How to Comply With Cookie Laws: A Step-by-Step Guide

Follow 8 steps to comply with cookie laws worldwide: audit, categorize, block before consent, geo-target consent, and record every choice.


by Riad Us Salehin • 5 July 2026


To comply with cookie laws, audit every cookie your site sets and publish a cookie and privacy policy. Show a consent banner that blocks non-essential cookies until the visitor chooses. Record each choice and re-scan on a schedule.

This guide turns that into an 8-step project. It works whether your visitors are in the EU, the UK, the US, or all three at once.

How Do You Comply With Cookie Laws? (Quick Answer)

Cookie compliance follows the same eight-step sequence regardless of which law applies to your visitors.

To comply with cookie laws:

  1. Audit every cookie and tracker your site sets
  2. Categorize your cookies and decide what needs consent
  3. Write a cookie policy and a privacy policy
  4. Add a consent banner that blocks cookies before consent
  5. Match the consent model to each visitor's region
  6. Connect consent to Google and your other tags
  7. Record and store every consent choice
  8. Re-scan and keep your compliance current

The order matters. Auditing before you build a banner tells you exactly what the banner needs to block. Skipping that step is the root cause of most "compliant" banners that quietly leak data anyway.

Which Cookie Laws Apply to You?

The cookie laws that bind your site depend on where your visitors live, not where your business is registered. Which of the privacy laws behind cookie consent apply comes down to visitor location. They split into two consent models: opt-in for the EU and UK, opt-out for the US.

If any visitor connects from the EU, the UK, or a US state with an active privacy law, that law applies to your site. Your own location does not matter. Most commercial websites with international traffic answer to more than one regime at once. That is why the banner has to adapt per visitor, not run one fixed template.

The Opt-In World: GDPR, ePrivacy, and UK PECR

GDPR and the ePrivacy Directive require prior, opt-in consent before you set any non-essential cookie on an EU or UK visitor's device. Consent must be freely given, specific, informed, and given through a clear positive action. A pre-ticked box or a policy buried in fine print does not count. For the full checklist of what a GDPR cookie banner must do, see the dedicated requirements guide.

The ePrivacy Directive, not the GDPR, is the actual source of the banner requirement. The two are read together for full compliance. The planned ePrivacy Regulation that was meant to replace the Directive was formally withdrawn by the European Commission on July 16, 2025. Any guidance telling you to "prepare for the ePR" is out of date.

The UK runs its own version through the Privacy and Electronic Communications Regulations (PECR), alongside UK GDPR. The standard is the same: tell visitors the cookies are there, explain what they do, and get a clear positive action before setting them.

Both regimes exempt strictly necessary cookies, the ones essential to a service the visitor requested, such as a shopping cart or a login session. Everything else, including analytics, needs consent first.

The Opt-Out World: CCPA and US State Laws

The US has no single federal cookie law. More than 20 states, led by California's CCPA and CPRA, require notice and an opt-out instead of prior consent.

Under CCPA/CPRA, you must display a clear "Do Not Sell or Share My Personal Information" link. You must also honor the Global Privacy Control (GPC), a browser-level signal some visitors send to opt out automatically. A January 2026 CCPA regulatory update tightened this further. Businesses must now show visible confirmation that an opt-out request was actually processed, whether it came through a banner, a link, or GPC. See how to become CCPA compliant for the full US opt-out journey, including which states are covered and how the notice requirement works in practice.

Do These Laws Apply if You Are Not in the EU?

Yes. Cookie laws are extraterritorial: they follow the visitor, not your business address. A US-based site with EU or UK visitors owes those visitors GDPR and PECR-level opt-in consent. A site with California visitors owes them CCPA's opt-out mechanics, no matter where the company is incorporated. Canada adds a third layer for Canadian visitors. PIPEDA applies at the federal level, and Quebec's Law 25 runs its own consent regime. Canada's Anti-Spam Legislation requires consent before installing a tracking program, such as a cookie, on a device.

What You Need Before You Start

The prerequisite most site owners miss is a complete inventory of every third-party script and plugin on the site. It is not just the cookies they already know about.

Roles: the site owner remains accountable for cookie compliance, even if a developer or platform built the site. A marketing lead or ops owner typically runs the project day to day.

