If you've ever built a website, you've probably asked yourself this question. The answer isn't a simple yes or no — it depends on what technologies your site uses, where your visitors are, and what data you collect. Here's a straightforward guide.
The short answer
You need a cookie consent banner if your website sets non-essential cookies or uses tracking technologies that store data on the visitor's device. If your site only uses strictly necessary cookies (or no cookies at all), you can skip the banner entirely.
Let's break down what that means in practice.
What the law actually says
Two main laws govern cookie consent in Europe:
The ePrivacy Directive (sometimes called the "Cookie Law") says you need consent before storing or accessing information on a user's device. This applies to cookies, localStorage, and similar technologies, regardless of whether personal data is involved.
The GDPR defines how that consent must be collected: freely given, specific, informed, and unambiguous. Pre-ticked boxes, implied consent, and "by continuing to browse you agree" banners are all invalid. The 2019 Planet49 ruling from the Court of Justice of the EU made this crystal clear — consent must be an active, affirmative choice.
In February 2025, the European Commission formally withdrew the long-awaited ePrivacy Regulation that was supposed to replace the directive, so these rules remain the law of the land. A "Digital Omnibus" proposal from November 2025 would let users set cookie preferences at the browser level rather than site-by-site, but that won't take effect before 2027 at the earliest.
When you DO need a cookie banner
You need a consent banner if your website uses any of these:
- Analytics cookies — Google Analytics, Adobe Analytics, Hotjar, and similar tools that set cookies to track visitor behavior
- Advertising cookies — ad networks, retargeting pixels, Google Ads conversion tracking
- Social media tracking — Facebook Pixel, Twitter tracking, embedded social widgets that set cookies
- Third-party cookies of any kind — chat widgets, A/B testing tools, or any embedded service that stores data on the visitor's device
The test is simple: if you disable the cookie, does a feature the user explicitly requested break? If the site works fine without it, the cookie isn't strictly necessary and requires consent.
Google Analytics specifically
Google Analytics 4 sets first-party cookies and sends data to Google's servers in the US. Multiple European regulators, in Austria, France, Italy, Denmark, and Norway, have ruled that using Google Analytics violated the GDPR. The EU-US Data Privacy Framework (adopted July 2023) provides a legal basis for the data transfer, but that framework is currently being challenged at the CJEU and its political foundations are uncertain.
Even if the data transfer is legal, GA4 still sets cookies. That means a consent banner is required, and you can only load the tracking script after the user consents. Studies consistently show that 50-60% of visitors reject cookies when given a genuine choice — meaning your GA4 data is incomplete from day one.
When you DON'T need a cookie banner
Strictly necessary cookies
You never need consent for cookies that are essential to a service the user explicitly requested:
- Session cookies for login/authentication
- Shopping cart cookies on e-commerce sites
- CSRF tokens for security
- Load balancing cookies
- The cookie consent preference cookie itself
These are exempt under the ePrivacy Directive because they serve the user's request, not the site owner's interests.
Cookie-free analytics
If your analytics tool doesn't set cookies and doesn't store data on the visitor's device, the ePrivacy Directive doesn't apply. No cookie banner needed.
Privacy-first analytics tools like Plausible, Fathom, and Fairlytics take this approach. They measure page views, referrers, and device types without setting any cookies or collecting personal data. You get the traffic insights that matter without the legal overhead.
The CNIL audience measurement exemption
France's CNIL offers a specific exemption: analytics cookies can skip consent if they're used exclusively for audience measurement and meet strict criteria — first-party only, limited to a 13-month lifetime, data retained no more than 25 months, no cross-site tracking, no data sharing with third parties. CNIL updated these guidelines in July 2025 and published a self-evaluation tool.
Important caveat: Google Analytics does not qualify for this exemption, regardless of configuration, because data is processed by a third party (Google).
What about outside the EU?
United Kingdom
The UK has its own rules under PECR (Privacy and Electronic Communications Regulations), which work similarly to the EU's ePrivacy Directive. Prior consent is required for non-essential cookies. The Data (Use and Access) Act, which received Royal Assent in June 2025, increased the maximum fine to GBP 17.5 million or 4% of global turnover, a massive jump from the previous GBP 500,000 cap.
United States
There's no federal cookie consent law in the US. State privacy laws like CCPA/CPRA follow an opt-out model, not opt-in. You don't need a cookie banner per se, but if your cookies feed advertising or data-sharing systems, you need a "Do Not Sell or Share My Personal Information" link. Connecticut's CTDPA specifically targets dark patterns in cookie banners, and the state's Attorney General has begun enforcement sweeps.
Brazil
Brazil's LGPD requires opt-in consent for non-essential cookies, similar to the EU approach.
Canada
PIPEDA requires consent before collecting personal information. Implied consent may be sufficient for low-risk analytics, but tracking cookies generally require express consent.
The enforcement reality
This isn't theoretical. Regulators are actively fining companies for cookie violations:
- Google was fined EUR 325 million by France's CNIL in 2025 for displaying ads without consent — their third cookie-related fine, up from EUR 150 million in 2022 and EUR 100 million in 2020
- SHEIN received a EUR 150 million fine from CNIL in 2025 for placing advertising cookies without consent
- TikTok was fined EUR 5 million for making it harder to refuse cookies than to accept them
The pattern is clear: dark patterns (making rejection harder than acceptance) are the top enforcement target. And fines are escalating.
A 2025 study by Aarhus University found that only 15% of cookie banners actually meet minimum GDPR requirements. 43% of sites set tracking cookies without valid consent. Just because everyone has a cookie banner doesn't mean they're doing it right.
A simple decision flowchart
- Does your site set any cookies? → If no, you don't need a banner.
- Are all your cookies strictly necessary (login, cart, security)? → If yes, you don't need a banner.
- Do you use cookie-free analytics that don't store anything on the visitor's device? → If yes, you don't need a banner for analytics.
- Do you use Google Analytics, ad pixels, or other tracking cookies? → You need a banner. It must have equally prominent Accept and Reject buttons. You can only load tracking scripts after the user consents.
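Consent-gated script loading for the last step of the flowchart and the GA4 paragraph earlier, as an added example rather than code from the original post: the tracker is only injected after an explicit Accept, Reject is an identical button, and the stored choice lives in a first-party cookie that is itself exempt. The cookie name, the six-month re-ask period and the script URL with its placeholder measurement ID are assumptions.

```javascript
// Added example, not the original post's code: gate a tracking script on an
// explicit choice. The choice lives in a first-party cookie (strictly necessary, so exempt).
const CONSENT_COOKIE = "cookie_consent";                     // assumed name
const CONSENT_MAX_AGE = 180 * 24 * 3600;                     // re-ask after 6 months (assumed)
const TRACKING_SRC = "https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"; // placeholder ID
// Only an explicit "accepted"/"rejected" counts; browsing on is not consent.
function readConsent(cookieString) {
  for (const part of cookieString.split(";")) {
    const [k, v] = part.trim().split("=");
    if (k === CONSENT_COOKIE && (v === "accepted" || v === "rejected")) return v;
  }
  return null;
}
function consentCookieValue(choice) {
  return `${CONSENT_COOKIE}=${choice}; Max-Age=${CONSENT_MAX_AGE}; Path=/; SameSite=Lax; Secure`;
}
// The single condition under which the tracker may be injected.
function mayLoadTracking(consent) { return consent === "accepted"; }
function injectTracker(doc) {
  const s = doc.createElement("script");
  s.src = TRACKING_SRC;
  s.async = true;
  doc.head.appendChild(s);
}
// Accept and Reject are the same element type with the same class: equal prominence.
function renderBanner(doc, onChoice) {
  const box = doc.createElement("div");
  box.id = "cookie-banner";
  for (const [choice, label] of [["accepted", "Accept"], ["rejected", "Reject"]]) {
    const b = doc.createElement("button");
    b.textContent = label;
    b.className = "consent-btn";
    b.addEventListener("click", () => { onChoice(choice); box.remove(); });
    box.appendChild(b);
  }
  doc.body.appendChild(box);
}
function init(doc) {
  const stored = readConsent(doc.cookie);
  if (stored === null) {
    renderBanner(doc, (choice) => {
      doc.cookie = consentCookieValue(choice);
      if (mayLoadTracking(choice)) injectTracker(doc);
    });
  } else if (mayLoadTracking(stored)) {
    injectTracker(doc);                                      // returning visitor who accepted
  }
}
if (typeof document !== "undefined") init(document);         // no-op outside a browser
```

Nothing in this flow treats a missing or unrecognised cookie value as consent, so a returning visitor who rejected stays untracked until the cookie expires and the banner is shown again.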
The simplest path: don't use cookies at all
The easiest way to avoid cookie banners is to not need one. Replace Google Analytics with a cookie-free alternative, remove ad pixels you're not actively using, and audit your site for third-party scripts that set cookies without your knowledge.
Many site owners are surprised to discover that half their cookies come from third-party scripts they added years ago and forgot about. A quick audit with your browser's developer tools (Application → Cookies) can reveal what's actually being set.
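A header-level cookie audit that does what the dev-tools check above does, plus the first-party and 13-month lifetime criteria from the CNIL section; this is an added example, not code from the post or from any tool it names. The site host, the strictly-necessary allowlist and the Set-Cookie lines are constructed.

```javascript
// Added example, not from the original post: classify Set-Cookie headers the way
// a dev-tools audit would. Site host, allowlist and sample headers are constructed.
const SITE_HOST = "example.com";
const STRICTLY_NECESSARY = new Set(["sessionid", "csrftoken", "cart", "cookie_consent"]);
const MAX_LIFETIME_DAYS = 13 * 30;            // CNIL audience-measurement lifetime cap
const SAMPLE_SET_COOKIE = [                   // constructed sample, as captured from responses
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "_ga=GA1.2.111; Domain=.example.com; Path=/; Max-Age=63072000; SameSite=Lax",
  "fr=xyz; Domain=.facebook.com; Path=/; Max-Age=7776000; Secure; SameSite=None",
  "cookie_consent=rejected; Path=/; Max-Age=15552000; SameSite=Strict",
];

function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const name = nameValue.slice(0, nameValue.indexOf("="));
  const cookie = { name, domain: SITE_HOST, maxAgeDays: null }; // null = session cookie
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "domain") cookie.domain = v.replace(/^\./, "").toLowerCase();
    else if (key === "max-age") cookie.maxAgeDays = Number(v) / 86400;
    else if (key === "expires") cookie.maxAgeDays = (Date.parse(v) - Date.now()) / 86400000;
  }
  return cookie;
}

// Header attributes only reveal domain and lifetime; whether data is shared with
// a third party or used cross-site still needs a look at the script that sets it.
function classify(cookie) {
  const thirdParty = cookie.domain !== SITE_HOST && !cookie.domain.endsWith("." + SITE_HOST);
  const necessary = !thirdParty && STRICTLY_NECESSARY.has(cookie.name);
  const tooLong = cookie.maxAgeDays !== null && cookie.maxAgeDays > MAX_LIFETIME_DAYS;
  let verdict;
  if (necessary) verdict = "exempt";
  else if (thirdParty) verdict = "consent required (third-party)";
  else if (tooLong) verdict = "consent required (lifetime exceeds 13 months)";
  else verdict = "consent required unless audience-measurement criteria are met";
  return { ...cookie, thirdParty, necessary, tooLong, verdict };
}

function auditCookies(headers) {
  return headers.map(parseSetCookie).map(classify);
}
```

Feed it the Set-Cookie headers copied from the Network tab and the first-party cookie with a two-year lifetime stands out immediately, which is the usual shape of a forgotten analytics tag.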
For analytics specifically, tools like Fairlytics give you page views, top pages, referrers, browsers, and countries, all in a 510-byte script that sets zero cookies. You get the data you need to make decisions without the consent management overhead.