BlueOcean Privacy AI


Is a cookie banner mandatory?

In short: across the EU, a cookie banner is mandatory as soon as your website stores or reads non-essential cookies or trackers. We explain when exactly that applies under the ePrivacy Directive and the GDPR - and when you can do without a banner.


When is a cookie banner mandatory?

As soon as you store information on, or read information from, a visitor's device that is not strictly necessary, you need their consent across the EU - and therefore a banner.

The obligation rests on two pieces of EU law that work together:

  • ePrivacy Directive, Article 5(3): storing information on, or gaining access to information already stored on, a user's device - cookies, local storage, tracking IDs - requires the user's prior, informed consent. The exceptions are narrow: storage or access needed solely to carry out the transmission of a communication, or strictly necessary to provide an information society service the user has explicitly requested. The rule has been transposed into national law in every EU member state, so the requirement applies EU-wide even though wording and enforcing authority differ from country to country.
  • GDPR: the data obtained in this way is usually personal data (an online identifier is enough), so its processing - for example for analytics or marketing - needs a valid legal basis. For tracking and marketing cookies that basis is consent under Article 6(1)(a). Because Article 5(3) already requires consent for the storing or reading itself, a controller cannot sidestep it by invoking a 'legitimate interest' under Article 6(1)(f) for the same operation; the European Data Protection Board has confirmed this reading (Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR).

The Court of Justice of the EU confirmed in the Planet49 ruling (C-673/17, 2019) that consent must be active and specific - a pre-ticked box does not count. In practice this means: if your site loads Google Analytics, a Meta pixel, embedded YouTube videos, fonts from third-party servers or any other marketing or analytics tool, a consent banner is mandatory, and it must appear before those tools are loaded - not alongside them.

When do you not need a banner?

The exception is narrow, but it exists. No banner is required if your website uses only strictly necessary cookies and embeds no service that sends data to third parties; that holds anywhere in the EU. Typically considered strictly necessary are:

  • login and session cookies that keep users signed in
  • shopping-cart functions in an online shop
  • security and load-balancing functions
  • storing the consent decision itself

Important: the bar is high. 'Necessary' means the service does not work for the user without the cookie - not that it is convenient for you or useful for marketing. Audience measurement, A/B testing and conversion tracking practically never fall under this exception.

A common trap: many seemingly harmless building blocks - embedded maps, external fonts, video embeds - are fetched from third-party servers. The request alone discloses the visitor's IP address to that provider, and the embed usually reads or sets its own cookies as well, so it falls under the banner requirement. The only reliable way to know whether you need one is to look at every request and tracker that actually fires on your pages, not at the list of plugins you believe you installed.


What a legally compliant banner must be able to do

Having a banner is not enough. It must enable a genuine, freely given and informed decision - otherwise the consent is invalid under the GDPR.

From the ePrivacy Directive, the GDPR and the guidance of the European Data Protection Board (EDPB Guidelines 05/2020 on consent), clear minimum requirements can be derived:

  • 'Reject all' must be equally available on the first level. Accepting and rejecting must be equally visible and equally easy to reach in the first layer. Several EU data protection authorities have objected to banners that offered only 'Accept all' and 'Settings' on the first level, forcing users to dig one layer deeper to reject - in Germany a court found such a design insufficient, and the French authority (CNIL) has taken the same line. A 'Reject' option hidden behind 'Settings' does not meet the standard.
  • Block trackers beforehand. Tools such as Google Tag Manager may load only after valid consent has been given - not as soon as the page opens. If a tracker fires before the user has clicked, the banner is purely cosmetic and the processing is unlawful.
  • No dark patterns. Rejecting must not be more cumbersome than accepting. No brightly highlighted 'Accept' button next to a greyed-out 'Reject' link.
  • Clear purposes and a complete list of providers. Users must understand what their data is processed for and which third parties are involved (transparency under Articles 12-13 GDPR).
  • Withdrawal as easy as consent. The decision must be changeable at any time.
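The 'block trackers beforehand' requirement is the one that is most often implemented wrongly, because the default for a `<script src>` tag is to fire on page open. The following is an added example, not code from BlueOcean Privacy AI or from any consent-management vendor: tags ship in the HTML as inert `<script type="text/plain" data-consent="PURPOSE">` placeholders and are swapped for live `<script>` elements only for the purposes the visitor accepted. The cookie name `cmp_consent`, the `data-consent` attribute convention, the tag URLs and the GTM container id are illustrative assumptions, and the small fake document at the bottom is constructed so the block runs offline in Node.

```javascript
// Added example (not BlueOcean Privacy AI's code): consent-gated loading of
// third-party tags. Tags ship in the HTML as inert placeholders,
//   <script type="text/plain" data-consent="analytics" src="..."></script>
// and are swapped for live <script> elements only for purposes the visitor
// accepted. Cookie name, attribute convention and tag URLs are illustrative
// assumptions; the GTM container id is a placeholder.

const CONSENT_COOKIE = "cmp_consent";        // first-party cookie holding the decision itself
const PURPOSES = ["analytics", "marketing"]; // purposes offered on the first banner layer

// Read the recorded decision from a document.cookie string.
// Returns null when no decision exists yet: in that state nothing may load.
function parseConsent(cookieString) {
  const entry = cookieString
    .split(";")
    .map((s) => s.trim())
    .find((s) => s.startsWith(CONSENT_COOKIE + "="));
  if (!entry) return null;
  try {
    const parsed = JSON.parse(decodeURIComponent(entry.slice(CONSENT_COOKIE.length + 1)));
    const consent = {};
    // Only an explicit `true` counts. Absent keys, "1" or a pre-ticked default are refusals.
    for (const p of PURPOSES) consent[p] = parsed[p] === true;
    return consent;
  } catch {
    return null; // malformed cookie: treat as undecided and show the banner again
  }
}

// Cookie value written by the banner. "Reject all" and "Accept all" produce the
// same shape with one click each, so rejecting is never more work than accepting.
function consentCookieValue(choices) {
  const consent = {};
  for (const p of PURPOSES) consent[p] = choices[p] === true;
  const value = encodeURIComponent(JSON.stringify(consent));
  return `${CONSENT_COOKIE}=${value}; Max-Age=15552000; Path=/; SameSite=Lax; Secure`;
}

// Purposes whose tags may run under a given decision (empty when undecided).
function allowedPurposes(consent) {
  if (!consent) return new Set();
  return new Set(PURPOSES.filter((p) => consent[p] === true));
}

// Replace each allowed placeholder with a live <script>. `doc` is anything that
// exposes querySelectorAll/createElement (the real document, or the stand-in
// below). Returns the src values actually loaded so the behaviour is checkable.
function activateBlockedScripts(doc, consent) {
  const allowed = allowedPurposes(consent);
  const loaded = [];
  for (const placeholder of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    const purpose = placeholder.getAttribute("data-consent");
    if (!allowed.has(purpose)) continue; // stays inert: no request leaves the browser
    const live = doc.createElement("script");
    const src = placeholder.getAttribute("src");
    if (src) live.src = src;
    else live.textContent = placeholder.textContent;
    placeholder.parentNode.replaceChild(live, placeholder);
    loaded.push(src || "(inline)");
  }
  return loaded;
}

// Constructed stand-in for the DOM so the example runs offline in Node. The
// selector argument is ignored; it always returns the inert placeholders.
function fakeDocument(scripts) {
  const head = { children: [] };
  head.children = scripts.map((attrs) => ({
    attrs,
    parentNode: head,
    textContent: attrs.text || "",
    getAttribute: (k) => (k in attrs ? attrs[k] : null),
  }));
  head.replaceChild = (live, old) => {
    head.children[head.children.indexOf(old)] = live;
  };
  return {
    head,
    querySelectorAll: () =>
      head.children.filter((n) => n.attrs && n.attrs.type === "text/plain" && "data-consent" in n.attrs),
    createElement: (tag) => ({ tag, src: "", textContent: "" }),
  };
}

// Run the gate against a constructed page with two gated tags and one first-party script.
function demo(cookieString) {
  const doc = fakeDocument([
    { type: "text/plain", "data-consent": "analytics", src: "https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER" },
    { type: "text/plain", "data-consent": "marketing", src: "https://connect.facebook.net/en_US/fbevents.js" },
    { type: "text/javascript", src: "/static/app.js" }, // first-party, not gated
  ]);
  return activateBlockedScripts(doc, parseConsent(cookieString));
}

// Page open, no decision yet: nothing loads.
console.log(demo(""));                                                    // []
// Visitor accepted analytics only: GTM loads, the Meta pixel stays inert.
console.log(demo(consentCookieValue({ analytics: true }).split(";")[0])); // [ 'https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER' ]
```

Two caveats for anyone wiring this into a real page. First, a later 'Reject all' (writing the all-false cookie) stops future loads but cannot unload a script that is already executing; withdrawal therefore usually means deleting the third-party cookies the tag set and reloading the page. Second, the gate only works if nothing else on the page bypasses it: a single ungated `<script src>`, a plugin that injects its own tag, or a server-rendered pixel makes the banner 'purely cosmetic' in exactly the way described above, which is why the loaded-request list, not the source code, is what you should audit.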

If even one of these points is missing, you risk complaints and, in serious cases, enforcement action and fines from the competent supervisory authority.

Common misconceptions

Persistent myths surround cookie banners. These three cost agencies and their clients money most often.

  • 'Any banner will do.' Wrong. A banner without an equivalent 'Reject' button, or one with trackers that load in advance, does not protect you - it actually documents the breach.
  • 'Legitimate interest is enough for analytics.' No. For marketing and analytics cookies, consent is the only sound legal basis across the EU.
  • 'Once set, a banner stays compliant.' No. As soon as a new tool, plugin or embed is added, the tracker landscape changes. Without regular scanning, every consent solution becomes outdated.

For web agencies and freelancers managing several client sites this gets messy fast: every website has a different tracker list, and every plugin update can bring new cookies.

Situation                                                      | Banner required?
Only strictly necessary cookies (login, cart, consent storage) | No
Analytics, marketing pixels or third-party embeds              | Yes - consent before loading
External fonts or maps loaded from third-party servers         | Yes

Want to be sure? Run the free website scan from BlueOcean Privacy AI. In minutes it shows which trackers your pages really load and whether your banner meets the requirements - for all your clients from one dashboard, hosted in the EU. Scan now on blueoceanprivacy.io or book a free consultation.


FAQ

Is a cookie banner always mandatory?

No. A consent banner is only required if your website uses non-essential cookies or trackers - for example for analytics, marketing or embedded third-party content. If you use only strictly necessary cookies (such as login, shopping cart or storing the consent decision) and embed no third-party services, you do not need a consent banner anywhere in the EU.

What is the legal basis for cookie banners in the EU?

Two rules apply together. Article 5(3) of the ePrivacy Directive - transposed into national law in every member state - requires prior consent before storing or reading information on a user's device, unless the storage or access is strictly necessary for a service the user has explicitly requested. The GDPR then governs the subsequent processing of the data; for tracking this is typically Article 6(1)(a), consent. A legitimate interest is not a valid substitute where Article 5(3) requires consent.

Does a 'Reject all' button have to be on the first level?

Yes. Accepting and rejecting must be given equal prominence and be equally easy to reach already on the first banner layer, in line with EDPB guidance and decisions by EU data protection authorities (Germany and France among them). A 'Reject' option hidden behind 'Settings' is not enough. In addition, trackers may only load after consent has been given.