GDPR Cookie Banner: The Complete 2026 Guide
Everything to know about GDPR cookie banners: CNIL obligations, 2026 rules, how to implement them without friction and avoid heavy fines.
A fine from France's data protection authority, the CNIL, for a non-compliant cookie banner can reach 4% of global turnover or 20 million euros, whichever is higher. Google has paid €150M, Amazon €35M. The good news: the rules are clear, and a small business can be fully compliant in less than a day.
If your site sets even a single Google Analytics cookie, a Meta pixel, a Hotjar tracker or a third-party ad banner, this applies to you. Not tomorrow, not when you reach 10,000 visitors: from day one. The CNIL has been actively auditing since 2020, and Google has required Consent Mode v2 since March 2024 from anyone using Google Ads or Google Analytics 4 with European traffic.
In this guide, you will see exactly what GDPR requires of a cookie banner, the 5 mistakes that invalidate your compliance, the actual fines issued by the CNIL in 2024, and how to bring your site into compliance step by step. Without jargon, with concrete examples, and with proof that a properly configured CMP degrades neither your design nor your conversion rate.
GDPR cookie banner: what are we really talking about?
A GDPR cookie banner is an interface displayed on the first load of a page that lets the user accept, refuse or fine-tune the trackers set by the site. It is not a legal gadget: it is the element that materialises the consent required by GDPR and the ePrivacy directive.
You will encounter several terms for the same thing. "Cookie banner" is the standard expression. "Consent banner" is a synonym used widely. "CMP" (Consent Management Platform) refers more technically to the software platform that drives the banner, stores the proof and communicates with your marketing tools. "Cookie pop-up" is the consumer-facing term. In this article, "banner" and "CMP" will be used interchangeably.
Be careful not to confuse the cookie banner with the privacy policy. The privacy policy is a permanent textual document, accessible via a footer link, that details all your data processing activities. The banner is an interactive interface that captures a binary or granular choice, before any non-essential storage. Both are mandatory and complementary: one informs, the other collects consent.
Which sites are concerned? Practically all of them. As soon as you use Google Analytics (even with IP anonymisation, which does not meet the CNIL's exemption criteria), Google Fonts loaded from Google's CDN, Meta Pixel, LinkedIn Insight Tag, Hotjar, Clarity, an Intercom chat, an embedded YouTube video or any third-party ad banner, you are setting non-essential cookies or equivalent trackers. A 100% static showcase site without any third-party tool can theoretically do without a banner; in practice, this is extremely rare.
Why it is mandatory: the legal framework in 3 minutes
The French legal foundation rests on three texts that complement each other. Article 4(11) of the GDPR defines consent as freely given, specific, informed and unambiguous, and Article 7 sets the conditions under which it is valid. "Unambiguous" means that silence, a pre-ticked box or simply continuing to browse do not count as acceptance. Consent must also be as easy to withdraw as it is to give (Article 7(3)).
Article 82 of the French Data Protection Act (transposing the ePrivacy directive) specifically covers trackers and cookies. It mandates prior information and the collection of consent before any writing or reading of information on the user's terminal, with the exception of cookies strictly necessary for the functioning of the service requested (shopping cart, logged-in session, language preference).
The CNIL guidelines of 17 September 2020 ended the "implicit consent" approach that had ruled for years. Continuing to browse, scrolling the page, clicking an internal link: none of these actions can be treated as acceptance. The recommendation published the same day establishes a fundamental principle: refusal must be as simple as acceptance. A bright "Accept all" button and a tiny grey "Manage my preferences" link: that is over.
The CNIL's 2022-2023 recommendation adds a useful clarification: certain audience-measurement cookies can be exempt from consent, provided they are strictly limited to producing anonymous statistics, not cross-referenced with other processing, and configured not to track the user's overall navigation. Matomo in anonymous mode or Plausible fall within this scope. Google Analytics 4, even configured with "IP Anonymization", is not considered exempt by the CNIL.
In summary: if your site embeds any non-essential tracker, you have no alternative. The banner is mandatory, its compliance is auditable, and the absence of a banner or its incorrect setup exposes you to direct financial sanctions, without necessarily going through a formal warning if the breach is serious.
Fines that hurt: 4 real cases
The numbers speak louder than the texts. Here are four landmark sanctions that illustrate what the CNIL concretely expects.
Case 1 (Google, December 2021): €150 million. The CNIL's restricted committee sanctioned Google LLC and Google Ireland for a precise reason: on google.fr and youtube.com, it was impossible to refuse cookies as easily as accepting them. A one-click "Accept all" button, but a refusal that required several clicks through successive menus. The amount also reflects severity: tens of millions of French users affected, and a clear economic gain extracted from the imbalance.
Case 2 (Facebook / Meta, December 2021): €60 million. Same day, same reason. facebook.com offered an "Accept cookies" button but no equivalent button to refuse everything. The user had to dive into settings to find a refusal mechanism, which the CNIL qualified as a breach of the freedom of consent. Meta also had to modify its interface within an imposed deadline, under daily penalty.
Case 3 (Amazon Europe Core, December 2020): €35 million. Here the breach happened before any banner: Amazon was setting advertising cookies on the devices of users visiting amazon.fr before any action, without prior information and without collecting consent. Automatic dropping, no opt-in, no visible opt-out. The breach hits the heart of the legal mechanism: before consent, no non-essential tracker.
Case 4 (Voodoo, decision of December 2023 published in January 2024): €3 million. Less publicised but instructive. The French mobile games publisher was using advertising identifiers in its apps without valid consent, including for users who had explicitly refused tracking. The case illustrates that the CNIL also audits the effective respect of refusal, not just the presence of the banner.
The CNIL targets small businesses as much as giants. In 2024, 12% of cookie-related fines concerned sites with fewer than 50 employees. SMBs do not escape audits: sanctions are simply proportional to turnover, with a floor of a few thousand euros that remains painful for a small structure to absorb. The right approach is not "too small to be seen" but "compliant from day one, at near-zero cost".
The 7 rules a compliant banner must meet
Here is the checklist a GDPR cookie banner must tick to pass a CNIL audit without breaking a sweat.
- Active and explicit consent. No pre-ticked boxes. No wording such as "by continuing to browse, you accept". The user must perform a positive act: clicking "Accept", "Accept all" or validating a granular selection. Until they have acted, no non-essential cookie can be set, read or written.
- Refusal as simple as acceptance. This is THE point that concentrates most fines. If "Accept all" is a solid green button at the top right, "Refuse all" must be a button of the same level, same visibility, in the same place, accessible in a single click. Not in two, not in a "Settings" menu, not in light grey. Serious CMPs configure this by default.
- Granular purposes. The user must be able to accept some categories and refuse others. Typically: accept anonymous audience measurement, refuse behavioural advertising, accept functional cookies, refuse social networks. A banner that only offers "all or nothing" violates the principle of specificity of consent.
- Explicit and understandable purposes. No more "personalisation cookies to improve your experience". Each purpose must be phrased in plain language: "Anonymous audience measurement via Matomo", "Targeted advertising via Meta Pixel", "Customer support via Intercom chat". The user must understand what they are accepting without a law degree.
- Proof of consent stored. Each choice must be timestamped, associated with an anonymised user identifier, and stored in an auditable way. In case of an audit, you must be able to produce to the CNIL the logs showing that a given visitor effectively ticked a given box on a given date. A serious CMP exports these proofs as CSV or JSON on demand.
- Maximum lifetime of 13 months. A consent given more than 13 months ago is presumed expired: the banner must ask again. Likewise, the lifetime of the cookies themselves is capped at 13 months for most trackers (audience measurement, advertising). Some strictly necessary functional cookies may last longer.
- Withdrawal of consent as simple as giving it. A permanent link, visible at all times, must let the user reopen the banner and modify their choices. The standard placement is in the footer, labelled "Manage cookies" or "Cookie preferences". Withdrawal must not be more complicated than the initial acceptance.
If your banner ticks these 7 rules, you are in substantial compliance. The ConsentLab plans apply these 7 rules by default, without manual configuration.
How to implement a GDPR banner in 5 steps
Here is the process we recommend to our SMB clients. Allow half a day of work for a standard site. If your site runs on WordPress, our WordPress installation guide in 3 steps covers the specific case with screenshots.
- Scan your current cookies. Before deploying a banner, map what your site actually sets. The CNIL's free Cookieviz tool or CookieServe crawl your pages and list all trackers. You will often discover cookies you had forgotten: an old WordPress plugin, an abandoned rating widget, a Zapier integration. Note what is set before and after consent; this is the basis of your configuration.
- Choose a suitable CMP. For a small business, no need for a €400/month solution. Several options are free or very affordable: ConsentLab (free up to 5,000 sessions per month, unlimited domains), Cookiebot on the free plan (50 pages), Axeptio freemium. The criteria to check carefully: native Google Consent Mode v2, EU hosting (ideally in France), multilingual interface if you have international traffic, ability to customise colours to match your brand.
- Configure purposes. Create at minimum 4 categories: essential cookies (always active, no opt-in needed), audience measurement (Matomo, Plausible, GA4), functional (chat, user preferences, embedded videos), advertising and marketing (Meta Pixel, Google Ads, LinkedIn). Associate each tracker with its category. The CMP takes care of blocking scripts as long as the corresponding category is not accepted.
- Install Google Consent Mode v2. Required by Google since March 2024 for Google Ads and Google Analytics 4 on European traffic. Your CMP must send the ad_storage, analytics_storage, ad_user_data and ad_personalization signals to Google according to the user's choices, with every signal denied by default until the user acts. Without these signals, Google Ads cannot use data from EEA visitors for personalisation or remarketing, and conversion modelling is unavailable. Modern CMPs handle GCM v2 natively: you tick a box, no need to touch the code.
- Test with the CNIL Cookieviz. A critical phase, often rushed. After deployment, run a Cookieviz scan on your site in "before click" mode. Verify that no non-essential cookie appears. Click "Refuse all", rescan: no new cookie. Click "Accept all", rescan: all trackers appear. Export a proof of consent from your CMP interface. If these 3 checks pass, you are ready.
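The mechanics behind steps 3 to 5 above, and behind rules 5 (stored proof) and 6 (13-month lifetime) from the checklist, in a single added example in plain JavaScript. This is not ConsentLab's code nor any CMP's: the category names, the `data-consent`/`data-src` attributes on inert script tags, the consent record layout and the `policyVersion` value are hypothetical choices for the example; `gtag('consent', 'default' | 'update', ...)` and the four signal names are Google's real Consent Mode v2 API. It shows tags released per category only after a positive choice, the four signals derived from that choice (everything denied by default, closing the banner granting nothing), a timestamped proof record with the 13-month expiry check, and the "no non-essential cookie before consent" check from step 5 run over a `document.cookie` string.

```javascript
// Added example (not ConsentLab's or any CMP's own code). Hypothetical: the
// category names, data-consent/data-src attributes, record layout, policyVersion.
// gtag('consent', 'default' | 'update', {...}) and the four signal names are
// Google's real Consent Mode v2 API.
const CATEGORIES = ['essential', 'analytics', 'functional', 'marketing'];

// Before gtag.js loads: every signal denied. Pass to gtag('consent', 'default', ...).
function consentDefault() {
  return {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    wait_for_update: 500, // ms for the CMP to replay a stored choice before tags fire
  };
}

// Purpose categories -> Consent Mode v2 signals. Analytics drives analytics_storage;
// the three ad_* signals all follow the advertising/marketing purpose.
function gcmSignalsFor(choices) {
  const g = (on) => (on === true ? 'granted' : 'denied');
  return {
    analytics_storage: g(choices.analytics),
    ad_storage: g(choices.marketing),
    ad_user_data: g(choices.marketing),
    ad_personalization: g(choices.marketing),
  };
}

// Banner action -> purpose choices. Closing the banner (cross, Escape key,
// click outside) is not consent: null means nothing beyond 'essential' may run.
function choicesFromAction(action, granular = {}) {
  const base = { essential: true, analytics: false, functional: false, marketing: false };
  switch (action) {
    case 'accept_all':
      return { ...base, analytics: true, functional: true, marketing: true };
    case 'refuse_all':
      return base;
    case 'save_selection': {
      const sel = { ...base }; // only known categories can be granted
      for (const c of CATEGORIES) if (c !== 'essential' && granular[c] === true) sel[c] = true;
      return sel;
    }
    default:
      return null;
  }
}

// Proof of consent: timestamp, random non-identifying id, version of the banner
// text the user saw, and the exact choices. Keep it in the CMP log (exportable as JSON).
function makeConsentRecord(choices, { now = new Date(), policyVersion = '2026-01', id } = {}) {
  if (!choices) throw new Error('no consent to record: the banner was dismissed');
  const recordId = id ?? globalThis.crypto.randomUUID(); // CSPRNG id, never a user id
  return { id: recordId, timestamp: now.toISOString(), policyVersion, choices: { ...choices, essential: true } };
}

// CNIL cap: a choice older than 13 months must be asked again.
function isConsentExpired(record, now = new Date()) {
  const expiry = new Date(record.timestamp);
  expiry.setUTCMonth(expiry.getUTCMonth() + 13);
  return now.getTime() >= expiry.getTime();
}

// Which blocked tags may load now. Tags ship inert as
// <script type="text/plain" data-consent="marketing" data-src="https://.../fbevents.js">
function scriptsToActivate(tags, choices) {
  if (!choices) return [];
  return tags.filter((t) => t.category === 'essential' || choices[t.category] === true);
}

// Browser-only: release the allowed tags and push the update to Google.
function applyConsent(choices) {
  if (typeof document === 'undefined') return;
  const tags = Array.from(document.querySelectorAll('script[type="text/plain"][data-consent]'))
    .map((el) => ({ category: el.dataset.consent, src: el.dataset.src, el }));
  for (const t of scriptsToActivate(tags, choices)) {
    const live = document.createElement('script');
    live.src = t.src;
    t.el.replaceWith(live);
  }
  if (typeof gtag === 'function') gtag('consent', 'update', gcmSignalsFor(choices));
}

// Step 5 check: cookie names in a document.cookie string that are not essential.
// Run before any click and again after "Refuse all": the result must be empty both times.
function nonEssentialCookies(cookieString, essentialNames) {
  return cookieString
    .split(';')
    .map((c) => c.trim().split('=')[0])
    .filter((name) => name !== '' && !essentialNames.includes(name));
}
```

In a real page, `consentDefault()` is passed to `gtag('consent', 'default', ...)` in the head before any tag loads, `applyConsent(choicesFromAction(...))` runs on the banner's buttons and again on page load from the stored record when `isConsentExpired` is false, and `nonEssentialCookies(document.cookie, [...])` is the assertion you run in the console during step 5. Since `scriptsToActivate`, `gcmSignalsFor` and `isConsentExpired` are pure functions, they are also the right targets for a unit test in your CI so a later tag addition cannot silently bypass the gate.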
The ConsentLab documentation details the exact procedure for each CMS (WordPress, Shopify, Webflow, custom Next.js).
ConsentLab vs competitors: 2026 comparison
For a French SMB or small business, the differences between CMPs play out less on technique β all serious solutions are now compliant β than on the generosity of the free plan and the simplicity of setup. Here is the comparison of the 4 main players in the European market:
| Criterion | ConsentLab | Axeptio | Cookiebot | Didomi |
|---|---|---|---|---|
| Free plan limit | 5,000 sessions/month | 100 pages | 50 pages | No free plan |
| Unlimited domains (free) | Yes | No | No | No free plan |
| Native Google Consent Mode v2 | Yes | Yes | Yes | Yes |
| EU hosting | Yes | Yes | Yes | Yes |
| English support | Yes | Yes | Yes | Yes |
| English interface | Yes | Yes | Yes | Yes |
The criterion that makes the difference in 2026: unlimited domains from the free plan. For an agency managing 10 client sites, or for an SMB with a main site, a blog on a subdomain and a separate landing page, that is the difference between free and €200/month with the competitors. The other criteria are largely on par between mature solutions.
The 5 mistakes that invalidate your banner
These five mistakes appear in 80% of unfavourable CNIL audits. Audit your current banner against this list.
- Pre-ticked "Accept" box. A direct, frontal violation of GDPR. A box already ticked by default can never count as active consent. Fine almost guaranteed in case of audit, with no tolerance.
- "Close" that counts as acceptance. A cross at the top right that, if the user clicks it to dismiss the banner, records it as consent given: explicitly sanctioned by the CNIL since 2020. Closing must keep all non-essential trackers blocked until an active decision is made.
- Refusal buried in a sub-menu. Exactly the €150M Google case. If your "Refuse all" requires 2 clicks or more, or sits in an "Advanced settings" screen, you are breaking the law. The symmetry principle is non-negotiable.
- Vague or fuzzy purposes. "Improve your experience", "personalise content", "technical cookies" without precision: these are not valid purposes. You must name the processing (audience measurement, targeted advertising, social network) and ideally the provider (Matomo, Meta, LinkedIn).
- No stored proof. In case of an audit, the CNIL asks for consent logs. If you have nothing to produce, it is as if no consent had been collected. The burden of proof rests on you, not on the user or the CNIL.
FAQ β GDPR cookie banner
Do I need a banner if my site only uses essential cookies? No. Cookies strictly necessary for the functioning of the service (logged-in session, shopping cart, language preference) are exempt from consent under article 82 of the French Data Protection Act. But as soon as you add Google Analytics, Google Fonts loaded from Google's servers, a Meta pixel or an Intercom chat, you leave that zone and the banner becomes mandatory.
Can I use a simple "I understand" button? No, this has been explicitly forbidden since the CNIL deliberation of September 2020. A single button that does not give the choice between accepting and refusing is not a consent banner β it is mere information, insufficient under GDPR. You must offer at minimum two symmetrical options: "Accept all" and "Refuse all".
How long do I have to keep the proof of consent? 13 months minimum, to be able to justify the consent throughout its validity period. The CNIL however recommends keeping proofs for 3 years to cover potential later disputes or claims. Logs must be timestamped, attributable to an anonymised identifier, and exportable on demand.
Are third-party cookies allowed? Yes, provided you have collected the user's explicit consent for each corresponding purpose. A Meta Pixel cookie assumes opt-in on the "advertising" purpose. A YouTube embed cookie assumes opt-in on "social networks" or "functional". Without consent for the relevant purpose, the third-party cookie must not be set.
What about users outside the EU? GDPR applies as soon as the user is physically in the EU, regardless of your own location. For users outside the EU, local legislation prevails (LGPD in Brazil, CCPA in California, etc.). In practice, most sites apply GDPR to all their visitors: it is simpler to manage, and it has become a quality standard.
My Shopify e-commerce has a native banner β is it compliant? Shopify's default banner is NOT GDPR-compliant. It lacks granular purposes, refusal symmetric with acceptance, and auditable storage of proof of consent. To comply, you must install a dedicated app β ConsentLab offers a native Shopify integration that installs in 2 minutes via a Theme App Extension.
Get a compliant cookie banner in 2 minutes
ConsentLab is the simplest CMP for European SMBs. Native Google Consent Mode v2, unlimited domains, hosted in France. Free up to 5,000 sessions/month.