GDPR Cookie Consent Requirements: What Your Banner Must Do

The six GDPR cookie consent requirements your banner must meet: prior blocking, granular choice, equal reject, plain-language info, records, and easy withdrawal.


by Riad Us Salehin • 5 July 2026


GDPR cookie consent requires a site to get a visitor's freely given, specific, informed, and unambiguous opt-in before any non-essential cookie loads. Banners must offer granular per-category choice, make refusing as easy as accepting, keep consent records, and let visitors withdraw anytime. Sites using only strictly necessary cookies are exempt.

This guide breaks the requirement into six steps. It also covers the mistakes that trigger enforcement and a pending EU reform.

What Is GDPR Cookie Consent?

GDPR cookie consent is the permission a website must collect before storing or reading non-essential cookies on a visitor's device. The consent obligation itself does not come from the GDPR text directly. It comes from the ePrivacy Directive, often called the EU cookie law. Article 5(3) of that directive sets the "get consent before cookies" rule. GDPR then supplies the legal definition of valid consent.

Valid consent under GDPR Article 4(11) and Article 7 must be freely given, specific, informed, and given through a clear affirmative action. That standard is one piece of what the GDPR requires of any site handling EU personal data. Silence, inactivity, or continued browsing never counts. A checkbox pre-ticked by default fails this test even if a visitor never objects.

Not every cookie needs this permission. Strictly necessary cookies are exempt from consent under both GDPR and the ePrivacy Directive. These are cookies a site cannot function without: a shopping cart, a login session, a security token. Everything else, analytics, advertising, and most preference cookies, needs an opt-in first.

What You Need Before You Start

The prerequisite most sites skip is a full cookie audit. You cannot get valid consent for cookies you have not identified. A cookie and tracker inventory comes before any banner design decision.

Five things need to be in place before you configure a consent flow.

  • A cookie and tracker inventory. A scan of every cookie, script, and iframe your site loads, first-party and third-party.
  • A category for each cookie. Necessary, preferences, analytics, and advertising, at minimum.
  • A cookie policy. Plain-language documentation of what each cookie does, matching the scan.
  • A consent mechanism. A consent management platform or a hand-built banner that can block, categorize, and log consent.
  • A place to store consent logs. Proof of what each visitor agreed to, and when.

A site that sets only strictly necessary cookies may not need a consent banner at all. That is rare in practice. Analytics tags, embedded video, and ad pixels almost always introduce non-essential cookies the moment they load.

Step 1: Block Non-Essential Cookies Until the Visitor Consents

No non-essential cookie or script may fire before the visitor takes an affirmative action to agree. This is prior consent, or prior blocking. It is the most technically demanding requirement on this list, because it has to happen automatically, not just in the banner's copy.

Prior blocking means the consent tool intercepts every non-essential cookie, script, and iframe. It holds them at the code level until a visitor clicks Accept, or accepts a specific category. A banner that displays correctly but lets Google Analytics fire in the background is not compliant.

A common failure mode is a banner that loads late. If it appears a second or two after the page renders, non-essential cookies may already be set before the visitor sees any choice. The fix is to load the consent script before any tracking tag, so blocking is active from the first millisecond.

To verify prior blocking works, open a private browser window and load the site cold. Inspect cookies and network requests in developer tools before clicking anything on the banner. If a non-essential cookie is already present, blocking has failed.

Step 2: Let Visitors Choose Cookie Categories, Not All-or-Nothing

Consent must be granular. Visitors accept or reject cookies by category, analytics, marketing, preferences, not through one all-or-nothing toggle. A banner with only "Accept" and "Decline" buttons and no category choice fails the standard for specific consent.

A preference center solves this. It groups every detected cookie into its category and lets the visitor toggle each one independently. Strictly necessary cookies are shown for transparency but cannot be turned off, since they carry no consent requirement.

Consently's preference center groups every cookie a site's scan detects into its category automatically. Visitors toggle analytics, marketing, and preference cookies independently, from the same panel as the Accept and Reject buttons.

Step 3: Make "Reject All" as Easy as "Accept All"

Accept all and Reject all must be equally visible and take equally little effort. Both belong on the first layer of the banner, not buried behind a settings menu. This is the most cited GDPR cookie consent requirement, and the one banners fail most often.

