A cookie banner (also called a Consent Management Platform, or CMP) is the on-site UI that captures a visitor’s permission before any non-essential cookie is set. Under the EU’s GDPR and ePrivacy Directive, that permission must be freely given, specific, informed, and unambiguous. In practice that means no pre-ticked boxes, no dark patterns, and a Reject button as prominent as Accept. Since March 2024 the banner is also the required entry point for Google Consent Mode v2. Without it, Google Ads audiences, remarketing, and GA4 modeled conversions stop working for EEA traffic.
What Is a Cookie Banner (CMP): Definition and Function
A cookie banner is the first layer of a Consent Management Platform. The CMP is the broader system: a JavaScript SDK that displays the banner, stores the user’s choice in a first-party cookie or local storage, exposes that choice to your tag manager, and renews consent when policy changes. The banner itself is the visible piece; the rest is plumbing.
Its job is fourfold. First, inform: tell users which cookies will be set and for what purpose. Second, capture choice: offer Accept, Reject, and Customize as equal-weight actions. Third, enforce: block tags from firing until choice is recorded. Fourth, document: log the consent event with timestamp, banner version, and a privacy-safe identifier so you can prove compliance during a regulator audit.
When I’ve deployed CMPs across portfolios with mixed EU and US traffic, the recurring failure mode is treating the banner as a UI widget rather than an enforcement layer. The banner without the tag-blocking logic is decoration. The blocking logic without proper signals to Google Tag Manager is half-implemented Consent Mode.
Why Cookie Banners Are Required: GDPR, ePrivacy, CCPA
The legal stack has three layers, and a cookie banner sits at the intersection of all three. They don’t all say the same thing: knowing which obligation applies to which visitor is the basis for a lawful banner configuration.
The ePrivacy Directive (2002/58/EC, amended 2009) is the actual source of the cookie consent requirement. Article 5(3) says you must obtain consent before storing or accessing information on a user’s device (that’s the cookie itself). As a directive, ePrivacy is enforced through each member state’s transposing law by the national regulator (CNIL in France, Garante in Italy, ICO in the UK). The GDPR then governs what you do with the personal data once you have it: lawful basis, subject rights, breach notification, the €20M / 4% turnover penalty ceiling.
CCPA/CPRA (California) takes a different philosophy: opt-out, not opt-in. You don’t need a banner before tracking starts, but you must offer a “Do Not Sell or Share My Personal Information” link and honor Global Privacy Control signals. Brazil’s LGPD, Canada’s PIPEDA, and emerging US state laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA) are mostly hybrid models that the same CMP can serve through geo-detection.
The European Court of Justice’s 2019 Planet49 ruling settled the open question: pre-ticked checkboxes are not valid consent. NOYB (Max Schrems’ organization) has filed hundreds of complaints against sites with non-compliant banners, leading to enforcement actions against Google, Meta, Amazon, and many smaller publishers.
Cookie Banner Types: Notice, Confirmation, Granular, TCF
Not every banner does the same job. The choice depends on jurisdiction, audience composition, and whether you run programmatic ads. Here’s the four-tier landscape.
| Type | What It Does | Where It’s Sufficient | Where It Fails |
|---|---|---|---|
| Notice-only | Banner says “we use cookies” with an OK button. Tags fire immediately. | Pure US sites with no EU traffic, no programmatic ads | Illegal in EU/UK: no consent captured |
| Confirmation | Accept / Reject buttons. Binary choice. | Small EU sites with only one tag category (e.g., GA4) | Fails when you have multiple purposes (analytics + ads + functional) |
| Granular | Per-category toggles: Strictly Necessary / Analytics / Marketing / Preference. Plus Accept All / Reject All. | Standard EU/UK deployment for most sites | Insufficient if you sell ad inventory programmatically (need TCF) |
| IAB TCF v2.2 | Granular plus IAB Transparency & Consent Framework string for ad-tech vendors. | Publishers with programmatic ads, ad networks, AdSense, prebid.js | Heavyweight, overkill for non-publisher sites |
For 90% of sites running GA4 plus Google Ads, a granular banner with TCF disabled is the right answer. Activate TCF only when ad-tech vendors require it. Google AdSense, for example, requires a Google-certified CMP and the IAB string for personalized ads in the EEA.
IAB Transparency & Consent Framework (TCF v2.2)
The IAB TCF is the ad industry’s standardized way of communicating consent to thousands of vendors at once. Without TCF, every ad-tech partner would need its own integration, which is impractical when a single page may load fifty SSPs, DSPs, and DMPs. The TCF defines a consent string (the tcString), a list of Purposes (1-11), Special Purposes, Features, and a registry of certified Vendors.
Version 2.2, published in May 2023, removed Legitimate Interest as a basis for advertising purposes, simplified the user-facing language, and added Vendor counts to the first layer. Purposes 3, 4, 5, and 6 (ad personalization, ad measurement, content personalization, content measurement) now require explicit consent only, with no LI fallback.
If you’re not a publisher, you can skip TCF entirely. If you are, your CMP must be on the IAB CMP list: Cookiebot, OneTrust, Sourcepoint, Didomi, and Quantcast Choice are the common picks.
Google Consent Mode v2 + GA4: Required Since March 2024
Google Consent Mode v2 is the wire that carries the user’s banner choice into every Google tag firing on the page. It does not replace the banner. Your CMP still has to capture the choice. Consent Mode is what GA4, Google Ads, and Floodlight read on each hit to decide what data to send.
v2 introduces four signals. The first two existed in v1. The last two became mandatory for advertisers using Google Ads, audiences, or remarketing in the EEA as of March 2024.
- ad_storage: permission to set advertising cookies (Google Ads, remarketing tags).
- analytics_storage: permission to set analytics cookies, including the GA4 _ga cookie holding a Client ID.
- ad_user_data: permission to send user data to Google for advertising purposes (v2 mandatory).
- ad_personalization: permission to use the data for personalized advertising (v2 mandatory).
The flow has two modes. Basic: tags fire only after Accept, meaning no Google data at all when denied. Advanced: tags fire immediately with all signals denied, sending cookieless pings (no first-party cookie, no Client ID, IP truncated). Google then uses conversion modeling to estimate the missing signal, typically recovering 30-50% of the lost conversions. Advanced mode is what Google Ads needs to keep audiences functional.
Top Cookie Banner Solutions: Cookiebot, OneTrust, Iubenda, Termly
Twenty-plus CMPs compete in this market. After deploying several across portfolios, four cover the realistic decision space for most sites. Pricing is approximate; vendors revise it constantly.
| CMP | Best For | Free Tier | Paid From | Google-certified | TCF v2.2 |
|---|---|---|---|---|---|
| Cookiebot | SMB to mid-market, GDPR-first deployments | Up to 100 pages, 1 domain | €11/month per domain | Yes | Yes |
| OneTrust | Enterprise, multi-jurisdiction, complex vendor lists | No (sales contact only) | ~$10k+/year quoted | Yes | Yes |
| Iubenda | SMB needing privacy policy + terms generator bundled | Limited free tier | €9/month | Yes | Yes |
| Termly | US sites adding GDPR/CCPA compliance lightweight | Up to 1 domain, basic features | $10/month | Yes | Limited |
| Klaro! (open source) | Self-hosted, technical teams, no SaaS dependency | Free / MIT license | n/a | No (manual GCM v2) | No |
For a 52-site portfolio I lean toward Cookiebot: the auto-scan catches new tags as you deploy them, and the GCM v2 integration is one toggle. OneTrust wins for enterprise multi-jurisdiction setups but the implementation overhead is real. Klaro! makes sense when you don’t trust SaaS to disappear and have a developer to maintain config.
Banner Design Patterns That Comply (No Dark Patterns)
The CNIL, ICO, and EDPB have published guidance on what constitutes a non-compliant banner. The core principle: rejecting must be as easy as accepting. Anything that nudges, hides, or fatigues the user toward Accept is a dark pattern, and dark patterns invalidate consent.
- Equal prominence: Accept and Reject buttons same size, same color contrast, same depth in the UI hierarchy. No “Reject” hidden behind a small text link.
- One click to reject: First-layer Reject All must dismiss the banner with all non-essential consent denied. Forcing users to a second screen to reject is non-compliant per CNIL.
- No pre-ticked toggles: Per Planet49, every category toggle in the granular layer must default to off. Pre-checked = no valid consent.
- No deceptive copy: Avoid “Accept and continue” framing without a balanced reject option, “Manage preferences” hidden in tiny text, or guilt-trip language.
- No cookie wall in most cases: Conditioning content access on Accept is illegal in France, Germany, Spain. The UK and Austria allow “pay or consent” with caveats.
- Always-visible re-consent: Provide a footer link or floating icon to reopen the banner, since users have the right to withdraw consent at any time, as easily as they gave it.
- Refresh consent: Re-prompt every 12 months minimum. Refresh sooner if you add new vendors or purposes.
Cookie Categories: Strictly Necessary, Analytics, Marketing, Preference
Granular banners group cookies into purpose categories. The four-category split below maps cleanly to the IAB Purposes and to GCM v2’s signal taxonomy.
- Strictly Necessary: session cookies, CSRF tokens, load balancer routing, shopping cart state. No consent required under ePrivacy Article 5(3) exemption. Always on, never togglable.
- Analytics / Statistics: GA4 _ga, Hotjar, Microsoft Clarity, server-side analytics that set cookies. Maps to GCM v2 analytics_storage.
- Marketing / Advertising: Google Ads conversion, Meta Pixel, LinkedIn Insight, programmatic SSP/DSP cookies. Maps to ad_storage + ad_user_data + ad_personalization.
- Preference / Functional: language preference, region selector, dark mode toggle, video autoplay choice. Some jurisdictions exempt these as “strictly necessary” if user-initiated; the conservative position is to ask.
One trap: classify analytics as Strictly Necessary and you’ve broken the banner. CNIL’s 2020 guidance is clear that GA4 is not exempt, even though it’s first-party and the IP is anonymized. Anonymized first-party analytics on a Matomo or Plausible deployment without cookies can qualify, but full GA4 with Client ID does not.
Implementation: GTM Consent Mode + Banner Integration
The minimum viable implementation has three pieces: the CMP SDK loaded synchronously in <head>, a default-denied gtag('consent', 'default', ...) call before GTM, and per-tag Built-in Consent settings inside the GTM container. Skip any one and the banner is theater.
```html
<!-- 1. Default-denied state, BEFORE GTM loads -->
<script>
window.dataLayer = window.dataLayer || [];
function gtag(){dataLayer.push(arguments);}
gtag('consent', 'default', {
  'ad_storage': 'denied',
  'analytics_storage': 'denied',
  'ad_user_data': 'denied',
  'ad_personalization': 'denied',
  'wait_for_update': 500 // ms to hold tags while the CMP restores a stored choice
});
</script>
<!-- 2. CMP SDK (Cookiebot example); replace YOUR-CBID with your Cookiebot domain group id -->
<script id="Cookiebot" src="https://consent.cookiebot.com/uc.js"
        data-cbid="YOUR-CBID" data-blockingmode="auto"></script>
<!-- 3. GTM after consent default -->
<script>(function(w,d,s,l,i){...})(window,document,'script','dataLayer','GTM-XXXX');</script>
```
Inside GTM, every tag’s Consent Settings tab declares which signals it requires. The GA4 Configuration tag waits for analytics_storage = granted. The Google Ads Conversion tag waits for ad_storage. Custom HTML tags need explicit consent declarations or they bypass the system entirely. Push the consent update from your CMP into the data layer with gtag('consent', 'update', {...}) when the user clicks Accept.
Verify with the GTM Preview mode and Google’s Tag Assistant: the Consent tab shows which signals each tag saw at fire time. If a tag fired with denied, you have a configuration bug, not a CMP bug.
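The category taxonomy above and the consent update described in this section meet in one function: the CMP's on-choice callback that turns category toggles into signals and pushes them. Here is an added example of that step, not code from the page, from Cookiebot or from Google. The function names, the choices shape and the data-layer injection are assumptions for illustration; the example also maps the Preference category onto functionality_storage and personalization_storage, two Google-documented consent types beyond the four the page covers.

```javascript
// Added example (not code from the page, Cookiebot or Google): map granular
// category toggles onto Consent Mode v2 signals and push the update.
// Function names and the `categories` shape are assumptions.

// The four signals the page discusses; the last two are v2-mandatory.
const V2_SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Build a gtag() over a given data layer array, mirroring the page's <head>
// snippet. GTM recognises consent commands only as an `arguments` object;
// pushing a plain array in its place is silently ignored.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(arguments); };
}

// Category -> signal mapping from the page's taxonomy. Anything that is not
// explicitly true is denied (no pre-ticked defaults, per Planet49).
// functionality_storage / personalization_storage are Google-documented
// types beyond the four above, used here for the Preference category.
function consentSignalsFromCategories(categories) {
  const g = (on) => (on === true ? 'granted' : 'denied');
  return {
    analytics_storage: g(categories.analytics),
    ad_storage: g(categories.marketing),
    ad_user_data: g(categories.marketing),
    ad_personalization: g(categories.marketing),
    functionality_storage: g(categories.preference),
    personalization_storage: g(categories.preference),
  };
}

// List the v2 signals an update object fails to set; an empty list means the
// update carries everything Google Ads audiences and remarketing need.
function missingV2Signals(signals) {
  return V2_SIGNALS.filter((k) => signals[k] !== 'granted' && signals[k] !== 'denied');
}

// The CMP's on-choice callback: Accept All, Reject All and the granular Save
// button all funnel through here.
function pushConsentUpdate(categories, gtag) {
  const signals = consentSignalsFromCategories(categories);
  const missing = missingV2Signals(signals);
  if (missing.length) throw new Error('incomplete consent update: ' + missing.join(', '));
  gtag('consent', 'update', signals);
  return signals;
}

// Usage with an injected data layer (in a browser, pass the page's own gtag).
const dataLayer = [];
pushConsentUpdate({ analytics: true, marketing: false }, makeGtag(dataLayer));
```

In GTM Preview the pushed update shows up as a consent event, and each tag's Consent tab then reports the signal values it saw; a tag that still fires with analytics_storage denied is declaring the wrong requirement in its Consent Settings, which is the configuration bug the verification step above is meant to surface.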
Common Mistakes That Cause Fines
The CNIL alone has fined Google €150M, Meta €60M, and Microsoft €60M between 2021 and 2023 for cookie-banner violations. The pattern is consistent: the same five mistakes show up in every enforcement decision.
- No Reject button on the first layer. The single most-cited violation. Reject must be one click, not “Manage preferences → uncheck → Save.”
- Pre-ticked category toggles. Planet49 settled this in 2019. Every toggle defaults to off; the user opts in, not out.
- Tags fire before consent. The banner displays but GA4 has already set _ga. Either you’re missing the tag-blocking logic or your CMP is in “info-only” mode. Verify with browser DevTools → Application → Cookies on first pageview.
- “Accept” highlighted, “Reject” muted. CNIL has explicitly cited buttons where Accept is colored and Reject is a gray text link as a dark pattern.
- No way to withdraw consent. Article 7(3) GDPR: withdrawal must be as easy as giving consent. Without a re-consent link, every banner is one revocation away from being unlawful.
- Cookie wall on news/content sites. Conditioning content on Accept is illegal in most EU jurisdictions. “Pay or consent” is a narrow exception that requires careful legal review.
- Vague purpose descriptions. “We use cookies to improve your experience” is not a specific informed consent. Name the purposes: analytics, advertising, content personalization, functional.
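The “tags fire before consent” mistake is the one you can catch mechanically: compare the cookies present on first pageview with what the recorded choice actually permits. Here is an added example of that audit, not code from the page or from any CMP. The allowlist of strictly necessary cookie names, the prefix-to-category table and the sample cookie string are constructed for illustration; in a browser you would pass document.cookie instead of the sample.

```javascript
// Added example (not from the page or any CMP): audit the cookies present
// on a page against the user's recorded choices and report any that should
// not exist. Allowlist, prefix table and sample input are constructed.

// Cookies exempt under ePrivacy 5(3): session, CSRF, cart, and the CMP's
// own consent cookie. Adjust to your stack (assumed names).
const STRICTLY_NECESSARY = new Set(['PHPSESSID', 'csrftoken', 'cart', 'CookieConsent']);

// Known tracking cookie prefixes and the category that must be granted for
// them: GA4 _ga/_ga_<stream>, _gid; Hotjar _hj*; Clarity _clck/_clsk;
// Google Ads _gcl_*; Meta Pixel _fbp/_fbc. Constructed table, extend as needed.
const COOKIE_CATEGORY = [
  ['_ga', 'analytics'], ['_gid', 'analytics'], ['_hj', 'analytics'],
  ['_clck', 'analytics'], ['_clsk', 'analytics'],
  ['_gcl_', 'marketing'], ['_fbp', 'marketing'], ['_fbc', 'marketing'],
];

// Parse a Cookie header / document.cookie string into [name, value] pairs.
function parseCookieHeader(cookieString) {
  return cookieString.split(';')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((pair) => {
      const i = pair.indexOf('=');
      return i < 0 ? [pair, ''] : [pair.slice(0, i), pair.slice(i + 1)];
    });
}

function categorize(name) {
  if (STRICTLY_NECESSARY.has(name)) return 'necessary';
  const hit = COOKIE_CATEGORY.find(([prefix]) => name.startsWith(prefix));
  return hit ? hit[1] : 'unclassified';
}

// Return every non-essential cookie whose category the user has not granted.
// Unclassified cookies are reported too: a cookie nobody can categorize is a
// cookie nobody obtained consent for.
function findConsentViolations(cookieString, choices) {
  const violations = [];
  for (const [name] of parseCookieHeader(cookieString)) {
    const category = categorize(name);
    if (category === 'necessary') continue;
    if (choices[category] !== true) violations.push({ name, category });
  }
  return violations;
}

// Constructed sample: first pageview, banner still open, nothing granted yet.
const SAMPLE_COOKIES = 'csrftoken=abc123; _ga=GA1.1.111.222; _ga_ABC123=GS1.1.333; _fbp=fb.1.444; CookieConsent=-1';
findConsentViolations(SAMPLE_COOKIES, {}); // _ga, _ga_ABC123 and _fbp should not be there yet
```

Run it as a synthetic-monitoring step (a headless browser hitting each property with a clean profile) and the check turns a manual DevTools inspection into a regression test: any new tag that slips past the blocking logic shows up as a violation on the first pageview rather than in an enforcement decision.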
Frequently Asked Questions
Do I need a cookie banner if I only use GA4 and no advertising tools?
Yes for EU/UK traffic. The CNIL, Garante, and other supervisory authorities have ruled that GA4’s _ga cookie and Client ID are personal data requiring consent under ePrivacy Article 5(3), independent of whether you also run ads. The only exempt analytics deployments are cookieless tools like Plausible or properly configured Matomo without persistent identifiers.
Is a notice-only banner (“we use cookies, OK”) legal anywhere?
For EU/EEA/UK traffic: no. Article 5(3) of ePrivacy and the Planet49 ruling require explicit opt-in before non-essential cookies. Notice-only banners are common in the US, where CCPA’s opt-out model accommodates them, but adding a “Do Not Sell or Share” link is still required for California residents.
Can I use Google Consent Mode without a cookie banner?
Technically yes: you’d hardcode all signals to denied and rely on cookieless pings, but you’d also have no way to ever capture consent, so audiences and remarketing stay broken permanently. Google’s documentation assumes a CMP captures the choice and pushes the gtag('consent', 'update', ...) call. Without a banner you have GCM, but no Consent.
What’s the difference between Consent Mode v1 and v2?
v1 had two signals: ad_storage and analytics_storage. v2 added ad_user_data and ad_personalization, and as of March 2024 these are mandatory for advertisers using Google Ads features, audiences, or remarketing for EEA traffic. If you don’t pass v2 signals, your remarketing lists shrink rapidly and modeled conversions stop being computed.
Should I use Basic or Advanced Consent Mode?
Advanced gives you 30-50% more measurable conversions because cookieless pings preserve aggregate signal even from non-consenters. The catch is that some EU regulators (notably CNIL) have not formally blessed the practice, even though they accept Google’s position, so legal teams in stricter sectors prefer Basic. Default recommendation: Advanced unless your DPO objects in writing.
How often does consent need to be refreshed?
The European Data Protection Board (EDPB) recommends maximum 12 months between re-prompts. Refresh sooner if you add new vendors, new purposes, or change the legal basis. The CMP should also re-prompt when the user clears cookies and returns. Persisting consent for 24 months (the GA4 cookie default) without a re-prompt is a documented enforcement target.
Can I track UTM parameters before consent is given?
UTM parameters in URLs are not cookies; reading them from the URL bar is fine before consent. Storing them client-side in localStorage for later attribution is a gray zone; most CMPs treat that as a tracking cookie requiring consent. The compliant path is to forward the UTM via the Measurement Protocol in your default-denied cookieless ping, which works under Advanced Consent Mode.
Related Terms
- GDPR: what governs the personal data once consent is captured
- Cookie: what the banner is gating in the first place
- First-Party Cookie: why GA4 cookies still need consent despite being first-party
- Data Layer: where consent updates are pushed for GTM to read
- Tag Management: the system that enforces consent at fire time
- Container: GTM unit holding the consent-aware tags
- Event: track consent interactions for compliance reporting
- Measurement Protocol: server-side path that survives cookie denial
- Cross-Device Tracking: what breaks when consent is denied
- Conversion: Google’s modeled conversions when consent is denied
- UTM: URL params that work without consent