Time: a lean single-site build takes roughly an afternoon once a scanner, banner tool, and policy generator are in hand. A large or e-commerce site with many third-party embeds takes longer, mostly for the audit and categorization steps, not the banner itself.

Inputs: a list of every marketing, analytics, and advertising tool connected to the site (ad pixels, chat widgets, embeds). You also need a domain to run the scan against.

Tools you need:

  • A cookie scanner or audit tool
  • A consent management tool that can block scripts before consent
  • A cookie and privacy policy generator, or a template you can adapt

You do not need a cookie banner at all in one narrow case. Your site must set nothing beyond strictly necessary cookies, such as a login session or a shopping cart. It must also have no visitors in a region with an active privacy law.

Step 1: Audit Every Cookie and Tracker Your Site Sets

An audit produces a complete list of every cookie, tracker, script, and iframe your site sets. Each item gets tagged with its provider, purpose, duration, and whether it touches personal data.

Manually hunting for this in browser DevTools misses trackers that only fire deep in a checkout flow or a gated funnel page. That is exactly where hand audits fall apart. Consently runs an automatic full-site scan that finds cookies, trackers, scripts, and iframes across your site. It also gives you a manual URL list, so you can add unlinked funnel pages before scanning. For the complete manual and tool-based method, including how to read a scan report line by line, run a full cookie audit.

For each item the audit turns up, capture the following.

  • The cookie or tracker's name and provider
  • Its purpose (session, analytics, advertising, and so on)
  • How long it persists
  • Whether it processes personal data or is shared with a third party

Step 2: Categorize Your Cookies and Decide What Needs Consent

Every cookie your audit found falls into one of four categories, and the category decides whether it needs consent at all.

CategoryExamplesNeeds consent?
Strictly necessaryLogin session, shopping cart, load balancingNo
Functional or preferenceLanguage setting, saved layoutYes (under opt-in law)
Analytics or statisticsGoogle Analytics, heatmapsYes (under opt-in law)
Marketing or advertisingAd pixels, retargeting tagsYes (under opt-in law)

Only the strictly necessary category skips consent under GDPR and PECR. Every other category needs it before it fires for an EU or UK visitor. 💡 Using Consently? The scanner auto-categorizes every detected cookie into these buckets. You can add custom categories or edit the vendor and purpose on any entry the auto-categorization gets wrong. Correct categorization is what makes the banner underneath it legally meaningful, not just decorative.

Step 3: Write a Cookie Policy and a Privacy Policy

You need two documents. A cookie policy names every cookie, its purpose, its duration, and any third parties involved, linked from the banner. A privacy policy covers broader data rights.

A cookie policy is required wherever opt-in consent applies, since visitors must be told what they are consenting to before they consent. 💡 Using Consently? Its policy generators produce cookie, privacy, and terms documents in multiple languages you can embed directly on the site. Treat the output as a starting point, not a substitute for legal review on a complex or high-risk site. Policy generators assist with compliance; they do not replace counsel. See how to create a privacy policy for the full drafting method, including the specific clauses a policy needs.

Step 4: Add a Consent Banner That Blocks Cookies Before Consent

A compliant banner shows on first visit and offers Accept, Reject, and Manage, with Reject exactly as easy to click as Accept. It links the policy, and critically, it blocks every non-essential cookie and script until the visitor makes a choice.

That last requirement is where most banners fail in practice. Scripts written directly into the page head fire the moment the page loads, no matter whether a banner sits on top of them. A visitor who clicks Reject has often already been tracked by the time they see the button. The fix is gating each non-essential script by category. A common method rewrites the tag as <script type="text/plain" data-category="analytics">. A consent tool can then hold it until that category is granted, instead of letting it run and hoping the banner catches up.

A compliant banner must:

  • Show Accept, Reject, and Manage Preferences with equal visual weight
  • Block non-essential cookies and scripts until a choice is made
  • Never hide Reject behind a smaller link or a second click
  • Never assume consent from scrolling or continued browsing
  • Link to the cookie policy from inside the banner itself

Cookie walls that block all site access until the visitor clicks Accept are generally non-compliant under GDPR. Consent obtained that way is not freely given. Consently's auto-blocking holds non-essential cookies and scripts, including iframes, until consent is granted, with an editable placeholder shown where a blocked iframe would normally load. Its banner ships Accept, Reject, and Manage as equal-weight actions, plus a preference center and a floating button so visitors can revisit their choice later. Here is how to add a cookie banner to your site the right way. The mechanism that makes this work is to block cookies and scripts before consent.

