Cookie consent law: when & how
When your website needs a cookie consent banner, what it must include, and how we implement one that meets GDPR and CCPA requirements.
If you have visited a website in the past few years, you have seen a cookie banner — usually a pop-up or bar asking you to accept or decline cookies. These banners exist because of privacy laws, primarily GDPR in Europe and similar regulations in California and elsewhere.
This guide explains when your website needs one, what it must say, and how we set it up.
This is not legal advice
Chykalophia is a design and web agency, not a law firm. This article explains cookie consent concepts and the technical best practices we follow. It is not a substitute for legal advice. Cookie and privacy laws vary by jurisdiction and continue to evolve. Please consult a qualified attorney to confirm your obligations.
Quick summary
Most websites that use analytics tools, advertising pixels, or social media trackers need a cookie consent mechanism. Under GDPR, non-essential cookies must not activate until the visitor explicitly consents. Under CCPA, visitors must be able to opt out of data sharing. We implement compliant consent tools as part of every site build and can add one to existing sites. A cookie banner alone is not enough — it must actually block trackers until consent is given.
What are cookies?
A cookie is a small piece of data a website stores in a visitor's browser. Cookies can remember things like your login status, shopping cart contents, and preferences.
Not all cookies are the same. The key distinction is between essential cookies and non-essential cookies.
| Cookie type | Examples | Needs consent? |
|---|---|---|
| Essential / functional | Login session, shopping cart, security tokens | No — these are necessary for the site to work |
| Analytics | Google Analytics, traffic measurement | Yes (under GDPR for EU visitors) |
| Marketing / advertising | Meta Pixel, Google Ads, retargeting | Yes — always |
| Social media trackers | Facebook "Like" button, embedded social feeds | Yes — always |
| Personalization | Saved preferences not strictly necessary | Yes |
Do I need a cookie consent banner?
The short answer: if your site uses any tracking or analytics tools, and EU residents can visit it, yes.
'I don't have EU customers' is not a safe assumption
Unless you actively block EU IP addresses (which is unusual and not something we recommend), EU residents can and do visit most public websites. The safe assumption is that GDPR applies to your analytics and tracking setup.
Here is a quick decision guide:
| Your site uses… | GDPR consent needed? | CCPA opt-out needed (for CA)? |
|---|---|---|
| No tracking at all — just a contact form | No | No |
| Google Analytics only | Yes | Possibly — check with a lawyer |
| Google Analytics + Google Ads / remarketing | Yes | Yes |
| Meta Pixel (Facebook/Instagram ads) | Yes | Yes |
| HubSpot, ActiveCampaign, or similar CRMs with tracking | Yes | Yes |
| YouTube embeds | Yes — YouTube loads cookies | Possibly |
| Live chat tools (e.g., Intercom, Drift) | Yes | Possibly |
What a compliant cookie consent tool must do
This is the most important thing to understand: a cookie banner that only informs visitors is not compliant under GDPR. The banner must block non-essential cookies from loading until the visitor actively consents.
A compliant setup:
- Show the banner before any non-essential scripts load. The tracking tools must be paused until consent is given.
- Offer a real choice. The visitor must be able to accept all cookies, reject all non-essential cookies, or customize their choices. "Accept" and "Reject" must be equally easy to find and click — not one big button and a tiny link.
- Record and store the consent. Your tool should log what the visitor chose and when. This is your record if you are ever asked to prove compliance.
- Allow the visitor to change their mind. There should be a way to update cookie preferences at any time — typically a small button or link in the footer.
- Not use pre-ticked boxes. Under GDPR, consent must be active and unambiguous. A checkbox that is already checked does not count.
The CCPA difference
Under CCPA/CPRA, the requirement is slightly different. California residents don't need to give "opt-in" consent for tracking — instead, they have the right to opt out of the sale or sharing of their personal information.
This typically means:
- A "Do Not Sell or Share My Personal Information" link in the footer
- Clicking that link activates an opt-out preference that blocks data sharing with advertising networks
- A properly configured consent tool can handle both GDPR opt-in and CCPA opt-out simultaneously
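As an added illustration (not the agency's tool and not code from this page), here is the consent logic described in "What a compliant cookie consent tool must do" and in the CCPA section, written as plain JavaScript without a DOM: under GDPR nothing non-essential is allowed until the visitor acts, under CCPA non-essential scripts start allowed and "Do Not Sell or Share" withdraws advertising sharing, every choice is stamped for the record, and a category the visitor did not tick counts as not consented. The category names and the sample script list are assumptions.

```javascript
// Added illustration, not the agency's tool: pure consent-state functions that decide which scripts may load.
const NON_ESSENTIAL = ["analytics", "marketing"];

// State before the visitor has chosen. GDPR is opt-in: non-essential categories start denied.
// CCPA is opt-out: they start allowed, and "Do Not Sell or Share" withdraws advertising sharing.
function defaultConsent(regime) {
  const optIn = regime === "gdpr";
  return {
    regime,
    choice: null,      // what the visitor picked
    decidedAt: null,   // when; both stay null until the visitor acts
    categories: { essential: true, analytics: !optIn, marketing: !optIn },
  };
}

// Apply the visitor's choice and stamp the record so it can be stored as proof.
// choice is "accept_all", "reject_all", "do_not_sell" or an object such as { analytics: true };
// a category missing from that object counts as not consented (no pre-ticked boxes).
function recordChoice(state, choice, now = new Date()) {
  let cats;
  if (choice === "accept_all") {
    cats = { analytics: true, marketing: true };
  } else if (choice === "reject_all") {
    cats = { analytics: false, marketing: false };
  } else if (choice === "do_not_sell") {
    // CCPA opt-out: stop sharing with advertising networks; other settings are unchanged.
    cats = { ...state.categories, marketing: false };
  } else {
    cats = {};
    for (const c of NON_ESSENTIAL) cats[c] = choice[c] === true;
  }
  return {
    ...state,
    choice: typeof choice === "string" ? choice : "custom",
    decidedAt: now.toISOString(),
    categories: { essential: true, ...cats },
  };
}

// From the scripts declared on a page (each tagged with the category assigned during the
// cookie audit), return only those that may load in the current consent state.
function allowedScripts(state, scripts) {
  return scripts.filter((s) => s.category === "essential" || state.categories[s.category] === true);
}

// Constructed sample manifest; hosts and paths are hypothetical.
const SAMPLE_SCRIPTS = [
  { src: "/js/cart.js", category: "essential" },
  { src: "https://analytics.example/ga.js", category: "analytics" },
  { src: "https://ads.example/pixel.js", category: "marketing" },
];
```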
What we use and how we set it up
We implement cookie consent using established platforms designed for legal compliance. The specific tool depends on your site platform and your needs.
When we set up your consent tool, we:
- Configure it to block analytics and marketing scripts until consent is given
- Categorize your cookies correctly (essential vs. analytics vs. marketing)
- Match the banner styling to your brand
- Set up the geo-targeting so the GDPR banner appears for EU visitors and the CCPA opt-out is available for California visitors
- Link the banner to your privacy policy
- Add a preference center so visitors can update their choices later
The tool must match the scripts on your site
A consent tool is only effective if it is properly connected to every third-party script on your site. If you install a new plugin, embed a new video, or add a new tracking pixel after we configure your consent tool, let us know — we may need to update the configuration.
Common pitfalls
- "Dark patterns" in the banner design. Making "Accept All" bright and prominent while hiding "Reject" in small gray text is a dark pattern. EU regulators actively fine companies for this. Acceptance and rejection must be presented equally.
- Installing a consent tool but not blocking scripts. Some quick implementations just show a banner without actually preventing trackers from loading. This is not compliant. We verify that scripts are properly gated.
- Ignoring Google Analytics. Google Analytics is the most common source of cookie compliance gaps. It must be behind the consent gate for EU visitors.
- Set-and-forget. As you add new tools to your site — a live chat widget, a CRM tracker, a new ad platform — your consent configuration needs to be updated.
- Not having a privacy policy. Your cookie banner should link to a privacy policy. If you don't have one, the banner alone is not enough.
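One way to catch the "banner but no blocking" and "set-and-forget" pitfalls above is to scan a page's HTML for third-party scripts that would run before consent. This check is an added example, not the agency's tooling; it assumes a hypothetical gating convention in which a paused script has type="text/plain" and a data-consent attribute naming its category, and scripts marked essential may always run. The sample page and hostnames are constructed.

```javascript
// Added check, not the agency's tooling: list external scripts that are neither essential
// nor paused. Assumed convention: paused scripts carry type="text/plain" and data-consent="<category>".
const SCRIPT_TAG = /<script\b([^>]*)>/gi;

// Read one attribute value from a tag's attribute string (quoted values only).
function attr(attrs, name) {
  const m = attrs.match(new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, "i"));
  return m ? m[1] : null;
}

// Returns { src, category } for every external script that would execute before consent.
function ungatedScripts(html, siteHost) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const attrs = m[1];
    const src = attr(attrs, "src");
    if (!src) continue;                                   // inline scripts are out of scope here
    let host;
    try { host = new URL(src, `https://${siteHost}`).hostname; } catch { continue; }
    if (host === siteHost) continue;                      // first-party script
    const paused = (attr(attrs, "type") || "").toLowerCase() === "text/plain";
    const category = attr(attrs, "data-consent");
    if (category === "essential") continue;               // allowed to run unconditionally
    if (!paused) findings.push({ src, category });        // categorized or not, it is live
  }
  return findings;
}

// Constructed sample page: two scripts are correctly handled, two would run before consent.
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://cdn.example/cart.js" data-consent="essential"></script>
<script type="text/plain" data-consent="analytics" src="https://analytics.example/ga.js"></script>
<script src="https://ads.example/pixel.js"></script>
<script async src="https://chat.example/widget.js" data-consent="marketing"></script>
`;
```

Re-run the check after every new plugin, embed or pixel is added; a non-empty result means the consent configuration needs updating.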