Last reviewed: 2026-05-04

Topic · CONSENT

Cookie banner requirements

When you need a cookie banner, what it must contain, and how to make it work across jurisdictions.

[Figure: example cookie banner ("We use cookies") with eight numbered elements: title, body text, category toggles (Necessary, Analytics, Marketing), privacy policy link, cookie policy link, and the buttons "Reject all", "Settings" and "Accept all", followed by the note "You can change your choices anytime."]
Cookie banner anatomy — 8 elements regulators have written about across the EU/UK ePrivacy stack and CCPA/CPRA. Editorial reading; not legal advice.
Elements (compared across CNIL, TTDSG, Garante, PECR and CCPA):

1. Title / opening sentence: Plain-language statement that the site uses cookies and similar technologies.
2. Purpose & body text: Why cookies are set, who controls them, and how the user can change choices.
3. Cookie categories breakdown: Strictly necessary / Analytics / Marketing / Personalisation, distinguished.
4. Privacy policy link: Direct link to the privacy notice covering processing details.
5. Cookie policy / per-cookie list: Per-cookie inventory (name, purpose, lifespan, provider).
6. Reject all (1 click): Reject must be reachable on the first layer with equal visual prominence to Accept.
7. Granular settings / preferences: Per-category opt-in toggles before any non-essential tag fires.
8. Accept all (1 click): Affirmative consent action, clear and unambiguous, before any tag fires.


A cookie banner is required wherever your site reads or writes non-essential information on a user’s device. Under ePrivacy Directive Article 5(3) and GDPR Article 6, the trigger is “access to terminal-equipment” — not whether you call it a “cookie”. Local storage, IndexedDB, fingerprinting, browser-stored consent IDs all count.

Where banners are mandatory

Hard-required across the EU/EEA when any non-essential storage is used: Germany, France, Italy, Spain, Netherlands, Austria, Belgium, Ireland, Sweden, Poland, Portugal, plus the UK under PECR.

Recommended but not statutorily required: Canada, Australia, Japan, Singapore. Not required: California (use a “Do Not Sell or Share” link instead), Virginia, Texas, Switzerland.

What every EU banner must contain

Common mistakes

- Loading Google Tag Manager unconditionally before consent.
- Setting cookies (including cookie_consent itself) longer than 13 months (French CNIL position).
- Treating “continued browsing” or scrolling as consent, which is invalid in every EU jurisdiction.
- Geo-IP gating only the EU when other jurisdictions also require banners.
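
An added example, not code from this page: a small audit over a recorded page visit that flags the first three mistakes listed above (tags or storage before consent, lifetimes over 13 months, consent inferred from scrolling). The event format, field names and sample visit are assumptions constructed for illustration.

```javascript
// Added example. Event shape, field names and sample data are constructed for illustration.
const MAX_MONTHS = 13; // lifetime limit cited on this page (CNIL position)

// Latest acceptable expiry for something stored at `setAt` (calendar months, UTC).
function latestExpiry(setAt) {
  const d = new Date(setAt);
  d.setUTCMonth(d.getUTCMonth() + MAX_MONTHS);
  return d;
}

// events: time-ordered records from one visit (script loads, storage writes, consent signals).
function auditVisit(events) {
  const findings = [];
  let granted = new Set(['necessary']); // strictly necessary storage needs no opt-in
  for (const e of events) {
    if (e.type === 'consent') {
      if (e.via === 'click') {
        // An explicit banner choice replaces the previous one, so withdrawal is honoured.
        granted = new Set(['necessary', ...e.categories]);
      } else {
        findings.push(`${e.t} consent inferred from ${e.via}`);
      }
      continue;
    }
    // Scripts and any device storage (cookie, localStorage, IndexedDB) are gated alike.
    if (!granted.has(e.category)) {
      findings.push(`${e.t} ${e.name} (${e.category}) ran before consent`);
    }
    if (e.expires && new Date(e.expires) > latestExpiry(e.t)) {
      findings.push(`${e.t} ${e.name} lifetime exceeds ${MAX_MONTHS} months`);
    }
  }
  return findings;
}

// Constructed sample visit: a tag manager loads first, then a scroll is treated as consent.
const sampleVisit = [
  { t: '2026-01-10T09:00:00Z', type: 'script', name: 'gtm.js', category: 'marketing' },
  { t: '2026-01-10T09:00:01Z', type: 'storage', name: 'session_id', category: 'necessary' },
  { t: '2026-01-10T09:00:05Z', type: 'consent', via: 'scroll', categories: ['analytics'] },
  { t: '2026-01-10T09:00:06Z', type: 'storage', name: 'localStorage:visitor_id', category: 'analytics' },
  { t: '2026-01-10T09:00:20Z', type: 'consent', via: 'click', categories: ['analytics'] },
  { t: '2026-01-10T09:00:21Z', type: 'storage', name: 'cookie_consent', category: 'necessary', expires: '2028-01-10T09:00:21Z' },
  { t: '2026-01-10T09:00:22Z', type: 'storage', name: 'analytics_id', category: 'analytics', expires: '2027-01-10T09:00:22Z' },
];

console.log(auditVisit(sampleVisit).join('\n'));
```

The same check can run over events captured by a headless browser in CI, so a tag that starts firing before the banner choice fails the build.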

Templates and tooling

See templates for jurisdiction-specific banner texts. Compare specific jurisdictions side-by-side via /compare/germany-vs-france/ or three-way comparisons like germany-vs-france-vs-italy.

Editorial research, not legal advice. Consult a qualified DPO or attorney before deploying.