Quick answer: If your website uses any non-essential cookies (analytics, advertising, social media embeds) and is accessible to visitors in the EU, UK, or Brazil, you are legally required to display a cookie consent banner. If your website only uses strictly necessary cookies (session management, security, load balancing), no banner is required.
The Simple Decision Rule
Ask yourself two questions:
- Does my website set any non-essential cookies? (analytics, ads, social plugins, chat widgets)
- Can visitors from the EU, UK, or other regulated countries access my site?
If the answer to both is yes, you need a cookie banner. Period. Not sure what cookies your site uses? Scan your website to find out.
Cookie Banner Requirements by Country
| Region | Law | Banner Required? | Consent Type |
|---|---|---|---|
| EU (27 countries) | GDPR + ePrivacy Directive | Yes, if non-essential cookies are used | Opt-in (prior consent) |
| UK | UK GDPR + PECR | Yes, if non-essential cookies are used | Opt-in (prior consent) |
| United States (California) | CCPA/CPRA | Yes — "Do Not Sell" notice required | Opt-out |
| United States (other states) | Varies (Virginia, Colorado, etc.) | Varies — several states now require notices | Opt-out |
| Canada | PIPEDA | Recommended but no specific banner mandate | Implied or express consent |
| Brazil | LGPD | Yes, if collecting personal data via cookies | Opt-in for sensitive data |
| Japan | APPI | Required for third-party sharing since 2022 | Opt-in for third-party transfers |
| Australia | Privacy Act 1988 | Not strictly required but recommended | Notice-based |
| South Korea | PIPA | Yes | Opt-in |
| India | DPDPA 2023 | Yes, for processing personal data | Opt-in |
What Does a Compliant Cookie Banner Look Like?
Under EU/UK law, a compliant cookie banner must:
- Appear before any non-essential cookies load — not after the page fully renders
- Offer an equally visible "Accept All" and "Reject All" button
- Allow granular choices (analytics vs. marketing vs. functional cookies separately)
- Not use dark patterns (pre-checked boxes, hidden reject buttons, color manipulation)
- Include a link to a detailed cookie policy
- Make it easy to withdraw consent at any time
When You Do NOT Need a Cookie Banner
You can skip the cookie banner entirely if your website only uses strictly necessary cookies. These include:
- Session cookies for login/authentication
- Shopping cart cookies on e-commerce sites
- Security cookies (CSRF protection)
- Load-balancing cookies
- Cookie consent preference cookies (the cookie that remembers the user's cookie choice)
If you use cookie-free analytics like Plausible, Fathom, or Umami (which don't use cookies at all), you also do not need consent for analytics tracking.
Common Mistakes That Lead to Fines
- Cookie walls: Blocking access unless all cookies are accepted is illegal in the EU
- Pre-checked boxes: Consent must be an affirmative action — pre-toggled switches don't count
- Loading trackers before consent: Google Analytics or Facebook Pixel firing before the user clicks "Accept" is the #1 violation
- No "Reject All" button: Since January 2022, the CNIL requires a reject button at the same level as accept
- Ignoring mobile: Your consent banner must be functional and accessible on mobile devices
How to Check If Your Current Banner Is Compliant
Use PrivacyChecker to scan your website. The audit specifically checks whether:
- A consent banner is present
- Non-essential cookies load before consent
- Both accept and reject options are available
- Your cookie banner implementation matches regulatory requirements
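The second check in the list above (non-essential cookies loading before consent) can be scripted against cookie strings recorded on a first page load, before the banner is answered. The following is an added example, not PrivacyChecker's code: the names `_ga`, `_gid` and `_gat` come from this page, while the allowlist, the verdict labels and the sample values are assumptions constructed for illustration.

```javascript
// Added example: classify cookies observed before any consent click.
// Input strings use Set-Cookie / document.cookie syntax: "name=value; Attr; Attr=val".
// _ga, _gid, _gat are named on this page; "_ga_<id>" is the GA4 per-property variant.
const TRACKER_PATTERNS = [/^_ga($|_)/, /^_gid$/, /^_gat($|_)/];

// Hypothetical allowlist: names this site declares as strictly necessary.
const STRICTLY_NECESSARY = new Set(['sessionid', 'csrftoken', 'cart', 'lb', 'cookie_consent']);

// Parse one cookie string into its name and lower-cased attributes.
function parseCookieString(raw) {
  const [pair, ...attrParts] = raw.split(';');
  const eq = pair.indexOf('=');
  if (eq < 1) return null; // malformed: empty or missing name
  const attrs = {};
  for (const part of attrParts) {
    const [k, ...v] = part.trim().split('=');
    if (k) attrs[k.toLowerCase()] = v.join('=') || true;
  }
  return { name: pair.slice(0, eq).trim(), attrs };
}

// 'violation' = known tracker, 'ok' = on the allowlist, 'review' = undeclared cookie.
function auditPreConsent(cookies, allowlist = STRICTLY_NECESSARY) {
  const findings = [];
  for (const raw of cookies) {
    const c = parseCookieString(raw);
    if (!c) { findings.push({ name: null, verdict: 'malformed' }); continue; }
    let verdict;
    if (TRACKER_PATTERNS.some((re) => re.test(c.name))) verdict = 'violation';
    else if (allowlist.has(c.name)) verdict = 'ok';
    else verdict = 'review';
    findings.push({ name: c.name, verdict, persistent: 'max-age' in c.attrs || 'expires' in c.attrs });
  }
  return findings;
}

// Constructed sample: cookies recorded before the banner was answered.
const SAMPLE = [
  'sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax',
  '_ga=GA1.1.111.222; Max-Age=63072000; Path=/',
  '_gid=GA1.1.333.444; Max-Age=86400; Path=/',
  'promo_seen=1; Expires=Wed, 01 Jan 2031 00:00:00 GMT',
  'csrftoken=xyz; Path=/; Secure',
];

// True when at least one known tracker cookie was set before consent.
const failsAudit = (cookies) => auditPreConsent(cookies).some((f) => f.verdict === 'violation');

console.log(auditPreConsent(SAMPLE), 'fails:', failsAudit(SAMPLE));
```

Cookies that come back as `review` are not on the declared strictly-necessary list and need a manual decision on whether they require consent.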
If you're choosing a consent management tool, see our CMP comparison guide.
Frequently Asked Questions
Does a US-only website need a cookie banner?
If your website is only accessible to US visitors and does not target EU residents, GDPR does not apply. However, California's CCPA/CPRA requires a "Do Not Sell or Share My Personal Information" link if you handle the data of California residents. Several other states (Virginia, Colorado, Connecticut, Utah, Texas, Oregon) have similar requirements.
Do I need a cookie banner if I only use Google Analytics?
Yes. Google Analytics sets cookies (including _ga, _gid, and _gat) that track user behavior across sessions. Under GDPR, these are non-essential cookies and require prior opt-in consent. Multiple EU DPAs have confirmed this, with some even ruling that GA4 is not legal without proper consent.
What happens if I don't have a cookie banner?
Regulators can fine you up to €20 million or 4% of global annual turnover under GDPR. In practice, fines for cookie consent violations range from €10,000 to €150,000 for small businesses, and from €90 million to €405 million for large companies.