December 9, 2025

Cookie Banners: Legal Requirements and Best Practices

If it feels like every site hits you with a cookie banner, that’s because privacy expectations and enforcement have accelerated quickly. For Challenger Brands, these banners are no longer a checkbox. They’re a visitor’s first signal that your brand takes privacy, transparency and user experience (UX) seriously.

At Commit Agency, we design websites that blend storytelling with real compliance and data measurement needs. That balance often begins with the cookie banner.


Why Cookie Banners Exist In The First Place

A cookie banner exists to:

  • Tell users what cookie usage happens on your site
  • Ask for permission where the law requires it
  • Give users meaningful settings they can change at any time

In the EU, this is driven by the GDPR and ePrivacy Directive, which generally require opt-in consent before dropping non-essential cookies. Consent must be “freely given, specific, informed and unambiguous,” meaning no vague language or tricks.

In the United States, the picture is more fragmented. California’s CCPA/CPRA and laws across states, including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana, focus on transparency, data rights and the ability to opt out of the “sale” or “sharing” of personal information, including targeted advertising. This typically means a privacy banner plus a clearly labeled “Do Not Sell or Share My Personal Information” link when cross-site tracking technologies are in play.

Several states, including California, Colorado and Connecticut, require honoring browser- or device-based universal opt-out mechanisms (like Global Privacy Control). These signals complement on-page controls and are now a primary focus of enforcement.

If your audience spans Europe and the United States, you often need both: opt-in consent for non-essential cookies in the EU and a compliant opt-out experience in the U.S. Many brands use region-specific consent logic behind a consistent front-end interface.


What “Legally Sound” Looks Like Today

Under GDPR

Regulators and the EDPB emphasize:

  • No pre-ticked boxes
  • No cookie walls that force acceptance (with rare exceptions)
  • No implied consent based on scrolling
  • Clear explanations of cookie categories
  • Equal ability to accept or reject
  • Easy withdrawal via a persistent link

Under U.S. state privacy laws

“Legally sound” means:

  • Telling users what data you collect and why
  • Providing a simple opt-out of sales/sharing
  • Honoring universal signals like GPC automatically
  • Avoiding dark patterns such as obscured reject buttons

California’s Privacy Protection Agency specifically highlights symmetry between “accept” and “decline,” noting that businesses cannot rely on a consent platform to avoid violations.

In short, your banner must serve as an opt-in for some visitors and an opt-out for others.


Regulators Are Watching (and Fining)

This is no longer just a European issue. U.S. regulators have turned cookie usage and dark patterns into active enforcement areas.

  • California AG vs. Sephora (2022): $1.2M settlement centered on third-party tracking, failure to honor GPC and inadequate disclosure.
  • California CPPA: Dark patterns are now central to its enforcement agenda.
  • Federal Trade Commission: Recent actions (including Amazon Prime interface cases) reinforce that manipulative design patterns are fair game even beyond privacy law.
  • EU regulators like France’s CNIL: Aggressive with fines for invalid consent flows and banner designs that favor “accept” or hide refusal options.

Bottom line: mishandling cookie banners is now a genuine compliance and UX risk.


Examples of Cookie Consent Banners Done Well

Bottom banner with clear choices

Used by major publishers. Offers “Accept,” “Reject,” and “Manage preferences,” plus a permanent footer link. Why it works: simple, scannable, tied to a detailed policy.

Branded, layered banner

Used by brands like Pizza Hut. Styled to match the site and provides a first layer with core choices plus a second layer for granular control.

Preference-center modal

Common among SaaS and retail brands. Centered modal with short explanation, clear buttons and category toggles.
This keeps visual identity intact while treating consent as a real privacy decision.


The Hidden SEO, Traffic and Reporting Impact

Cookie banners don’t just affect legal compliance; they reshape analytics.

Studies show strict opt-in designs depress acceptance rates versus legacy opt-out designs. Lower acceptance affects:

  • Traffic reporting: Users who decline may still visit but won’t appear in analytics, creating perceived drops.
  • SEO: Banners can affect Core Web Vitals if intrusive or poorly implemented.

Tools like Google Consent Mode help recover modeled, privacy-safe trends. In the EEA and UK, Consent Mode v2 is now required to keep ad personalization and conversion measurement active.


Best Practices for Cookie Banners

We approach consent as part of the brand experience. Key recommendations:

Lead with clarity: Explain what you collect, why and how users can control it. Keep brand tone without sacrificing clarity.

Give real choice in one click: Make “Accept all” and “Reject all” equally visible. Avoid dark patterns, low-contrast reject buttons or asymmetrical design.

Block non-essential cookies until consent: Analytics, advertising and social tags should not fire until opted in. For U.S. visitors, honor GPC automatically.

Offer persistent controls: Provide a “Privacy settings” or “Cookie settings” link in the footer so users can change their minds easily.

Plan measurement upfront: Define how unconsented traffic affects KPIs. Configure Consent Mode and dashboards to view consented vs. unconsented data.

Align teams early: Legal, data and brand teams should agree on banner design before launch to avoid conflicts.
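
An added example, not code from this post or from any consent platform: one way to implement the region-specific consent logic and the "block non-essential cookies until consent" rule described above, with GPC honored automatically for opt-out regions. The region labels, category names, stored-choice shape and tag list are assumptions for illustration; `navigator.globalPrivacyControl` and the four Consent Mode v2 keys are the real browser and Google names.

```javascript
// Added illustration. Region labels, category names and the stored-choice
// shape are assumptions, not any consent platform's API.
const OPT_IN_REGIONS = new Set(["EEA", "UK"]);   // consent required before non-essential tags
const CATEGORIES = ["analytics", "advertising", "social"];
const GPC_BLOCKED = ["advertising", "social"];   // assumed mapping of "sale/sharing" to categories

// GPC as exposed to page script; pass a navigator-like object for testing.
function readGpc(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}

// stored: the visitor's saved choices, e.g. { analytics: true }, or null on first visit.
function resolveConsent({ region, gpc, stored }) {
  const optIn = OPT_IN_REGIONS.has(region);
  const state = { essential: true };
  for (const c of CATEGORIES) {
    const choice = stored ? stored[c] : undefined;
    // Opt-in regions: off until an explicit yes. Opt-out regions: on until an explicit no.
    state[c] = optIn ? choice === true : choice !== false;
  }
  // Opt-out regions: the universal signal wins without the visitor touching the banner.
  if (gpc && !optIn) for (const c of GPC_BLOCKED) state[c] = false;
  return state;
}

// Only tags whose category is allowed are ever injected; everything else never fires.
function tagsToLoad(tags, state) {
  return tags.filter((t) => state[t.category] === true).map((t) => t.src);
}

// Consent Mode v2 signal values derived from the same state.
function toConsentMode(state) {
  const g = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: g(state.analytics),
    ad_storage: g(state.advertising),
    ad_user_data: g(state.advertising),
    ad_personalization: g(state.advertising),
  };
}

// Constructed sample tag inventory (placeholder URLs).
const SAMPLE_TAGS = [
  { category: "essential", src: "https://example.test/session.js" },
  { category: "analytics", src: "https://example.test/analytics.js" },
  { category: "advertising", src: "https://example.test/ads.js" },
];
```

Driving both the tag loader and the Consent Mode signals from one resolved state keeps the banner, the tags that actually fire and the reporting in agreement.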


Where We Fit In

We help bold brands compete on privacy and trust by:

  • Designing cookie banners that feel native but compliant
  • Implementing consent platforms that reflect your actual data practices
  • Building reporting frameworks that account for changes in opt-in patterns and analytics visibility

If your cookie banner feels misaligned with your brand or analytics, it may be time for a redesign.
