Cookie Consent for Blogs: Do You Need It, and How to Add It

Learn whether your blog legally needs cookie consent and follow five steps to add a compliant banner that covers AdSense, Analytics, and affiliate links.


by Riad Us Salehin • 5 July 2026


Most blogs need cookie consent once they run Google Analytics, AdSense, or affiliate links. Each of those sets non-essential cookies for readers in the EU, the UK, or California.

Five steps get a blog compliant. Confirm which laws apply, find every cookie, add a blocking banner, wire consent to Google, and publish a policy.

Do you need cookie consent on your blog?

Most blogs need cookie consent. Running Google Analytics, AdSense, affiliate links, or embedded video sets non-essential cookies for readers, and a consent law protects some of them. A blog with zero non-essential cookies and truly no EU, UK, or California traffic is the narrow exception.

Your blog almost certainly needs consent if it does any of the following.

  • Runs Google Analytics or another analytics tool
  • Shows Google AdSense or any other display ads
  • Links to affiliate programs, such as Amazon Associates or ShareASale
  • Embeds YouTube videos, social share buttons, or a comment system
  • Offers a login or single sign-on option

When your blog legally needs a consent banner

Your blog needs a consent banner when it sets non-essential cookies for legally protected readers. GDPR and the ePrivacy Directive apply based on targeting or monitoring EU and UK residents. Where your server sits does not matter.

California's CCPA and similar US state laws apply once your blog collects personal data from those states' residents. A business must also cross that specific law's own applicability threshold, based on traffic or revenue, not a single visit.

The practical test is who reads your blog, not where you registered your domain. A blog run from outside the EU can still target or monitor EU or UK readers under GDPR's extraterritorial reach. That happens once it gets meaningful traffic from search, social, or a newsletter in those regions.

Running AdSense adds a separate requirement on top of GDPR and CCPA. Google's own EU User Consent Policy applies to visitors in the European Economic Area, the UK, and Switzerland, regardless of where the publisher is based.

When you can skip it (and why most bloggers can't)

You can skip a consent banner only in one narrow case. Your blog must set no persistent, non-essential cookies at all, and it must have no meaningful EU, UK, or California readership.

That means no analytics, no ads, no affiliate tracking, and no embedded third-party widgets.

Session-only cookies don't trigger consent requirements. These are the kind that support a shopping cart or a login for the length of one visit.

A common but outdated claim says a blog is exempt from EU cookie rules simply because the owner and the hosting sit outside the EU. That claim misses the actual test. GDPR and the ePrivacy Directive apply based on targeting or monitoring EU and UK residents' behavior, not the publisher's location.

A blog with even modest EU or UK traffic from search or social is targeting those readers under that standard. Saying "I'm not in the EU" does not exempt a blog on its own.

What triggers cookie consent on a blog: AdSense, Analytics, and affiliate links

A handful of common blog tools set the cookies that trigger consent requirements, each for a different reason.

Blog toolCookie type it setsTriggers consent
Google Analytics / GA4Analytics cookiesYes
Google AdSenseAdvertising cookiesYes
Affiliate links (Amazon, ShareASale, etc.)Tracking cookiesYes
Embedded YouTube, social buttonsThird-party cookiesYes
Comment system or loginSession or functional cookiesSometimes

Google Analytics and AdSense are the two most common triggers on ordinary blogs. Both set third-party tracking cookies the moment the script loads, before any reader clicks anything.

Affiliate links work the same way. An Amazon Associates or ShareASale link drops a tracking cookie to attribute a future sale back to your blog, and that cookie persists across sessions.

Embedded content adds a third layer readers rarely think about. A YouTube embed, a social share button, or a live comment widget can each load its own third-party cookie the moment the page renders. A blogger who runs no ads at all can still trigger consent requirements purely through those embeds.

Comment systems and login cookies sometimes qualify as strictly necessary, and strictly necessary cookies don't need consent. The distinction is functional. A session cookie that keeps you logged in for one visit is necessary. A cookie that remembers your comment history across visits for marketing purposes is not.

