Cookie Banner Requirements Under EU Law (2026 Guide)
Steven | TrustYourWebsite · 14 May 2026 · Last updated: May 2026
A cookie banner is the visible front-end of a deeper compliance obligation: under Article 5(3) of the ePrivacy Directive, as transposed in each EU member state, a website may not place cookies on a user's device or read information from it unless the user has given prior consent, except where the cookie is strictly necessary for the service the user explicitly requested. Consent must meet the GDPR Article 4(11) standard: freely given, specific, informed and unambiguous, indicated by a statement or a clear affirmative action.
The Court of Justice of the EU confirmed this standard in Planet49 (C-673/17) on 1 October 2019. The European Data Protection Board consolidated the practical requirements in Guidelines 05/2020 on consent under Regulation 2016/679, which national supervisory authorities apply when enforcing cookie consent.
In practice, a large share of cookie banners on EU-facing websites fail at least one of these requirements. This guide covers what the requirements actually are, what counts as a dark pattern, the practical implementation pattern that passes inspection and the recurring enforcement themes across member states. Run a free cookie banner scan to see which of these requirements your site already meets.
When a banner is required
Article 5(3) of the ePrivacy Directive applies whenever the website:
- Places a cookie on the user's device, or
- Reads information already on the user's device (including localStorage, sessionStorage, IndexedDB, Cache Storage and the device characteristics read by fingerprinting scripts)
The exception is for cookies that are strictly necessary for the service the user explicitly requested. The Article 29 Working Party's Opinion 04/2012 on the cookie consent exemption (WP194) and the EDPB's subsequent guidance read this narrowly:
- Session cookies that maintain login state during a session: strictly necessary
- Cart cookies for an active shopping session: strictly necessary
- Load-balancing cookies that route the user to a specific server: strictly necessary
- CSRF and security tokens: strictly necessary
- Cookies that remember language preference: borderline, arguably necessary for a multilingual site
- Analytics cookies (Google Analytics, Matomo with a persistent visitor ID): not strictly necessary. Plausible's default configuration sets no cookie at all, so it does not belong in this list; the Article 5(3) test still has to be applied to whatever such a script reads from the device.
- Advertising and marketing pixels: not strictly necessary
- Social media embed cookies (YouTube, X/Twitter, Facebook): not strictly necessary
- Fonts and CDN assets loaded from a third party (Google Fonts served from Google rather than self-hosted): Google Fonts sets no cookie, so this is not a cookie question as such, but the request discloses the visitor's IP address to the third party, which is a GDPR question in its own right. See the Google Fonts and GDPR guide.
If the site uses any cookie outside the strictly-necessary set, a banner is required.
Six requirements that an EU cookie banner must satisfy
These are derived from EDPB Guidelines 05/2020 and the consistent enforcement practice of national supervisory authorities.
1. Prior consent before any non-essential cookie
The banner must appear before any non-essential cookie is set and before any tracker is activated. A page that loads Google Analytics in the head and shows the banner afterwards has already infringed. The banner is too late.
Technical implementation: gate every non-essential script through a tag manager or consent management platform that fires only on the consent event for that category. Google Tag Manager, Cookiebot, OneTrust and self-built consent managers can all do this. The test is simple: open the site in a clean browser profile with the network panel open, do not click anything, and look for requests to analytics or advertising hosts. If any appear before the user has chosen, the gating has failed regardless of what the banner says.
2. Reject must be as easy as Accept
The Accept All and Reject All options must be presented at the same level, with the same visual prominence and the same number of clicks. The CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically for making rejection harder than acceptance. The Italian Garante, the Spanish AEPD and the German Datenschutzbehörden have followed with consistent decisions on the same point.
Patterns that fail this test:
- Accept button in colour, Reject behind a "Settings" link
- Accept as a single click, Reject requiring opening a modal and unticking each category
- Reject in muted grey, Accept in saturated brand colour
- Reject button styled as a link, Accept styled as a button
3. Granular consent by purpose
Consent must be granular: the user must be able to accept analytics without accepting marketing, and vice versa. A single "Accept" that bundles all purposes is not specific consent under Article 4(11) GDPR.
Practical implementation: at least three categories visible from the first screen of the banner:
- Strictly necessary (always on, not user-controllable)
- Analytics
- Marketing / advertising
- Optionally: functional/preferences as a fourth category
The user accepts or rejects per category.
4. Clear information before the decision
The user must be informed before consenting. The banner itself does not need to list every cookie, but the link to the cookie policy must be visible from the banner and the policy must be accurate. The information that must be available includes:
- The categories of cookies and their purposes
- The names of the third parties (or categories of third parties) that receive data
- The retention period of each cookie
- The rights of the data subject and how to withdraw consent
A cookie policy that is generic or out of date is a finding even if the banner itself looks compliant.
5. No dark patterns
The EDPB Guidelines 03/2022 on deceptive design patterns (written for social media interfaces, but applied by supervisory authorities by analogy to consent banners) enumerate the manipulations that invalidate consent:
- Misleading wording ("Make our content better" when the choice is actually to share data with advertisers)
- Pre-selected options
- Visual bias toward acceptance
- Forced consent (cookie walls without a paid alternative or with a coercive alternative)
- Repetitive consent prompts that wear down the user
- Difficulty in withdrawing consent compared to giving it
National authorities including the French CNIL, the Italian Garante, the Belgian GBA and the Spanish AEPD have applied this guidance to specific banners and found infringements.
6. Withdrawal as easy as consent
Article 7(3) GDPR requires that the user be able to withdraw consent at any time, and the withdrawal mechanism must be as easy as giving consent. A persistent link in the website footer (often labelled "Cookie settings" or "Cookie preferences") that reopens the banner is the standard implementation. Hiding the withdrawal in the privacy policy text or requiring an email to customer support is an infringement.
Pre-ticked boxes: confirmed invalid since 2019
The Court of Justice of the EU ruled in Planet49 (C-673/17) that consent within the meaning of Article 2(f) of the ePrivacy Directive (which points to the definition in Article 2(h) of Directive 95/46/EC) and Article 4(11) GDPR cannot be expressed via a pre-ticked checkbox. Despite this being settled law since October 2019, pre-ticked boxes still appear regularly in cookie banner audits.
The corollary is that a banner with no checkboxes at all (only Accept and Reject buttons) sidesteps the problem: with no box, nothing can be pre-ticked. This is why most compliant 2026 banners use buttons rather than checkboxes. The buttons must do what they say, however: a Reject button that merely closes the banner while the trackers load anyway fails requirement 1. For more detail on the pre-tick prohibition, see pre-checked checkbox is illegal.
Implied consent (continued browsing): also invalid
A banner that says "by continuing to use this site you accept our cookies" is not compliant. Continued browsing, scrolling or closing the banner without making a choice is not a clear affirmative action. The user must actively click Accept or Reject (or otherwise express granular preferences).
This pattern remains common on small-business websites that have not updated their banners since the pre-GDPR era. Every visit on which a non-essential cookie is set on that basis is a cookie set without valid consent.
Cookie walls and pay-or-consent models
A cookie wall conditions access to the website on the user's consent to non-essential cookies. The EDPB Guidelines 05/2020 state that consent obtained under such conditions is not freely given.
Some publishers have introduced a "pay-or-consent" model: free access in exchange for consent to advertising cookies, or paid access without advertising. National authorities have taken inconsistent positions. The Austrian DSB and several German authorities have accepted pay-or-consent under tight conditions. The EDPB's Opinion 08/2024 (April 2024), addressed to large online platforms, tightened the criteria significantly: the paid alternative must be reasonably priced and a genuine alternative, and the model must not exploit a power imbalance between platform and user. Small businesses are advised to avoid this model unless they have specific legal advice.
Enforcement landscape (2024-2026)
National supervisory authorities have moved aggressively on cookie banner non-compliance. Three patterns recur:
- Coordinated EDPB actions: The 2023 Coordinated Enforcement Framework action targeted DPO designations, with cookie banner enforcement following in many national programmes thereafter.
- High-profile fines: CNIL on Google and Facebook (2022), Garante on multiple Italian publishers, AEPD on Vodafone and major Spanish retailers.
- Mass advisory letters: Belgian GBA, Spanish AEPD and others have sent hundreds of advisory letters to non-compliant SMEs, often as a precursor to formal proceedings.
A small business is not a primary target for the multi-million-euro fine bracket, but is well within range of the advisory-letter mass actions that can convert into five-figure fines if not addressed within the deadline.
Practical implementation pattern
For a small business website, the following pattern is what passes inspection in 2026:
- Consent management platform or self-built equivalent that loads before any non-essential script.
- Banner on first visit with three clearly labelled buttons: Accept All, Reject All, Manage Preferences. Same visual weight on Accept and Reject.
- Granular categories in the Manage Preferences view: Strictly necessary (always on), Analytics, Marketing. Add more if applicable.
- Consent stored for a defined period (typically 6-12 months). The banner reappears after the period or when categories change.
- Footer link labelled "Cookie settings" or "Cookie preferences" that reopens the banner.
- Cookie policy linked from the banner and the footer, listing every cookie, third party, purpose and retention.
- Tag firing gated by category-specific consent events.
- Server-side logging of consent events for accountability under Article 7(1) GDPR (the controller must be able to demonstrate consent).
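The gating, granularity, storage, withdrawal and logging points above, as an added example: the code below is not from the original page and is not any CMP vendor's API. It is a minimal self-built consent manager in JavaScript. It assumes a `storage` adapter with `get`/`set`/`remove` (in a browser, a thin wrapper around localStorage or a first-party cookie) and one `loaders` function per category that injects that category's script tag. The `memoryStorage` adapter and the `demo` walk-through are constructed so the module runs offline.

```javascript
// Added example (not from the original page): a minimal self-built consent
// manager. Each non-essential category is gated behind its own consent signal,
// the decision is stored with an expiry and a policy version, and every
// decision returns a record the page can POST to the server for Art. 7(1)
// accountability. `storage` and `loaders` are assumed interfaces: in a browser,
// back `storage` with localStorage and make each loader inject its <script>.

const DAY_MS = 24 * 60 * 60 * 1000;
const CATEGORIES = ['necessary', 'analytics', 'marketing']; // 'necessary' is always on

function createConsentManager({ storage, loaders, now = () => Date.now(),
                                ttlDays = 180, policyVersion = 'v1' }) {
  const KEY = 'cookie_consent';
  const fired = new Set(); // categories whose scripts already ran on this page view

  // Returns the stored decision, or null when the banner must be shown again:
  // nothing stored, unparseable, older than ttlDays, or made under a previous
  // policy version (the categories or third parties changed).
  function read() {
    const raw = storage.get(KEY);
    if (!raw) return null;
    let rec;
    try { rec = JSON.parse(raw); } catch { return null; }
    if (rec.policyVersion !== policyVersion) return null;
    if (now() - rec.timestamp > ttlDays * DAY_MS) return null;
    return rec;
  }

  // Only here does a third-party request go out, and only for granted categories.
  function fire(rec) {
    for (const cat of CATEGORIES) {
      if (cat === 'necessary') continue;
      if (rec.granted[cat] === true && !fired.has(cat)) {
        fired.add(cat);
        loaders[cat]();
      }
    }
  }

  // choices: { analytics: bool, marketing: bool }. Anything not explicitly true
  // is a rejection, so "Reject all" is simply decide({}, 'reject_all').
  function decide(choices, action) {
    const granted = { necessary: true };
    for (const cat of CATEGORIES) {
      if (cat !== 'necessary') granted[cat] = choices[cat] === true;
    }
    const rec = { granted, timestamp: now(), policyVersion, action };
    storage.set(KEY, JSON.stringify(rec));
    fire(rec);
    return rec; // the caller logs this server-side (timestamp, version, choices)
  }

  return {
    needsBanner: () => read() === null,
    init: () => { const rec = read(); if (rec) fire(rec); return rec; },
    acceptAll: () => decide({ analytics: true, marketing: true }, 'accept_all'),
    rejectAll: () => decide({}, 'reject_all'),
    save: (choices) => decide(choices, 'save_preferences'),
    // Withdrawal cannot unload scripts that already ran on this page view; the
    // page should delete that category's cookies and reload after recording it.
    withdraw: () => decide({}, 'withdraw'),
  };
}

// In-memory storage adapter for the offline demo; a browser adapter would wrap
// localStorage.getItem/setItem/removeItem behind the same three methods.
function memoryStorage() {
  const m = new Map();
  return { get: (k) => (m.has(k) ? m.get(k) : null), set: (k, v) => m.set(k, v),
           remove: (k) => m.delete(k) };
}

// Constructed walk-through: first visit, granular choice, a second page view that
// replays the stored consent, a withdrawal, then expiry forcing the banner back.
function demo() {
  const calls = { analytics: 0, marketing: 0 };
  let clock = Date.parse('2026-05-14T10:00:00Z');
  const storage = memoryStorage();
  const make = () => createConsentManager({
    storage, now: () => clock, ttlDays: 180, policyVersion: 'v2',
    loaders: { analytics: () => calls.analytics++, marketing: () => calls.marketing++ },
  });

  const first = make();
  const bannerOnFirstVisit = first.needsBanner();       // true: nothing stored yet
  const nothingFiredBeforeChoice = calls.analytics + calls.marketing === 0;
  first.save({ analytics: true });                      // granular: marketing stays off
  const afterGranular = { ...calls };                   // { analytics: 1, marketing: 0 }

  const secondPage = make();                            // next page view, same storage
  const bannerOnSecondPage = secondPage.needsBanner();  // false: consent still valid
  secondPage.init();                                    // replays: analytics fires, marketing does not
  const afterReplay = { ...calls };                     // { analytics: 2, marketing: 0 }

  const withdrawal = secondPage.withdraw();             // granted.analytics === false
  clock += 181 * DAY_MS;                                // past ttlDays
  const bannerAfterExpiry = make().needsBanner();       // true again

  return { bannerOnFirstVisit, nothingFiredBeforeChoice, afterGranular,
           bannerOnSecondPage, afterReplay, withdrawal, bannerAfterExpiry };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real page, `init()` runs in the head before any analytics or marketing tag is referenced, the three banner buttons call `acceptAll`, `rejectAll` and `save`, the footer "Cookie settings" link reopens the preferences view (or calls `withdraw()`), and every returned record is POSTed to an endpoint that stores it with the request time. Bumping `policyVersion` whenever a category or third party is added is what makes the banner reappear on category changes without touching the stored timestamp logic.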
Common failure modes from audits
These appear in published decisions and in our own scans of small-business websites.
Analytics loads before the consent event. Most common single failure. The fix is structural, not cosmetic: it requires reorganising script loading so that nothing non-essential is referenced until the consent manager has a decision for that category. Verify with a clean browser profile and the network panel, without clicking anything; any request to an analytics or advertising host before the choice is the finding.
Reject button missing or buried. Second most common. CNIL and Garante have repeatedly fined companies that hide reject behind a settings panel.
Cookie policy lists cookies that are no longer set, or fails to list cookies that are set. Caused by drift between marketing tooling decisions and the static policy text. Audit the cookies actually set against the policy quarterly: capture every Set-Cookie header (first- and third-party) on a first load in a clean profile, once before consent and once after Accept All, and reconcile the names, domains and lifetimes against the policy's table.
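One way to run the quarterly reconciliation just described, which also surfaces the "analytics loads before consent" failure above, as an added example and not the page's own tooling: a JavaScript script that parses captured Set-Cookie headers and compares them with the policy's declared list. It assumes the headers were collected from every response of a first page load in a clean browser profile (for instance exported from a HAR file); the capture, the policy list and the field names `category`, `thirdParty` and `retentionDays` are constructed for this example.

```javascript
// Added example (not from the original page): reconcile the cookies a site
// actually sets against what its cookie policy declares. The Set-Cookie headers
// below are constructed to look like a pre-consent first load captured across
// all responses (first- and third-party) in a clean browser profile; the policy
// list mirrors a typical static policy page. Field names are assumptions.

const SCAN_TIME = Date.parse('2026-05-14T10:00:00Z'); // when the capture was taken

// Parse one Set-Cookie header into { name, domain, retentionDays }.
// retentionDays is 0 for a session cookie; Max-Age takes precedence over
// Expires, as RFC 6265 section 4.1.2.2 requires.
function parseSetCookie(header, scanTime = SCAN_TIME) {
  const parts = header.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const attrs = {};
  for (const p of parts.slice(1)) {
    const i = p.indexOf('=');
    const k = (i === -1 ? p : p.slice(0, i)).toLowerCase();
    attrs[k] = i === -1 ? true : p.slice(i + 1);
  }
  let retentionDays = 0;
  if (attrs['max-age'] !== undefined) {
    retentionDays = Number(attrs['max-age']) / 86400;
  } else if (typeof attrs.expires === 'string') {
    const exp = Date.parse(attrs.expires);
    if (!Number.isNaN(exp)) retentionDays = (exp - scanTime) / 86400000;
  }
  return { name, domain: attrs.domain || null,
           retentionDays: Math.max(0, Math.round(retentionDays)) };
}

// Compare observed cookies with the declared policy. `consented` says whether
// the capture was taken after Accept All; a pre-consent capture is the one
// that reveals non-essential cookies set before the consent event.
function auditCookies(observed, policy, consented) {
  const declared = new Map(policy.map((c) => [c.name, c]));
  const seen = new Set();
  const findings = [];
  for (const c of observed) {
    seen.add(c.name);
    const d = declared.get(c.name);
    if (!d) {
      findings.push({ severity: 'high', cookie: c.name,
                      issue: 'set but not declared in the cookie policy' });
      continue;
    }
    if (!consented && d.category !== 'necessary') {
      // language/preference cookies are borderline: report for review, not as a failure
      findings.push({ severity: d.category === 'functional' ? 'medium' : 'high',
                      cookie: c.name, issue: `${d.category} cookie set before consent` });
    }
    const tolerance = Math.max(1, 0.05 * d.retentionDays); // allow clock skew, not drift
    if (Math.abs(c.retentionDays - d.retentionDays) > tolerance) {
      findings.push({ severity: 'medium', cookie: c.name,
                      issue: `declared retention ${d.retentionDays}d, observed ${c.retentionDays}d` });
    }
  }
  for (const d of policy) {
    if (!seen.has(d.name)) {
      findings.push({ severity: 'low', cookie: d.name,
                      issue: 'declared in the policy but not observed (stale entry)' });
    }
  }
  return findings;
}

// Constructed capture: Set-Cookie headers seen on first load, before any click.
const CAPTURED_SET_COOKIE = [
  'sessionid=3f9c; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.1.1234.5678; Max-Age=63072000; Domain=.example.com; Path=/',
  'lang=en; Expires=Fri, 14 May 2027 10:00:00 GMT; Path=/',
  'fr=QmFkSWRlYQ; Max-Age=7776000; Domain=.facebook.com; Path=/; Secure',
];

// Constructed policy table: note the stale _gid entry and the _ga lifetime
// copied from an older product version.
const DECLARED_POLICY = [
  { name: 'sessionid', category: 'necessary', thirdParty: null, retentionDays: 0 },
  { name: '_ga', category: 'analytics', thirdParty: 'Google', retentionDays: 365 },
  { name: '_gid', category: 'analytics', thirdParty: 'Google', retentionDays: 1 },
  { name: 'lang', category: 'functional', thirdParty: null, retentionDays: 365 },
];

function auditSampleScan(consented = false) {
  const observed = CAPTURED_SET_COOKIE.map((h) => parseSetCookie(h));
  return auditCookies(observed, DECLARED_POLICY, consented);
}

console.log(auditSampleScan(false));
```

Run against the constructed capture, the pre-consent audit reports five findings: _ga set before consent and with a lifetime twice what the policy states, the language cookie flagged for review, an undeclared Facebook cookie, and a stale _gid entry. The same capture taken after Accept All drops the two "before consent" findings and leaves the three policy-drift ones, which is the distinction a supervisory authority draws between a gating failure and a documentation failure.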
Single Accept button that bundles all purposes. No granular control. Each purpose needs an independent acceptance signal.
Consent banner reappears too aggressively. Every page load shows the banner because the decision is not stored, or is stored with a lifetime of zero. A user-experience problem, and one that reads to a supervisory authority as the repetitive prompting listed under dark patterns.
Withdrawal mechanism non-existent. No footer link, no way to change preferences after the initial decision.
For the broader compliance map, the GDPR compliance checklist covers the other controls that surround the cookie banner.
Final checklist
- Banner appears before any non-essential cookie or tracker
- Reject is at the same visual level and click-count as Accept
- Granular categories visible from the first screen
- No pre-ticked boxes
- No reliance on continued browsing or scrolling as consent
- Cookie policy lists every cookie actually set, with third party, purpose and retention
- Consent withdrawal accessible from a persistent footer link
- Consent events logged server-side for Art. 7(1) accountability
- No cookie wall conditioning access on consent
- Stored consent expires after 6-12 months, and the banner reappears on expiry and whenever categories or third parties change
- Quarterly audit of cookies actually set vs cookies declared in the policy
This is technical analysis, not legal advice. For regulated sectors, pay-or-consent models or active supervisory authority investigations, consult a lawyer who specialises in data protection.