Two enforcement actions confirm this. The UK's ICO published a joint position paper with the Competition and Markets Authority on 9 August 2023. It told organizations their top-level banner needed a Reject All button as prominent as Accept All. It warned of intervention for banners that buried it. On 19 March 2025, Germany's Hanover Administrative Court ruled against a publisher. Its banner offered one-click Accept but forced Reject through several layers of menus. The court held that consent obtained that way was invalid.

Pre-ticked consent boxes fail the same test from a different angle. The CJEU's Planet49 ruling (Case C-673/17) established that a pre-selected checkbox is not a valid affirmative action, because the visitor never actively chose it.

A compliant banner does the following.

  • Shows "Accept All" and "Reject All" as two buttons of matching size and weight, on the first layer.
  • Leaves every optional category toggle off by default.
  • Lets a visitor complete rejection in the same number of clicks as acceptance.

A non-compliant banner does the following.

  • Styles "Accept All" as a solid button and "Reject All" as a plain text link.
  • Requires a visitor to open Settings, then a sub-menu, then decline each vendor individually.
  • Pre-ticks any non-essential category.

Consently's opt-in template ships with Accept, Reject, and Manage Preferences as three buttons of equal weight on the first layer by default. Equal prominence is the starting configuration, not something a team has to design correctly from scratch.

Step 4: Tell Visitors What Each Cookie Does, in Plain Language

Before consent, a visitor needs accurate, plain-language information about each cookie. That means what it stores, why, for how long, and whether a third party can access it. This is the "informed" half of the valid-consent standard. A banner that only says "we use cookies to improve your experience" does not meet it.

The information does not all need to live in the banner itself. A linked cookie policy satisfies the requirement, as long as the banner makes it easy to find before the visitor decides. The policy should list each cookie, its category, its duration, and its first-party or third-party status.

Consently's cookie policy generator produces this document from the site's own scan results. It lists each detected cookie's name, category, and duration in plain language, and the same per-cookie descriptions appear inside the preference center. A generated policy assists with this duty; it does not replace legal review of a site's specific setup.

Step 5: Record and Store Every Consent as Proof

Every consent choice needs to be documented and stored as audit-ready proof: who consented, to what, and when. Under GDPR Article 7(1), the burden of proof for showing valid consent sits with the website operator, not the visitor. Without a log, there is no way to demonstrate compliance if a regulator asks.

A consent log should capture, at minimum, a timestamp and the categories accepted or rejected. It should carry enough identifying detail to tie the record to a visitor session, without over-collecting personal data.

Consently logs each consent event with a timestamp and status automatically. A site can export that log at any time, so the audit trail already exists the moment a visitor makes a choice.

Step 6: Make Withdrawing Consent as Easy as Giving It

Withdrawal has to be as easy as granting consent in the first place. A visitor who accepted cookies last month must be able to change their mind today. A persistent, always-available way to reopen preferences has to exist on every page, not just the first visit.

The mechanism is usually a small floating button or a footer link labeled "Manage Cookie Preferences." It stays visible on every page. Clicking it reopens the same preference center the visitor saw originally. Withdrawing consent has to actually stop the relevant cookies from firing again, not just record the new preference without enforcing it.

Consently's floating revisit button stays visible on every page after the first choice. It reopens the full preference center, so a visitor can change categories or withdraw entirely without hunting for a settings page.

Common GDPR Cookie Consent Mistakes to Avoid

The single most damaging mistake is letting non-essential cookies fire before consent. It invalidates every other compliance step downstream, and it is the easiest violation for a regulator to detect. Five mistakes account for most enforcement actions.

  • Cookies load before consent. A banner that appears late, or a tag manager that fires scripts regardless of consent state, sets cookies the visitor never agreed to. Fix: verify blocking with a cold, private-browsing DevTools check (Step 1) before launch.
  • Reject is harder to find than Accept. A prominent "Accept All" button paired with a buried or link-styled reject option fails the equal-prominence standard the ICO and the Hanover court both enforced. Fix: match the visual weight and click-depth of both options.
  • Toggles default to on. Any non-essential category pre-selected as accepted fails the Planet49 standard for affirmative consent. Fix: every optional toggle starts off.
  • Legitimate interest replaces consent for tracking. Advertising and marketing trackers need consent, not a legitimate-interest justification. Regulators treat this substitution as a clear sign of non-compliance. Fix: use consent, not legitimate interest, for advertising or marketing cookies.
  • The site never rescans for new trackers. A marketing team adds a new pixel or embed, and it fires unblocked because the original scan never saw it. Fix: schedule recurring automatic scans, not a one-time setup check.

