Having a cookie banner on your website is a good start, but many banners — even well-intentioned ones — are technically non-compliant. Here's what GDPR actually requires, and the most common mistakes to avoid.
The five requirements for valid cookie consent
Under GDPR, consent must be:
1. Freely given: you cannot bundle consent with your terms of service or make it a condition of using the site.
2. Specific: users must be able to consent to different categories of cookies separately (analytics vs marketing, for example).
3. Informed: users must know what they're consenting to and who is processing their data.
4. Unambiguous: there must be a clear affirmative action. Pre-ticked boxes don't count.
5. Easily withdrawable: users must be able to withdraw consent as easily as they gave it, at any time.
What your banner must show
A compliant cookie banner must clearly explain why you use cookies, list the categories of cookies used, give users a genuine choice to accept or decline each category, and provide a way to change their preferences later. Critically, you cannot design your banner to nudge users towards accepting — so making "Accept all" bright and prominent while hiding "Decline" is now considered a dark pattern and has been the basis for enforcement action.
The "Decline" button problem
One of the most common compliance failures is making it harder to decline cookies than to accept them. Regulators have fined companies for designs where the decline option required multiple clicks, was visually hidden, or was absent entirely. A compliant banner must offer a "Reject all" or "Decline" option that is at least as easy to use as "Accept all".
Storing consent records
GDPR requires you to be able to demonstrate consent — meaning you should keep a record of when consent was given, what was consented to, and what version of your policy was in place. MyCookieKit logs consent events automatically so you have an audit trail if you're ever challenged by a regulator.
Scripts must not load before consent
Perhaps the most technically important requirement: tracking scripts cannot fire before the user has given consent. Simply showing a banner isn't enough if your analytics or advertising scripts are already running in the background. Your consent solution needs to block those scripts until consent is granted, and then load them immediately after.
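As an added example (not MyCookieKit's code and not part of this page), here is a minimal consent gate in JavaScript that covers the two technical points above: the audit-trail record from "Storing consent records" and the script blocking described in this section. It assumes the common convention of shipping tracking tags as `<script type="text/plain" data-consent-category="...">` so the browser parses them as inert text; the category names, the policy version string, and the script URLs are constructed for the example.

```javascript
// Added example, not MyCookieKit's code. Assumed convention: every tracking
// <script> is shipped as <script type="text/plain" data-consent-category="analytics" src="...">
// so the browser treats it as inert text; it only becomes a real script once
// the user has consented to that category.

const CATEGORIES = ['necessary', 'analytics', 'marketing']; // constructed category set
const POLICY_VERSION = '2024-05'; // assumed: bump this whenever the cookie policy changes

// Consent state plus the audit trail you must be able to produce on request.
const state = { granted: new Set(['necessary']), log: [] };

function resetState() {
  state.granted = new Set(['necessary']); // strictly necessary cookies need no consent
  state.log = [];
}

// Every consent event records when, what, and under which policy version.
function recordEvent(action, categories) {
  const entry = {
    timestamp: new Date().toISOString(),
    action,
    categories: [...categories].sort(),
    policyVersion: POLICY_VERSION,
  };
  state.log.push(entry);
  return entry;
}

// Grant consent only for the categories the user explicitly chose; nothing is
// pre-selected, and an unknown category is an error rather than silently accepted.
function grantConsent(categories) {
  const unknown = categories.filter((c) => !CATEGORIES.includes(c));
  if (unknown.length > 0) throw new Error(`unknown consent categories: ${unknown.join(', ')}`);
  categories.forEach((c) => state.granted.add(c));
  return recordEvent('grant', categories);
}

// Withdrawal is a single call, as easy as granting; 'necessary' is never withdrawn.
function withdrawConsent(categories) {
  const withdrawable = categories.filter((c) => c !== 'necessary');
  withdrawable.forEach((c) => state.granted.delete(c));
  return recordEvent('withdraw', withdrawable);
}

function isAllowed(category) {
  return state.granted.has(category);
}

// Pure decision logic: given descriptors of gated tags, return those allowed to run.
// A tag with no category stays blocked; blocking is the default, not the exception.
function selectActivatable(descriptors) {
  return descriptors.filter(
    (d) => d.type === 'text/plain' && typeof d.category === 'string' && isAllowed(d.category),
  );
}

// Browser-only: replace permitted inert tags with executable ones and return how
// many were activated. Under Node there is no document, so it is a no-op.
function activateGatedScripts() {
  if (typeof document === 'undefined') return 0;
  let activated = 0;
  document.querySelectorAll('script[type="text/plain"][data-consent-category]').forEach((el) => {
    if (!isAllowed(el.dataset.consentCategory)) return;
    const live = document.createElement('script');
    if (el.src) live.src = el.src;
    else live.textContent = el.textContent;
    el.replaceWith(live);
    activated += 1;
  });
  return activated;
}

// Constructed sample: the gated tags on a page, expressed as descriptors.
const SAMPLE_SCRIPTS = [
  { type: 'text/plain', category: 'necessary', src: '/static/session.js' },
  { type: 'text/plain', category: 'analytics', src: 'https://analytics.example/tag.js' },
  { type: 'text/plain', category: 'marketing', src: 'https://ads.example/pixel.js' },
];
```

In a page, the banner's "Accept selected" handler would call `grantConsent` with the categories the user ticked and then `activateGatedScripts()`; until that call, nothing in a gated tag executes, which is the property the section above requires. Each `grantConsent` and `withdrawConsent` call returns the log entry it wrote, so the same record can be persisted server-side as the consent evidence.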
Cookie policies and privacy policies
A cookie banner alone isn't sufficient. You also need a cookie policy (or a cookie section in your privacy policy) that lists every cookie your site uses, its purpose, and how long it persists. You must link to this from your banner.