💰 What happens if I don’t get proper cookie consent?

Non-compliance with cookie consent laws can result in significant penalties:

GDPR violations: Fines up to €20 million or 4% of global annual turnover (whichever is higher). Companies like Google (€150M fine) and Facebook (€60M fine) have been penalized for dark pattern cookie banners.

CCPA violations: Up to $2,500 per unintentional violation and $7,500 per intentional violation.

Beyond fines, you risk reputation damage, loss of customer trust, and potential lawsuits from privacy advocacy groups. The cost of non-compliance far exceeds the cost of implementation.

🖱️ Is scrolling or continuing to browse valid consent under GDPR?

No, absolutely not. The European Data Protection Board (EDPB) has explicitly stated that scrolling, browsing, or clicking anywhere on the page does not constitute valid consent under GDPR.

For consent to be valid, it must be:

• Freely given: No coercion or consequences for refusing
• Specific: Separate consent for different purposes
• Informed: Clear explanation of what users are consenting to
• Unambiguous: Requires active, affirmative action (like clicking “Accept”)

Cookie banners that say “By continuing to browse, you accept cookies” are not compliant with GDPR.

⚖️ Why do Accept and Reject buttons need to be equally prominent?

The EDPB 2023 guidelines require that Accept and Reject buttons be equally prominent to ensure consent is “freely given.” If the Accept button is larger, more colorful, or easier to find than the Reject button, it’s considered a “dark pattern” that manipulates user choice.

Both buttons must have:

• Same size and visual weight
• Similar color intensity (no making Reject gray and faded)
• Equal accessibility (both equally easy to click)
• Visible on the first layer (Reject can’t be hidden in settings)

Major companies like Google and Meta have been fined hundreds of millions for violating this principle.

🇺🇸 Do I need a cookie consent banner if my website only has US visitors?

It depends on your state and data practices:

California (CCPA/CPRA): Yes, you need to provide notice and an opt-out mechanism (“Do Not Sell or Share My Personal Information”) if you sell or share user data.

Other US states: Several states (Virginia, Colorado, Connecticut, Utah, Montana) have privacy laws that may require cookie consent or disclosure. Requirements vary by state.

No specific state laws apply: Federal law doesn’t mandate cookie consent banners for most websites. However, it’s still best practice to inform users about cookies for transparency and trust.

Even if not legally required, cookie consent banners demonstrate respect for user privacy and can improve trust with your audience.

🔧 What’s the difference between a cookie banner and a cookie policy?

Cookie Banner (Cookie Consent Banner): A popup or banner that appears when users visit your site, asking for their consent before setting cookies. It provides quick information and action buttons (Accept, Reject, Customize).

Cookie Policy (Cookie Declaration): A detailed legal document that explains what cookies your site uses, why you use them, what data they collect, how long they last, and who has access to the data. It’s like a privacy policy specifically for cookies.

You need both: The banner collects consent, and the policy provides detailed information. Your cookie banner should link to your cookie policy so users can learn more.

🍪 Are cookies considered personal data under GDPR?

Yes, in most cases. Under GDPR, any data that can directly or indirectly identify an individual is considered personal data. Many cookies, especially tracking cookies, contain unique identifiers (cookie IDs) that can be linked to individuals.

Examples of cookies with personal data:

• Cookies containing user IDs or session IDs
• Analytics cookies that track browsing behavior
• Advertising cookies used for targeting
• Social media cookies that track cross-site activity

Since these cookies process personal data, you must obtain consent before setting them under GDPR Article 6 (legal basis for processing) and the ePrivacy Directive.

🔗 Do third-party services (like Google Analytics) need separate consent?

No separate consent needed, but you’re responsible. When you use third-party services like Google Analytics, Facebook Pixel, or advertising platforms, you (as the website owner) are responsible for obtaining consent on behalf of those third parties.

Your cookie consent banner should:

• Disclose that you use third-party cookies
• Block third-party scripts until consent is obtained
• List major third parties in your cookie policy
• Ensure your Data Processing Agreements (DPAs) with vendors address consent

The third-party service typically requires you to have a legally binding agreement confirming you’ll obtain proper consent before their cookies are set.

🚫 Can I use a “cookie wall” that blocks access without consent?

Generally no, cookie walls are illegal under GDPR in most cases. A “cookie wall” is when you prevent users from accessing your website unless they accept cookies.

The GDPR requires consent to be “freely given,” which means users must have a genuine choice without negative consequences. If rejecting cookies prevents them from using your site, consent is not freely given.

Very limited exceptions exist:

• If the service is truly dependent on cookies to function (rare)
• If you offer an equivalent, cookie-free alternative
• For paid subscription services (still debated)

The UK ICO and French CNIL have taken enforcement action against websites using cookie walls. It’s safer to allow users to reject cookies and still access your content, even if with limited functionality.