How to Set Up a Compliant Cookie Consent Mechanism

Guide · 8 min read · Updated 2026-03-23

A cookie consent mechanism is the system that blocks non-essential cookies until a user opts in. Most sites don’t have one — they have banners instead. The difference is crucial: a banner is decorative; a mechanism is functional.

This guide covers choosing a consent management platform (CMP), configuring it for genuine choice, blocking pre-consent scripts, writing a policy, and testing that it works.

Why This Matters

A non-functional consent mechanism leaves you exposed. Users see a banner that appears to gather consent, but cookies fire anyway. Legally, you’ve placed cookies without consent. That’s a PECR breach. If those cookies process personal data (which they do), it’s also a UK GDPR breach. The February 2026 DUAA amendments mean breaches can attract fines up to £17.5M or 4% of worldwide turnover.

A functional mechanism protects both your users and your business. It blocks non-essential cookies until consent is given, respects withdrawal, offers genuine choice, and maintains audit trails — all the documentation you need if the ICO investigates.

Step 1: Audit Your Cookies First

Before choosing a CMP, you need to know what cookies your site actually loads.

Quick method: Use an online scanner like Cookiebot, CookieYes, or Similar Web. Paste your URL and let it scan. Download the report. Most scanners cost £50–500 depending on detail level but give comprehensive results.

Free method: Use browser developer tools. Open your site, open the Network and Storage tabs, clear cookies, reload the page, and note every third-party domain contacted and every cookie set before you interact with the page.

Expected outcome: Most sites load 10–30+ cookies, often 2–3x more than the site owner expected. Don’t be surprised by plugins, CMS features, or embedded widgets you forgot about.

Step 2: Choose a CMP

A good CMP must:

  • Display a compliant consent banner (customizable to your brand)
  • Actually block non-essential scripts until consent is given
  • Generate a cookie policy from your scanned cookies
  • Store consent records (for audit trail)
  • Integrate with Google Tag Manager (GTM) or your site code
  • Enable consent withdrawal via a persistent preference center

Reputable options:

  • Cookiebot (€50–350/month): excellent script-blocking integration, good UI, strong international compliance
  • CookieYes ($40–200/month): user-friendly, strong GTM integration, good support
  • Termly ($99–600/year): generates privacy policy + cookie policy together, good for new sites
  • Osano (custom pricing): detailed reporting, strong documentation, best for larger sites

If your site uses Google Tag Manager (recommended), choose a CMP with built-in GTM support. This simplifies the configuration because your CMP can manage script execution directly through GTM triggers.

Many CMPs offer free trials. Test one for a week before committing.

Step 3: Install and Configure Your CMP

Most CMPs follow a similar setup:

  1. Create an account on the CMP platform
  2. Add your website URL
  3. Let the CMP scan your site (usually automatic)
  4. Review detected cookies and categorize them (essential, analytics, marketing, functional)
  5. Customize the banner — colors, text, button labels
  6. Generate a cookie policy from the scanned cookies
  7. Configure script blocking — link your CMP to GTM or your site code
  8. Add the CMP code to your website (usually a single script tag)

Most CMPs provide a setup wizard that walks you through these steps. Follow it carefully.

Step 4: Categorize Cookies Correctly

As you configure, classify every detected cookie:

Essential: Does the service function without this cookie? If not, it’s essential. Examples: shopping cart, login session, CSRF protection tokens.

Analytics: Does it measure site usage or user behavior? Examples: Google Analytics (_ga), Hotjar, Matomo.

Marketing: Does it track users across sites for advertising? Examples: Facebook Pixel, Google Ads, LinkedIn tracking.

Functional: Does it improve user experience without direct marketing intent? Examples: live chat widget, language preference, accessibility settings.

Unknown: Can’t determine? Mark it and investigate. Contact the provider if needed.

Be strict about “essential.” Most analytics, advertising, and marketing scripts are not essential — they’re nice-to-have. If in doubt, classify as non-essential.

Step 5: Configure the Banner for Genuine Choice

Once your CMP is installed, configure the banner itself:

Button prominence: “Accept all” and “Reject all” must be equally prominent. Same size, same color, same distance from the top. If “Reject all” is smaller or further down the page, the choice isn’t genuine.

Category granularity: Offer users the ability to accept some categories while rejecting others (analytics yes, marketing no). This isn’t required but users appreciate it.

No pre-ticking: Don’t pre-tick any non-essential categories. Pre-ticked boxes count as assumed consent, which fails the freely given test.

Clear language: Explain what each category does in plain English. Avoid jargon.

Accessibility: Ensure the banner is keyboard navigable, screen reader compatible, and meets WCAG 2.1 AA standards. If it’s not, you’re violating both PECR and accessibility law.

Step 6: Configure Script Blocking

This is the critical technical step. Your CMP must actually prevent non-essential scripts from executing until consent is given.

If you use Google Tag Manager:

  1. In your CMP settings, enable GTM integration
  2. In GTM, apply consent conditions to your tracking tags
  3. Create a rule in GTM that says: “Only fire Google Analytics tag if analytics consent is true”
  4. Do the same for any other tracking tags (Facebook Pixel, LinkedIn, etc.)
  5. Test by loading your site with consent denied — these tags should not fire

If you don’t use GTM:

Your CMP likely provides direct JavaScript methods to check consent status. Wrap your tracking code with a consent check:

// userConsentsTo() stands in for your CMP's own consent-check method
if (userConsentsTo('analytics')) {
  // Load Google Analytics or other tracker only inside this branch
}

Your CMP documentation will show the exact method names. Don’t skip this — it’s the difference between a banner and a functional mechanism.
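The consent check above is one `if`; what turns it into a mechanism is deferring every non-essential loader until its category is granted, persisting the choice, and honouring withdrawal on the next load. The following consent gate is an added example written for this guide, not code from the original page or from any CMP vendor; all names are hypothetical, and `storage` is injectable (a Map here, a localStorage wrapper in the browser) so the same logic runs in Node and in the page.

```javascript
// Minimal consent gate: tracker loaders are registered under a category and run
// only once that category has been granted; nothing non-essential runs beforehand.
function createConsentGate(storage = new Map()) {
  const KEY = 'consent-state';
  const saved = storage.get(KEY) || {};
  // Essential is always on and is not a consent category; the rest default to denied.
  const state = { analytics: !!saved.analytics, marketing: !!saved.marketing, functional: !!saved.functional };
  const pending = { analytics: [], marketing: [], functional: [] }; // loaders waiting for consent
  const loaded = [];    // names of loaders that actually ran (useful for the Step 9 test)
  const listeners = [];

  function run(loader) { loaded.push(loader.name || '(anonymous)'); loader(); }

  return {
    // Register a tracker loader. Runs now if that category is allowed, otherwise
    // it is parked until the user grants the category.
    whenAllowed(category, loader) {
      if (category === 'essential') return run(loader);
      if (!(category in pending)) throw new Error(`unknown consent category: ${category}`);
      if (state[category]) run(loader); else pending[category].push(loader);
    },
    // Record the banner or preference-centre choice and release parked loaders.
    // Withdrawal cannot unload a script that already ran on this page; listeners
    // should delete that category's cookies, and the next page load stays blocked.
    update(choices) {
      for (const [category, allowed] of Object.entries(choices)) {
        if (category in state) state[category] = Boolean(allowed);
      }
      storage.set(KEY, { ...state, updatedAt: new Date().toISOString() }); // audit record
      for (const category of Object.keys(pending)) {
        if (state[category]) pending[category].splice(0).forEach(run);
      }
      listeners.forEach(fn => fn({ ...state }));
    },
    isAllowed(category) { return category === 'essential' || state[category] === true; },
    onChange(fn) { listeners.push(fn); },
    loadedTrackers() { return [...loaded]; },
  };
}
```

In a real deployment the banner's buttons call `update()` with every category set, so "Reject all" is an explicit denied record rather than the absence of one.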

Step 7: Write Your Cookie Policy

Most CMPs generate a cookie policy automatically from the scanned cookies. Review and customize:

Introduction: Brief explanation of what cookies are and why you use them (2–3 paragraphs).

Consent mechanism: Explain how users can manage their preferences and withdraw consent.

Cookie table: List each cookie with:

  • Name (e.g., _ga)
  • Purpose (what it does)
  • Provider (Google, Facebook, etc.)
  • Duration (session, 2 years, etc.)
  • Category (essential, analytics, marketing)

Contact details: Where to email if users have questions about your cookie use.

Link from banner: Your CMP should automatically link the banner to your cookie policy. Test this.

Link from footer: Add a footer link to your cookie policy and your preference center so users can access them at any time.

Step 8: Enable Consent Withdrawal

Users must be able to change their preferences after initial consent. This requires:

Preference center: A page or modal that lets users toggle categories on/off. Most CMPs provide this out of the box.

Persistent link: A footer link (every page) labeled “Cookie preferences” or “Manage cookies” that opens the preference center.

Functionality test: Click the link. Does the preference center open? Can you change preferences? Does the change persist on reload? If no to any of these, your CMP isn’t configured correctly.

Step 9: Test That It Works

Before going live, verify compliance:

  1. Clear cookies in your browser
  2. Reload your site with the Network tab visible
  3. Check pre-consent requests: Do you see requests to Google, Facebook, advertising networks, or other trackers before you interact with the banner? If yes, your script blocking isn’t working.
  4. Test “Reject all”: Click the reject button. Reload the page. Do the same pre-consent requests fire? They shouldn’t.
  5. Test “Accept all”: In a new session, click accept. Reload. Now do the requests fire? They should.
  6. Test withdrawal: Accept consent, then navigate back and change your preferences. Does the change persist?
  7. Test accessibility: Can you navigate the banner using only the keyboard? Does a screen reader read the button text correctly?
  8. Test mobile: Does the banner appear correctly on mobile? Can you interact with it?

If any step fails, work with your CMP vendor or your developer to fix it before going live.

Step 10: Document Everything

Maintain records:

  • Scan results: Save the cookie scan report from your CMP
  • Consent records: Your CMP should store when each user gave consent, what they consented to, and when they changed preferences
  • Policy version: Keep version history of your cookie policy as it changes
  • Audit trail: Document when you re-audited and found new cookies

These records are your defense if the ICO investigates. They prove you attempted to comply.

Step 11: Schedule Quarterly Re-Audits

Websites change. New plugins, new integrations, new CMS versions — each can introduce new cookies.

Set a calendar reminder: every three months, re-scan your site. If new cookies appear, update your cookie policy and ensure your consent mechanism covers them.

Many CMPs alert you when a new domain is detected, which simplifies this process.

Ongoing Maintenance

Once live, your mechanism requires minimal ongoing work:

  • Quarterly re-audit (as above)
  • Monitor your CMP dashboard for alerts about new scripts
  • Update your cookie policy when new cookies appear
  • Brief your development team that any new plugins or integrations should go through your CMP

If your business adds new tracking tools (new email provider, new analytics platform, new CMS features), these need to go through your consent mechanism. Don’t bypass your CMP for convenience.

What’s Next

A compliant consent mechanism is the visible part of cookie compliance. The invisible part is UK GDPR data processing obligations — privacy policy, retention policy, data subject rights. Cookies are often the entry point; GDPR governs what you do with the data they collect.

For a technical audit of your site’s cookie consent setup, Bartram Web screens your site against PECR standards and identifies gaps in your mechanism, policy, or script blocking. To stay informed about cookie and GDPR regulation changes, subscribe to our fortnightly newsletter.