On specific platforms the steps differ slightly, for example making a Shopify store compliant or getting a WordPress site GDPR compliant. Equivalent guides cover the install path whether you are on Squarespace, Webflow, or Wix.

Step 5: Match the Consent Model to Each Visitor's Region

A single banner cannot use one consent model everywhere. EU and UK visitors need opt-in, while US visitors need opt-out with a Do-Not-Sell link. The banner has to detect visitor region and switch templates automatically.

Consently's automatic geotargeting serves the GDPR opt-in template, blocked by default, to EU and UK visitors. US visitors get the CCPA/US opt-out template instead, with country-code-based script loading underneath. Honoring US opt-out preference signals like GPC is a separate obligation from geotargeting the banner template. Verify your consent tool's exact GPC-handling behavior, since not every consent platform auto-detects and responds to GPC signals. For multilingual sites, translate your cookie banner for each visitor's language so every region sees the right consent model in its own words.

Step 6: Connect Consent to Google and Your Other Tags

If you run Google Analytics or Google Ads, the visitor's consent choice has to reach Google itself. That happens through Google Consent Mode v2, typically wired through Google Tag Manager.

Consent Mode v2 has been required for personalized advertising signals on EU Google Ads traffic since March 2024. Expect your raw analytics numbers to drop once a banner blocks non-consented tracking. That drop is not a bug; it is the banner working. Consent Mode v2's modeled conversions estimate the traffic you can no longer directly measure, recovering some of that visibility without violating consent.

Consently signals Consent Mode v2, Google's Additional Consent (AC v2), and IAB TCF. It installs through a GTM Custom HTML tag or through Cloudflare Zaraz. You can set up cookie consent in Google Tag Manager to gate every tag, and collect consent for Google Analytics without losing all your data. The same gating applies if you block the Meta pixel until consent: any third-party ad pixel needs the same before-consent blocking as Google's own tags.

Step 7: Record and Store Every Consent Choice

You must be able to prove what a visitor consented to and when. That means logging every choice with a timestamp and keeping that log exportable for an audit.

This is the step DIY banners skip most often, and it is the first thing a regulator asks for. Consently keeps consent logs with export and tracks consent analytics over time. It also persists a visitor's choice across pages and subdomains, so the banner does not reappear and ask again after a valid choice.

Consent is only part of the compliance picture. A consent log alone does not cover a visitor's separate right to request their data. You also need a way to handle a data subject access request when one arrives.

Step 8: Re-Scan and Keep Your Compliance Current

Every new plugin, embed, or ad tag you add can introduce a new cookie your banner never accounted for. Re-scanning on a schedule is what keeps a compliant setup from silently drifting out of compliance.

Verify the banner is actually blocking. Open the site in a private browser window and check DevTools before and after making a consent choice. If analytics requests fire before you click anything, the blocking is not working, regardless of what the banner claims. 💡 Using Consently? It runs an initial scan at setup, a weekly scheduled scan after that, and an on-demand scan whenever you want one. A scan history lets you compare over time and catch new trackers as they appear.

Follow this basic re-scan checklist.

  • Re-scan after adding any new plugin, embed, or tag
  • Spot-check with a private-window DevTools test monthly
  • Update the cookie policy when the cookie list changes
  • Review consent logs periodically for anomalies

Common Cookie Compliance Mistakes to Avoid

The single most damaging mistake is a banner that looks compliant but does not actually block non-essential cookies before the visitor consents. That means the site is collecting data it has no legal basis to collect.

