Skip to main content

Compliance

Cookie Policies and Consent: Getting It Right

Cookies, consent banners and the law behind them.

Quick answer

If your site uses non-essential cookies — analytics, advertising, embedded media — most privacy laws require you to disclose them in a cookie policy and obtain consent before setting them. Essential cookies do not need consent but should still be documented.

A cookie policy explains which cookies you use and why; a consent mechanism lets users accept or reject non-essential cookies before they are set. Together they are a legal requirement in the EU, UK and a growing number of regions.

Check your website

See how your site handles cookie policies and consent: getting it right — free, no account needed.

For business owners

Cookie compliance is highly visible: regulators actively fine sites that set tracking cookies without consent, and customers notice a missing or manipulative banner. Getting it right — a clear policy and an honest consent choice — avoids fines, keeps ad and analytics tools usable, and signals that you respect visitors' privacy.

How it works (technical)

Cookies fall into essential (needed for the site to function — no consent required) and non-essential (analytics, marketing, personalisation — consent required before they are set). A compliant setup: block non-essential cookies until consent, offer a genuine "reject all" as easily as "accept all", record consent, and document each cookie's name, purpose and duration in the cookie policy. "Consent-or-nothing" walls and pre-ticked boxes are generally non-compliant.

Real-world example

An e-commerce site loaded advertising and analytics cookies on page load, with only an "Accept" button. A regulator warned it for setting tracking cookies without consent. Implementing a consent banner that blocked non-essential cookies until the user chose, with an equal "Reject" option, resolved the issue.

Why it matters

Cookie consent is actively enforced and easy for both regulators and scanners to detect. A missing policy or a consent banner that only offers "accept" is a common, avoidable compliance failure.

How to fix it

  1. Audit which cookies your site sets and categorise them (essential vs non-essential).

  2. Block non-essential cookies until the user consents.

  3. Offer "reject all" as prominently as "accept all"; avoid pre-ticked boxes.

  4. Publish a cookie policy listing each cookie's name, purpose and lifespan.

  5. Record consent and let users change it later.

Best practices

  • Make rejecting as easy as accepting.

  • Load tracking scripts only after consent.

  • Keep the cookie list current as tools change.

Common mistakes

  • Setting analytics/ad cookies before consent.

  • Banners with only an "Accept" button.

  • A cookie policy that does not match the cookies actually set.

Frequently asked questions

Do essential cookies need consent?

No. Cookies strictly necessary for the site to function (like a login session or cart) do not require consent, but you should still document them.

Is a cookie banner enough on its own?

No. The banner must actually block non-essential cookies until consent and offer a real reject option, backed by a cookie policy.

Put this into practice

See how your site scores with Plexa Trust — start with a free scan, then unlock the complete audit on Pro.

Scan your website free

See Pro plans · Create account