Cookie Banner Requirements: US & EU Rules (2026)

Cookie banners are the most visible artifact of privacy law on the internet. Nearly every major website displays one, but the requirements behind those banners differ sharply between the EU and the US. An EU-compliant banner asks permission before tracking. A US-compliant banner offers a way to opt out after tracking has begun. Getting this wrong carries real consequences: the French CNIL fined Google 150 million euros in 2021 over the design of its cookie consent interface.
This guide breaks down exactly what a compliant cookie banner looks like in each jurisdiction, what elements are required, which design choices are illegal, and how to handle the overlap when a single website serves both European and American visitors.

EU Cookie Banner Requirements
EU cookie consent is governed by the ePrivacy Directive (Directive 2002/58/EC, amended by 2009/136/EC) and the GDPR (Regulation 2016/679). The core rule is simple: no non-essential cookies may be placed on a user's device until the user gives informed, affirmative consent.
Required Elements of an EU Cookie Banner
A compliant EU cookie banner must include the following elements.
Clear identification of purposes. The banner must explain, in plain language, what cookies are used for. Vague language like "We use cookies to improve your experience" is insufficient. Each purpose (analytics, advertising, social media, functional enhancements) should be identified.
Accept and reject options with equal prominence. Users must be able to reject non-essential cookies as easily as they accept them. The CNIL and Italian Garante both require a reject button on the first layer of the banner, not hidden behind a "Manage Preferences" link. The reject button must be the same size, color weight, and prominence as the accept button.
Granular consent by category. Users must be able to consent to specific categories of cookies (analytics, advertising, functional) independently. An "Accept All" button is permissible only if accompanied by individual category toggles and an equally prominent "Reject All" option.
Information about cookie duration and recipients. Users must be told how long cookies persist and which third parties receive data through cookies. This information can be in a linked cookie policy rather than the banner itself, but the link must be accessible from the banner.
No pre-ticked checkboxes. The CJEU ruled in Planet49 (Case C-673/17) that pre-ticked checkboxes do not constitute valid consent. All cookie category toggles must default to "off" or unchecked.
Prior blocking of cookies. Non-essential cookies must not load until the user provides consent. This means the banner must block analytics scripts, advertising pixels, and social media embeds from executing until an affirmative choice is made. This is often the most technically challenging requirement.
What a Compliant EU Banner Looks Like
A compliant first-layer EU cookie banner typically includes:
- A brief explanation: "This website uses cookies for analytics, advertising, and social media integration."
- A link to the full cookie policy with detailed cookie inventory
- An "Accept All" button
- A "Reject All" button (same size and visual weight)
- A "Manage Preferences" link that opens granular category-level controls
- All category toggles default to off in the preferences panel
Consent Withdrawal
Users must be able to withdraw cookie consent at any time, and withdrawal must be as easy as giving consent. Most implementations satisfy this through a persistent cookie settings icon or link in the website footer. When a user withdraws consent, previously set cookies should be deleted and the associated tracking should stop.
Consent Records
Organizations must maintain records demonstrating that valid consent was obtained. Records should include the timestamp, the user's consent choices (which categories were accepted or rejected), the version of the cookie banner shown, and the user's IP address or a pseudonymized identifier.
Re-Consent Frequency
The ePrivacy Directive does not specify how often consent should be refreshed. National guidance varies: the CNIL recommends every 6 months, while other authorities suggest 12 months. Best practice is to re-display the consent banner whenever new cookie categories are added or processing purposes change.

US Cookie Banner Requirements
The United States has no federal law requiring cookie consent banners. US cookie banner obligations come from state privacy laws, primarily the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), with additional requirements from other state privacy laws.
California: CCPA/CPRA Requirements
California's CCPA/CPRA does not require opt-in cookie consent. Instead, it requires businesses to provide specific opt-out mechanisms.
"Do Not Sell or Share My Personal Information" link. Businesses that sell personal information or share it for cross-context behavioral advertising must display a clear link on their homepage and in their privacy policy. This link must lead to a page where consumers can exercise their opt-out rights.
Global Privacy Control (GPC) recognition. Under the CCPA regulations finalized by the California Privacy Protection Agency (CPPA), businesses must treat GPC signals as valid opt-out requests. GPC is a browser-level signal (available in Firefox, Brave, DuckDuckGo, and through browser extensions) that automatically communicates a user's opt-out preference.
No opt-in required (with exceptions). The CCPA/CPRA does not require opt-in consent for cookie placement. However, businesses must obtain opt-in consent before selling the personal information of consumers under 16 years old (with parental consent required for those under 13).
"Limit the Use of My Sensitive Personal Information" link. If a business uses or discloses sensitive personal information beyond what is necessary to provide the requested service, it must display an additional link allowing consumers to limit that use.
Other State Privacy Laws
Several other states have enacted comprehensive privacy laws with provisions affecting cookie-based tracking.
Colorado (CPA): Requires businesses to provide opt-out mechanisms for targeted advertising and the sale of personal data. Businesses must honor universal opt-out signals (including GPC) starting July 1, 2024.
Connecticut (CTDPA): Requires opt-out rights for targeted advertising, data sales, and profiling. Mandates recognition of universal opt-out mechanisms.
Virginia (VCDPA): Provides consumer opt-out rights for targeted advertising and data sales. Does not require recognition of universal opt-out signals.
Texas (TDPSA): Effective July 1, 2024. Provides opt-out rights for targeted advertising and data sales.
Oregon (OCPA): Effective July 1, 2024. Includes opt-out rights and requires recognition of universal opt-out mechanisms.
What a US-Compliant Banner Looks Like
A US cookie banner for California compliance typically includes:
- A notice that the site uses cookies and tracking technologies
- A link to the privacy policy
- A "Do Not Sell or Share My Personal Information" link
- A "Limit the Use of My Sensitive Personal Information" link (if applicable)
- GPC auto-detection that honors the signal without requiring user interaction
Unlike EU banners, US banners do not need to block cookies before the user makes a choice. Cookies may load by default, with the banner providing opt-out controls.
Side-by-Side Comparison: EU vs. US
| Requirement | EU (ePrivacy + GDPR) | US (CCPA/CPRA + State Laws) |
|---|---|---|
| Consent model | Opt-in (prior consent required) | Opt-out (default tracking, user can object) |
| Default cookie state | Blocked until consent | Active until opt-out |
| Reject button | Required, equal to accept | Not required; opt-out link suffices |
| Pre-ticked boxes | Illegal (Planet49 ruling) | No prohibition |
| Granular categories | Required | Not required |
| GPC recognition | Not mandatory (supplemental) | Mandatory in CA, CO, CT, OR |
| "Do Not Sell" link | Not applicable | Required in CA, CO, CT, VA, TX, OR |
| Consent records | Required | Opt-out request records required |
| Re-consent period | 6-12 months (varies by DPA) | N/A (opt-out is persistent) |
| Maximum penalty | 20M euros / 4% turnover | $7,500 per intentional violation (CA) |
Common Cookie Banner Mistakes
Both EU and US website operators frequently make compliance errors in their cookie banner implementations.
Dark Patterns
Dark patterns are design choices that manipulate users into accepting cookies against their actual preference. Regulators across the EU have specifically targeted these practices.
Accept-only first layer. Displaying a prominent "Accept All" button on the first layer while requiring users to click through to a second layer to find the reject option. The CNIL, Italian Garante, and Austrian DSB have all found this non-compliant.
Color and size manipulation. Making the "Accept" button large and colorfully highlighted while displaying "Reject" or "Manage Preferences" as small gray text. The EDPB's guidelines on dark patterns specifically address visual manipulation of consent interfaces.
Confusing language. Using double negatives or unclear wording like "Do not opt out of not sharing" that confuses users about what they are agreeing to.
Consent fatigue exploitation. Requiring excessive clicks to reject cookies (e.g., toggling off each of 50 individual cookies) while offering a single "Accept All" button.
Pre-Consent Cookie Loading
Many websites place analytics and advertising cookies before the user interacts with the banner. In the EU, this violates the prior consent requirement. Technically, no non-essential cookie should fire until the user clicks "Accept." This requires the consent management platform to block scripts until consent is given, often implemented through a tag manager that gates script execution on consent status.
Missing Consent Records
Failing to log consent choices makes it impossible to demonstrate compliance during a regulatory audit. Every consent decision (accept, reject, or specific category selections) should be timestamped and stored.
Cookie Wall Violations
Blocking access to the website entirely unless cookies are accepted is generally non-compliant in the EU. The EDPB has stated that "access to services and functionalities must not be made conditional on the consent of a user" to cookie placement. A few national authorities (notably the Netherlands) permit cookie walls under limited conditions, but the safest approach is to allow access regardless of consent choice.
Failing to Honor GPC in the US
Under the CCPA/CPRA, businesses must treat GPC signals as valid opt-out requests. Simply ignoring GPC because the user has not also clicked the "Do Not Sell" link is non-compliant. The California Attorney General's enforcement actions have specifically targeted businesses that failed to honor GPC.
Analytics Without Consent: What Is Possible?
A common question for EU-compliant websites is whether any analytics data can be collected without consent. The answer depends on the tool and the jurisdiction.
Server-Side Analytics
Server log analysis (IP addresses, page views, referrers) does not use cookies and therefore falls outside the ePrivacy Directive's cookie consent requirement. However, if IP addresses are considered personal data (they are, under the GDPR), a legal basis is still needed for that processing. Legitimate interest under GDPR Article 6(1)(f) may apply for basic server-side analytics if appropriate safeguards are in place.
Privacy-Preserving Analytics Tools
Some analytics tools are designed to operate without cookies or with only first-party, session-limited cookies. Tools like Plausible, Fathom, and self-hosted Matomo (in cookieless mode) can provide aggregate traffic data without requiring consent under most national implementations of the ePrivacy Directive.
The French CNIL explicitly allows first-party audience measurement cookies without consent under strict conditions: the data must be aggregated, not shared with third parties, used only for audience measurement, and limited in retention period. The tool must also allow users to opt out.
Google Analytics and Consent
Google Analytics 4 (GA4) places cookies that transfer data to Google's servers in the United States. It requires consent in the EU under both the ePrivacy Directive (for cookie placement) and the GDPR (for the international data transfer to Google). The Austrian, French, and Italian data protection authorities have all ruled that Google Analytics transfers violate GDPR's data transfer rules, making it particularly important to gate GA4 on consent.
CCPA "Do Not Sell or Share" Integration
For websites that display both an EU cookie banner and US opt-out mechanisms, integrating the CCPA's "Do Not Sell or Share" requirement into the consent flow requires careful design.
Unified vs. Separate Interfaces
Some consent management platforms offer a unified interface that adapts based on the visitor's location. An EU visitor sees the full opt-in banner. A California visitor sees the "Do Not Sell or Share" mechanism. This approach simplifies the user experience and reduces banner fatigue for US visitors who are not subject to opt-in requirements.
GPC Auto-Detection
For California, Colorado, Connecticut, and Oregon visitors, the website should automatically detect GPC browser signals and suppress advertising and data-sharing cookies without displaying any banner at all. If GPC is detected, the site should treat it as an opt-out and confirm this in its privacy center.
Multi-State Compliance
For US-wide compliance, a best-practice approach combines:
- A "Do Not Sell or Share My Personal Information" link (satisfies CA, CO, CT, VA, TX, OR, and other state opt-out requirements)
- GPC auto-detection (satisfies CA, CO, CT, OR universal opt-out mandates)
- A "Your Privacy Choices" or "Your Opt-Out Rights" footer link (satisfies general notice requirements)
- Age-gating for users under 16 in California (opt-in consent required before selling minors' data)
Best Practices for Cookie Banners
Design Principles
- Place the banner in a fixed position (bottom or center of the screen) that does not completely block content
- Use clear, plain language at an 8th-grade reading level
- Display accept and reject options with identical visual treatment (size, color, font weight)
- Include a "Manage Preferences" option for granular control
- Provide a persistent method to change preferences after initial choice (footer link or floating icon)
Technical Implementation
- Use a consent management platform (CMP) that blocks non-essential scripts until consent
- Integrate with your tag manager to gate script execution on consent status
- Test that no tracking cookies fire before user interaction
- Implement GPC detection for US visitors
- Log all consent events with timestamps and version identifiers
- Audit third-party scripts regularly, as they may introduce new cookies without notice
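The prior-blocking, consent-record and GPC auto-detection requirements described above, brought together in one added JavaScript example that is not from the page or any consent management platform; the category names, the mapping of advertising and social-embed scripts to the CCPA "sell or share" set, the `data-consent-category` attribute convention and the record fields are assumptions:

```javascript
// Added example, not code from the page or any CMP: a consent gate for a site that serves
// EU (opt-in) and US (opt-out) visitors. Categories, SHARING and the record shape are assumed.
const CATEGORIES = ["analytics", "advertising", "social"];
// Assumed: these categories "sell or share" data in CCPA terms, so a GPC signal or a
// "Do Not Sell or Share" opt-out must suppress them even without banner interaction.
const SHARING = ["advertising", "social"];
// GPC is exposed as navigator.globalPrivacyControl in the browser and as a
// "Sec-GPC: 1" request header server-side; honour either source.
function gpcDetected(nav, headers = {}) {
  if (nav && nav.globalPrivacyControl === true) return true;
  const h = headers["sec-gpc"] ?? headers["Sec-GPC"];
  return String(h ?? "").trim() === "1";
}

// Non-essential categories allowed to execute right now.
// EU: none until an affirmative choice exists (no defaults, no pre-ticked boxes).
// US: all by default, minus SHARING when GPC or an explicit opt-out is present.
function allowedCategories({ regime, consent = null, gpc = false, optedOut = false }) {
  if (regime === "eu") {
    return consent ? CATEGORIES.filter((c) => consent.accepted.includes(c)) : [];
  }
  return CATEGORIES.filter((c) => !((gpc || optedOut) && SHARING.includes(c)));
}

// Scripts ship inert (type="text/plain" with data-consent-category) and are switched
// to executable only when their category is allowed; essential scripts carry none.
function gateScripts(scripts, allowed) {
  const out = { activate: [], blocked: [] };
  for (const s of scripts) {
    (!s.category || allowed.includes(s.category) ? out.activate : out.blocked).push(s.src);
  }
  return out;
}

// Audit record per consent event: timestamp, per-category choice, banner version, pseudonymised id.
function consentRecord({ accepted, bannerVersion, subjectId, now = new Date() }) {
  return {
    timestamp: now.toISOString(),
    bannerVersion,
    subject: subjectId,
    choices: Object.fromEntries(CATEGORIES.map((c) => [c, accepted.includes(c)])),
  };
}
// Constructed sample inventory: one essential script plus one gated script per category.
const SAMPLE_SCRIPTS = [
  { src: "/js/app.js" },
  { src: "https://analytics.example/tag.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];
```

In a browser, each `src` in `activate` would be applied by replacing the inert element with a clone whose `type` is `text/javascript`, and `gpcDetected(navigator)` would run before the banner is ever rendered.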
Accessibility
- Ensure the banner is keyboard-navigable and screen-reader compatible
- Maintain sufficient color contrast for all text and interactive elements
- Provide focus indicators for interactive elements
- Do not use auto-closing banners that disappear before assistive technology users can interact with them
This is general legal information, not legal advice. Cookie banner requirements depend on the specific jurisdictions your website serves, the types of cookies and tracking technologies used, and your organization's data processing activities. Consult a data protection attorney for advice specific to your situation.
Sources and References
- Directive 2002/58/EC (ePrivacy Directive), eur-lex.europa.eu
- CJEU Case C-673/17 (Planet49), curia.europa.eu
- CNIL Cookie Guidelines, cnil.fr
- Italian Garante Cookie Guidelines, garanteprivacy.it
- EDPB Dark Patterns Guidelines, edpb.europa.eu
- EDPB Consent Guidelines, edpb.europa.eu
- California CCPA/CPRA, oag.ca.gov
- CPPA Regulations, cppa.ca.gov
- GDPR (Regulation 2016/679), eur-lex.europa.eu