  1. Scripts fire before the choice is made. Tags written directly in the page head load regardless of the banner sitting on top of them, so data gets collected before consent and the banner becomes theater. Gate every non-essential tag by category, or use a tool that blocks by default until consent is granted.
  2. Unequal Accept and Reject buttons. Hiding Reject behind a smaller link, a duller color, or a second click is a dark pattern regulators actively fine for. CNIL has sanctioned companies for exactly this. Make Reject and Accept equally visible and equally easy to click.
  3. Cookie walls that block all access. Forcing a visitor to click Accept before they can see any content at all is generally non-compliant under GDPR, since it removes the "freely given" element of consent. Keep the site usable if the visitor rejects.
  4. Pre-ticked boxes and legitimate-interest abuse. Assuming consent through a pre-checked box, or leaning on "legitimate interest" for marketing cookies, is invalid consent. Regulators including the Dutch DPA have fined companies for pre-checked defaults. Default every non-essential category to off, and let visitors opt in deliberately.
  5. Never re-verifying, so new cookies go untracked. A banner configured once and never checked again quietly falls out of compliance as new plugins and tags get added over time. Re-scan on a schedule and spot-check with DevTools.

How Consently Helps You Do the Website Side of Cookie Compliance

Consently covers the technical and documentation side of this guide from one script. That means scanning, blocking before consent, a region-based banner, Consent Mode signaling, an exportable consent record, and the policy generators. All of it ships on every plan, not gated by tier.

It is the tooling, not the compliance itself. Deciding which laws bind your specific business, and any legal judgment beyond a starting-point policy, stays a decision for you or your counsel. What Consently removes is the manual work: hunting for cookies by hand, wiring up blocking logic yourself, and building a separate consent log from scratch. Consently's consent platform handles the website side from one script, so try it against your own site.

FAQs

How do I make my website comply with cookie laws?

Audit every cookie your site sets, categorize each one, and write a cookie and privacy policy. Add a banner that blocks non-essential cookies before consent, match the consent model to each visitor's region, and connect consent to Google's tags. Log every choice, and re-scan on a schedule.

Do I need a cookie banner if I only use Google Analytics?

Yes. Google Analytics sets non-essential analytics cookies, which need consent under GDPR and PECR for EU and UK visitors. A site running Analytics without a consent mechanism is out of compliance for those visitors, no matter how the tool is used.

Do US websites have to comply with cookie laws?

Yes, if the site has EU, UK, or California (or other covered US state) visitors. Cookie law follows the visitor's location, not the business's. More than 20 US states now have their own privacy laws layered on top of CCPA and CPRA.

Is a cookie policy required by law?

Yes, under GDPR and the ePrivacy Directive. Visitors must be told what a cookie does and why before they can meaningfully consent to it. A privacy policy is a separate, broader requirement covering data rights beyond cookies specifically.

What is the difference between opt-in and opt-out consent?

Opt-in, used by the EU and UK, blocks non-essential cookies by default until the visitor actively agrees. Opt-out, used by US states like California, allows cookies by default. It requires a visible way to decline, such as a Do Not Sell or Share link.

How much does cookie compliance cost for a small website?

A small site can get compliant for close to nothing beyond a modest monthly tool cost. A scanner, banner, and policy generator bundled into one tool cover the entire technical requirement. The real cost is time, not money, and a lean single-site setup typically takes an afternoon.

What are the penalties for not complying with cookie laws?

GDPR fines reach EUR 20 million or 4% of global annual turnover. Post-2025 UK PECR fines reach GBP 17.5 million or 4%. CNIL fined Google EUR 325 million and SHEIN EUR 150 million in September 2025 for cookie consent failures. CCPA fines run up to $2,663 per unintentional violation and $7,988 per intentional one.

Do I still need consent if my banner loads after the scripts?

No, that setup is not compliant. If analytics or advertising scripts fire before the banner resolves, the visitor has already been tracked no matter what they choose afterward. The fix is gating those scripts to load only after consent, not just displaying a banner on top of them.

Do I need consent for cookies my third-party plugins set?

Yes. You are responsible for every cookie your site sets, including ones added by a plugin, embed, or third-party widget you did not write yourself. Those cookies need the same audit, categorization, and consent treatment as any first-party tracker.

Consently handles every technical step in this guide from one script.

  • Scans your cookies
  • Blocks them until consent
  • Shows the right banner for each visitor's region
  • Signals Google Consent Mode
  • Keeps an exportable consent record

It also generates your cookie, privacy, and terms policies, so the paperwork lives in one place. Start your free 14-day Consently trial (no card required) and get the website side of cookie compliance handled in an afternoon.

AUTHOR

Riad Us Salehin is the content lead at Dorik. He is a passionate content creator who lets the work speak for itself. Focused on taking brands and causes to the next level.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.