Do I Need a Cookie Banner? EU Decision Guide
Steven | TrustYourWebsite · 14 May 2026 · Last updated: May 2026
The question "do I need a cookie banner?" has a short answer and a long answer. The short answer: yes, almost certainly. The long answer is the one that helps you understand whether your specific website falls into the small set of exceptions and what to actually do if it does not.
This guide is a decision flow. Three questions, in order. Each one is answered against Article 5(3) of the ePrivacy Directive and the European Data Protection Board guidance on consent. The decision flow applies across every EU member state, with national-law variations only on the procedural side (which authority enforces, what the fine ceiling is).
If you already know the answer is yes and just want to know what the banner has to look like, jump straight to cookie banner requirements under EU law. For a quick check of which cookies your own site actually sets, run a free scan.
The legal foundation in one paragraph
Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC), as amended by Directive 2009/136/EC, prohibits the storing of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user, unless the subscriber or user has given consent on the basis of clear and comprehensive information. The exception is for technical storage or access strictly necessary for the provision of a service explicitly requested. Each EU member state has transposed this rule into its national law. GDPR adds the definition of what constitutes valid consent (Article 4(11), Article 7).
The rule applies regardless of whether the information stored is personal data. A non-personal preference cookie still falls within Article 5(3). Consent or strict necessity is required either way.
Question 1: does your site set any cookies or read any data from the user's device?
If no, you do not need a banner. The Article 5(3) trigger is the storage of, or access to, information on the device. No storage and no access means no trigger.
What counts as storage or access:
- HTTP cookies (first-party and third-party)
- localStorage and sessionStorage entries
- IndexedDB entries
- Cache storage manipulated by service workers
- Device fingerprinting through Canvas, WebGL or AudioContext (the EDPB has confirmed that device fingerprinting falls under Article 5(3))
- Reading information already present on the device, including User-Agent reads for purposes beyond service delivery
What does not count:
- Reading the Referer header on the server (the header is in transit, not stored on the device)
In practice, the only websites that pass Question 1 with a "no" are:
- Pure static HTML pages with no JavaScript and no embedded resources from third parties
- Some documentation sites or marketing landing pages with no analytics and no fonts loaded from a third party
If your site uses any tracking script, any third-party embed, any consent-management library, or any analytics tool that sets a persistent identifier, the answer to Question 1 is yes and you proceed to Question 2.
Question 2: are all cookies and stored data strictly necessary for the service the user requested?
Article 5(3) exempts cookies that are strictly necessary for the provision of a service explicitly requested by the user. This exception is read narrowly. The table below shows where the line falls.
| Strictly necessary (no consent needed) | NOT strictly necessary (consent needed) |
|---|---|
| Session cookies that maintain login state | Analytics cookies, including first-party analytics |
| Shopping cart cookies during an active checkout | Cookies that remember language preference (national authorities differ; some accept these as functional) |
| CSRF and security tokens | UI personalisation based on past behaviour |
| Load-balancing cookies that route to a specific server | Social media share-button cookies |
| Multimedia session cookies (e.g. video-player playback position within a session) | Advertising and retargeting cookies, including conversion-tracking pixels |
| Cookies that record the user's consent decision | Heatmap and session-replay tools with persistent identifiers |
| Authentication cookies for protected areas | Third-party font cookies (e.g. Google Fonts CDN; see Google Fonts and GDPR) |
| | Embedded YouTube or Vimeo players that set cookies before the user clicks play |
| | A/B testing tools that set persistent identifiers |
If every cookie on your site is in the left column, you do not need a banner. If even one is in the right column, you proceed to Question 3.
In practice, very few commercial websites pass Question 2 with a "yes". The simple test: run your site through a cookie auditor (DevTools Application tab works) and see whether any non-essential cookie appears before any user interaction. If anything appears, you need a banner.
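The check in the previous paragraph, as an added example that is not code from the article: it takes a capture of what the first page load stores on the device (every Set-Cookie header seen, plus web-storage keys) before any user interaction, classifies each item against the site owner's own documented list of strictly-necessary storage, and returns the Question 1 and Question 2 answers together with a per-item record of the kind the internal note in the "What if you decide a banner is not needed" section asks for. The allowlist, host names, cookie names and captured headers are constructed for illustration; the classification is by documented purpose, so anything undocumented is treated as consent-required and the audit fails closed.

```javascript
// Added example, not code from the article: offline audit of what a first page
// load (no user interaction) stores on the device, classified against the site
// owner's documented list of strictly-necessary storage. All inputs are constructed.

// Documented classification (assumption): name -> purpose that makes it strictly
// necessary for the requested service. Anything unlisted is consent-required
// until documented otherwise, so the audit fails closed.
const STRICTLY_NECESSARY = {
  sessionid: "maintains login state for the current session",
  csrftoken: "CSRF protection token",
  cart: "shopping cart during an active checkout",
  cookie_consent: "records the user's consent decision",
  SERVERID: "load-balancer routing to a specific server",
};

// Parse one Set-Cookie header into { name, value, attrs }; attribute names are
// lower-cased and bare flags such as HttpOnly become true.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  if (eq <= 0) throw new Error(`malformed Set-Cookie: ${header}`);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i < 0 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i < 0 ? true : part.slice(i + 1).trim();
  }
  return { name: pair.slice(0, eq).trim(), value: pair.slice(eq + 1), attrs };
}

// Lifetime in seconds relative to `now` (ms since epoch). Max-Age wins over Expires
// (RFC 6265 section 5.3); neither attribute means a session cookie, reported as 0.
function lifetimeSeconds(cookie, now) {
  const { attrs } = cookie;
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]);
  if (attrs.expires !== undefined) return Math.round((Date.parse(attrs.expires) - now) / 1000);
  return 0;
}

// Classify by documented purpose only; first- versus third-party does not enter into it.
function classify(name) {
  return Object.prototype.hasOwnProperty.call(STRICTLY_NECESSARY, name)
    ? { classification: "strictly-necessary", purpose: STRICTLY_NECESSARY[name] }
    : { classification: "consent-required", purpose: "undocumented" };
}

// Audit a first-load capture: responses = [{ host, setCookie }] for each Set-Cookie
// header seen, storage = [{ kind, key }] for localStorage/sessionStorage/IndexedDB.
// Returns the banner decision plus a per-item record for the internal note.
function audit({ siteHost, responses, storage, now }) {
  const record = [];
  for (const { host, setCookie } of responses) {
    const cookie = parseSetCookie(setCookie);
    const lifetime = lifetimeSeconds(cookie, now);
    record.push({ kind: "cookie", name: cookie.name, setBy: host, thirdParty: host !== siteHost,
      persistent: lifetime > 0, lifetimeSeconds: lifetime, ...classify(cookie.name) });
  }
  for (const { kind, key } of storage) {
    // Web storage is bound to the page origin, so it is first-party by construction.
    record.push({ kind, name: key, setBy: siteHost, thirdParty: false,
      persistent: kind !== "sessionStorage", lifetimeSeconds: null, ...classify(key) });
  }
  const consentRequired = record
    .filter((r) => r.classification === "consent-required")
    .map((r) => `${r.kind}:${r.name}`);
  return { needsBanner: consentRequired.length > 0, consentRequired, record };
}

// Constructed capture of a first load of shop.example, before any click.
const SAMPLE_CAPTURE = {
  siteHost: "shop.example",
  now: Date.parse("2026-05-01T00:00:00Z"),
  responses: [
    { host: "shop.example", setCookie: "sessionid=9f2c1a; Path=/; HttpOnly; Secure; SameSite=Lax" },
    { host: "shop.example", setCookie: "csrftoken=4b7e; Path=/; Secure; SameSite=Strict" },
    { host: "shop.example", setCookie: "cookie_consent=pending; Max-Age=31536000; Path=/; Secure" },
    { host: "shop.example", setCookie: "_ga=GA1.1.123; Max-Age=63072000; Path=/" },
    { host: "player.example-cdn", setCookie: "player_visitor=ab12; Expires=Sat, 01 May 2027 00:00:00 GMT; Path=/" },
  ],
  storage: [{ kind: "localStorage", key: "cart" }, { kind: "localStorage", key: "ab_variant" }],
};

const result = audit(SAMPLE_CAPTURE);
console.log(result.needsBanner ? "Banner required." : "No banner needed.");
for (const r of result.record) {
  const life = !r.persistent ? "session" : r.lifetimeSeconds === null ? "persistent" : `${r.lifetimeSeconds}s`;
  console.log(`${r.kind} ${r.name}: ${r.classification} (set by ${r.setBy}, ${life})`);
}
```

Feed it only what appears before any interaction: the Set-Cookie headers from the Network tab and the keys from the Application tab of a fresh private window. The sample capture flags `_ga`, the embedded player's cookie and the `ab_variant` key, so the answer is "banner required" even though the first-party session, CSRF and consent cookies are all fine. The record also keeps the setter host and lifetime per item, which is what the accountability note needs.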
Question 3: do you target EU visitors, or are you accessible to them?
GDPR Article 3 and the ePrivacy Directive together apply to:
- Controllers established in the EU, regardless of where data subjects are
- Controllers established outside the EU, where processing relates to offering goods or services to data subjects in the EU, or monitoring their behaviour within the EU
The threshold for "offering goods or services to the EU" is not residence of the controller; it is direction of the business. Signals include:
- Pricing in EUR
- Shipping to EU countries
- EU-language content beyond default English
- Customer support in EU languages
- Marketing campaigns targeting EU consumers
- Top-level domain or branding indicating EU focus
If your business serves EU visitors, the answer to Question 3 is yes and you need a compliant banner.
A US business that incidentally has some EU visitors but does not target them and does not monitor their behaviour is theoretically outside the GDPR scope. In practice, the risk-free approach for any internet-facing business is to assume scope and put up a compliant banner. The cost of compliance is hours. The cost of being wrong about non-targeting is open-ended.
Decision flow summary
| Question | Yes | No |
|---|---|---|
| 1. Does the site store or access data on the device? | Go to Q2 | No banner needed |
| 2. Is everything strictly necessary? | No banner needed | Go to Q3 |
| 3. Are EU visitors targeted or relevant? | Banner required | Banner optional |
Most websites end in the "Banner required" cell of the table.
What if you decide a banner is not needed
Document the analysis. The accountability principle in GDPR Article 5(2) applies even when the conclusion is that no obligation arises. A short internal note recording the cookies set, the strictly-necessary classification of each, and the geographic targeting analysis is sufficient. The note is the evidence that the decision was reasoned, in case a complaint or inspection ever surfaces.
Re-run the analysis any time the site changes: a new plugin, a new third-party embed, a new analytics tool can quietly move the site from "no banner needed" to "banner required" overnight.
What if you decide a banner is needed
The cookie banner requirements under EU law guide covers the six concrete requirements: prior consent before non-essential cookies, reject equal to accept, granular categories by purpose, clear information, no dark patterns, withdrawal as easy as giving consent. Implementation typically requires a consent management platform (Cookiebot, OneTrust, Iubenda, or a self-built equivalent) that gates non-essential scripts on the consent event.
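The gating mechanism mentioned above, as an added example that is not code from the article or from any CMP vendor: non-essential scripts ship inert as `<script type="text/plain" data-consent="analytics" src="...">` (an assumed convention) and are swapped for live scripts only once a recorded decision grants their category. Until a decision exists the page loads as if everything non-essential had been refused, a rejection is stored exactly like an acceptance, and withdrawing a category expires the cookies that category is known to set. The category names, cookie names, the `data-consent` attribute and the consent-cookie format are all assumptions.

```javascript
// Added example, not code from the article or from any CMP vendor: the gating
// pattern a consent management platform implements. Non-essential scripts ship
// inert as <script type="text/plain" data-consent="analytics" src=...> (an
// assumed convention) and are only turned live once a recorded decision grants
// their category. Category names, cookie names and the attribute are assumptions.

const CATEGORIES = ["analytics", "marketing"]; // non-essential purposes (assumed)
const CONSENT_COOKIE = "cookie_consent";        // strictly necessary: records the decision

// Cookies each category's scripts are known to set (assumed), used on withdrawal.
const CATEGORY_COOKIES = { analytics: ["an_id", "an_session"], marketing: ["ad_id"] };

// Prior consent: until the user decides, the page must load as if everything
// non-essential had been refused.
function defaultConsent() {
  return { decided: false, granted: Object.fromEntries(CATEGORIES.map((c) => [c, false])) };
}

// Read the stored decision from a document.cookie string ("a=b; c=d").
// Anything missing or unparseable counts as "no decision": fail closed.
function readConsent(cookieString) {
  for (const pair of cookieString.split(";")) {
    const [name, ...rest] = pair.trim().split("=");
    if (name !== CONSENT_COOKIE) continue;
    try {
      const stored = JSON.parse(decodeURIComponent(rest.join("=")));
      if (!stored || typeof stored.granted !== "object") throw new Error("bad record");
      const granted = Object.fromEntries(CATEGORIES.map((c) => [c, stored.granted[c] === true]));
      return { decided: true, granted };
    } catch {
      return defaultConsent();
    }
  }
  return defaultConsent();
}

// Serialise a decision for document.cookie. Reject and accept produce the same
// record shape: a reject is a decision too and must not re-prompt on every load.
function consentCookieValue(granted, decidedAtMs, maxAgeSeconds = 180 * 24 * 3600) {
  const normalised = Object.fromEntries(CATEGORIES.map((c) => [c, granted[c] === true]));
  const value = encodeURIComponent(JSON.stringify({ granted: normalised, at: decidedAtMs }));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; Secure; SameSite=Lax`;
}

// Which scripts may run. A script with no category is strictly necessary and
// always runs; anything else needs its category granted.
function planActivation(scripts, consent) {
  return scripts.filter((s) => s.category === undefined || consent.granted[s.category] === true);
}

// Cookie strings that expire the cookies of every category withdrawn between
// `previous` and `next`. Caveat: a page can only expire cookies on its own
// domain; cookies a third-party host set for itself are out of reach from here.
function cookiesToExpire(previous, next) {
  const names = CATEGORIES
    .filter((c) => previous.granted[c] && !next.granted[c])
    .flatMap((c) => CATEGORY_COOKIES[c] || []);
  return names.map((n) => `${n}=; Max-Age=0; Path=/`);
}

// Browser side: swap each permitted inert script for a live one. Takes `doc` as
// a parameter so the pure logic above stays testable outside a browser.
function activateInDocument(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const plan = planActivation(
    inert.map((el) => ({ el, src: el.getAttribute("src"), category: el.dataset.consent })), consent);
  for (const { el, src } of plan) {
    const live = doc.createElement("script");
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return plan.length;
}

// In a browser, activate whatever the stored decision permits on every load.
if (typeof document !== "undefined") {
  activateInDocument(document, readConsent(document.cookie));
}
```

Two things to check when wiring this into a real page: the inert `type="text/plain"` form must be the only copy of each non-essential script (a second, plain `<script>` in the head defeats the gate, which is the misconfiguration the next section describes), and the `Secure` attribute means the consent record is only written on an HTTPS origin. The withdrawal helper is deliberately limited to first-party cookie names; anything a third-party script stored under its own domain has to be handled by that provider.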
For the broader compliance picture, the GDPR compliance checklist covers the other controls that surround the banner.
Common patterns that mislead
These come up repeatedly in conversations with small business owners.
"My analytics is first-party so I do not need consent." First-party vs third-party is irrelevant to the Article 5(3) trigger. The question is whether the data on the device is strictly necessary. First-party analytics is not strictly necessary unless the user explicitly requested analytics, which they did not.
"My site has no users from the EU." Unless the site is geo-blocked, an EU user can visit. If the site does not target EU users, GDPR may not apply. If the site targets globally, it almost certainly applies to incidental EU visitors. Geo-blocking is a binary decision: either you target the EU or you do not. Half measures often fail the legal test.
"My consent management platform handles compliance for me." A CMP is a tool. A misconfigured CMP that loads Google Analytics in the head, or whose Reject button is buried, fails the requirements regardless of the CMP brand. The legal responsibility stays with the controller.
"My CMS has a built-in cookie banner." Some built-in banners are compliant. Many are not. The CNIL and other authorities have fined sites running default WordPress, Shopify or Wix banners that did not meet the granularity or reject-equal-to-accept requirements. Audit the actual behaviour, do not trust the marketing claim.
"I am exempt because I am small." Article 5(3) has no SME exemption. The 250-employee threshold in GDPR Article 30(5) applies only to the record of processing, not to the consent obligation, and even there it is read strictly.
Final checklist
- You have audited the cookies your site actually sets, using DevTools or a scanner
- You can identify, for each cookie, the purpose and the strictly-necessary classification
- You have decided whether your site targets or is relevant to EU visitors
- You have documented the analysis internally for accountability
- If banner required: a compliant banner is in place, with the six requirements met
- If banner not required: the analysis is re-run on every significant site change
This is technical analysis, not legal advice. For complex multi-jurisdictional setups, regulated sectors or active supervisory authority investigations, consult a lawyer who specialises in data protection.