Cookies • 9 min read • January 8, 2025

Cookie Consent: Everything Website Owners Need to Know

A comprehensive guide to cookie consent requirements under GDPR and ePrivacy Directive. Learn how to implement compliant cookie banners.

You've seen them everywhere—those banners at the bottom of websites asking about cookies. Some are subtle little bars. Others take up half the screen with walls of text and toggle switches. And some are still using the old "by continuing to use this site, you agree" approach, which, spoiler alert, hasn't been legally acceptable for years.

Cookie consent is one of those areas where there's a massive gap between what the law requires and what most websites actually do. Some businesses overcomplicate it to the point of absurdity. Others ignore it entirely. Neither approach is right.

Why Cookies Need Consent

First, let's clarify what we're actually talking about. Cookies are small text files that websites store on visitors' browsers. They have plenty of legitimate uses—keeping you logged in, remembering your shopping cart, storing your preferences. But they're also used extensively for tracking.

The legal issues arise primarily from the ePrivacy Directive (often called the "Cookie Law") in Europe, combined with GDPR requirements for consent. Under these laws, you generally need consent before placing non-essential cookies on someone's device.

The key word there is "non-essential." Cookies that are strictly necessary for the functioning of the website—like session cookies that keep you logged in—don't require consent. Everything else typically does.

What Qualifies as Valid Consent?

This is where many websites go wrong. Under GDPR, consent must be:

Freely given: Users must have a genuine choice. Consent obtained under pressure or through dark patterns doesn't count.

Specific: Consent should relate to specific purposes. A blanket "accept all cookies" isn't ideal; users should be able to choose which categories they consent to.

Informed: Users need to know what they're agreeing to before they consent. You can't explain cookies only after someone has already accepted them.

Unambiguous: There must be a clear affirmative action. Scrolling, continuing to browse, or pre-ticked boxes don't constitute valid consent.

That last point catches a lot of websites. The "by using this site, you agree to our use of cookies" approach was common before GDPR, but it's not compliant. Neither are cookie banners that make it easy to accept but hide the reject option behind multiple clicks.

Cookie Categories Explained

When setting up cookie consent, it helps to understand the standard categories:

Strictly Necessary Cookies

These are essential for basic website functionality. Session cookies for logged-in users, shopping cart cookies, security cookies—these don't require consent because the website can't function properly without them. But you should still explain what they do in your cookie policy.

Performance/Analytics Cookies

These are cookies used to understand how visitors use your website. Google Analytics is the classic example. These typically require consent because they're not essential to delivering the service—they're for your benefit as the site owner.

There's some debate here. Some argue that privacy-respecting analytics (like aggregated, anonymized data) might not require consent. But the safer position is to request consent for any analytics that could identify individuals.

Functionality Cookies

These remember user preferences—language settings, display preferences, whether you've dismissed a particular message. Whether these require consent depends on whether they're truly necessary for the requested functionality or just convenient additions.

Advertising/Targeting Cookies

Used to track users across websites and deliver targeted advertising. These almost always require consent. They're typically set by third parties (ad networks) and can build detailed profiles of user behavior.

Social Media Cookies

Set by social sharing buttons and embedded content from platforms like Facebook, Twitter, or YouTube. These often have tracking capabilities beyond their stated function. Consent is generally required.

Building a Compliant Cookie Banner

A good cookie banner does several things:

Provide Information First

Before asking for consent, briefly explain what cookies you use and why. This can be a short summary with a link to your full cookie policy. Users should understand what they're being asked to accept.

Offer Genuine Choice

Give users clear options to accept, reject, or customize. The reject option should be as easy to access as the accept option. Hiding "reject" behind multiple clicks while making "accept" a single click is a dark pattern that regulators are increasingly cracking down on.

Allow Granular Control

Let users choose which categories of cookies to accept. Some people are fine with analytics but don't want advertising cookies. Giving them this control is best practice and increasingly required.

Don't Block Content Excessively

Your banner shouldn't make the website unusable until consent is given. Visitors should be able to access essential content while deciding about cookies. Forcing acceptance by blocking content isn't freely given consent.

Remember Preferences

Once someone makes a choice, remember it. Don't ask again on every page load. But do provide a way for users to change their preferences later—usually a link in your footer or cookie policy.

Actually Respect the Choice

This sounds obvious, but you'd be surprised. Many cookie banners are just for show—they display options, but cookies load regardless of what the user chooses. This is worse than no banner at all, because it creates a false impression of compliance.

Technical Implementation

From a technical standpoint, implementing proper cookie consent involves:

Blocking Cookies Until Consent

Non-essential cookies should not be set until consent is given. This means your analytics code, advertising pixels, and social media embeds need to be conditional on consent status.

For Google Analytics, this might mean using the consent mode feature. For other third-party scripts, you might need to conditionally load them based on consent.
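As an added example (not code from the article), here is a minimal consent store and script gate in plain JavaScript that does what this section and the earlier "Remember Preferences" and "Actually Respect the Choice" points describe: nothing non-essential is granted by default, non-essential scripts are only injected once their category has been granted, and the decision (including "reject all") is stored in a first-party cookie so the banner is not shown again on every page load. The cookie name, the category names and the script inventory are assumptions.

```javascript
// Added example (not from the article): a minimal consent store and script
// gate. No category is pre-granted; only "necessary" scripts ever load before
// a choice is made. The choice (including "reject all") is kept in a
// first-party cookie so the visitor is not asked again on every page load.

const CATEGORIES = ['analytics', 'advertising', 'social']; // assumed category names
const CONSENT_COOKIE = 'cookie_consent'; // hypothetical cookie name

// State before the user has decided anything: nothing non-essential granted.
function defaultConsent() {
  return { decided: false, analytics: false, advertising: false, social: false };
}

// Read the stored choice from a document.cookie-style string. Anything
// missing or malformed falls back to "not granted", never to "accepted".
function parseConsent(cookieString) {
  const state = defaultConsent();
  for (const part of cookieString.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name !== CONSENT_COOKIE) continue;
    for (const cat of decodeURIComponent(rest.join('=')).split(',')) {
      if (CATEGORIES.includes(cat)) state[cat] = true;
    }
    state.decided = true; // an empty value means "reject all", which is still a decision
  }
  return state;
}

// Persist a choice. "Reject all" is stored too, so declining is remembered.
function serializeConsent(state, maxAgeDays = 180) {
  const granted = CATEGORIES.filter((c) => state[c]).join(',');
  return `${CONSENT_COOKIE}=${encodeURIComponent(granted)}; Max-Age=${maxAgeDays * 86400}; Path=/; SameSite=Lax; Secure`;
}

// From the script inventory, keep only what the current consent allows:
// 'necessary' never waits for consent, every other category must be granted.
function scriptsToLoad(inventory, state) {
  return inventory.filter((s) => s.category === 'necessary' || state[s.category] === true);
}

// Browser glue: inject the permitted <script> tags. No-op outside a DOM.
function applyConsent(inventory, state) {
  if (typeof document === 'undefined') return;
  for (const s of scriptsToLoad(inventory, state)) {
    const el = document.createElement('script');
    el.src = s.src; el.async = true;
    document.head.appendChild(el);
  }
}
```

In a page, call `applyConsent(inventory, parseConsent(document.cookie))` on load and again after the banner writes `serializeConsent(...)` to `document.cookie`; scripts in ungranted categories never get a tag, so they cannot set cookies.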

Script Management

Consider using a consent management platform (CMP) or tag manager to control when scripts load. These tools can automatically block cookies based on user preferences and help you stay compliant without manual coding for every script.

Cookie Scanning

Regularly audit your website to know what cookies are actually being set. Third-party services often add cookies without explicit notice. Tools exist to scan your site and identify all cookies being placed.

Documentation

Keep records of what cookies you use, what they're for, who sets them, and how long they last. This information should feed into your cookie policy.
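The "Cookie Scanning" and "Documentation" steps above can be joined into one check. As an added example (not a tool from the article), the script below compares Set-Cookie headers observed while crawling a site against the documented cookie inventory and reports undocumented cookies, cookies whose first-/third-party status does not match the record, and lifetimes longer than the policy states. The site host, inventory and observed headers are constructed sample data.

```javascript
// Added example, not from the article: check the Set-Cookie headers observed
// while crawling a site against the documented cookie inventory. It flags
// cookies missing from the inventory, cookies whose party (first/third) does
// not match the record, and lifetimes longer than documented.

const SITE_HOST = 'shop.example'; // constructed

const INVENTORY = { // constructed: what the cookie policy currently documents
  sessionid: { category: 'necessary', party: 'first', maxAgeDays: 0 }, // 0 = session cookie
  _ga: { category: 'analytics', party: 'third', maxAgeDays: 400 },
};

// Parse one Set-Cookie header into the name and lifetime (in days). Expires is
// measured from `now` so the result is deterministic; Max-Age takes precedence.
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), maxAgeDays: 0 };
  for (const attr of attrs) {
    const eq = attr.indexOf('=');
    const key = (eq < 0 ? attr : attr.slice(0, eq)).toLowerCase();
    const val = eq < 0 ? '' : attr.slice(eq + 1);
    if (key === 'max-age') cookie.maxAgeDays = Number(val) / 86400;
    else if (key === 'expires' && cookie.maxAgeDays === 0) cookie.maxAgeDays = (Date.parse(val) - now) / 86400000;
  }
  return cookie;
}

// observed: [{ host, header }] where host is the server that sent the header.
function auditCookies(observed, inventory, now) {
  const findings = [];
  for (const { host, header } of observed) {
    const c = parseSetCookie(header, now);
    const party = host === SITE_HOST ? 'first' : 'third';
    const doc = inventory[c.name];
    if (!doc) { findings.push(`${c.name}: set by ${host} but not in inventory`); continue; }
    if (doc.party !== party) findings.push(`${c.name}: documented as ${doc.party}-party, set by ${host}`);
    if (c.maxAgeDays > doc.maxAgeDays + 1) findings.push(`${c.name}: lifetime ${Math.round(c.maxAgeDays)} days exceeds documented ${doc.maxAgeDays}`);
  }
  return findings;
}

// Constructed crawl output: one cookie as documented, one analytics cookie
// living far longer than the policy states, and one undocumented ad cookie.
const OBSERVED = [
  { host: 'shop.example', header: 'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax' },
  { host: 'analytics.example', header: '_ga=GA1.2.1; Max-Age=63072000; Domain=shop.example' },
  { host: 'ads.example', header: 'adid=xyz; Expires=Wed, 01 Jan 2027 00:00:00 GMT' },
];
```

Each finding is a line item for the next update of the cookie policy and banner categories; feed the audit real crawl output (headers captured per responding host) in place of the constructed `OBSERVED` list.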

The Cookie Policy

Beyond the banner, you need a cookie policy explaining your cookie usage in detail. This should cover:

  • What cookies are and how they work (brief explanation for non-technical users)
  • What cookies your site uses, organized by category
  • The purpose of each cookie or cookie category
  • Who sets each cookie (first-party vs. third-party)
  • How long each cookie lasts
  • How users can manage or delete cookies
  • How users can change their consent preferences

Many websites include this information in their main privacy policy. That's fine, but a dedicated cookie policy makes it easier for users to find the specific information they need.

Common Mistakes to Avoid

The Cookie Wall

Blocking all access to your website until users accept cookies is called a "cookie wall." European regulators have generally ruled these non-compliant because consent isn't freely given when the alternative is no access at all.

Deceptive Design

Making "accept" big, colorful, and prominent while making "reject" small, gray, and hard to find is deceptive design. Some regulators have started issuing fines specifically for these dark patterns.

Pre-Checked Boxes

Never pre-select consent options. If you're giving users choices, start with everything unchecked. Consent must be an active choice.

Treating Legitimate Interest as Consent

Some consent platforms muddy the waters by mixing consent with legitimate interest categories. These aren't the same thing, and the rules are different. Don't let a complicated CMP confuse your compliance.

Forgetting About Updates

When you add new third-party services, you're probably adding new cookies. Your consent mechanism and cookie policy need to reflect these changes. Make cookie auditing part of your regular maintenance.

Beyond Europe: Other Jurisdictions

While the ePrivacy Directive is European law, cookie consent considerations apply more broadly.

In California, cookies used for targeted advertising may trigger CCPA requirements, including the "Do Not Sell" opt-out.

Brazil's LGPD, Canada's PIPEDA, and various other laws have their own requirements around tracking technologies.

If your website serves a global audience, implementing proper cookie consent based on European standards generally keeps you compliant (or close to it) in most other jurisdictions as well.

Looking Ahead

The cookie landscape is shifting. Browser changes, including the long-anticipated (and much-delayed) deprecation of third-party cookies in Chrome, will change how tracking works fundamentally.

But that doesn't mean consent requirements will disappear. First-party tracking and alternative technologies will still raise privacy concerns. The principles of transparency and user control will remain relevant even as the technical implementation changes.

For now, focus on getting cookie consent right. It's not just about compliance—it's about respecting your visitors' choices about how they're tracked online.

Legal Disclaimer

This article is for informational purposes only and does not constitute legal advice. Privacy laws vary by jurisdiction and change over time. Consult with a qualified attorney for advice specific to your situation.
