
Cookie law & GDPR: how to truly comply in 2026

Having a cookie notice doesn't mean you're compliant. This guide explains, without jargon, what the GDPR requires, which cookies need consent, what a compliant banner looks like and which mistakes can cost you a fine.

What does the cookie law require?

In the EU, the GDPR applies together with the ePrivacy Directive (transposed into each country's national law). In practice: before setting non-essential cookies you need prior, freely given, informed, specific and unambiguous consent. Regulators also require that rejecting be as easy as accepting and that no non-essential scripts load until the user decides.

Which cookies need consent (and which don't)

Require prior consent

  • Analytics (Google Analytics, etc.).
  • Advertising and remarketing (Google Ads, Meta Pixel, TikTok…).
  • Personalization and social media buttons.
  • Heatmaps and session recording.

Exempt (no consent required)

  • Session and login.
  • Shopping cart.
  • Language or region preference.
  • Security and load balancing.
  • The consent preference itself.

What a compliant banner looks like

A GDPR-compliant banner must, at a minimum:

Mistakes that invalidate consent

Fines: what it can cost you

The GDPR allows fines of up to €20 million or 4% of global annual turnover. Regulators have already fined companies for banners that didn't allow rejection or that loaded cookies before consent. For an SMB the real risk is fines of thousands of euros, plus the damage to user trust.

How to comply in 5 steps

  1. Inventory your cookies and scripts (analytics, pixels, embeds).
  2. Install a banner that genuinely blocks scripts before consent.
  3. Configure the categories and Google Consent Mode v2.
  4. Publish a clear cookie policy and link it from the banner.
  5. Store the consent log as proof.

With Consentio you cover all 5 steps with a snippet under 8 KB: real blocking, Consent Mode v2, consent logging and policy.

Want to understand Consent Mode v2 in depth? Read our dedicated guide.


This guide is informational and does not constitute legal advice.

Frequently asked questions

Is a cookie banner mandatory?

Yes. If your site uses non-essential cookies (analytics, advertising, etc.) and targets EU users, the GDPR and ePrivacy require prior, informed consent through a banner that blocks those scripts until the user accepts.

Can I load Google Analytics without consent?

Not directly. Analytics uses non-essential cookies, so you must block it until consent. The correct way is to combine a banner with Google Consent Mode v2, which keeps Analytics on «denied» by default and enables it on acceptance.
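The five-step procedure above and the Consent Mode v2 answer here can be shown together in one added example (illustrative code written for this guide; it is not Consentio's snippet and not Google's library). It assumes a hypothetical markup convention, `<script type="text/plain" data-cookie-category="analytics" src="...">`, for the scripts a page gates; the `gtag('consent', 'default' | 'update', ...)` calls and the four signal names are Google's published Consent Mode v2 API; the `analytics`/`advertising` category names and `POLICY_VERSION_PLACEHOLDER` are assumptions.

```javascript
// Added example (not Consentio's snippet): gate non-essential scripts behind
// consent and drive Google Consent Mode v2 from the user's choice.
//
// Assumed markup convention (hypothetical, chosen for this example):
//   <script type="text/plain" data-cookie-category="analytics" src="..."></script>
// Browsers never execute type="text/plain" scripts, so nothing runs until
// activateBlockedScripts() swaps in a real <script> for a consented category.

// Consent Mode v2 signal names are Google's real parameter names.
const DEFAULT_CONSENT = Object.freeze({
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  wait_for_update: 500, // ms gtag waits for an 'update' before firing tags
});

// "Reject all" is a one-click choice, as easy as "Accept all".
const REJECT_ALL = Object.freeze({ analytics: false, advertising: false });
const ACCEPT_ALL = Object.freeze({ analytics: true, advertising: true });

// Google's recommended gtag stub: queue commands until gtag.js loads.
const dataLayer = typeof window !== 'undefined'
  ? (window.dataLayer = window.dataLayer || [])
  : [];
function gtag() { dataLayer.push(arguments); }

// The default state must be sent before any Google tag is loaded.
gtag('consent', 'default', DEFAULT_CONSENT);

// Map the banner's categories onto the four Consent Mode v2 signals.
function consentSignals(choices) {
  const flag = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: flag(choices.analytics),
    ad_storage: flag(choices.advertising),
    ad_user_data: flag(choices.advertising),
    ad_personalization: flag(choices.advertising),
  };
}

// Strictly necessary scripts always run; unknown categories fail closed.
function shouldActivate(category, choices) {
  if (category === 'necessary') return true;
  return choices[category] === true;
}

// Replace each blocked <script type="text/plain"> whose category was
// consented to with an executable clone (external src or inline body).
function activateBlockedScripts(choices, doc = document) {
  let activated = 0;
  doc.querySelectorAll('script[type="text/plain"][data-cookie-category]').forEach((blocked) => {
    if (!shouldActivate(blocked.dataset.cookieCategory, choices)) return;
    const live = doc.createElement('script');
    if (blocked.src) live.src = blocked.src; else live.textContent = blocked.textContent;
    blocked.replaceWith(live);
    activated += 1;
  });
  return activated;
}

// Build the record to keep as proof of consent (step 5 of the guide).
function recordConsent(choices, now = new Date()) {
  return {
    timestamp: now.toISOString(),
    choices: { ...choices },
    policyVersion: 'POLICY_VERSION_PLACEHOLDER', // assumed; bump when the policy changes
  };
}

// Called from the banner's buttons, e.g. applyConsent(ACCEPT_ALL) or
// applyConsent(REJECT_ALL). Returns the record for the caller to persist.
function applyConsent(choices, doc) {
  gtag('consent', 'update', consentSignals(choices));
  const record = recordConsent(choices);
  if (doc || typeof document !== 'undefined') activateBlockedScripts(choices, doc);
  return record;
}
```

The `default` call has to run before gtag.js or Tag Manager loads, otherwise the tags fire with cookies already set. Consent Mode only governs Google's own tags, which is why the `text/plain` gating still does the real blocking for every other script (pixels, heatmaps, embeds) and why a category the banner does not know about stays blocked. The object returned by `applyConsent` is what the site persists as its consent log.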

Is an «Accept»-only button enough?

No. Rejecting must be as easy as accepting. A banner with only «Accept», or with «Reject» hidden away, doesn't obtain valid consent and can be penalized by regulators.

Which cookies are exempt from consent?

Strictly necessary ones: session/login, shopping cart, security, load balancing, language preference and the consent preference itself. They don't need consent, but they must still be disclosed in the cookie policy.

How much can non-compliance cost?

The GDPR provides for fines of up to €20M or 4% of global turnover. In practice, for SMBs these are usually fines of thousands of euros, plus reputational damage.


Get your site compliant in 5 minutes

Set up your banner, copy the snippet and paste it. No card required.