ISpectra Technologies
Guide · Updated Jun 2026 · 10 min read

GDPR Cookie Consent: Rules & How to Get It Right

Cookies aren’t banned — but consent must be done right. Here are the rules and how to build a compliant banner.


The cookie banner is the most-seen, most-mocked and most-misconfigured part of online privacy. Behind it sits a real legal requirement that combines the ePrivacy rules with GDPR’s consent standard — and getting it right is a visible, frequently enforced part of GDPR compliance.

This guide explains which cookies need consent, what valid cookie consent looks like, how to build a compliant banner, and the dark patterns and mistakes to avoid.

Two rules govern cookies

Cookie consent sits at the intersection of two regimes: the ePrivacy rules (in the UK, PECR), which specifically require consent for storing or accessing information on a user’s device, and the GDPR, which sets the standard for what valid consent looks like. Together they shape every cookie banner you see.

So “GDPR cookie consent” is really ePrivacy plus GDPR — ePrivacy says you need consent for non-essential cookies, and GDPR says that consent must be freely given, specific, informed and unambiguous.

Not all cookies need consent

The crucial distinction is between strictly necessary cookies and the rest. Cookies essential to provide a service the user explicitly requested — keeping them logged in, holding a shopping basket, basic security — do not need consent. Everything else — analytics, advertising, personalisation — does.

So GDPR does not ban cookies or even require consent for all of them; it requires consent for the non-essential ones.


The main cookie categories

It helps to group cookies into four buckets: strictly necessary (no consent needed), functional (remembering preferences), analytics (understanding usage), and advertising/tracking (targeting and measuring ads). All but the first generally require consent.

Categorising your cookies this way is the first practical step, because it tells you exactly what needs consent and what doesn’t.

What valid cookie consent looks like

Because GDPR sets the standard, cookie consent must be a clear opt-in: an affirmative action, not pre-ticked boxes or “by continuing to browse you agree”. It must be granular (separate choices for analytics and advertising), informed (clear information about each category), and as easy to refuse as to accept.

If accepting is one click but rejecting takes several, the consent is not freely given.

Consent before cookies are set

A common technical failing: non-essential cookies must not be set until the user has consented. Many sites fire analytics and advertising cookies on page load, before the banner is even answered — which is non-compliant no matter how good the banner looks.

Your implementation must genuinely block non-essential cookies until consent is given, not just record a preference after the fact.

Make rejecting easy

Regulators have been clear that a balanced banner is required: a “Reject all” option should be as prominent and easy as “Accept all”. Banners that bury the reject option, use confusing wording, or nudge users toward acceptance with design tricks are increasingly enforced against.

These manipulative designs — “dark patterns” — undermine the freely-given requirement and attract regulatory attention.

Easy withdrawal

Just as consent must be easy to give, it must be easy to withdraw. Users should be able to change their cookie choices at any time — commonly through a persistent link or icon that reopens the preferences. Withdrawal should be as straightforward as the original consent.

A “set and forget” banner with no way to revisit choices does not meet the standard.
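The three requirements above (no non-essential cookie until a choice is made, reject as easy as accept, withdrawal as easy as consent) come down to one piece of page logic. The following is an added example, not code from this page or from any consent management platform: a minimal consent gate in which non-essential tags are shipped inert and are only activated for the categories the user has opted into. The attribute names (`data-consent`, `data-src`), the storage key, the button ids and the sample tag list are this example's own assumptions.

```javascript
// Added example (not the page's or any CMP's code): a minimal consent gate.
// Nothing non-essential runs until the user opts in, per category; "Reject all"
// is one click like "Accept all"; withdrawal returns to the default state.
// Attribute names, storage key and button ids below are assumed conventions.

const CATEGORIES = ["necessary", "functional", "analytics", "advertising"];
const STORAGE_KEY = "cookie-consent-v1"; // assumed; storing the choice itself is strictly necessary

// Before any choice is made, only strictly necessary processing is allowed.
function defaultConsent() {
  return { necessary: true, functional: false, analytics: false, advertising: false, decidedAt: null };
}

// Turn the user's explicit choices into a consent record. Only an explicit
// `true` counts as opt-in (no pre-ticked or implied acceptance), and the record
// is timestamped so it can later be produced as evidence of what was chosen when.
function recordConsent(choices, now = new Date()) {
  const record = defaultConsent();
  for (const category of CATEGORIES) {
    if (category !== "necessary") record[category] = (choices || {})[category] === true;
  }
  record.decidedAt = now.toISOString();
  return record;
}

// "Accept all" and "Reject all" are symmetric one-click outcomes.
function acceptAll(now = new Date()) {
  return recordConsent({ functional: true, analytics: true, advertising: true }, now);
}
function rejectAll(now = new Date()) {
  return recordConsent({}, now);
}
// Withdrawal is the same path as "Reject all": necessary-only, new timestamp.
const withdrawConsent = rejectAll;

// Decide which declared tags may run under a consent record. A tag with a
// missing or unknown category is treated as non-essential and stays blocked.
function tagsAllowedToRun(tags, consent) {
  return tags.filter((t) => CATEGORIES.includes(t.category) && consent[t.category] === true);
}

// Cookies already on the device whose category is no longer consented to.
// A withdrawal handler should expire these, not merely stop reading them.
function cookiesToExpire(cookiesOnDevice, consent) {
  return cookiesOnDevice.filter((c) => consent[c.category] !== true).map((c) => c.name);
}

// Browser wiring. Non-essential tags are written into the page as
//   <script type="text/plain" data-consent="analytics" data-src="https://analytics.example/tag.js"></script>
// so the browser never executes them until this code swaps them for live scripts.
// Returns the number of tags activated (0 when there is no DOM, e.g. under Node).
function applyConsent(consent, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0;
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const allowed = tagsAllowedToRun(inert.map((el) => ({ category: el.dataset.consent, el })), consent);
  for (const { el } of allowed) {
    const live = doc.createElement("script");
    if (el.dataset.src) live.src = el.dataset.src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// On page load: apply the stored record (defaulting to necessary-only) and wire
// the banner buttons. Persisting the record is what avoids re-prompting.
if (typeof window !== "undefined") {
  const stored = window.localStorage.getItem(STORAGE_KEY);
  applyConsent(stored ? JSON.parse(stored) : defaultConsent());
  const decide = (record) => {
    window.localStorage.setItem(STORAGE_KEY, JSON.stringify(record));
    applyConsent(record);
  };
  document.getElementById("accept-all")?.addEventListener("click", () => decide(acceptAll()));
  document.getElementById("reject-all")?.addEventListener("click", () => decide(rejectAll()));
  document.getElementById("withdraw-consent")?.addEventListener("click", () => decide(withdrawConsent()));
}
```

The point of the `type="text/plain"` trick is that the browser treats the tag as inert data, so an analytics or advertising script cannot fire on page load however the banner is styled; a banner that merely records a preference after the tags have already run fails the test in the section above. Note that `tagsAllowedToRun` fails closed: a tag whose category was never declared is blocked, which is the safe default when a new third-party embed is added without updating the inventory.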

The cookie policy

Alongside the banner, you should provide clear information about your cookies — often a cookie policy or a section of your privacy notice — listing the cookies you use, their purpose, and their duration. This is part of the “informed” requirement.

Keep it accurate: a cookie policy that doesn’t match the cookies actually set is a common and easily spotted gap.

Keep records of consent

As with any consent, you must be able to demonstrate it: which categories a user accepted or rejected, and when. Consent management platforms typically log this automatically, giving you the evidence you need if challenged.

Records also let you respect prior choices and avoid re-prompting users unnecessarily.

Audit your cookies regularly

You cannot manage cookies you don’t know about. Scan your site to discover every cookie and tracker — including those set by third-party scripts and embeds — categorise them, and make sure your banner and policy reflect reality.

New tools and tags add cookies over time, so a periodic audit keeps your consent setup accurate.
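An audit of this kind is easiest to keep honest if it compares two crawls with the declared inventory: the Set-Cookie headers observed when the page is loaded and the banner left unanswered, and the headers observed after "Accept all". The following is an added example, not code from this page: it parses the headers and reports four gaps that the preceding sections describe (a non-essential cookie set before any choice, a cookie missing from the policy, a lifetime longer than the policy states, and a declared cookie that no longer appears). The inventory, the cookie names and the headers are constructed sample data.

```javascript
// Added example (not the page's code): reconcile cookies observed on a crawl
// with the inventory declared in the cookie policy. All data below is constructed.

// What the cookie policy claims: name, category, and the lifetime it states in days.
const DECLARED_COOKIES = [
  { name: "sessionid", category: "necessary", maxAgeDays: 0 }, // session-only
  { name: "csrftoken", category: "necessary", maxAgeDays: 365 },
  { name: "prefs", category: "functional", maxAgeDays: 180 },
  { name: "_ga", category: "analytics", maxAgeDays: 365 },
  { name: "_fbp", category: "advertising", maxAgeDays: 90 },
];

// Constructed Set-Cookie headers captured with the banner left unanswered.
const SAMPLE_BEFORE_CONSENT = [
  "sessionid=7f3a; Path=/; Secure; HttpOnly; SameSite=Lax",
  "csrftoken=9c1e; Max-Age=31536000; Path=/; Secure; SameSite=Lax",
  "_ga=GA1.1.555; Max-Age=63072000; Path=/; Domain=.example.com", // analytics, fired on page load
];

// Constructed headers captured after clicking "Accept all".
const SAMPLE_AFTER_ACCEPT_ALL = [
  ...SAMPLE_BEFORE_CONSENT,
  "_fbp=fb.1.1718000000.42; Max-Age=7776000; Path=/; Domain=.example.com",
  "_tracker_uid=u-1; Expires=Wed, 01 Jul 2026 00:00:00 GMT; Path=/", // absent from the policy
];

// Parse one Set-Cookie header into the fields the audit needs. Max-Age takes
// precedence over Expires (RFC 6265); a cookie with neither is a session cookie.
function parseSetCookie(header, now = Date.now()) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eqIdx = pair.indexOf("=");
  const name = (eqIdx === -1 ? pair : pair.slice(0, eqIdx)).trim();
  const cookie = { name, maxAgeDays: 0, domain: null };
  let hasMaxAge = false;
  let expiresDays = null;
  for (const attr of attrs) {
    const eq = attr.indexOf("=");
    const key = (eq === -1 ? attr : attr.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : attr.slice(eq + 1).trim();
    if (key === "max-age") {
      hasMaxAge = true;
      cookie.maxAgeDays = Math.round(Number(value) / 86400);
    } else if (key === "expires") {
      expiresDays = Math.round((Date.parse(value) - now) / 86400000);
    } else if (key === "domain") {
      cookie.domain = value;
    }
  }
  if (!hasMaxAge && expiresDays !== null) cookie.maxAgeDays = expiresDays;
  return cookie;
}

// Compare both crawls against the declared inventory and return the gaps.
function auditCookies(beforeConsent, afterAcceptAll, declared, now = Date.now()) {
  const byName = new Map(declared.map((c) => [c.name, c]));
  const before = beforeConsent.map((h) => parseSetCookie(h, now));
  const after = afterAcceptAll.map((h) => parseSetCookie(h, now));
  const findings = { setBeforeConsent: [], undeclared: [], longerThanDeclared: [], notObserved: [] };

  // Anything non-essential, or unknown to the policy, set before a choice was made.
  for (const c of before) {
    const d = byName.get(c.name);
    if (!d || d.category !== "necessary") findings.setBeforeConsent.push(c.name);
  }
  // Policy versus reality once everything has been allowed.
  const observed = new Set();
  for (const c of [...before, ...after]) {
    if (observed.has(c.name)) continue;
    observed.add(c.name);
    const d = byName.get(c.name);
    if (!d) findings.undeclared.push(c.name);
    else if (c.maxAgeDays > d.maxAgeDays) findings.longerThanDeclared.push(c.name);
  }
  // Declared cookies that were never seen: the policy is describing something stale.
  for (const d of declared) if (!observed.has(d.name)) findings.notObserved.push(d.name);
  return findings;
}

console.log(JSON.stringify(auditCookies(SAMPLE_BEFORE_CONSENT, SAMPLE_AFTER_ACCEPT_ALL, DECLARED_COOKIES), null, 2));
```

Run this against headers captured by a real crawler (any browser automation that records `Set-Cookie` responses will do) and the four lists map directly onto the fixes: block the `setBeforeConsent` tags behind the consent gate, add the `undeclared` cookies to the policy or remove the script that sets them, correct the stated lifetimes for `longerThanDeclared`, and delete the `notObserved` entries. Cookies set by JavaScript rather than by response headers will not appear in `Set-Cookie`; a complete audit also reads `document.cookie` after each crawl and feeds those names through the same comparison.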

Consent management platforms

Most organisations use a Consent Management Platform (CMP) to implement all this: presenting the banner, blocking non-essential cookies until consent, recording choices, and offering easy withdrawal. A well-configured CMP handles the heavy lifting — but configuration matters.

A CMP set to nudge acceptance or fire cookies early is no better than a hand-built banner with the same flaws.

Common cookie mistakes

Typical failings include setting cookies before consent, no “reject all” option, pre-ticked categories, banners that block the site until you accept, an inaccurate cookie policy, and no way to withdraw consent. Each undermines the validity of the consent.

Most are fixable with a properly configured CMP and a genuine commitment to giving users a real choice.

How ISpectra helps

Getting cookie consent right is one of the most visible parts of GDPR compliance — it is the first thing visitors and regulators see. ISpectra Technologies helps organisations audit their cookies, categorise them, configure a compliant consent banner and CMP, write an accurate cookie policy, and maintain consent records.

If your banner fires cookies early or hides the reject button, a short review will put it right.

In one paragraph

Cookie consent is governed by the ePrivacy rules (which require consent for non-essential cookies) and GDPR (which sets the standard for valid consent). Strictly necessary cookies need no consent; analytics, advertising and functional cookies do. Valid consent is a granular opt-in — no pre-ticked boxes — with rejecting as easy as accepting, non-essential cookies blocked until consent, easy withdrawal, an accurate cookie policy, and consent records. Audit your cookies regularly and use a well-configured consent management platform. Avoid dark patterns: a banner that nudges acceptance or fires cookies early is non-compliant however polished it looks.

Free consultation

Need help with GDPR?

Talk to our data-protection specialists — we’ll map your fastest path to compliance.

Book free assessment

Why regulators care so much

It is reasonable to ask why a humble cookie banner attracts such regulatory attention. The answer is that it is the most public test of whether an organisation respects consent. Regulators cannot easily see inside your databases, but they — and every user — can see your banner in seconds. If it nudges people toward “accept all”, hides the reject button, or fires trackers before anyone clicks, it signals that the organisation treats consent as an obstacle to be engineered around rather than a genuine choice to be offered. That impression colours how everything else about your data practices is judged.

This is why cookie enforcement has become a priority across Europe, with regulators issuing detailed guidance and fines over manipulative banners. The practical lesson is to design your banner as if a regulator were watching — because in effect they always are. A clear, balanced, honest banner that makes accepting and rejecting equally easy, blocks non-essential cookies until a real choice is made, and lets people change their minds later is not just compliant; it quietly tells visitors that you can be trusted with the data you do collect. In an era of widespread tracking fatigue, that trust is worth far more than the marginal analytics gained by tricking a few extra people into clicking “accept”.

FAQ

GDPR Cookie Consent — Frequently Asked Questions

Do all cookies need consent?
No. Strictly necessary cookies do not need consent. Analytics, advertising and functional cookies generally do, under the ePrivacy rules and GDPR’s consent standard.

What does valid cookie consent look like?
A granular opt-in with no pre-ticked boxes, clear information, rejecting as easy as accepting, non-essential cookies blocked until consent, and easy withdrawal.

Can cookies be set before the user consents?
No. Non-essential cookies must not be set until the user has consented. Firing analytics or advertising cookies on page load is non-compliant.

Is a “Reject all” button required?
Yes, in effect. Rejecting should be as easy and prominent as accepting. Burying or omitting the reject option breaches the freely-given requirement.

Do I need to keep records of cookie consent?
Yes. You must be able to demonstrate which categories a user accepted or rejected and when. Consent management platforms log this automatically.

What is a consent management platform?
A tool that presents the banner, blocks non-essential cookies until consent, records choices and offers easy withdrawal. Configuration is what makes it compliant.