Whether you need a cookie banner depends on where your visitors come from and what cookies you set. Here is a plain-English breakdown by region.
European Union — yes, for non-essential cookies
Under the EU's ePrivacy Directive (implemented differently in each member state but consistently enforced), you must get prior, informed consent before setting any non-essential cookies. Essential cookies — those strictly necessary for the website to function — are exempt. Almost everything else requires consent:
- Analytics cookies (Google Analytics, Hotjar, etc.)
- Marketing and advertising cookies (Meta Pixel, Google Ads)
- Social media sharing buttons
- A/B testing tools
- Personalisation cookies
The consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes and "by continuing to use this site" statements do not meet the legal standard.
United Kingdom — yes, same standard as EU
The UK's Privacy and Electronic Communications Regulations (PECR) require consent for non-essential cookies. The standard mirrors EU requirements. The ICO has published guidance that "implied consent" is not sufficient.
United States — it depends
There is no federal US cookie consent law. However, California's CCPA/CPRA requires you to allow users to opt out of the "sale" or "sharing" of their personal information, which includes cookies used for targeted advertising. If you serve California residents and use third-party advertising cookies, you need an opt-out mechanism — a "Do Not Sell or Share My Personal Information" link at minimum.
Virginia (VCDPA), Colorado (CPA), and other state laws add similar requirements for targeted advertising.
Canada — consent required for non-essential cookies
Canada's PIPEDA and provincial laws require meaningful consent for the collection and use of personal information, which includes cookies that collect personal data. The OPC has indicated that implied consent may be acceptable for some uses, but explicit consent is recommended for tracking and advertising cookies.
Australia — generally yes for tracking cookies
Australia's Privacy Act doesn't specifically address cookies, but the Australian Privacy Principles require transparency and consent for collecting personal information. Cookies that collect personal data fall under this requirement.
What a compliant cookie banner must do
To comply in the EU and UK at minimum, your cookie banner must:
- Appear before non-essential cookies are set (not after)
- Explain what categories of cookies you use and why
- Allow users to accept, reject, or customise their choices
- Make rejecting cookies as easy as accepting them
- Remember the user's choice and honour it
- Allow users to change their choice later (a cookie settings link)
Do you actually need one?
If your website only uses strictly essential cookies and no analytics or marketing tools, you technically don't need a consent banner in most jurisdictions. But the moment you add Google Analytics, Meta Pixel, or similar tools, a banner is required for EU and UK visitors. Given that most business websites use at least one of these, the practical answer for most SMBs is yes.