What you need before you start

The prerequisite most bloggers skip is checking where their readers actually are. Your Google Analytics geography report, not your own location, is the real test.

  • Roles: Just you. A solo blogger can complete this without a developer.
  • Time: 30 to 60 minutes total, once you know your cookie list and have head-script access to your platform.
  • Inputs: A list of every ad network, analytics tool, affiliate program, and embed your blog uses; head-edit access to your blog's theme or template; a cookie and privacy policy, or the ability to generate one.
  • Tools: A consent management tool or cookie banner tool, and your analytics dashboard to check reader geography.

Step 1: Confirm which laws apply to your readers

The law that applies to your blog depends on who reads it, not where you live. Most bloggers face some combination of three regimes.

GDPR and the ePrivacy Directive cover EU and UK readers. CCPA and other US state laws cover residents of those states. Google's own EU User Consent Policy applies separately if you run AdSense.

Three legal layers typically stack on an ordinary blog:

  1. GDPR and the ePrivacy Directive require opt-in consent before setting non-essential cookies for EU and UK readers. The applicability test is targeting or monitoring their behavior, not the publisher's location.
  2. CCPA, CPRA, and other US state privacy laws apply once a blog collects personal data from a covered state's residents and crosses that law's own threshold. These laws require an opt-out mechanism, typically a "Do Not Sell or Share My Personal Information" link, rather than GDPR's opt-in banner.
  3. Google's EU User Consent Policy applies separately if you run AdSense, Analytics, or Ads. It covers visitors in the EEA, the UK, and Switzerland specifically, and requires consent for cookies and for ad personalization, consent records, and a revocation path.

These three layers overlap but don't substitute for one another. A banner built only for GDPR's opt-in model won't satisfy CCPA's opt-out mechanism. Satisfying Google's policy doesn't automatically cover your independent analytics or affiliate cookies.

Read our full cookie compliance by industry breakdown for the complete law-by-law detail beyond what a single blog needs. A healthcare-adjacent blog carries extra rules; see cookie and pixel compliance for healthcare sites. A blog on a product marketing domain should instead see cookie consent for SaaS sites.

Step 2: Find every cookie and tracker your blog sets

Finding every cookie your blog sets takes two passes. List what you know you installed, then run an automatic scan to catch what you didn't.

AdSense, analytics, affiliate networks, and embedded video all set cookies that don't show up in a manual list. To find your blog's full cookie footprint:

  1. List every ad network, analytics tool, affiliate program, and third-party embed you deliberately added.
  2. Check your theme and plugins for embeds you may have forgotten, like a video widget or a social feed.
  3. Run an automatic scan of your live site to catch cookies set by scripts you didn't directly configure.
  4. Categorize what the scan finds as essential, analytics, advertising, or unclassified.

A manual list alone misses the third-party cookies that ad and affiliate scripts inject on their own. Consently's automatic full-site scan detects cookies, trackers, scripts, and iframes across your blog. It categorizes each one as essential, analytics, or advertising, so you see exactly what AdSense, Google Analytics, and your affiliate embeds actually set.

Step 3: Add a consent banner that blocks ad and analytics cookies until opt-in

A compliant banner blocks non-essential cookies before the reader consents, not after. A banner that only records a choice while ads and analytics scripts have already fired offers no real protection.

Three requirements define a working banner:

  • Prior blocking: ad, analytics, and affiliate scripts wait to load until the reader consents. If cookies fire before the click, the banner is decorative.
  • Equal-weight choices: accept and reject sit at the same visual weight. An oversized accept button next to a hidden reject link is a dark pattern regulators flag.
  • Region-correct model: EU and UK readers see an opt-in banner, where cookies stay blocked until they click accept. US-state readers see an opt-out mechanism instead.

Bloggers who rely only on AdSense's built-in dialog describe a recurring geographic gap. AdSense's message displays only in the regions Google covers. Visitors from every other region see nothing, and your analytics and affiliate cookies stay unblocked for them.

