GDPR-compliant cookie banners: how to avoid complaints and penalties
A cookie banner on its own does not protect you from complaints or fines — what matters is how it is implemented. This guide shows what a legally sound banner needs to do in 2026 under EU law.
Is a cookie banner mandatory?
A cookie banner is required as soon as a website uses non-essential cookies or trackers, for example for statistics or marketing. The legal basis is Article 5(3) of the EU ePrivacy Directive, implemented in each member state's national law, together with the GDPR. "Cookie" is shorthand here: Article 5(3) covers any storing of information on, or access to information already stored in, the visitor's device, so localStorage, tracking pixels and fingerprinting scripts fall under the same rule.
Without consent, only technically necessary cookies may be set. Everything else (Google Analytics, the Meta Pixel, Google Maps and YouTube embeds, and similar third-party services) needs the visitor's active consent before it loads. This applies across the EU, because the ePrivacy Directive requires consent for storing or accessing information on a user's device, and the GDPR sets the standard for what valid consent means: freely given, specific, informed and unambiguous.
Anyone who ignores this risks complaints from competitors, consumer associations and data subjects, as well as enforcement action by national supervisory authorities under the GDPR.
What does the banner need to look like?
A legally sound banner needs equally prominent buttons for "Accept all" and "Reject all" on the first level. EU data protection authorities and the European Data Protection Board have repeatedly confirmed that consent must be as easy to refuse as it is to give.
In practice this means:
- "Reject all" on level 1 — same size, same visual weight, same effort to click as "Accept".
- No dark patterns — no green "Accept" button next to a greyed-out "Reject" link.
- Granular choice — visitors must be able to select individual categories.
- Withdrawal at any time — the decision must be as easy to reverse as it was to make.
National courts and regulators across the EU have applied these principles in concrete cases — in Germany, France and other member states alike — so the rule of thumb is the same everywhere: refusing must be just as visible and just as easy as accepting.
The most common compliance mistakes
The costliest mistakes are trackers that fire before consent is given, a "Reject" option that is hidden or harder to reach than "Accept", and a privacy policy that no longer matches what actually runs on the site.
- Trackers fire too early. If Google Analytics loads the moment the page opens, that is a breach of Article 5(3) of the ePrivacy Directive regardless of what the banner says, because the request to the third party (carrying the visitor's IP address) has already left the browser.
- The banner appears too late. Many tools only hide the banner or delete cookies after the page has finished loading; by then the tracking scripts have already executed and sent data to third parties. Blocking has to happen before a script runs, not after.
- "Reject" is hidden. A greyed-out link, a second-level menu or a "Settings" detour instead of an equal "Reject all" button on the first level means the consent obtained is not freely given.
- The privacy policy is out of date. A new tool, a new pixel, and the text no longer reflects what actually runs on the site, which breaches the GDPR's transparency obligations (Articles 13 and 14).
How to get it right
Use a banner that technically blocks trackers before they load — and keep the privacy policy automatically in sync with the tracking that is actually present.
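What "technically blocks trackers before they load" looks like in code, as an added example that is not BlueOcean's product code or any particular consent tool: every non-essential tag is written into the HTML with an inert MIME type so the browser never executes it on page load, and only the categories the visitor actually consented to are rewritten into live scripts afterwards. The markup convention (`type="text/plain"` plus a `data-consent` attribute), the category names, the JSON storage format and the three sample tag URLs are this example's own assumptions; the tiny fake `document` at the bottom is constructed so the file runs offline in Node, and in a browser you would pass the real `document` instead.

```javascript
// Consent-gated tag loading. Convention assumed for this example: every
// non-essential tag is written into the HTML with an inert MIME type, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://analytics.example/tag.js"></script>
// Browsers do not execute type="text/plain", so nothing fires on page load.
// Only after the visitor decides are the consented categories rewritten into
// real <script> elements. Category names and storage format are assumptions.

const CATEGORIES = ["analytics", "marketing", "external-media"];

// Parse the stored consent record (first-party cookie or localStorage value).
// Anything missing, malformed or of an unknown version counts as "no consent",
// so a corrupted or tampered cookie can never unlock a tracker (fail closed).
function parseConsent(raw) {
  const consent = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof raw !== "string" || raw === "") return consent;
  let record;
  try {
    record = JSON.parse(raw);
  } catch {
    return consent;
  }
  if (!record || record.version !== 1 || !record.choices || typeof record.choices !== "object") {
    return consent;
  }
  for (const c of CATEGORIES) consent[c] = record.choices[c] === true; // strict: "yes" is not true
  return consent;
}

// Serialize a decision. "Accept all", "Reject all" and a granular selection all
// go through here, so a refusal is stored exactly like an acceptance and the
// banner does not reappear on the next page. Withdrawal means storing all-false
// and reloading: a script that already executed cannot be unloaded from a live page.
function serializeConsent(choices) {
  const clean = Object.fromEntries(CATEGORIES.map((c) => [c, choices[c] === true]));
  return JSON.stringify({ version: 1, decidedAt: Date.now(), choices: clean });
}

// Activate placeholders whose category was consented. `doc` is `document` in the
// browser; any object exposing querySelectorAll/createElement works. Returns the
// src of every tag that was activated and of every tag that stayed blocked.
function activateConsented(doc, consent) {
  const result = { activated: [], blocked: [] };
  const placeholders = doc.querySelectorAll('script[type="text/plain"][data-consent]');
  for (const ph of placeholders) {
    const category = ph.getAttribute("data-consent");
    const src = ph.getAttribute("src") || "(inline)";
    if (consent[category] !== true) { // unknown categories are blocked as well
      result.blocked.push(src);
      continue;
    }
    const live = doc.createElement("script");
    for (const { name, value } of ph.attributes) {
      if (name !== "type") live.setAttribute(name, value); // keep src, async, defer
    }
    live.textContent = ph.textContent;
    ph.parentNode.replaceChild(live, ph); // inserting the live element executes it
    result.activated.push(src);
  }
  return result;
}

// Constructed stand-in for the DOM so this file runs offline in Node. In the
// browser: activateConsented(document, parseConsent(localStorage.getItem("cc"))).
function fakeDocument(tags) {
  const makeNode = (attrs) => ({
    attributes: Object.entries(attrs).map(([name, value]) => ({ name, value })),
    textContent: "",
    getAttribute(n) { const a = this.attributes.find((x) => x.name === n); return a ? a.value : null; },
    setAttribute(n, v) { this.attributes.push({ name: n, value: v }); },
    parentNode: { replaceChild() {} },
  });
  const nodes = tags.map((t) => makeNode(t));
  return {
    querySelectorAll: () => nodes.filter((n) => n.getAttribute("type") === "text/plain" && n.getAttribute("data-consent") !== null),
    createElement: () => makeNode({}),
  };
}

// Constructed sample page: three gated third-party tags (hosts are placeholders).
const SAMPLE_TAGS = [
  { type: "text/plain", "data-consent": "analytics", src: "https://analytics.example/tag.js" },
  { type: "text/plain", "data-consent": "marketing", src: "https://ads.example/pixel.js" },
  { type: "text/plain", "data-consent": "external-media", src: "https://video.example/embed.js" },
];

// Run the gate for a stored consent value and report what would load.
function loadForStoredConsent(rawStored) {
  return activateConsented(fakeDocument(SAMPLE_TAGS), parseConsent(rawStored));
}

console.log("no decision yet:", loadForStoredConsent(null));
console.log("analytics only:", loadForStoredConsent(serializeConsent({ analytics: true })));
console.log("tampered cookie:", loadForStoredConsent('{"version":1,"choices":{"marketing":"yes"}}'));
```

Two design points worth noting: the gate fails closed, so a missing, corrupted or hand-edited consent value loads nothing, and the check is `=== true` rather than truthy, so a cookie edited to `"marketing":"yes"` still blocks. Plugins that instead let every tag load and then delete cookies afterwards cannot undo the request that already reached the third party, which is exactly the "banner appears too late" mistake above.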
That is exactly what BlueOcean Privacy AI does: trackers wait for consent, the privacy policy updates itself, and a scan shows you the real GDPR score of your site. The "Reject all" option sits on the first level with equal prominence, and nothing non-essential loads until the visitor has actively agreed.
Not sure whether your pages are clean? Run a free website scan, or book a short consultation and we will look at it together.
Let's take a quick look at your sites
In a 15-minute call you’ll see where your client sites stand — and how to secure them effortlessly.
FAQ
Does "Reject all" have to be on the first level?
Yes. Under the GDPR, consent must be as easy to refuse as to give, and EU supervisory authorities and courts across member states (including in Germany and France) have consistently required an equivalent "Reject all" button directly on the first banner level — visually equal to "Accept".
Is a free cookie plugin enough?
Only if it actually blocks trackers before consent is given and keeps the privacy policy accurate. Many free plugins merely display a banner without blocking anything, which leaves you exposed to complaints and enforcement under the ePrivacy Directive and the GDPR.
What can a cookie violation cost?
There is no fixed amount. Costs can range from complaint and legal fees to administrative fines imposed by national supervisory authorities. Under the GDPR (Article 83) the statutory maximum for the most serious breaches is EUR 20 million or 4 % of worldwide annual turnover, whichever is higher; in some member states cookie breaches are instead fined under the national law implementing the ePrivacy Directive, with its own caps. Actual amounts depend on the severity of the breach and the size of the organisation. The practical point: the risk is real, while preventing it is cheap.