How to Set Up Cookie Consent Banners That Follow GDPR Guidelines?
If you run a website for your business, you've probably seen those cookie banners everywhere.
However, a cookie banner isn't just a pop-up you slap on your site to look compliant.
It's actually about how you collect and use personal data through cookies and trackers.
Let me walk you through this in plain English, so you can share it with your dev or marketing team and actually get it done right.
Step 1: Find Out What Cookies You're Actually Using
Before you design anything, you need to know what you're asking permission for.
Here's why this matters: Under GDPR, you can only use non-essential cookies (like analytics, marketing pixels, and tracking tools) if you have proper consent and you clearly explain what you're doing with them.
What to do:
Make a list of every tool on your site that sets cookies:
Analytics tools (like Google Analytics)
Advertising and retargeting pixels
A/B testing tools
Heatmaps and session recording tools
Then, sort them into two groups:
Strictly necessary cookies – These keep your site working (login systems, shopping carts, security features). You don't need consent for these, but you still need to tell people about them.
Non-essential cookies – Everything else: analytics, advertising, marketing, and behavioural tracking.
For each cookie, write down:
Why you use it
How long it stays on someone's device
Which company provides it (especially if it's a third party)
You'll need this info for both your banner and your cookie policy.
Step 2: Design a Banner That Gives People a Real Choice
GDPR is very clear: consent must be freely given, specific, informed, and unambiguous.
That means pre-ticked boxes or "if you keep browsing, we assume you agree" don't cut it.
What your banner should include:
Show the banner before any non-essential cookies get set.
Give people real, balanced options:
"Accept all"
"Reject all"
"Customize" or "Manage preferences"
Use clear opt-in checkboxes – nothing pre-ticked for analytics or marketing. Users must actively choose what they want.
Keep the language simple. Something like:
"We use cookies to make our site work, improve performance, and show you relevant content. You can choose what you want to accept."
Show clear categories:
Strictly necessary (always on and explained, but no consent needed)
Analytics/Performance
Advertising/Marketing
Functional (things like chat widgets or video players)
Always include a link to your full cookie policy and privacy policy right on the banner.
Step 3: Don't Hide the "Reject" Button
Here's where many companies get into trouble. Data protection authorities across Europe have issued fines to big platforms for making it harder to reject cookies than to accept them.
To stay compliant:
Put "Accept all" and "Reject all" at the same level:
Same size buttons
Same number of clicks to complete
Both clearly visible (don't bury "Reject" in a submenu)
Avoid "cookie walls" – don't block access to your content just because someone refuses advertising or analytics cookies. That's not allowed for non-essential cookies.
Make sure that when someone clicks "Reject all":
No non-essential cookies get set
Any existing non-essential cookies will stop being used and will be deleted where possible
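Here is what Steps 2 and 3 look like in code. This is an added example, not code from the article: a small consent model where the privacy-first default has every non-essential category off, the three banner actions all produce the same state shape, and "Reject all" works out which cookies have to be expired by matching them against the inventory from Step 1. The cookie names, categories and domain are assumptions standing in for your own audit; browser calls are kept behind a cookie-string interface so the logic can be run outside a page.

```javascript
// Added example (not from the article): consent state + "Reject all" clean-up.
// Browser-specific calls are isolated behind a document.cookie-style string
// so the logic can be exercised outside a browser.

// Cookie categories shown on the banner. 'necessary' never needs consent.
const CATEGORIES = ['necessary', 'analytics', 'marketing', 'functional'];

// Hypothetical result of the Step 1 audit: which cookie names belong to which
// category. Regex keys let one entry cover a cookie family (e.g. _ga, _ga_XXXX).
const COOKIE_INVENTORY = [
  { pattern: /^(session|csrf_token|cart_id)$/, category: 'necessary' },
  { pattern: /^_ga(_.*)?$|^_gid$/, category: 'analytics' },  // assumed analytics cookies
  { pattern: /^_fbp$|^ads_/, category: 'marketing' },         // assumed ad pixel cookies
  { pattern: /^chat_widget$/, category: 'functional' },
];

// Privacy-first default: before any choice, only 'necessary' is on.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, functional: false };
}

// Translate a banner action into a consent state. 'customize' uses the
// checkbox values exactly as the user set them (nothing is pre-ticked);
// 'reject_all' and anything unrecognised leave only 'necessary' on.
function consentFromChoice(action, checkboxes = {}) {
  const state = defaultConsent();
  if (action === 'accept_all') {
    for (const c of CATEGORIES) state[c] = true;
  } else if (action === 'customize') {
    for (const c of CATEGORIES) {
      if (c !== 'necessary') state[c] = checkboxes[c] === true;
    }
  }
  return state;
}

// A cookie not in the inventory is treated as non-essential: the audit in
// Step 1 is what earns a cookie the right to stay.
function categoryOf(cookieName) {
  const hit = COOKIE_INVENTORY.find((e) => e.pattern.test(cookieName));
  return hit ? hit.category : 'unknown';
}

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((p) => p.trim())
    .filter(Boolean)
    .map((p) => p.split('=')[0]);
}

// Names of cookies that are present but not covered by the current consent.
function cookiesToDelete(cookieString, consent) {
  return cookieNames(cookieString).filter((name) => {
    const cat = categoryOf(name);
    return !(cat === 'necessary' || consent[cat] === true);
  });
}

// Expiring assignments for one cookie. Cookies set by third parties on their
// own domains cannot be deleted from here (same-origin rule), which is why the
// article says "where possible": for those the fix is not loading the script.
function expireCookie(name, domain) {
  const base = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
  // Try both host-only and domain-wide variants, since either may have been used.
  return domain ? [base, `${base}; domain=${domain}`] : [base];
}

// Apply a banner action: returns the new consent state and the cookie writes
// needed. In a browser: for (const w of writes) document.cookie = w;
function applyChoice(action, checkboxes, cookieString, domain) {
  const consent = consentFromChoice(action, checkboxes);
  const writes = cookiesToDelete(cookieString, consent).flatMap((n) => expireCookie(n, domain));
  return { consent, writes };
}

// Post-condition to check after "Reject all": nothing non-essential remains.
function hasOnlyNecessaryCookies(cookieString) {
  return cookieNames(cookieString).every((n) => categoryOf(n) === 'necessary');
}
```

Note that the same `applyChoice` function serves all three buttons, so "Reject all" costs exactly the same single click as "Accept all", and the unknown-cookie rule means a tracker that slipped past the audit is cleaned up rather than silently tolerated.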
Step 4: Back It Up With a Proper Cookie Policy
Your banner is just the front door. You also need a detailed cookie policy that explains exactly how cookies collect personal data.
Your cookie policy should cover, at least:
What data you collect – IP addresses, device info, browsing behavior, etc.
Why you collect it – to improve the site, for advertising, for personalization, for security
Legal basis – consent for non-essential cookies; legitimate interest or contract only where genuinely appropriate (typically not for marketing/tracking)
How long cookies last – retention periods for each type
Third parties – which companies receive data (analytics providers, ad networks, etc.)
Practical tips: Link to your cookie policy from the banner ("Learn more in our Cookie Policy") and in your website footer. Review it regularly – whenever you add or remove tools, and at least once a year.
Step 5: Let People Change Their Minds Anytime
Under GDPR, users must be able to withdraw consent as easily as they gave it. And when they do, you must stop processing their data based on that consent.
Make this practical:
Add a permanent link in your footer or account menu: "Cookie Settings" or "Privacy Settings"
When users click it, let them turn off analytics, marketing, or functional cookies that they previously allowed.
What happens technically:
When consent is withdrawn:
Stop loading any scripts that depend on that consent
Stop reading or updating the related cookies
Delete or deactivate them where technically possible
Continuing to set cookies after someone has refused or withdrawn consent is exactly the kind of behaviour that gets companies fined.
Step 6: Get Your Tech Team on Board
GDPR ties cookie compliance to broader principles like data minimisation and security.
Technical checklist:
1. Default to privacy first – before consent, only strictly necessary cookies should be active
Use a Consent Management Platform (CMP) or custom code that:
Reads the user's choice
Only loads tools like analytics and ads after consent for that category
2. Make sure your scripts:
Don't send personal data to third parties without consent (where consent is required)
Respect changes in consent, including withdrawals
3. And remember:
Don't keep cookie-derived personal data longer than necessary
Make sure your systems respect the retention periods you've declared
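The "only load after consent, stop after withdrawal" requirement of Steps 5 and 6 is, at bottom, a gate in front of your third-party script tags. The following is an added example, not the article's or any CMP vendor's code: a gate that takes a registry of tools (built from the Step 1 audit) and, each time consent changes, loads the tools that became allowed and removes those that were withdrawn, clearing the cookies they own. The tool names, script URLs and cookie names are assumptions; the DOM calls are injected so the same logic can be dry-run outside a browser.

```javascript
// Added example (not from the article): a consent-gated loader for third-party
// tools with withdrawal handling. Side effects are injected via an `io` object.

// Hypothetical registry from the Step 1 audit. Each tool declares the consent
// category it depends on and the cookies it is known to set.
const TOOL_REGISTRY = [
  { id: 'analytics-vendor', category: 'analytics', src: 'https://analytics.example/tag.js', cookies: ['_ga', '_gid'] },
  { id: 'ad-pixel', category: 'marketing', src: 'https://ads.example/pixel.js', cookies: ['_fbp'] },
  { id: 'chat-widget', category: 'functional', src: 'https://chat.example/widget.js', cookies: ['chat_widget'] },
];

function createConsentGate(registry, io) {
  // io.loadScript(src, id), io.removeScript(id) and io.deleteCookie(name) are
  // the only side effects; see browserIO() for the real-page implementation.
  const loaded = new Set();
  // Privacy-first default: nothing non-essential runs until applyConsent is called.
  let current = { necessary: true, analytics: false, marketing: false, functional: false };

  // Reconcile what is loaded with the new consent state. Returns the actions
  // taken so the caller (or a test) can see exactly what changed.
  function applyConsent(next) {
    const actions = [];
    for (const tool of registry) {
      const allowedNow = next[tool.category] === true;
      if (allowedNow && !loaded.has(tool.id)) {
        io.loadScript(tool.src, tool.id);
        loaded.add(tool.id);
        actions.push(`load:${tool.id}`);
      } else if (!allowedNow && loaded.has(tool.id)) {
        // Withdrawal: remove the tag and clear the cookies it owns. Code that
        // already executed cannot be undone in-page, so many sites also reload
        // the page here; removing the tag at least prevents future loads.
        io.removeScript(tool.id);
        loaded.delete(tool.id);
        for (const c of tool.cookies) io.deleteCookie(c);
        actions.push(`unload:${tool.id}`);
      }
    }
    current = { ...next };
    return actions;
  }

  function isLoaded(id) { return loaded.has(id); }
  function getConsent() { return { ...current }; }
  return { applyConsent, isLoaded, getConsent };
}

// Browser adapter (assumption: runs inside a page; not exercised elsewhere).
function browserIO() {
  return {
    loadScript(src, id) {
      const s = document.createElement('script');
      s.src = src;
      s.async = true;
      s.dataset.consentTool = id;
      document.head.appendChild(s);
    },
    removeScript(id) {
      document.querySelectorAll(`script[data-consent-tool="${id}"]`).forEach((s) => s.remove());
    },
    deleteCookie(name) {
      document.cookie = `${name}=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/`;
    },
  };
}

// Recording adapter for dry runs and tests: logs calls instead of touching the DOM.
function recordingIO() {
  const log = [];
  return {
    log,
    loadScript(src, id) { log.push(['load', id, src]); },
    removeScript(id) { log.push(['remove', id]); },
    deleteCookie(name) { log.push(['deleteCookie', name]); },
  };
}
```

In a real page you would create the gate once with `browserIO()`, call `applyConsent` with the stored choice on every page load (so tools never fire before a choice exists) and again whenever the "Cookie Settings" panel changes something. The recording adapter is also a cheap compliance check: run the gate against "Reject all" and confirm the log contains no `load` entries.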
Step 7: Keep Records of Consent
Under GDPR, you need to be able to prove that you got valid consent and for what purposes.
The burden of proof is on you as the business owner.
What to log (in a privacy-respecting way):
Date and time when the user gave consent
Version of the banner and policies shown at that moment
Specific choices made (e.g., analytics: yes, marketing: no)
Document internally:
How your cookie banner works (what scripts load based on consent)
When you updated text, categories, or providers
This helps both with compliance and with responding to any questions from regulators or users.
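To make Step 7 concrete, here is an added example (not from the article) of an append-only consent log in the shape described above: each record carries the timestamp, the banner and policy versions shown, the action and the per-category choices, and a withdrawal is logged as a new record rather than by overwriting the old one, so the history is the proof. The record is keyed by a random per-visitor consent ID rather than by IP address or account, and a validation step refuses records that smuggle identifying fields in. Field names, version strings and the consent ID format are assumptions.

```javascript
// Added example (not from the article): an append-only consent record with
// a point-in-time lookup for answering "was this consented on date X?".

const BANNER_VERSION = 'banner-v3';              // assumption: bump whenever banner text/categories change
const POLICY_VERSION = 'cookie-policy-2024-05';  // assumption: bump whenever the cookie policy changes
const CATEGORIES = ['necessary', 'analytics', 'marketing', 'functional'];

// Build one record. consentId is a random per-visitor identifier kept in a
// first-party cookie, so later withdrawals can be matched to this record
// without the log holding IP addresses or account data.
function buildConsentRecord({ consentId, action, choices = {}, now = new Date() }) {
  const record = {
    consentId,
    timestamp: now.toISOString(),
    bannerVersion: BANNER_VERSION,
    policyVersion: POLICY_VERSION,
    action,            // 'accept_all' | 'reject_all' | 'customize' | 'withdraw'
    choices: {},
  };
  for (const c of CATEGORIES) {
    record.choices[c] = c === 'necessary' ? true : choices[c] === true;
  }
  return record;
}

// Never overwrite: the latest record is the current state, earlier ones are evidence.
function appendRecord(history, record) {
  return [...history, record];
}

// Current choices for a visitor, or null if they never interacted with the banner.
function currentConsent(history, consentId) {
  const mine = history.filter((r) => r.consentId === consentId);
  return mine.length ? mine[mine.length - 1].choices : null;
}

// Answer a regulator's or user's question: was `category` consented at time
// `at`, and under which banner/policy version? ISO-8601 UTC strings compare
// correctly as plain strings, which keeps the lookup simple.
function consentAt(history, consentId, category, at) {
  const t = at.toISOString();
  const before = history.filter((r) => r.consentId === consentId && r.timestamp <= t);
  if (!before.length) return { consented: false, evidence: null };
  const last = before[before.length - 1];
  return {
    consented: last.choices[category] === true,
    evidence: {
      timestamp: last.timestamp,
      bannerVersion: last.bannerVersion,
      policyVersion: last.policyVersion,
      action: last.action,
    },
  };
}

// Sanity check before persisting: the log must not carry identifying fields it
// does not need, and must not be missing anything needed to prove consent.
const FORBIDDEN_FIELDS = ['ip', 'ipAddress', 'userAgent', 'email'];
const REQUIRED_FIELDS = ['consentId', 'timestamp', 'bannerVersion', 'policyVersion', 'action', 'choices'];
function validateRecord(record) {
  const problems = [];
  for (const f of FORBIDDEN_FIELDS) if (f in record) problems.push(`contains ${f}`);
  for (const f of REQUIRED_FIELDS) if (!(f in record)) problems.push(`missing ${f}`);
  return problems;
}
```

Because every record pins the banner and policy versions, you can show not only that someone consented but what text and categories they saw when they did, which is exactly what the "version of the banner and policies shown at that moment" item above is for.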
Step 8: Make Sure Everything Matches
Your GDPR compliance has three main parts that need to work together:
GDPR-compliant privacy policy
Valid cookie consent mechanism
Proper contracts with providers (data processing agreements where needed)
Check that:
Your banner and cookie policy match what's in:
Your privacy policy
Your internal data mapping
Your contracts with analytics and advertising providers
If you use analytics platforms or ad networks:
You have appropriate agreements in place
You understand what data they collect and how they use it
Quick Summary (Save This on Your Phone)
If you only remember a few things, make it these:
🔍 Audit first – know every cookie and tracker, and why you use it
✅ Real consent – no pre-ticked boxes, no "by continuing you agree"
⚖️ Balanced choices – "Accept all" and "Reject all" must be equally easy
📄 Back it up – clear cookie policy + privacy policy, kept up to date
🔁 Easy opt-out – permanent "Cookie settings" link + full withdrawal option
🧩 Technical alignment – scripts only fire after consent, and stop after withdrawal
🗂️ Keep proof – records of how and when consent was obtained
The content of this article is general information based on GDPR requirements, not tailored legal advice for your specific situation. It has a strictly informative and general purpose; the information contained does not constitute legal advice.
Every business is different, and cookie compliance can get technical depending on your tools and setup. For personalised analysis of your website, cookie banner, and overall GDPR compliance, schedule a consultation call or write to us directly at 📧 anamaria@legallyremote.online.