Cookie banners: what sites must ask — and what they may never do
Strictly necessary cookies need no consent. Analytics and tracking cookies do — freely given, no pre-ticked boxes, and “Reject” must be as easy as “Accept”.
Cookie rules come from the ePrivacy Directive (2002/58, Art. 5(3)) working together with the GDPR’s consent standard. Three buckets: (1) Strictly necessary — login sessions, shopping baskets, your cookie choice itself: no consent needed. (2) Analytics — consent required in most countries, though some regulators tolerate privacy-hardened, first-party-only statistics. (3) Tracking/marketing — Facebook Pixel, Google Ads, TikTok Pixel, cross-site profiling: explicit consent, always. What a lawful banner looks like: nothing pre-ticked (CJEU Planet49, C-673/17), rejecting as easy as accepting (a first-layer “Reject all”), no consent walls that break the site, granular per-purpose choice, and withdrawal as easy as giving. “Scrolling = consent” is illegal. “Pay or okay” — consent-or-pay subscriptions — is under sustained regulatory attack: the EDPB’s 2024 opinion says large platforms usually cannot make “pay” the only alternative to tracking, and Meta’s model earned a €200 million DMA fine. Coming up: the EU’s Digital Omnibus package may move cookie rules into the GDPR and standardise one-click refusals — the consumer-facing parts are still being negotiated, so nothing has changed yet. Track it on What’s changing. Annoyed by a banner that has no reject button? Screenshot it and complain to your data protection authority — banner sweeps are a stated enforcement priority.
Verified against the sources above on 18 July 2026. Information, not legal advice.