject option must be as easy to find and use as the accept option. Hiding "Reject All" in a settings menu while showing "Accept All" as a prominent button is a dark pattern that violates GDPR.
- Consent must be withdrawable. Users must be able to withdraw consent as easily as they gave it at any time.
The Most Common Mistakes
Firing trackers before consent. This is the most common and most serious violation. If Google Analytics or the Facebook Pixel loads before the user makes a choice, you have collected data without consent, and the banner is decoration. Compliant implementations defer all tracking until after consent is given, either by gating the script tags on the recorded choice or, for Google tags, through Consent Mode v2. One caveat on Consent Mode: in its basic implementation the tags do not load until consent is granted, but in the advanced implementation the Google tags load before the choice and send cookieless pings while consent is denied. That is a different privacy posture; if your requirement is that nothing fires before the choice, use basic mode or gate the scripts yourself.
No reject option on the first layer. If your banner shows "Accept All" and "Manage Preferences" but no "Reject All" button, EU regulators consider this a dark pattern. The French CNIL, the German DPAs and the UK ICO have all issued guidance and fines on this point.
Consent stored but not respected. Some implementations record consent in a cookie but continue loading the same trackers regardless, typically because the tags are hard-coded in the page template and the CMP is bolted on beside them. Consent records must actually control which scripts load. A quick check: choose Reject All, reload the page and watch the browser's network panel; any request to an analytics or advertising domain means the record is not being honoured.
Geo-fencing the banner. Some sites show the banner only to visitors they believe are in the EU and load trackers freely for everyone else. GDPR protects people who are in the EU/EEA (and the UK applies an equivalent regime), but identifying them by IP is unreliable: VPNs, corporate proxies and travelling users all defeat it, and a wrong guess means tracking an EU visitor without consent. Most organisations show the consent banner to all visitors, which is the simpler and safer approach.
Google Consent Mode v2
Since March 2024, Google has required Consent Mode v2 for websites using Google Ads or GA4 that have EEA visitors. This means your consent management platform must signal to Google whether each of four storage types has been granted or denied: analytics_storage and ad_storage (present since the first version) plus ad_user_data and ad_personalization (the two added in v2). Without these signals, Google's advertising, audience and conversion measurement features are restricted for EEA traffic.
Most major CMPs (Cookiebot, OneTrust, Axeptio, Termly) have built-in Consent Mode v2 support. If you are using a custom cookie notice, you need to implement the signals yourself: a gtag('consent', 'default', ...) call setting everything to denied before the gtag.js or Tag Manager snippet loads, and a gtag('consent', 'update', ...) call reflecting the visitor's choice once it is made, and again on every later page view where a stored choice exists.
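As an added example (not code from the original article or from any CMP vendor), the script below implements the pattern this section describes and the two mistakes above, "Firing trackers before consent" and "Consent stored but not respected", are meant to avoid: it sets the Consent Mode v2 default to denied before any tag loads, reads the visitor's stored per-category choice, sends the update signal, and injects only the scripts whose category was granted. The cookie name `cookie_consent`, its `v1|category:flag` value format, the three category names, the category-to-storage-type mapping and the tracker URLs and IDs are assumptions for illustration; the `gtag('consent', ...)` calls and the storage-type names are Google's own API.

```javascript
// Added example, not from the original article or any CMP vendor: a minimal consent
// gate with default-deny Consent Mode v2 signals, a stored per-category choice, and
// script loading controlled by that choice. Cookie name/format, categories, the
// category-to-storage-type mapping and tracker URLs/IDs are assumptions.

const CATEGORIES = ['analytics', 'advertising', 'functional'];

// Google Consent Mode storage types per category (assumed mapping). The four under
// analytics/advertising are the ones Consent Mode v2 requires; the functional pair is optional.
const CONSENT_MODE_TYPES = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  functional: ['functionality_storage', 'personalization_storage'],
};

// Third-party scripts and the category each needs before it may load (IDs are placeholders).
const TRACKERS = [
  { name: 'GA4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
  { name: 'Meta Pixel', category: 'advertising', src: 'https://connect.facebook.net/en_US/fbevents.js' },
  { name: 'Hotjar', category: 'analytics', src: 'https://static.hotjar.com/c/hotjar-0.js?sv=6' },
];

const CONSENT_COOKIE = 'cookie_consent'; // assumed cookie name

// State before the visitor chooses: everything denied. Push it with
// gtag('consent', 'default', ...) before any tag loads.
function defaultConsentPayload() {
  const payload = {};
  for (const types of Object.values(CONSENT_MODE_TYPES)) {
    for (const type of types) payload[type] = 'denied';
  }
  return payload;
}

// Translate a per-category choice into a Consent Mode 'update' payload. A category
// that is missing or not explicitly true stays denied: silence is not consent.
function consentModePayload(choices) {
  const payload = {};
  for (const [category, types] of Object.entries(CONSENT_MODE_TYPES)) {
    const state = choices && choices[category] === true ? 'granted' : 'denied';
    for (const type of types) payload[type] = state;
  }
  return payload;
}

// Cookie value format (assumed): "v1|analytics:1|advertising:0|functional:1".
function serializeConsent(choices) {
  return ['v1', ...CATEGORIES.map((c) => `${c}:${choices[c] === true ? 1 : 0}`)].join('|');
}

// Parse document.cookie (or a Cookie header) back into a choice object. Returns null
// when there is no usable record, so the caller shows the banner and keeps everything denied.
function parseConsentCookie(cookieString) {
  if (!cookieString) return null;
  const entry = cookieString.split(/;\s*/).map((p) => p.split('=')).find(([n]) => n === CONSENT_COOKIE);
  if (!entry) return null;
  const [version, ...fields] = entry.slice(1).join('=').split('|');
  if (version !== 'v1') return null; // unknown format: treat as no consent
  const choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  for (const field of fields) {
    const [category, flag] = field.split(':');
    if (CATEGORIES.includes(category)) choices[category] = flag === '1';
  }
  return choices;
}

// Scripts whose category was granted; nothing when there is no record.
function scriptsToLoad(choices, trackers = TRACKERS) {
  return choices ? trackers.filter((t) => choices[t.category] === true) : [];
}

// Apply a choice: send the Consent Mode update, then inject only the permitted scripts.
// gtag and loadScript are injected so this runs (and is testable) outside a browser.
function applyConsent(choices, { gtag, loadScript }) {
  gtag('consent', 'update', consentModePayload(choices));
  const loaded = [];
  for (const tracker of scriptsToLoad(choices)) {
    loadScript(tracker.src);
    loaded.push(tracker.name);
  }
  return loaded; // names of the scripts that were injected
}

// Browser wiring; skipped under Node.
if (typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  window.gtag = window.gtag || function () { window.dataLayer.push(arguments); };
  // Default-deny first, before the gtag.js / GTM snippet is added to the page.
  window.gtag('consent', 'default', { ...defaultConsentPayload(), wait_for_update: 500 });
  const loadScript = (src) => { const s = document.createElement('script'); s.async = true; s.src = src; document.head.appendChild(s); };
  const stored = parseConsentCookie(document.cookie);
  if (stored) applyConsent(stored, { gtag: window.gtag, loadScript }); // returning visitor: honour the record
  // Otherwise render the banner (not shown). When the visitor clicks Accept All, Reject All
  // or Save, persist and apply:  document.cookie = `${CONSENT_COOKIE}=${serializeConsent(choices)};
  // Max-Age=15552000; Path=/; Secure; SameSite=Lax`;  applyConsent(choices, { gtag: window.gtag, loadScript });
}
```

The `gtag` and `loadScript` dependencies are injected so the decision logic can be unit-tested outside a browser; in the page, the guarded block at the bottom wires them to `dataLayer` and `document`. Two points matter for compliance: the default call has to run before the gtag.js or Tag Manager snippet is added, otherwise tags can fire while consent is still unknown; and withdrawing consent (`applyConsent` with every category false) updates Google's signals but cannot unload non-Google scripts that are already in the page, which is why most implementations reload after the choice changes.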
Check Your Site
Use our Cookie Consent Checker to scan any URL for consent management platforms, Google Consent Mode signals and compliance indicators. For a deeper look at what trackers your site is running and whether they are being deferred pending consent, use our Tracker Scanner.
Remember that automated tools give a starting point — they cannot tell you whether your banner appearance, consent records or data processing agreements are compliant. For a site that collects significant personal data or runs advertising, a legal review is worthwhile.