
Your Cookie Banner Probably Isn't Compliant — Here's Why

myths 7 min read Updated 2026-03-23


A cookie banner on your website doesn’t mean cookie compliance. In fact, most banners are compliance theater — they look compliant but don’t actually block non-essential cookies or offer genuine choice. Users see the banner and assume it’s protecting their privacy. Legally, you’ve covered yourself. But you haven’t.

This is the most visible compliance failure in UK digital business. The banner is the one part of cookies that users interact with, so when the banner doesn’t work, they see it fail. Meanwhile, you’re liable under PECR and UK GDPR regardless.

Reality: A banner is only compliant if it (a) appears before non-essential cookies fire, (b) blocks those cookies until consent is given, (c) offers genuine choice to reject, and (d) actually enforces the user’s decision. Most off-the-shelf banner plugins fail on points (b), (c), and (d).

A cookie banner is the user-visible interface to a consent mechanism. The mechanism is what does the work — it blocks scripts from executing, records what the user consented to, and respects withdrawal. A banner without a functional mechanism behind it is decorative.

The most common failure: cookies fire before the banner appears. A page loads Google Analytics, Facebook Pixel, or advertising scripts on initial page load, setting cookies immediately. The banner appears afterward. From a legal perspective, you’ve placed cookies without consent. The banner is too late.

Technical test: clear your cookies, reload your site with the browser’s Network tab open, and watch what requests fire before you interact with the banner. If you see requests to Google, Facebook, advertising networks, or other third parties, those scripts are firing pre-consent. Your mechanism is broken.
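The same test can be run offline against a HAR file saved from the Network tab. This is an added example, not the article's code; it assumes the first-party host name, a short list of well-known tracker domains used only as hints, and the constructed request entries below.

```javascript
// Added example, not the article's code: triage a browser HAR export for third-party
// requests that started before the user interacted with the banner.
// Assumed: the first-party host, the tracker hint list, and the constructed entries below.
const FIRST_PARTY = "shop.example";
const TRACKER_HINTS = ["google-analytics.com", "googletagmanager.com", "facebook.net", "doubleclick.net"];

const hostOf = url => new URL(url).hostname;
const under = (host, domain) => host === domain || host.endsWith("." + domain);

// Every third-party request that started before the consent click is a script firing
// pre-consent; knownTracker only highlights the usual suspects the article names.
function preConsentThirdParty(entries, consentClickIso) {
  const consent = Date.parse(consentClickIso);
  return entries
    .filter(e => Date.parse(e.startedDateTime) < consent)
    .map(e => ({ url: e.request.url, host: hostOf(e.request.url) }))
    .filter(e => !under(e.host, FIRST_PARTY))
    .map(e => ({ ...e, knownTracker: TRACKER_HINTS.some(d => under(e.host, d)) }));
}

// Constructed HAR-style entries: the page, a tag manager and a pixel loaded at once,
// a first-party CDN asset, then an analytics hit after the banner click at +5s.
const SAMPLE_ENTRIES = [
  { startedDateTime: "2026-03-23T10:00:00.000Z", request: { url: "https://shop.example/" } },
  { startedDateTime: "2026-03-23T10:00:00.200Z", request: { url: "https://www.googletagmanager.com/gtm.js" } },
  { startedDateTime: "2026-03-23T10:00:00.400Z", request: { url: "https://connect.facebook.net/en_US/fbevents.js" } },
  { startedDateTime: "2026-03-23T10:00:00.500Z", request: { url: "https://cdn.shop.example/app.js" } },
  { startedDateTime: "2026-03-23T10:00:09.000Z", request: { url: "https://www.google-analytics.com/collect" } },
];
const CONSENT_CLICK = "2026-03-23T10:00:05.000Z";

function auditSample() { return preConsentThirdParty(SAMPLE_ENTRIES, CONSENT_CLICK); }

// Real use: read entries from the HAR file (har.log.entries) and the click time from the
// banner's own consent record; an empty result is the only passing outcome.
for (const f of auditSample()) console.log(`PRE-CONSENT${f.knownTracker ? " [known tracker]" : ""} ${f.url}`);
```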

Reality: Consent is not a one-time event. Users must be able to change their preferences as easily as they gave initial consent. If your cookie banner disappears after the first visit and there’s no way to revoke or modify consent, your mechanism is non-compliant.

PECR explicitly requires withdrawal rights. Users should be able to change their preferences on return visits without losing functionality. The standard approach is a persistent footer link — often labeled “Cookie preferences” or “Manage cookies” — that opens a preference center.

Many sites bury this link or make it impossible to find. Some remove the banner after the first visit and never offer a way to change preferences. Some make the preference panel harder to navigate than the initial banner. All of these approaches violate the withdrawal requirement.

Practical implication: a user visits your site, accepts analytics, then regrets it. They should be able to open a preference panel, withdraw consent, and have that change persist. If they can’t find the link or the link doesn’t work, you’re in violation.

Myth 3: We Offer Choice — Accept or Reject

Reality: Many banners offer “Accept all” and “Reject all” buttons, but one is much easier to click than the other. If “Accept all” is a large, high-contrast button and “Reject all” is small text or requires navigating elsewhere, consent is not freely given. Both options must be equally prominent.

This is surprisingly common. Banners often place “Accept all” as a prominent button and bury “Reject all” below in smaller text, or make “Reject all” require clicking through a settings page while “Accept all” works in one click. This is not genuine choice — it’s coercion disguised as choice.

PECR explicitly requires “freely given” consent. If one option is harder to select than the other, you’ve violated this requirement.

Accessibility matters too. If “Reject all” is only available via mouse (not keyboard), or if the banner isn’t screen reader compatible, you’re excluding users with disabilities and failing both PECR and accessibility standards.

Myth 4: A Dropdown or Settings Page Counts as Choice

Reality: A banner that offers only “Accept all” with a settings link that lets users drill down and toggle categories is not genuine choice. The test is prominence: if accepting all cookies is a single click and rejecting cookies requires navigating to a settings page and clicking multiple times, you’ve failed the genuine choice requirement.

Compliant patterns include:

  • “Accept all” and “Reject all” side by side, equally prominent
  • “Reject all”, “Customise”, and “Accept all” — all on the initial banner
  • Initial banner with “Reject all” prominent, plus a secondary customization option for users who want granularity

Compliant patterns do not include: “Accept all” as the only prominent option, with settings hidden or requiring multiple clicks.

Myth 5: We Have a Privacy Policy, So We’re Compliant

Reality: A privacy policy covers UK GDPR obligations (what data you collect and why). PECR requires a separate cookie policy listing each cookie, its purpose, provider, and duration. A one-line mention of cookies in your privacy policy doesn’t meet this requirement.

PECR requires “clear and comprehensive information about each cookie.” This means:

  • Name: The cookie identifier (e.g., _ga, _fbp)
  • Purpose: What it does (analytics, marketing, etc.)
  • Provider: Who sets it (Google, Facebook, etc.)
  • Duration: How long it persists (session, 2 years, etc.)
  • Category: Essential, analytics, marketing, etc.

A proper cookie policy is a table or list covering all these fields for every cookie on your site. Many consent management platforms (CMPs) generate this automatically from a scan. If your privacy policy is longer than a few hundred words and doesn’t have a dedicated cookies section, you probably don’t have a compliant cookie policy.

Myth 6: Essential Cookies Exempt Us From Most of This

Reality: Compliant cookie banners still need to display information about essential cookies, even though they don’t require consent. And for non-essential cookies, you need everything above.

The exemption for essential cookies only applies to the consent requirement — not to transparency. Users should still understand what essential cookies do and why you’re using them. Many sites bury this in a settings page. A proper approach is to list essential cookies prominently and explain why they’re necessary.

For non-essential cookies (which is almost everything else), the full consent and disclosure apparatus applies.

Reality: Pre-ticked boxes do not constitute consent under PECR. Consent must be affirmative — the user must take action to give it. If a consent checkbox is pre-ticked and the user has to uncheck it to opt out, you’ve assumed consent, not obtained it. This is a direct PECR violation.

Compliant patterns: no checkboxes pre-ticked. All non-essential categories default to unchecked. Users must actively tick the box to consent.

Myth 8: Our Banner Complies — We Tested It Once

Reality: Websites change. New plugins, new integrations, new CMS versions — each can introduce new cookies. A compliant banner today may fail in three months if your site gains new tracking scripts. You need to audit quarterly and update your banner if new cookies appear.

Many sites implement compliant consent mechanisms and then never re-audit. Six months later, a new plugin fires pre-consent. Your mechanism is now broken, and you’re no longer compliant.

Standard practice: scan your site quarterly, check for new cookies, and ensure your consent mechanism covers all of them.

What to Do Instead

A compliant cookie banner needs to be:

  1. Functional, not decorative. It must actually block non-essential cookies until consent is given. Use a consent management platform (CMP) like Cookiebot, CookieYes, or Termly that integrates with Google Tag Manager or your site code to prevent scripts from executing pre-consent.

  2. Loaded before tracking scripts. Non-essential cookies must not fire before the banner appears. This requires technical configuration: your CMP must load before any other tracking script.

  3. Offering genuine choice. “Reject all” must be as prominent and easy to click as “Accept all.” Category-level granularity (accept analytics but reject marketing) is helpful.

  4. Documented. You should have a clear cookie policy listing each cookie, its purpose, provider, and duration. Most CMPs generate this.

  5. Withdrawal-enabled. A persistent footer link should let users change preferences on return visits. This must work across sessions.

  6. Regularly audited. Scan your site quarterly to catch new cookies and ensure your mechanism covers them.
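The mechanism described earlier (block scripts until consent, record the decision, honour withdrawal on return visits) and criteria 1, 2, 3, 5 above, as an added example that is not the article's or any CMP's code. It assumes the category names, the storage key, and a getItem/setItem store (window.localStorage in a browser; a Map-backed stand-in in demo()). Script loaders are registered with a category and run only once that category has been consented to.

```javascript
// Added example, not the article's or any CMP's code: the mechanism behind the banner.
// Assumed: the category names, the storage key, and a getItem/setItem store
// (window.localStorage in a browser; a Map-backed stand-in in demo()).
const CATEGORIES = ["analytics", "marketing"]; // non-essential only; essential needs no consent
const STORAGE_KEY = "cookie_consent_v1";
// No stored decision means no consent: nothing is pre-ticked.
const noConsent = () => ({ version: 1, timestamp: null, choices: { analytics: false, marketing: false } });

class ConsentManager {
  constructor(store) { this.store = store; this.pending = []; this.record = this.load(); }
  load() {
    let rec = null;
    try { rec = JSON.parse(this.store.getItem(STORAGE_KEY) || "null"); } catch (e) { /* corrupt: no consent */ }
    if (!rec || rec.version !== 1 || !rec.timestamp || typeof rec.choices !== "object") return noConsent();
    const choices = {};
    for (const c of CATEGORIES) choices[c] = rec.choices[c] === true; // absent or unknown => false
    return { version: 1, timestamp: rec.timestamp, choices };
  }
  isAllowed(category) { return this.record.choices[category] === true; }
  // Register a loader (e.g. one that injects <script src=...>); it runs at most once, after consent.
  defer(category, load) { this.pending.push({ category, load, done: false }); this.apply(); }
  apply() {
    for (const p of this.pending) if (!p.done && this.isAllowed(p.category)) { p.done = true; p.load(); }
  }
  // "Accept all", "Reject all" and the preference centre all call this, so rejecting is one step
  // like accepting. A script that already ran cannot be un-run: reload the page after reducing consent.
  update(partial) {
    const choices = {};
    for (const c of CATEGORIES) choices[c] = partial[c] === true;
    this.record = { version: 1, timestamp: new Date().toISOString(), choices };
    this.store.setItem(STORAGE_KEY, JSON.stringify(this.record));
    this.apply(); return this.record;
  }
  rejectAll() { return this.update({}); }
}

// Constructed walk-through: first visit, partial consent, return visit, withdrawal.
function demo() {
  const m = new Map(), store = { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, v) };
  const loaded = [];
  const first = new ConsentManager(store);
  first.defer("analytics", () => loaded.push("analytics"));
  first.defer("marketing", () => loaded.push("marketing"));
  const firedPreConsent = loaded.length;                  // 0: deferred until a decision
  first.update({ analytics: true });                      // accept analytics, reject marketing
  const back = new ConsentManager(store);                 // next page load re-reads the record
  const persisted = back.isAllowed("analytics") && !back.isAllowed("marketing");
  back.rejectAll();                                       // withdrawal via the footer link
  return { firedPreConsent, loaded, persisted, afterWithdraw: back.isAllowed("analytics") };
}
```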

If your current banner doesn’t meet all six criteria, it’s time to upgrade.

For a technical audit of your site’s cookie compliance — including pre-consent loading, banner functionality, and policy gaps — Bartram Web screens your site and flags specific issues with remediation guidance. To stay informed about cookie and GDPR compliance updates, subscribe to our fortnightly newsletter.
