Quick answer: Cookie banner requirements vary significantly by country. The EU requires opt-in consent before setting non-essential cookies. The UK follows similar rules under PECR. The US has no federal cookie law, but California (CCPA) requires opt-out disclosures. Brazil (LGPD) requires consent. Getting cookie compliance wrong is one of the most common reasons for GDPR fines.
Cookie Banner Requirements at a Glance
| Country/Region | Law | Consent Model | Pre-checked Boxes | Reject Button Required | Max Fine |
|---|---|---|---|---|---|
| EU (all members) | GDPR + ePrivacy | Opt-in | Illegal | Yes (must be equal) | €20M / 4% turnover |
| United Kingdom | UK GDPR + PECR | Opt-in | Illegal | Yes | £17.5M / 4% turnover |
| United States | No federal law | Varies by state | Allowed (federally) | No | Varies |
| California (US) | CCPA/CPRA | Opt-out | N/A | No (opt-out link) | $7,500/violation |
| Brazil | LGPD | Opt-in | Illegal | Recommended | 2% revenue (max R$50M) |
| Canada | PIPEDA | Implied/Express | Context-dependent | Recommended | CAD $100K |
| Australia | Privacy Act | Notice-based | Allowed | No | AUD $50M |
| Japan | APPI | Opt-out | Allowed | No | ¥100M |
| South Korea | PIPA | Opt-in | Illegal | Yes | 3% revenue |
| India | DPDPA 2023 | Opt-in (consent) | Illegal | Yes | ₹250 crore |
European Union: The Strictest Requirements
EU cookie law is governed by two regulations working together: the ePrivacy Directive (cookie-specific) and the GDPR (general data processing). Together, they create the world's strictest cookie consent regime.
What EU Law Requires
- Prior consent: You must obtain consent before setting any non-essential cookies. No cookies can fire on page load except strictly necessary ones
- Granular choice: Users must be able to accept or reject cookies by category (analytics, marketing, functional)
- Equal prominence: "Accept All" and "Reject All" buttons must be equally visible. The CJEU ruled in 2024 that hiding "Reject" behind a settings layer is non-compliant
- No dark patterns: You cannot use larger fonts, brighter colors, or emotional language to nudge users toward acceptance
- Easy withdrawal: Users must be able to change their preferences at any time, just as easily as they gave consent
- Cookie wall ban: You cannot deny access to your website if users reject cookies (with very limited exceptions)
EU Cookie Banner Enforcement Examples
| Company | Fine | Violation | DPA | Year |
|---|---|---|---|---|
| | €150M | No easy reject option on cookies | CNIL (France) | 2022 |
| | €60M | No easy reject option on cookies | CNIL (France) | 2022 |
| TikTok | €5M | Cookie consent not GDPR-compliant | CNIL (France) | 2023 |
| Microsoft (Bing) | €60M | Cookies deposited without valid consent | CNIL (France) | 2022 |
| Criteo | €40M | No valid consent for advertising cookies | CNIL (France) | 2023 |
United Kingdom: Post-Brexit Rules
After Brexit, the UK retained the GDPR as the "UK GDPR", and cookie rules are governed by PECR (Privacy and Electronic Communications Regulations). The requirements are almost identical to the EU:
- Opt-in consent required for all non-essential cookies
- Strictly necessary cookies exempt (session IDs, shopping cart, security tokens)
- ICO (Information Commissioner's Office) enforces compliance
- Maximum fine: £17.5 million or 4% of global annual turnover
- ICO published updated guidance in 2024 emphasizing the "Reject All" button requirement
Key difference from EU: The UK is considering a "legitimate interest" exception for analytics cookies under the Data Protection and Digital Information Bill. This could make the UK slightly more lenient than the EU for basic analytics. As of 2026, this has not yet been enacted.
United States: A Patchwork of State Laws
The US has no federal cookie consent law. However, several states have enacted comprehensive privacy laws that affect cookie practices:
California (CCPA/CPRA)
- Model: Opt-out (not opt-in)
- You must provide a "Do Not Sell or Share My Personal Information" link
- Must honor Global Privacy Control (GPC) browser signals
- No cookie banner required per se, but disclosure of cookie-based tracking is mandatory
- Fine: up to $7,500 per intentional violation
Other US States With Cookie-Relevant Laws
| State | Law | Effective | Cookie Relevance |
|---|---|---|---|
| Virginia | VCDPA | 2023 | Opt-out for targeted ads and profiling |
| Colorado | CPA | 2023 | Universal opt-out mechanism required |
| Connecticut | CTDPA | 2023 | Opt-out for sale and targeted ads |
| Texas | TDPSA | 2024 | Opt-out mechanism for data sales |
| Oregon | OCPA | 2024 | Universal opt-out signal recognition |
Brazil (LGPD)
Brazil's LGPD follows an opt-in consent model for cookies, similar to the EU:
- Consent must be "free, informed, and unambiguous"
- Users must be able to revoke consent at any time
- The ANPD (national authority) published cookie-specific guidance in 2024
- Maximum fine: 2% of revenue, capped at R$50 million per violation
- Enforcement has increased significantly in 2025-2026
What Cookies Are "Strictly Necessary"?
Strictly necessary cookies are exempt from consent requirements across all jurisdictions. But the definition is narrow:
| Cookie Type | Strictly Necessary? | Needs Consent? |
|---|---|---|
| Session ID / authentication | Yes | No |
| Shopping cart | Yes | No |
| CSRF tokens | Yes | No |
| Cookie consent preference | Yes | No |
| Load balancer cookies | Yes | No |
| Google Analytics | No | Yes |
| Facebook Pixel | No | Yes |
| Advertising / retargeting | No | Yes |
| Social media embeds | No | Yes |
| A/B testing tools | No | Yes |
| Hotjar / session recording | No | Yes |
How to Build a Compliant Cookie Banner
Minimum Requirements (Works Globally)
- Block all non-essential cookies by default — no scripts fire until consent is given
- Show a clear banner explaining what cookies you use and why
- Provide Accept All and Reject All buttons with equal prominence
- Allow granular control — let users choose cookie categories
- Remember the choice — don't re-ask on every page load
- Allow withdrawal — provide a way to change preferences (footer link or icon)
- Log consent — keep records of when consent was given, by whom, and for what
Technical Implementation
The most reliable approach is a Consent Management Platform (CMP) that handles blocking, categorization, and consent logging. See our CMP Comparison Guide for options.
If implementing manually, the key is to ensure Google Consent Mode v2 is properly configured. This allows Google Analytics and Google Ads to respect user consent choices. See our Google Consent Mode v2 Setup Guide.
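The minimum requirements above (deny by default, remember the choice, re-ask when categories change, log consent) together with the Consent Mode v2 mapping, as an added example that is not from the original page or from any CMP. The category names, the record shape, `BANNER_VERSION`, the 12-month expiry and the choice to let a GPC signal override a stored marketing grant are assumptions of this example.

```javascript
// Added example; category names, record shape and function names are assumptions.
const CATEGORIES = ['analytics', 'marketing', 'functional'];
const BANNER_VERSION = 2;                   // bump when categories or purposes change
const MAX_AGE_MS = 365 * 24 * 3600 * 1000;  // assumed policy: re-ask after 12 months

// True when the banner must be shown: no record, outdated version, expired or unreadable date.
function needsPrompt(stored, now) {
  if (!stored || stored.bannerVersion !== BANNER_VERSION) return true;
  const givenAt = Date.parse(stored.timestamp);
  return !(now - givenAt <= MAX_AGE_MS);    // NaN timestamp also forces a prompt
}

// Every non-essential category starts denied; only an explicit stored `true` grants.
// gpc: in a browser pass navigator.globalPrivacyControl; server-side, the Sec-GPC header.
function resolveConsent(stored, gpc, now) {
  const state = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (!needsPrompt(stored, now)) {
    for (const c of CATEGORIES) state[c] = (stored.choices || {})[c] === true;
  }
  if (gpc === true) state.marketing = false; // assumption: GPC overrides a stored grant
  return state;
}

// Strictly necessary tags always load; everything else waits for its category.
function mayLoad(tag, state) {
  return tag.category === 'necessary' || state[tag.category] === true;
}

// Map the state to Google Consent Mode v2 consent types, for use as
// gtag('consent', 'default', toConsentModeV2(state)) before any Google tag runs.
function toConsentModeV2(state) {
  const v = (ok) => (ok ? 'granted' : 'denied');
  return {
    analytics_storage: v(state.analytics),
    ad_storage: v(state.marketing),
    ad_user_data: v(state.marketing),
    ad_personalization: v(state.marketing),
    functionality_storage: v(state.functional),
  };
}

// Consent log entry: by whom, when, and for what.
function consentRecord(subjectId, choices, now) {
  return { subjectId, choices, bannerVersion: BANNER_VERSION,
           timestamp: new Date(now).toISOString() };
}
```

Call `gtag('consent', 'update', toConsentModeV2(state))` after the user changes preferences, and write a new `consentRecord` each time so withdrawals are logged as well as grants.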
Check Your Cookie Compliance
PrivacyChecker scans your website and identifies cookie compliance issues automatically. The scan detects:
- Cookies that fire before consent (pre-consent violations)
- Missing or misconfigured cookie banners
- Third-party trackers loading without user permission
- Google Analytics and advertising cookies compliance
- Missing Consent Mode v2 implementation
Frequently Asked Questions
Do I need a cookie banner if I only use essential cookies?
If your website only uses strictly necessary cookies (session, security, preferences), you do not need a consent banner in most jurisdictions. However, you should still provide a cookie policy explaining what cookies you use. Most websites use at least some analytics or marketing tools that require consent.
Can I use a cookie wall to deny access?
In the EU, cookie walls are generally not allowed. The EDPB has stated that consent is not freely given if the user has no real choice. Some DPAs allow limited exceptions (e.g., if a free ad-supported version is available alongside a paid ad-free version), but the safest approach is to never use cookie walls.
How often should I re-ask for consent?
There is no legally mandated period, but best practice is to re-ask every 6 to 12 months. You must also re-ask whenever you add new cookie categories or change the purposes of existing cookies. The CNIL recommends re-obtaining consent every 13 months maximum.
Do cookie banners hurt my SEO?
Google has stated that cookie consent banners do not negatively impact SEO if implemented correctly. Avoid interstitials that block the main content on mobile — use a bottom or top bar instead of a full-screen overlay.