Cookie Consent Banner Best Practices for 2026

Your cookie consent banner is the first privacy interaction most visitors have with your website. Get it wrong, and you're not just annoying users — you're breaking the law. European data protection authorities have made it abundantly clear: non-compliant cookie banners will result in fines. Here's how to get yours right.

1. Always Include a "Reject All" Button

This is the single most important requirement that websites still get wrong. Under GDPR and the ePrivacy Directive, rejecting cookies must be as easy as accepting them. If your banner has a prominent "Accept All" button but hides the reject option behind a "Manage Preferences" link or settings page, you're non-compliant.

In decisions dated 31 December 2021 and announced in January 2022, France's CNIL fined Google €150 million and Facebook €60 million specifically because their cookie banners made refusing cookies significantly harder than accepting them: a single "Accept All" click granted everything, while refusing required several clicks through a settings screen.

Your banner should present "Accept All" and "Reject All" as equally prominent options — same size, same visual weight, same number of clicks.

2. Offer Granular Cookie Categories

Users must have the ability to consent to cookies by category, not just all-or-nothing. The standard categories are:

  • Strictly Necessary: Always on, no consent needed. Session cookies, CSRF tokens, load-balancer affinity cookies, and the cookie that stores the user's consent choice itself.
  • Functional: Language preferences, theme settings, remembered form data.
  • Analytics: Google Analytics, Hotjar, Mixpanel, and similar tools.
  • Marketing: Facebook Pixel, Google Ads, TikTok Pixel, retargeting tools.

Each category should have a clear, plain-language description of what it does. Avoid legal jargon. Users should be able to toggle each category independently.

3. No Dark Patterns

Dark patterns in cookie banners are design choices that manipulate users into giving consent they wouldn't otherwise give. Common violations include:

  • Color manipulation: Making the "Accept" button bright and prominent while the "Reject" button is gray, small, or styled as a text link.
  • Confusing language: Using double negatives like "Don't not allow marketing cookies" or labeling the reject button "Continue with limited experience."
  • Hidden options: Burying the reject or customize option deep in a settings panel that requires 3+ clicks to reach.
  • Pre-checked boxes: Having all cookie categories toggled on by default. Consent must be opt-in, not opt-out.
  • Cookie walls: Blocking access to content unless all cookies are accepted.

The European Data Protection Board (EDPB) addressed these practices in its Cookie Banner Taskforce report (January 2023) and in its Guidelines 03/2022 on deceptive design patterns (final version adopted in February 2023), treating consent obtained this way as invalid. Several DPAs have since relied on that reasoning in enforcement actions.

4. Block Cookies Before Consent (Pre-Consent Blocking)

This is where most websites fundamentally fail. Showing a cookie banner is not enough — you must actually prevent non-essential cookies from being set until the user consents. If Google Analytics fires on page load before the user clicks "Accept," you're in violation regardless of how compliant your banner looks.

Pre-consent blocking means:

  • Analytics scripts don't load until consent is given for analytics cookies.
  • Marketing pixels don't fire until consent is given for marketing cookies.
  • Third-party embeds (YouTube, social media widgets) that set cookies are placeholder-replaced until consent.

This requires technical implementation, not just a banner overlay: the tags themselves must be gated, whether in the page markup or in the tag manager's triggers. Verify it the way an auditor would: open the site in a fresh browser profile, do not touch the banner, and check the browser's cookie storage and network requests for analytics or advertising calls. CookieGuard handles this automatically by intercepting and blocking scripts before they execute.
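As an added example of the gating described above (not CookieGuard's code and not from the original article), here is the pattern in plain JavaScript. It assumes a markup convention chosen for this example: non-essential `<script>` tags are authored with `type="text/plain"` and a `data-cookie-category` attribute, so the browser parses but never executes them, and third-party embeds are authored as placeholder elements carrying `data-embed-src`. The decision logic is separated from the DOM code and fails closed: a missing or malformed consent state blocks everything except strictly necessary.

```javascript
// Added example: consent-gated loading of scripts and embeds (not CookieGuard's code).
// Assumed markup convention (hypothetical, chosen for this example):
//   <script type="text/plain" data-cookie-category="analytics" src="https://example.invalid/ga.js"></script>
//   <div data-embed-src="https://www.youtube-nocookie.com/embed/VIDEO" data-cookie-category="marketing"></div>
// The browser parses a text/plain script but never executes it, so nothing fires before consent.

const CATEGORIES = ["functional", "analytics", "marketing"];

// State before the user has made any choice: every non-essential category denied.
function defaultConsent() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, false]));
}

// Pure decision function. Fails closed: a missing consent object, an unknown
// category, or a value that is not exactly `true` all mean "do not load".
function isAllowed(consent, category) {
  if (category === "strictly-necessary") return true;
  if (!CATEGORIES.includes(category)) return false;
  return consent !== null && typeof consent === "object" && consent[category] === true;
}

// Which of a set of tagged categories may be activated under this consent state.
function selectActivatable(taggedCategories, consent) {
  return taggedCategories.filter((c) => isAllowed(consent, c));
}

// Swap each permitted text/plain script for a real one so the browser runs it.
// Returns how many scripts were activated; 0 outside a browser (no `document`).
function activateScripts(consent, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-cookie-category]')) {
    if (!isAllowed(consent, el.dataset.cookieCategory)) continue;
    const live = doc.createElement("script");
    if (el.getAttribute("src")) live.src = el.getAttribute("src");
    else live.textContent = el.textContent;
    live.async = true;
    el.replaceWith(live); // removing the placeholder prevents double activation
    activated += 1;
  }
  return activated;
}

// Replace embed placeholders with the real iframe only for permitted categories.
function activateEmbeds(consent, doc = globalThis.document) {
  if (!doc) return 0;
  let activated = 0;
  for (const ph of doc.querySelectorAll("[data-embed-src][data-cookie-category]")) {
    if (!isAllowed(consent, ph.dataset.cookieCategory)) continue;
    const frame = doc.createElement("iframe");
    frame.src = ph.dataset.embedSrc;
    frame.setAttribute("allowfullscreen", "");
    ph.replaceWith(frame);
    activated += 1;
  }
  return activated;
}

// Call on page load with the stored consent (or defaultConsent()) and again whenever
// the user changes their choice. Scripts that already ran cannot be "unloaded": on
// withdrawal, delete the cookies those scripts set and reload the page.
function applyConsent(consent) {
  return activateScripts(consent) + activateEmbeds(consent);
}
```

The important property is in `isAllowed`: anything that is not an explicit `true` for a known category is treated as a refusal, so a corrupted or absent consent cookie never results in trackers loading.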

5. Make Consent Easy to Withdraw

Under GDPR Article 7(3), withdrawing consent must be as easy as giving it. This means you need a persistent way for users to revisit their cookie preferences, typically a small floating icon or a link in the footer that reopens the consent manager. Reopening the manager is only half of it: when a user withdraws consent for a category, the cookies set under that category should be deleted and the corresponding scripts must not run again on the next page load.

6. Keep Records of Consent

You need to be able to prove that a specific user consented to specific cookie categories at a specific time. This consent log should include a timestamp, the version of your cookie policy, which categories were accepted or rejected, and a unique consent ID. Store the record in a first-party cookie so the banner is not shown again on every visit, and log the same record (keyed by the consent ID) server-side; when your cookie policy changes, treat records made under the old version as no consent and show the banner again. If a DPA audits you, "we had a banner" isn't enough — you need documentation.
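An added example, not from the article or CookieGuard, of what such a record can look like and how to check it on the next visit. The field names, the cookie name `cookie_consent`, the `POLICY_VERSION` string and the one-year lifetime are assumptions; the point it shows is that a record whose policy version no longer matches, or that is older than the lifetime, is treated as no consent and the banner is shown again.

```javascript
// Added example: consent record creation, storage and validation (not CookieGuard's code).
// Assumptions (hypothetical): cookie name "cookie_consent", these field names,
// a 365-day lifetime, and POLICY_VERSION bumped whenever the cookie policy changes.

const CATEGORIES = ["functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01";
const MAX_AGE_DAYS = 365;
const COOKIE_NAME = "cookie_consent";

// Unique ID for the audit trail; uses the platform CSPRNG (browsers, Node 19+).
function newConsentId() {
  const c = globalThis.crypto;
  if (!c || typeof c.randomUUID !== "function") throw new Error("no CSPRNG available for consent id");
  return c.randomUUID();
}

// Build the record from the user's choices. Categories fail closed: anything
// other than the boolean `true` is recorded as rejected. `id` and `now` are
// injectable so the record is reproducible in tests.
function buildConsentRecord(choices, { id = newConsentId(), now = new Date() } = {}) {
  const categories = {};
  for (const c of CATEGORIES) categories[c] = choices[c] === true;
  const granted = Object.values(categories).filter(Boolean).length;
  return {
    id,                             // unique consent ID, also sent to the server-side log
    ts: now.toISOString(),          // when the choice was made
    policyVersion: POLICY_VERSION,  // which policy text the user saw
    categories,                     // per-category decision
    action: granted === CATEGORIES.length ? "accept_all" : granted === 0 ? "reject_all" : "custom",
  };
}

// Serialise as a first-party cookie. The consent cookie itself is strictly
// necessary, so setting it needs no consent.
function consentCookieString(record) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${COOKIE_NAME}=${value}; Max-Age=${MAX_AGE_DAYS * 86400}; Path=/; SameSite=Lax; Secure`;
}

// Parse the record back out of document.cookie (or a Cookie header). Returns
// null for a missing, malformed or structurally wrong value.
function parseConsentCookie(cookieHeader) {
  const m = new RegExp(`(?:^|;\\s*)${COOKIE_NAME}=([^;]*)`).exec(cookieHeader || "");
  if (!m) return null;
  try {
    const rec = JSON.parse(decodeURIComponent(m[1]));
    if (rec === null || typeof rec !== "object") return null;
    if (typeof rec.id !== "string" || typeof rec.ts !== "string" ||
        typeof rec.policyVersion !== "string" ||
        rec.categories === null || typeof rec.categories !== "object") return null;
    return rec;
  } catch {
    return null;
  }
}

// A stored record only counts as consent if it was given under the current
// policy version and is not older than the lifetime; otherwise re-prompt.
function isCurrent(record, now = new Date()) {
  if (!record || record.policyVersion !== POLICY_VERSION) return false;
  const ageMs = now.getTime() - Date.parse(record.ts);
  return Number.isFinite(ageMs) && ageMs >= 0 && ageMs <= MAX_AGE_DAYS * 86400000;
}

// Page-load decision: returns the per-category consent to apply, or null when
// the banner must be shown (no record, stale policy version, or expired).
function effectiveConsent(cookieHeader, now = new Date()) {
  const rec = parseConsentCookie(cookieHeader);
  return isCurrent(rec, now) ? rec.categories : null;
}
```

On page load, `effectiveConsent(document.cookie)` either yields a category map to hand to the script gating, or `null`, in which case nothing non-essential loads and the banner is displayed. The server-side log should receive the same record so that the consent ID in the cookie can be matched to an entry during an audit.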

Real Fines for Banner Violations

These aren't hypothetical risks. Here are real enforcement actions:

  • Google — €150M (CNIL, France): Reject button required multiple clicks vs. one-click accept.
  • Facebook — €60M (CNIL, France): Same issue — asymmetric consent mechanism.
  • Criteo — €40M (CNIL, France): Dropping advertising cookies without valid consent.
  • Vueling Airlines — €30,000 (AEPD, Spain): No option to reject cookies at all.
  • Numerous SMEs — €5,000–€100,000: DPAs across Germany, Austria, and Belgium have fined smaller companies for pre-checked boxes, missing reject buttons, and cookie walls.

Is Your Cookie Banner Compliant?

CookieGuard scans your website and checks your cookie banner against every GDPR and ePrivacy requirement. Get a detailed compliance report in 30 seconds.

Check Your Banner Free →