Cookie Consent Banner Examples: 8 Real Patterns Ranked by GDPR Compliance
What the GDPR Requires from a Cookie Banner
The GDPR and the ePrivacy Directive establish five non-negotiable rules for cookie consent:
- Freely given: Rejecting cookies must be as easy as accepting them.
- Specific: Consent must be requested separately for each purpose.
- Informed: Users must know what they are consenting to before they consent.
- Unambiguous: Pre-ticked boxes and continued browsing do not count.
- Withdrawable: Users must be able to withdraw consent at any time.
Example 1: The “Accept Only” Banner (Non-Compliant)
What it looks like
A small bar with “We use cookies to improve your experience” and one “OK” button. No reject option, no settings.
Why it fails
No genuine choice, no information about cookies, no way to decline. CNIL fined Google EUR 150 million and Facebook EUR 60 million in 2022 for this exact pattern.
Verdict: Illegal under GDPR.
Example 2: Accept All + Tiny “Manage Preferences” Link (Non-Compliant)
What it looks like
A prominent “Accept All” button with a small grey “Manage Preferences” link. No “Reject All” button.
Why it fails
Visual hierarchy pushes users toward accepting. Rejecting requires two clicks while accepting requires one. Multiple DPAs have ruled this is not freely given consent.
Verdict: Non-compliant. Reject must be as accessible as Accept.
Example 3: Equal Accept and Reject Buttons (Compliant)
What it looks like
Two equally sized buttons: “Accept All” and “Reject All.” Below them, a “Manage Preferences” link. Brief explanation of cookie purposes.
Why it works
Genuine free choice, both options equally prominent, one click each. This is the pattern CNIL explicitly recommended.
Verdict: Compliant. The baseline every website should meet.
Example 4: The Cookie Wall (Non-Compliant)
What it looks like
Full-screen overlay blocking all content. The only option is “Accept Cookies.”
Why it fails
GDPR Article 7(4) — consent is not freely given if access to the service is conditional on it. The Dutch DPA concluded cookie walls are generally not permitted.
Verdict: Non-compliant in most EU jurisdictions.
Example 5: Pre-Ticked Checkboxes (Non-Compliant)
What it looks like
Detailed banner showing cookie categories with checkboxes — but all boxes are pre-ticked.
Why it fails
The CJEU Planet49 ruling (2019) settled this definitively: pre-ticked boxes do not constitute valid consent. Consent requires a clear affirmative action.
Verdict: Explicitly illegal per CJEU case law.
Example 6: The Layered Approach (Compliant — Best Practice)
What it looks like
First layer: compact banner with Accept All, Reject All, and Customise buttons. Second layer: detailed preference centre with individual category toggles and vendor list. Third layer: full cookie policy.
Why it works
Balances information with usability. First layer delivers choice, second delivers detail, third delivers full transparency. Explicitly recommended by the EDPB.
Verdict: Best practice. The gold standard for compliance.
Example 7: Misleading Button Labels (Non-Compliant)
What it looks like
“I agree” versus “I do not agree to reject non-essential cookies.” Or: “Accept recommended settings” versus “Use limited version.”
Why it fails
GDPR Recital 42 requires clear, plain language. Double negatives, implied consequences, and guilt-tripping labels like “No thanks, I don’t care about my experience” are manipulative and non-compliant.
Verdict: Non-compliant. Use clear, neutral labels.
Example 8: The Compliant Banner Done Right
What it looks like
A clean bottom bar with: clear headline, brief explanation, three equally styled buttons (Accept All, Reject All, Manage Preferences), and a link to the cookie policy. Manage Preferences opens a preference centre with individual toggles, vendor list, and Save button.
Why it works
Checks every box: free choice, symmetric buttons, layered information, plain language, no pre-ticked boxes, easy withdrawal via cookie settings icon.
Verdict: Fully compliant.
Real Fines for Bad Banners
- Google (France, 2022): EUR 150 million — reject option was harder to find than accept.
- Facebook (France, 2022): EUR 60 million — same asymmetry issue.
- Microsoft (France, 2022): EUR 60 million — advertising cookies set without valid consent.
- TikTok (France, 2023): EUR 5 million — rejecting cookies required more steps than accepting.
Compliance Checklist
- Is there a visible “Reject All” button on the first layer?
- Are Accept and Reject equally prominent?
- Are all checkboxes unticked by default?
- Does the banner display before non-essential cookies are set?
- Can users access granular category controls?
- Is consent logged with a timestamp?
- Can users change consent at any time?
- Is the banner in the user’s language?
- Does clicking Reject actually prevent non-essential cookies?
How FlexyConsent Handles This Out of the Box
FlexyConsent is a Google-certified CMP with IAB TCF 2.3 support. It addresses every compliance requirement:
- Equal Accept and Reject buttons on the first layer
- Layered approach built in (first layer for choice, second for granular controls)
- No pre-ticked boxes — all optional categories unticked by default
- Google Consent Mode V2 integrated out of the box
- 43 languages with auto-detection
- Geo-targeting for region-specific banners
- Consent logging and proof for audits
- Plans from EUR 0/month
Set up a compliant banner in under five minutes at panel.flexyconsent.com.