Topic · CONSENT
Cookie banner requirements
When you need a cookie banner, what it must contain, and how to make it work across jurisdictions.
A cookie banner is required wherever your site reads or writes non-essential information on a user’s device. Under ePrivacy Directive Article 5(3) and GDPR Article 6, the trigger is “access to terminal-equipment” — not whether you call it a “cookie”. Local storage, IndexedDB, fingerprinting, browser-stored consent IDs all count.
Where banners are mandatory
Hard-required across the EU/EEA when any non-essential storage is used: Germany, France, Italy, Spain, Netherlands, Austria, Belgium, Ireland, Sweden, Poland, Portugal, plus the UK under PECR.
Recommended but not statutorily required: Canada, Australia, Japan, Singapore. Not required: California (use a “Do Not Sell or Share” link instead), Virginia, Texas, Switzerland.
What every EU banner must contain
- Equal-weight reject button on the first layer. EDPB Guidelines 03/2022 — Reject must be as visually prominent and one-click as Accept. CNIL, Garante, DSK and ICO all enforce this. Dark patterns (greyed-out reject, cookie wall) are non-compliant.
- Granular categories. Bundled “all cookies” consent is invalid. List analytics, advertising, personalization separately. The user must be able to refuse one and accept another.
- No pre-ticked boxes. Confirmed since CJEU C-673/17 (Planet49, 2019).
- Withdrawal as easy as giving. A floating “Cookie settings” trigger or persistent footer link.
- Pre-consent silence. No tags, no analytics pings, no third-party scripts before the user clicks. Consent Mode v2 cookieless pings still require consent under the strict EDPB reading.
Common mistakes
Loading Google Tag Manager unconditionally before consent. Setting cookies (including cookie_consent itself) longer than 13 months — French CNIL position. Treating “continued browsing” or scrolling as consent — invalid in every EU jurisdiction. Geo-IP gating only the EU when other jurisdictions also require banners.
Templates and tooling
See templates for jurisdiction-specific banner texts. Compare specific jurisdictions side-by-side via /compare/germany-vs-france/ or three-way comparisons like germany-vs-france-vs-italy.
Editorial research, not legal advice. Consult a qualified DPO or attorney before deploying.