Regulators can escalate unresolved violations to GDPR fines of up to EUR 20 million or 4 percent of global annual turnover, whichever is higher.

Are GDPR Cookie Consent Rules Changing? (The 2025 to 2026 Reform)

Current GDPR and ePrivacy cookie consent obligations have not changed. In November 2025, the European Commission proposed the Digital Omnibus package. It would move cookie consent rules into the GDPR through new Articles 88a and 88b. One provision, a browser-level machine-readable consent signal, could let visitors set their preference once instead of clicking every banner.

That proposal is not law. The Council's negotiating position, finalized on 18 June 2026, deleted the proposed new consent articles, 88a, 88b, and 88c, including the browser-signal provision, entirely. Member states including Germany, France, and Poland pushed for their removal. The European Parliament has not yet taken its own position, and a final law needs both institutions to agree. The outcome remains unsettled.

Until any change is adopted, every requirement in this guide still applies exactly as written. Prior blocking, granular consent, equal prominence, plain-language information, records, and withdrawal all remain mandatory. A consent platform built around explicit consent today already meets the current standard. It would need only configuration changes, not a rebuild, if a browser-signal model is eventually adopted.

How Consently Helps You Meet GDPR Cookie Consent Requirements

One consent management platform can cover all six requirements from a single setup. That includes an opt-in banner with automatic blocking, a preference center, a policy generator, consent logs, and a revisit button.

RequirementConsently feature
Prior blockingAutomatic cookie, script, and iframe blocking until consent
Granular consentPreference center with per-category toggles
Equal accept/rejectGDPR opt-in template with equal-weight buttons by default
Plain-language infoCookie policy generator built from the site's own scan
Consent recordsTimestamped, exportable consent logs
Easy withdrawalFloating revisit button on every page

A generated banner, policy, and consent log assist with these duties. They support compliance; they do not replace legal review of a site's specific situation.

FAQs

Does GDPR require consent for all cookies?

No. Strictly necessary cookies are exempt from consent under both GDPR and the ePrivacy Directive. These include a shopping cart or a login session. Every non-essential cookie, including analytics and advertising, still needs an opt-in first.

Is a cookie banner legally mandatory under GDPR?

Only if the site sets non-essential cookies. A site that genuinely uses only strictly necessary cookies may not need a banner at all, though disclosing those cookies is still good practice.

Does GDPR cookie consent apply to websites outside the EU?

Yes, if the site targets or monitors visitors in the EU or UK. GDPR applies based on who GDPR actually applies to, not where the site's server sits.

Can I use "legitimate interest" instead of consent for cookies?

Not for advertising or marketing tracking. Consent is required for those categories. Regulators treat legitimate interest as a widely misused workaround for tracking cookies that should go through consent instead.

What happens if my cookie banner is not GDPR-compliant?

A non-compliant banner can trigger complaints to a supervisory authority and a formal investigation. Enforcement can escalate to fines of up to EUR 20 million or 4 percent of global annual turnover.

How long is GDPR cookie consent valid before I must ask again?

There is no fixed statutory period. Common regulator practice treats consent as valid for roughly 6 to 12 months, or until the site's cookie use changes materially. Most sites re-ask on that cadence rather than waiting for a fixed deadline.

Is implied or scroll consent allowed under GDPR?

No. Consent requires a clear affirmative action, a click or a toggle. Scrolling, closing the banner, or continuing to browse never counts as valid consent.

Now that you know the six things a GDPR cookie banner must do, the harder part is building them correctly. It gets harder still keeping them that way as your site changes. Consently sets up all six in one pass:

  • An opt-in banner with auto-blocking
  • A granular preference center
  • Equal accept and reject by default
  • A generated cookie policy
  • Exportable consent logs
  • A revisit button for withdrawal

See the GDPR cookie consent solution built around this exact standard. Or start your free trial and add a GDPR-ready banner in minutes. No credit card required.

Next, see the full GDPR compliance steps for everything beyond cookie consent, or run through a GDPR compliance checklist to confirm nothing is missed.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.