Consently's banner blocks non-essential cookies, scripts, and iframes before consent everywhere. It ships both GDPR opt-in and CCPA and US-state opt-out templates, and it automatically geotargets which model each visitor sees. You're not stitching an EU-only dialog to a separate plugin to cover the rest of your readers.

Step 4: Wire consent to Google (Consent Mode v2 and the AdSense requirement)

You do not need a cookie banner to apply for or get approved into AdSense. Serving ads to readers in the EEA, the UK, or Switzerland changes that. Google then requires a certified consent management platform that passes Consent Mode v2 signals.

Consent Mode v2 tells Google whether it can use cookies for ads and analytics for a given visitor. It passes four signals to do this.

  • ad_storage governs whether Google can store advertising cookies.
  • analytics_storage governs whether Google can store analytics cookies.
  • ad_user_data controls whether Google can send that visitor's data to Google for advertising.
  • ad_personalization controls whether Google can use that data for personalized ads.

When a reader declines, those signals switch to denied. Google then serves non-personalized ads instead of blocking ad delivery outright.

PathWhat it coversWhat it misses
AdSense's built-in Privacy & messaging dialogAd consent disclosure for supported regions (EEA, UK, Switzerland)Your own Google Analytics, affiliate, and embed cookies; doesn't scan or block anything
A certified CMP with Consent Mode v2AdSense's consent requirement, plus Analytics, affiliate, and embed cookies, all in one bannerNothing, if it also scans and blocks the rest of your trackers

AdSense's free built-in dialog satisfies the ad-consent disclosure Google requires for supported regions. It doesn't scan your site, doesn't block your own analytics or affiliate cookies, and leaves readers outside its covered regions with no notice at all.

Consently sends Consent Mode v2 signals to Google automatically, with no manual gtag('consent') code to write. It also supports the IAB TCF standard for publishers who run programmatic advertising. That combination satisfies Google's EU User Consent Policy and blocks the cookies AdSense's own dialog leaves untouched, in one tool.

Read Google's own AdSense EU User Consent Policy and Consent Mode guidance for the primary source on this requirement.

Step 5: Publish a cookie policy and log consent

Two obligations remain once your banner is live. Publish a cookie and privacy policy that explains what you collect, and keep a record of each reader's consent choice as proof.

Your cookie and privacy policy should include:

  • What cookies your blog sets, grouped by category (essential, analytics, advertising)
  • Why you collect each type and which third parties, such as Google or affiliate networks, receive the data
  • How a reader can withdraw or change consent after their first visit
  • Contact information for privacy questions

A consent log matters because a banner alone can't prove compliance during a complaint or an audit. You need a timestamped record of what each visitor chose. Consently generates cookie, privacy, and terms and conditions policies from a guided workflow. It also stores exportable consent logs with timestamp, region, and status for every visitor, so your policy, banner, and audit trail come from one tool.

Cookie consent on Blogger, WordPress, and Ghost

Installation differs by platform, but the underlying banner and consent logic stay the same everywhere. Blogger shows a built-in notice by default; WordPress and Ghost both accept a script through head access.

Blogger, Google's own hosted platform, shows visitors from the EU a built-in cookie notice by default. Google's own Blogger help documentation states plainly that this default notice is not a complete compliance solution.

"If you have edited your blog in a way that hides this notice, it will be your responsibility to notify your visitors about cookies used on your blog and if necessary, obtain consent."

That default notice covers only Google Analytics and AdSense cookies. Any other third-party tracker you add yourself needs its own consent coverage. You install a separate banner on Blogger through Theme → Edit HTML, pasting your banner script into the page head.

WordPress accepts either a plugin or a head-script installation, and both routes work. Many free plugins skip prior blocking or don't send Consent Mode v2 signals. That leaves the two gaps this guide covered in Steps 3 and 4.

Ghost accepts a script through its built-in code injection setting in the site header. That's the same head-script pattern WordPress and most other platforms support.

Consently installs on Blogger, WordPress, Ghost, or any platform that allows a script in the page head, using the same one-line install everywhere. If you manage consent across several platforms at once, see who Consently is for for how the setup differs by audience. If you manage cookie consent across several client blogs, our cookie consent for agencies guide covers multi-site setup.

