Cookie consent 101: what you actually need on your website

If you have a website, you almost certainly have cookies. And if you have non-essential cookies — which most sites using analytics, advertising, or social media integrations do — then you are legally required to obtain consent before setting them. This is one of the most misunderstood areas of data protection law, and non-compliant cookie banners remain one of the most common compliance failures regulators encounter.

What does the law actually require?

Cookie consent in the UK and EU is governed by two overlapping frameworks: the ePrivacy Directive (implemented as PECR in the UK) and GDPR. The key rule is simple: you cannot set non-essential cookies on a user's device without their prior, informed consent.

Prior means before the cookie is set — not after the page has loaded. Informed means the user understands what they are consenting to. Consent means a positive, affirmative action — not merely continuing to browse your website.

Essential cookies — those strictly necessary for the website to function — are exempt. Analytics cookies, advertising cookies, social media pixels, and personalisation cookies are not essential and require consent.

A valid cookie consent mechanism must:

  • Appear before non-essential cookies are set. If your analytics scripts fire on page load before the user interacts with the banner, you are already non-compliant.
  • Offer a genuine choice. "Accept" and "Reject" must be equally prominent. A large green "Accept all" button paired with a small grey "Manage settings" link buried in the text fails this test.
  • Not use dark patterns. Pre-ticked boxes, confusing language, or design choices that make rejection harder than acceptance are explicitly prohibited.
  • Allow withdrawal of consent. Users must be able to change their cookie preferences after their initial choice — typically via a link in the footer.
  • Not gate access to content on consent. Cookie walls — where users must accept cookies to access the website — are unlawful in most EU jurisdictions.

The common mistakes that make your banner non-compliant

The most frequent non-compliance patterns regulators identify are:

  • Scripts loading before consent is given, particularly Google Analytics with async tags that fire immediately
  • No reject option — only "Accept" and "Manage preferences"
  • Implied consent through continued browsing ("By using our website you agree to cookies")
  • Consent recorded but not maintained — analytics fires even on return visits without a new consent signal
  • Cookie policy that does not match what cookies are actually being set

The solution is to implement a proper Consent Management Platform (CMP) that blocks all non-essential scripts until consent is given, records consent decisions, and respects user choices across sessions. There are good free and paid options available that handle this correctly without requiring any code changes beyond a single script tag.
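As an added illustration (not the article's code, nor any CMP vendor's), this is the gating logic a CMP performs, written so it also runs outside a browser: scripts are tagged with a category and held back until a stored, explicit consent record allows them, a return visit re-reads that record instead of re-firing analytics, and a corrupt or missing record means "no consent, show the banner". The storage key, the category names, and the injected `store` and `loader` are assumptions.

```javascript
// Consent-gated script loading, minimal CMP core (added example, not the article's code).
// Assumed: a localStorage-like `store` and a `loader(src)` callback supplied by the caller;
// in a browser, loader would append a <script> element and store would be localStorage.
const CONSENT_KEY = 'cookie_consent_v1';                              // assumed storage key
const CATEGORIES = ['analytics', 'advertising', 'personalisation'];   // non-essential only

// A consent record counts only if it is our version and carries explicit choices.
function readConsent(store) {
  const raw = store.getItem(CONSENT_KEY);
  if (!raw) return null;
  try {
    const rec = JSON.parse(raw);
    if (!rec || rec.version !== 1 || !rec.choices || typeof rec.choices !== 'object') return null;
    return rec;
  } catch (e) {
    return null;                                  // corrupt record: treat as no consent
  }
}

// Record the user's decision. Anything not explicitly `true` is stored as false,
// so nothing is "pre-ticked"; calling with {} withdraws all consent.
function recordConsent(store, choices) {
  const rec = { version: 1, at: new Date().toISOString(), choices: {} };
  for (const cat of CATEGORIES) rec.choices[cat] = choices[cat] === true;
  store.setItem(CONSENT_KEY, JSON.stringify(rec));
  return rec;
}

function hasConsent(store, category) {
  if (category === 'essential') return true;      // strictly necessary: exempt
  const rec = readConsent(store);
  return rec !== null && rec.choices[category] === true;
}

// The banner is shown only when no valid decision exists; "Reject" suppresses it too.
function needsBanner(store) {
  return readConsent(store) === null;
}

// Load each deferred script whose category is consented to, never the same src twice.
// `deferred` items look like { src, category }; returns the srcs fired on this call.
function loadAllowed(store, deferred, loader, loaded = new Set()) {
  const fired = [];
  for (const s of deferred) {
    if (loaded.has(s.src) || !hasConsent(store, s.category)) continue;
    loader(s.src);
    loaded.add(s.src);
    fired.push(s.src);
  }
  return fired;
}

// In-memory store so the example runs without a browser.
function makeMemoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)) };
}
```

In a browser, one common way to build the `deferred` list is to ship third-party tags as inert `<script type="text/plain" data-category="…" data-src="…">` elements and have `loader` create the real `<script>` only after `loadAllowed` permits it; run `loadAllowed` once on every page load so return visits honour the stored decision.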

Ready to simplify your compliance?

Trust Center manages your privacy policies, cookie consent, and DSARs — one platform, all your brands, always up to date.
