Cookie Banner Best Practices

Home / Everything About / Everything About Analytics / Cookie Banner Best Practices

The cookie banner is your first interaction with users on privacy. A compliant banner is clear, explicit, and respects choice equally. Many banners are designed to trick users into consenting ("dark patterns"). Regulators have cracked down. A good banner is not just legally safe—it builds trust. Users appreciate transparency, and transparent cookie banners convert better than deceptive ones.

What Makes a Compliant Cookie Banner

The Banner Must Appear Before Tracking

This is the first rule. Before you set any analytics cookies, the user must see your consent banner and actively agree. If you track first and ask later, you're in violation. The banner must appear on page load, before your analytics script fires.

The Banner Must Be Clear and Specific

Your banner must explain what cookies you're setting and why. Vague language doesn't work ("we use cookies to enhance your experience"). Specific language does: "We use analytics cookies to measure page visits and user behavior. We use marketing cookies to show you ads on other sites." Users must understand what they're consenting to.

The Banner Must Make Consent Optional

You cannot force users to consent. You can set essential cookies without consent, but analytics and marketing cookies require optional consent. This means: there must be a clear "Reject" button alongside "Accept." If there's no reject option, the banner is not compliant.

Accepting and Rejecting Must Be Equally Easy

A common dark pattern: "Accept" is a big button, "Reject" is small text you have to hunt for. Compliant banners make both options equally discoverable. If "Accept" is big, "Reject" must be similarly prominent. Better approach: "Accept All" and "Reject All" buttons of equal size, or a "Manage Preferences" option that lets users choose granularly.

The Default Must Be No Tracking

Pre-checked boxes (where consent is assumed unless the user unchecks) are not compliant. Default should be unchecked. Users must actively check boxes to give consent. If you're using a single-button interface, the button should default to "Reject" until the user clicks "Accept."

Best Practices for Cookie Banner Design

Option 1: Simple Accept/Reject

Show your banner with two equal-sized buttons: "Accept All" and "Reject All." Include a link to your full privacy policy. This is the simplest approach and works well for many sites. The downside: users cannot granularly choose which cookies to accept.

Option 2: Simple Accept with Granular Reject

Show "Accept All" and "Manage Preferences." Manage Preferences opens a modal where users can choose which cookie categories to accept. This gives users choice while keeping the initial banner simple.

Option 3: Fully Granular

Show toggles for each cookie type (essential, analytics, marketing, preferences) on the banner itself. Users can toggle each on/off independently. This is more complex but gives maximum user control. Works well if you only have 3-4 cookie categories.

What Works Best

Research shows Option 2 (simple accept/reject with granular manage) balances compliance and usability. Users appreciate the simplicity of the initial banner, but those who want control can access it. Conversion rates are good because the initial friction is low.

Cookie Banner Language and Messaging

Your banner should include: what cookies you use, why you use them, how long they're stored, and how users can manage them (in settings or privacy preferences). This transparency builds trust. Users are more likely to consent when they understand what's happening.

Avoid Dark Patterns

Dark patterns in banners include: small or hidden reject button, pre-checked consent boxes, rejecting requires multiple clicks while accepting is one click, confusing language about what cookies do, or burying the opt-out option deep in settings.

Regulators actively target dark patterns. The EU's EDPB (European Data Protection Board) has issued specific guidance: reject and accept must be equally easy. If you use dark patterns, fines follow.

Consent Banner Retention and Changes

Once a user makes a consent choice, remember it. Store their choice (in a cookie) so the banner doesn't reappear every page load. Typical retention: 12-24 months. After that, ask again.

If you change your cookie practices (new tracking, new vendors), you may need to ask for consent again. Some jurisdictions require re-consent for material changes. Have a plan for how you'll notify users and collect new consent if your practices change.

Third-Party Consent Managers

Services like OneTrust, Cookiebot, Termly, and TrustArc handle cookie banners, consent storage, and integrations with analytics platforms. Using a reputable third-party manager can simplify compliance. They handle the legal details, maintain compliance as laws change, and integrate with your analytics tools automatically.

When to Use a Third-Party Manager

If you're not sure about compliance details, or if you serve multiple jurisdictions with different requirements, a third-party manager is worth the cost. They stay updated as laws change. Building your own banner is cheaper but riskier.

Which design option (simple, managed, granular) actually performs best in practice?

How do I make accept and reject buttons truly equally easy to find?

What exactly counts as a material change requiring re-consent?

Which consent managers integrate best with Google Analytics and GTM?

Are pre-checked consent boxes really a GDPR violation or just a best practice?

If a user rejects consent initially, can I ask again later?