Cookie Consent · GDPR · Cookie Banner · Compliance
By Gregor Emm · 5 min read

Cookie Consent Examples — Good, Bad, and Non-Compliant

Cookie consent banners are the most visible part of privacy compliance — and the area where most websites get it wrong. Regulators like CNIL have issued millions in fines specifically for banner design.

This guide shows real patterns we see when scanning websites, explains what's compliant and what isn't, and gives you clear rules to follow.

Before the examples, the rules:

  1. No cookies before consent — non-essential cookies must not fire until the user makes a choice
  2. Equal prominence — accepting and rejecting must be equally easy
  3. No pre-checked boxes — cookie categories must be unchecked by default
  4. Granular control — users must be able to choose by category (analytics, advertising, etc.)
  5. Withdrawable — users must be able to change their preferences later
  6. No cookie walls — you can't block content until the user consents
  7. Clear language — no legal jargon or confusing wording
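
Rules 1, 3, 4 and 5 only hold if the banner's state actually controls tag loading. The sketch below is an added example, not code from this article: a consent gate in which every tag is registered with a category and runs only once that category is granted. The `ConsentGate` class, the tag names and the loader callbacks are hypothetical.

```javascript
// Added example, not the article's code. Tag names and loaders are constructed.
class ConsentGate {
  constructor(optionalCategories) {
    // Rule 3: optional categories start unchecked; only "necessary" is on.
    this.state = { necessary: true };
    for (const c of optionalCategories) this.state[c] = false;
    this.pending = []; // tags registered but not yet allowed to run
    this.loaded = [];  // tags that have run, with their category
    this.log = [];     // one entry per saved choice, for consent records
  }
  // Rule 1: a tag runs only once its category is granted.
  register(name, category, load) {
    if (!(category in this.state)) throw new Error(`unknown category: ${category}`);
    this.pending.push({ name, category, load });
    this.flush();
  }
  // Rule 4: per-category choice; anything not explicitly true is a refusal.
  save(choices) {
    for (const c of Object.keys(this.state)) {
      if (c !== "necessary") this.state[c] = choices[c] === true;
    }
    this.log.push({ at: new Date().toISOString(), state: { ...this.state } });
    this.flush();
  }
  flush() {
    const queue = this.pending;
    this.pending = [];
    for (const tag of queue) {
      if (!this.state[tag.category]) { this.pending.push(tag); continue; }
      tag.load();
      this.loaded.push({ name: tag.name, category: tag.category });
    }
  }
  // Rule 5: tags that ran earlier but are now refused; the caller must stop
  // them and delete their cookies (assumption: usually on the next page load).
  revoked() { return this.loaded.filter((t) => !this.state[t.category]).map((t) => t.name); }
}

function demo() {
  const fired = [];
  const gate = new ConsentGate(["analytics", "advertising", "functional"]);
  gate.register("session", "necessary", () => fired.push("session"));
  gate.register("ga", "analytics", () => fired.push("ga"));
  gate.register("pixel", "advertising", () => fired.push("pixel"));
  const beforeChoice = [...fired];   // only the necessary tag has run
  gate.save({ analytics: true });    // "Save preferences" with one box ticked
  const afterSave = [...fired];
  gate.save({});                     // later "Reject All" = withdrawal
  return { beforeChoice, afterSave, revoked: gate.revoked(), choicesLogged: gate.log.length };
}
```

In a browser, each loader would inject the vendor's script; here they only record that they ran, so the gating logic can be checked offline.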

Good Examples

The Two-Button Banner

We use cookies to improve your experience and analyze site traffic.

[Accept All]  [Reject All]  [Customize]

Why it works:

  • Accept and Reject are equally prominent (same size, same row)
  • Customize option for granular control
  • Clear, plain language
  • No manipulation

This is the pattern CNIL explicitly approves. Both buttons same size, same visual weight.

The Category-First Banner

We use cookies for:
☐ Analytics (Google Analytics — understand how visitors use our site)
☐ Advertising (Meta Pixel, Google Ads — personalized ads)
☐ Functional (chat widget, language preferences)
✓ Strictly necessary (always active — login, security, cart)

[Save preferences]  [Accept All]  [Reject All]

Why it works:

  • Categories are unchecked by default (except strictly necessary)
  • Each category explains what it does and names specific tools
  • Three clear actions
  • Transparent about exactly what each cookie does

The Minimal Notice (for cookie-free sites)

This website only uses strictly necessary cookies. No tracking, no analytics.
[OK]

Why it works:

  • If you genuinely don't use non-essential cookies, you don't need consent
  • A simple notice is sufficient (and builds trust)
  • Can be verified with a free scan

Bad Examples (Non-Compliant)

The "Accept Only" Banner

We use cookies to enhance your experience.
[Accept Cookies]

Why it fails:

  • No way to reject — consent isn't freely given
  • No information about what cookies are used
  • CNIL fined Google 150M euros for this pattern
  • Fix: Add an equally prominent "Reject All" button

The Hidden Reject

We use cookies to improve your experience.
[ACCEPT ALL]                    Manage preferences →

Why it fails:

  • "Accept All" is a large, colored button
  • "Manage preferences" is a small text link — reject is hidden behind a second screen
  • This is the most common violation we see when scanning websites
  • CNIL's position: rejecting must be as easy as accepting — same number of clicks
  • Fix: Add a "Reject All" button next to "Accept All" with equal visual weight

The Pre-Checked Banner

Cookie preferences:
✓ Strictly necessary
✓ Analytics
✓ Advertising
✓ Social media

[Save preferences]

Why it fails:

  • All categories are pre-selected — user must actively untick each one
  • GDPR explicitly prohibits pre-checked consent boxes (recital 32)
  • Silence or inactivity does not constitute consent
  • Fix: Only strictly necessary should be checked. All others unchecked by default

The Cookie Wall

┌──────────────────────────────┐
│ Accept cookies to continue   │
│                              │
│ You must accept cookies to   │
│ access this website.         │
│                              │
│ [Accept All Cookies]         │
└──────────────────────────────┘

Why it fails:

  • Consent isn't freely given if the alternative is losing access
  • EDPB guidelines state that cookie walls generally make consent invalid
  • Some DPAs allow "pay or consent" walls for media sites, but this is contested
  • Fix: Allow access regardless of cookie choice

The Confusing Wording

By continuing to browse this site, you agree to our use of cookies.

Why it fails:

  • Implied consent (scrolling/browsing = consent) is not valid under GDPR
  • No active, affirmative action by the user
  • No option to refuse
  • Fix: Require an explicit click and provide accept/reject options

Dark Patterns to Avoid

Regulators specifically target these manipulation techniques:

Asymmetric Design

Making "Accept" visually dominant — larger, colored, prominent — while "Reject" is smaller, gray, or text-only. CNIL's rule: both buttons must have equal visual weight.

Extra Clicks to Reject

Accepting takes one click ("Accept All"), but rejecting requires clicking "Manage preferences" → unchecking categories → clicking "Save." CNIL's rule: rejecting must take the same number of clicks as accepting.

Misleading Language

"We care about your privacy" followed only by an accept button. Or "Essential cookies only" as a reject option when you're actually still setting analytics cookies. Say what happens plainly.

Repeated Prompts

Asking again after the user rejected. Once a user makes a choice, respect it. Don't re-prompt on every page or after a timer.

Confirm-Shaming

"No thanks, I don't care about my experience" as the reject option. This is a dark pattern. Use neutral language like "Reject All" or "Decline."

What Regulators Look For

Based on enforcement actions from CNIL, ICO, AEPD, and the Italian Garante:

  1. Is reject as easy as accept? Same number of clicks, same visual prominence
  2. Do cookies actually stop after rejection? Having a banner is not enough — scan your site to verify
  3. Are categories pre-checked? They shouldn't be
  4. Can users change their mind? A persistent "Cookie Settings" link must be available
  5. Is the language clear? No legal jargon, no manipulation
  6. Does the banner match reality? If the banner says "no cookies without consent" but tracking fires anyway, that's worse than no banner at all

To check your own banner:

  1. Scan your site with Tag Leak, which checks if cookies fire before consent and after rejection
  2. Click "Reject All" on your own site and check DevTools > Application > Cookies — are third-party cookies still there?
  3. Clear cookies and revisit — does the banner reappear? It should
  4. Check your footer — is there a "Cookie Settings" or "Privacy Preferences" link?
  5. Compare button sizes — are Accept and Reject equally prominent?
  6. Check mobile — does the banner work and remain accessible on mobile screens?
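
The DevTools check in step 2 can be made repeatable by copying the cookie table at each stage and comparing it against an allowlist. This is an added example, not code from the article or from Tag Leak; the site `shop.example`, the allowlist and the snapshots are constructed. It also shows why looking only for third-party cookies is not enough: analytics and ad-pixel cookies are often set on the site's own domain.

```javascript
// Added example, not the article's code. Prefixes are the default cookie names
// of the tools the article mentions; extend the list for your own stack.
const KNOWN_TRACKERS = [
  { prefix: "_ga", category: "analytics", tool: "Google Analytics" },
  { prefix: "_gid", category: "analytics", tool: "Google Analytics" },
  { prefix: "_gcl_", category: "advertising", tool: "Google Ads" },
  { prefix: "_fbp", category: "advertising", tool: "Meta Pixel" },
];

// A cookie is first-party when its Domain is the site host or a parent of it.
function isFirstParty(siteHost, cookieDomain) {
  const d = cookieDomain.replace(/^\./, "").toLowerCase();
  const h = siteHost.toLowerCase();
  return h === d || h.endsWith("." + d);
}

// snapshots: { phaseName: [{ name, domain }, ...] } copied from the cookie table.
function auditSnapshots(siteHost, necessary, snapshots) {
  const findings = [];
  for (const [phase, cookies] of Object.entries(snapshots)) {
    for (const { name, domain } of cookies) {
      const firstParty = isFirstParty(siteHost, domain);
      if (firstParty && necessary.includes(name)) continue; // exempt from consent
      const hit = KNOWN_TRACKERS.find((t) => name.startsWith(t.prefix));
      let verdict = firstParty ? "first-party, unclassified" : "third-party, unclassified";
      if (hit) verdict = `${hit.category} (${hit.tool})`;
      findings.push({ phase, name, domain, firstParty, verdict });
    }
  }
  return findings;
}

// Constructed sample: hypothetical site shop.example and its cookie names.
const NECESSARY = ["session_id", "cookie_consent"];
const SAMPLE = {
  beforeChoice: [
    { name: "session_id", domain: "shop.example" },
    { name: "_ga", domain: ".shop.example" },
  ],
  afterReject: [
    { name: "cookie_consent", domain: "shop.example" },
    { name: "_fbp", domain: ".shop.example" },
    { name: "uid", domain: ".adnetwork.example" },
  ],
};

function runSample() {
  return auditSnapshots("shop.example", NECESSARY, SAMPLE);
}
console.log(runSample());
```

Any finding in either phase is a cookie that needs consent or a documented exemption; an empty result is the target.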

| Requirement | GDPR | UK GDPR | CCPA | LGPD |
|---|---|---|---|---|
| Banner before cookies | Yes | Yes | No | Yes |
| Accept/Reject equal | Yes | Yes | N/A | Yes |
| Pre-checked boxes allowed | No | No | N/A | No |
| Granular categories | Yes | Yes | No | Yes |
| Cookie wall allowed | Generally no | Generally no | N/A | Generally no |
| Consent logging | Yes | Yes | No | Yes |
| Withdraw mechanism | Yes | Yes | Opt-out link | Yes |


Frequently Asked Questions

What makes a cookie consent banner GDPR compliant?

A GDPR-compliant banner must: appear before any non-essential cookies fire, offer a clear 'Reject All' option equally prominent as 'Accept All', not use pre-checked boxes, provide granular category controls, not block content behind consent (cookie walls), and link to a detailed cookie policy. The banner must result in actual cookie blocking — not just cosmetic.

Is a cookie consent banner legally required?

Under GDPR and the ePrivacy Directive, yes — if you use non-essential cookies, you need consent before setting them. A banner is the most common way to collect this consent. Under CCPA, a banner isn't strictly required, but a 'Do Not Sell or Share' opt-out mechanism is.

What are cookie consent dark patterns?

Dark patterns are design choices that manipulate users into accepting cookies against their genuine preference. Common examples: hiding the reject button in a secondary menu, making 'Accept' green and prominent while 'Reject' is gray and small, pre-selecting all cookie categories, and requiring more clicks to reject than accept.

Can I just have an 'Accept' button without a 'Reject' option?

No. Under GDPR, consent must be freely given. A banner with only 'Accept' and no equally accessible way to decline is not compliant. France's CNIL fined Google and Facebook specifically for making rejection harder than acceptance.
