GDPR Cookie Consent Examples: 12 Compliant vs Non-Compliant

See real GDPR cookie consent examples judged against the four-part valid-consent test, plus the non-compliant patterns regulators fine.


by Riad Us Salehin • 5 July 2026


GDPR-compliant cookie consent means a banner that is freely given, specific, informed, and unambiguous, per Article 4(11) and Article 7 GDPR. The examples below show what each condition looks like in practice. They range from GOV.UK's equal accept and reject buttons to the granular preference screens at Rakuten and ING.

Each example is judged against the four-part valid-consent test, then contrasted with the non-compliant patterns regulators have actually fined. The order runs from the criteria themselves to real compliant examples, adaptable consent text, common violations, and real enforcement.

What Makes Cookie Consent GDPR-Compliant? (The Four-Part Test)

Valid consent under GDPR Article 4(11) has four conditions: freely given, specific, informed, and unambiguous. The ePrivacy Directive requires consent for cookies in the first place. GDPR defines what counts as valid consent once you have to get it.

Freely given: refusing is as easy as accepting

Freely given consent means the visitor has a real choice, with no cookie wall and no inappropriate pressure. The reject option must sit on the first layer of the banner. It needs the same number of clicks as accept, never buried behind a menu.

Specific: consent is unbundled and per-category

Specific consent is unbundled by purpose. A visitor consents to analytics cookies separately from marketing cookies, never through one blanket "Accept" that lumps every category together.

Informed: the notice says what data, why, and who

Informed consent names the controller, states why the data is collected, and links to the full cookie or privacy policy. A visitor should never have to guess who is collecting what.

Unambiguous: a clear opt-in action, never a pre-ticked box or "by continuing"

Unambiguous consent requires a clear affirmative action: a click, not a pre-ticked box and not continued browsing. The Court of Justice of the European Union settled this in the Planet49 case (C-673/17, ruled October 1, 2019). A pre-ticked checkbox does not involve active behavior, so it cannot be unambiguous consent.

Equal-Choice Cookie Consent Examples (Accept and Reject on the First Layer)

Freely given consent shows up first in button design: accept and reject at equal size, equal color weight, and equal click depth. Regulators have gone further than the bare GDPR text here, and two separate rulings back it up.

GOV.UK: the reference standard, with its consent text in full

GOV.UK's cookie banner states:

We use some essential cookies to make this service work. We'd also like to use analytics cookies so we can understand how you use the service and make improvements.

The buttons read "Accept analytics cookies," "Reject analytics cookies," and "View cookies," all at equal visual weight.

After a choice, the banner confirms:

You've accepted analytics cookies. You can change your cookie settings at any time.

The GOV.UK Design System also warns against making the banner sticky with position: fixed. A fixed banner can obscure focused content for keyboard and screen-reader users. One gap: the copy is deliberately plain and utilitarian, so it is a compliance model, not a brand-personality model.

The Guardian: a plain opt-in banner that does not nudge

The Guardian's bottom banner offers a genuine opt-in choice with a "Yes, I'm Happy" accept button. It sits alongside a reject and manage-preferences path, plus links to its cookie and privacy policies. Worth noting: warm accept-button copy like "Yes, I'm Happy" can read as a mild nudge when the reject path carries flatter, less inviting wording.

Coventry University: "necessary" vs "additional", spelled out

Coventry University's banner draws a clear line. "Necessary cookies to make our site work" run regardless. The visitor separately chooses whether to "set additional cookies". That split names a clear boundary between what runs regardless and what needs a choice, with accept, reject, and manage options alongside it.

Why Regulators Now Require Reject on the First Layer

Two separate 2025 rulings, in two different countries, reached the same result on equal choice. Germany's Lower Saxony data protection authority, confirmed by the Hanover Administrative Court, found a banner non-compliant when accepting is easier than rejecting. The ruling cites violations under Germany's Telecommunications Digital Services Data Protection Act and the GDPR. It specifically flagged repeated banner pressure and misleading labels such as "optimal user experience" in place of a clear reject option.

Austria's Verwaltungsgerichtshof (Administrative Court) ruled separately on January 16, 2025 (case Ra 2024/04/0424-9). The first level of a cookie banner must include an equally conspicuous reject button. A reject link buried in the footer or a settings page does not satisfy GDPR. The court rejected "industry standard" as a defense for unequal designs.