Common blog cookie consent mistakes to avoid

The most damaging mistake is assuming AdSense's built-in dialog covers everything. It leaves your other cookies unblocked and your non-EEA readers without any notice at all.

  • Relying on AdSense's dialog alone. AdSense's message only covers ad consent in its supported regions and doesn't scan or block your analytics or affiliate cookies. The fix: add a CMP that scans your full site and blocks everything, not just ad cookies.
  • A banner that doesn't block cookies until consent. If your analytics and ad scripts fire before the reader clicks anything, the cookies are already set. The fix: use prior blocking, so nothing non-essential loads before consent.
  • Assuming "I'm not in the EU" means exemption. The applicability test is whether you target or monitor EU and UK readers' behavior, not where you or your host are located. US state laws can also apply based on your reader base. The fix: check your analytics geography before assuming you're exempt.
  • No consent record. A banner with no log can't prove what a reader chose if a complaint or audit happens. The fix: keep timestamped consent logs for every visitor.
  • Consent fatigue and dark patterns. An oversized accept button next to a hidden or gray reject link pressures readers and draws regulator attention. The fix: give accept and reject equal visual weight.

Add compliant cookie consent to your blog

A blog can cover the banner, cookie scan, blocking, Consent Mode v2 signals, and all three legal policies in one affordable tool. That replaces stitching together AdSense's partial dialog, a free plugin, and a separate policy generator. Consently includes every feature on every plan, starting at $99 a year for a single blog with 100,000 monthly pageviews. It ships a 14-day free trial with no credit card required. Start free with Consently

FAQs

Is Google AdSense's built-in GDPR message enough for my blog?

No. AdSense's built-in dialog covers ad consent disclosure in the EEA, the UK, and Switzerland. It doesn't scan your site, doesn't block your own Google Analytics or affiliate cookies, and shows nothing to readers outside those regions.

Do I need a cookie banner before applying for AdSense?

No. AdSense approval depends on having a legitimate, policy-safe site with a privacy policy, not on having a cookie banner. You need the banner and Consent Mode v2 once you're approved and serving ads to EEA, UK, or Swiss readers.

Do I need cookie consent if my blog only uses Google Analytics?

Yes. Google Analytics sets non-essential, persistent tracking cookies the moment its script loads. That triggers consent requirements for EU, UK, and other covered readers, whether or not you run any ads.

Is there a free cookie consent option for blogs?

Free plugins and AdSense's own dialog exist, but each has a gap. Many free plugins skip prior blocking or don't send Consent Mode v2 signals, and AdSense's dialog only covers its supported regions and ad cookies. A paid CMP that scans, blocks, and sends Consent Mode v2 signals closes both gaps for a low annual cost.

Do I need cookie consent if I'm not based in the EU?

Not automatically exempt. GDPR and the ePrivacy Directive apply based on whether you target or monitor EU and UK readers' behavior. Where you or your host are located does not matter. CCPA and other US state laws can apply separately.

Does Google AdSense use cookies?

Yes. AdSense sets advertising cookies to serve and measure ads, including personalized ads where a reader consents. Those cookies are non-essential, so serving AdSense to EEA, UK, or Swiss readers triggers Google's consent requirement and Consent Mode v2.

How do I add a cookie banner on Blogger?

Go to Theme → Edit HTML in your Blogger dashboard and paste your banner's install script into the page head, above other tracking scripts. Blogger's own built-in EU notice stays active by default. It only covers Google Analytics and AdSense cookies.

What happens if I ignore cookie consent on my blog?

You risk GDPR or state-law fines if a regulator investigates. Google can also flag or suspend your AdSense account or your Blogger site for violating its EU User Consent Policy. For a small blog, that account action is often the more immediate consequence.

How long does it take to set up cookie consent on a blog?

About 30 to 60 minutes for a typical blog, once you have your cookie list and head-script access to your platform. Most of that time goes to listing your tools and running the scan; the banner install itself takes a few minutes.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.