Strictly, Article 7(3) GDPR only states in its own text that withdrawing consent must be as easy as giving it. The equal-prominence rule for the first choice comes from these regulator rulings, layered on top of that text. It is not a single sentence in the statute itself. In practice, both routes now point the same way: unequal buttons are a live enforcement risk, not a gray area.

Granular Cookie Consent Examples (Consent by Category, Not All-or-Nothing)

Specific consent means a visitor can say yes to analytics and no to marketing in the same visit. A manage or preference screen makes this possible, rather than one all-or-nothing switch.

A preference center done right: analytics, marketing, and functional, each toggled

A compliant preference center lists each cookie category, analytics, marketing, and functional, as its own toggle, defaulted off for anything non-essential. The visitor can leave analytics on and marketing off without hunting through settings menus.

Rakuten: a maintained vendor list behind the "manage" screen

Rakuten runs a consent banner that automates the ongoing compliance work behind the manage screen rather than treating consent as a one-time setup. The category-level detail is less publicly documented than at some peers, so treat the specific vendor-list mechanics as directionally accurate rather than fully itemized.

ING: one consistent granular choice across every property

ING maintains a consistent, cross-domain consent experience across its digital properties. A visitor's category choices carry the same effect, regardless of which ING site they land on next. Cross-domain consistency like this is invisible to the visitor when it works, which is exactly the point.

If you want the design and layout side of granular banners, not the compliance mechanics, see our cookie consent banner design examples.

Granular consent depends on having settled cookie categories in the first place. It also depends on knowing which cookies need a choice versus which ones are essential and non-essential.

Informed-Notice Cookie Consent Examples (The Banner Text That Actually Explains)

Informed consent means the notice states what data is collected, why, and by whom, in plain language, before the visitor has to decide anything.

The Economist: a full-screen notice that states the purpose before the choice

The Economist uses a full-screen notice that blocks the rest of the page until the visitor makes a choice. It explains why cookies are used and links to preference management. One line to watch: a full-screen interstitial edges toward intrusive if "accept" becomes the only visible exit. That would tip it toward a soft cookie wall.

Financial Times: a short tooltip that still names what and why

The Financial Times uses a compact, left-side tooltip that still sorts cookies into named categories by purpose. It links to a manage-preferences screen. A compact tooltip has less room for a visible reject button. The reject path still needs to sit at the same layer as accept, not one tap deeper.

The consent notice itself sits inside what a cookie banner is and does. Before an example can be judged, it helps to be clear on what cookie consent means under the law.

GDPR Cookie Consent Text Examples You Can Adapt

A compliant consent notice states the purpose, offers a real accept and reject choice, and links the policy, all in plain language. The blocks below are adaptable starting points, not copy-paste legal advice.

Analytics-only banner: "We use essential cookies to run this site, and analytics cookies to see how visitors use it. Choose which you're comfortable with." Buttons: "Accept analytics" / "Reject analytics" / "View cookies." Satisfies: informed, unambiguous.

Analytics plus marketing banner: "We use cookies for essential functions, analytics, and personalized ads. You can accept all, reject all, or choose by category." Buttons: "Accept all" / "Reject all" / "Manage preferences." Satisfies: specific, informed, unambiguous.

Minimal necessary-only banner: "This site uses only the cookies required to function. No tracking or advertising cookies are set." Button: "Got it." Satisfies: freely given (nothing to reject because nothing non-essential loads).

GOV.UK verbatim (the reference example):

We use some essential cookies to make this service work. We'd also like to use analytics cookies so we can understand how you use the service and make improvements.

Buttons: "Accept analytics cookies" / "Reject analytics cookies" / "View cookies." Satisfies: all four criteria.

Non-Compliant Cookie Consent Examples (and the Rule Each One Breaks)

The fastest way to understand valid consent is to see it broken. Each pattern below names the one valid-consent element it violates.

"By continuing to browse, you consent" (implied consent)

Termly documented wording like "by continuing to use our site, you consent to use our cookies" on Adidas's site. It is a historical example of this pattern. It violates unambiguous consent. Browsing is not an affirmative action, and the Planet49 ruling already settled that passive behavior cannot be consent. Brands correct this wording over time, so treat it as the kind of phrasing regulators reject, not as a live accusation against any current site.

The hidden or second-layer "Reject All" (asymmetric choice)

A reject option that only appears after a second click, a settings page, or a footer link violates freely given consent. Both the Lower Saxony/Hanover ruling and the Austrian VwGH ruling in 2025 found this pattern non-compliant because it makes accepting easier than rejecting.

Pre-ticked category boxes (consent by default)

A pre-ticked box for analytics or marketing cookies violates unambiguous consent, because the visitor never took an active step. The CJEU confirmed this directly in Planet49. A pre-ticked checkbox does not meet the standard of active, unambiguous consent, no matter what the visitor does next on the page.

The cookie wall and "pay to reject" (consent that is not freely given)

A cookie wall that blocks all site access until the visitor accepts violates freely given consent. So does a "pay to reject" model that charges a fee to avoid tracking. Data protection authorities have scrutinized these pay-or-consent models specifically, because the visitor's only free choice is to leave the site entirely. Treat this pattern as high-risk and contested, not settled either way.

What Regulators Have Actually Fined (Real Consent Enforcement)

These rules carry real financial consequences. CNIL, France's data protection authority, fined three companies on the same day in 2020 for cookie consent failures.

OrganizationFineDateConsent failure
Google LLCEUR 60,000,0002020-12-10Cookies deposited without consent, insufficient information, defective opposition mechanism
Google Ireland LimitedEUR 40,000,0002020-12-10Same cookie consent violations as Google LLC
Amazon Europe CoreEUR 35,000,0002020-12-10Cookies deposited without consent and lack of information to users

Every one of these fines traces back to the freely given and informed conditions. Cookies fired before a real choice existed, and users were not told enough about what was happening. See the full picture of GDPR fines tied to consent failures.

How to Make Your Own Cookie Consent GDPR-Compliant

Three actions cover most of what separates a compliant banner from a risky one. First, put an equally sized, equally prominent reject button on the first layer, next to accept, never behind a second click. Second, unbundle consent by category with no box pre-ticked, so a visitor can accept analytics and reject marketing in one visit. Third, pair a plain-language notice with a consent record for every visitor and a way to withdraw consent as easily as it was given.

Consently's cookie consent banner ships a GDPR opt-in template with automatic geotargeting and a per-category preference center. Script and iframe auto-blocking runs before consent, so a rejected category is actually blocked rather than just labeled. It logs every consent choice for proof and adds a floating revisit button so visitors can withdraw consent at any time.

Banner fatigue is a real complaint. A low accept rate does not mean the banner is broken; it can mean visitors are making a genuine choice. If that is the concern, work on how to improve your consent rate without weakening any of the four conditions above. For the full build, see our guide to making your site GDPR-compliant.

Build a GDPR-compliant cookie banner

FAQs

What makes cookie consent GDPR-compliant?

Cookie consent is GDPR-compliant when it is freely given, specific, informed, and unambiguous, per Article 4(11). In practice that means equal accept and reject buttons, per-category opt-in, a plain-language notice, and no pre-ticked boxes.

What is a valid consent under GDPR?

Article 4(11) defines valid consent as:

Any freely given, specific, informed and unambiguous indication of the data subject's wishes, by a statement or by a clear affirmative action.

A click counts. Silence, pre-ticked boxes, and continued browsing do not.

What should a GDPR cookie consent banner say?

A compliant banner names the categories of cookies used, states why they are used, and offers accept, reject, and manage options at equal prominence. It links to the full cookie or privacy policy for detail rather than cramming everything into the banner itself.

Do accept and reject buttons have to be equal under GDPR?

Regulator guidance and 2025 rulings in Germany and Austria both require equal prominence between accept and reject on the first layer. The GDPR text itself only states withdrawal must be as easy as consent, but enforcement now treats unequal buttons as a freely given violation.

Are pre-ticked cookie boxes allowed under GDPR?

No. The CJEU ruled in the Planet49 case (C-673/17, 2019) that a pre-ticked checkbox does not involve active behavior, so it cannot count as unambiguous consent. Every non-essential category must start unchecked.

Is implied consent ("by continuing you agree") GDPR-compliant?

No. Consent cannot be implied from browsing, scrolling, or continued site use. It must come from a clear affirmative action, such as clicking an accept button for a named category of cookies.

Does GDPR require a cookie banner, or is that ePrivacy?

The ePrivacy Directive is the law that requires consent before setting most cookies. GDPR defines what counts as valid consent once that requirement applies. That is why both laws get cited together on cookie banners.

How do I create a GDPR-compliant cookie consent banner?

Start with equal accept and reject buttons, then unbundle categories with nothing pre-ticked. Write the notice in plain language naming what data is collected and why. For the complete step-by-step build, see our guide to making your site GDPR-compliant.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.