
If your website displays a cookie banner, you might feel like your compliance boxes are checked. Unfortunately, a banner alone does not protect you. Cookie consent and privacy notice requirements have grown more specific, more enforceable, and more consequential than most website owners realize.
Regulators in the European Union and the United States have moved well past awareness campaigns. The EU data protection authorities issued over 4.2 billion euros in GDPR fines between 2018 and 2024. California’s Attorney General has opened enforcement actions under the CCPA and its amendment, the CPRA. The FTC continues to pursue companies that misrepresent their data practices.
At TOS Lawyer, we help website owners and digital businesses build privacy compliance programs that actually hold up — from cookie audits and consent manager configuration to full privacy policy drafting and opt-out implementation.
Cookie Consent and Privacy Notices: What Your Website Legally Needs in 2026
What Are Cookies and Why Do They Trigger Legal Obligations?
Cookies are small text files that a website places on a visitor’s browser. They serve a range of purposes: keeping a user logged in, remembering cart items, measuring traffic via analytics tools, and tracking behavior across sites for advertising.
The legal obligations kick in because cookies — particularly tracking and advertising cookies — collect personal data. When a website identifies a visitor’s device, location, browsing history, or purchasing behavior, that activity falls under the definition of personal data processing under GDPR and personal information collection under CCPA.
The type of cookie matters. Most laws permit strictly necessary cookies without consent. But analytics cookies, social media pixels like Meta Pixel, advertising cookies, and preference cookies generally require either prior consent or a clear opt-out mechanism, depending on the applicable law.
GDPR and Cookie Consent: What US Websites Need to Know
When GDPR Applies to Your Site
The General Data Protection Regulation (GDPR) applies based on where your users are located, not where your business is incorporated. If your website is accessible to and used by people in the EU or EEA, GDPR likely applies to you — even if your company is based in Texas or New York.
The regulation uses two triggers: you offer goods or services to EU residents, or you monitor the behavior of EU residents. Most commercial websites satisfy at least one of these conditions. If you run ads targeting EU users, accept orders shipping to EU countries, or use analytics tools that track EU visitors, you are within GDPR’s reach.
What Valid Consent Requires Under GDPR
GDPR sets a high bar for consent. Under Article 7, consent must be freely given, specific, informed, and unambiguous. In practical terms, this means:
- Cookie banners must not use pre-checked boxes — consent requires an affirmative action
- Declining cookies must be as easy as accepting them; a single “Accept All” button with no visible “Reject” option does not constitute valid consent
- Consent must be granular — users should be able to accept analytics cookies without accepting advertising cookies
- You must document consent — if a regulator asks, you need records showing when and how a user consented
France’s CNIL has also published specific technical requirements for consent managers, including that clicking outside a consent banner does not count as consent and that options must appear simultaneously — not in a sequence designed to nudge users toward acceptance.
CCPA and Cookie Tracking: California’s Requirements
“Do Not Sell or Share” and Opt-Out Mechanisms
The California Consumer Privacy Act, expanded by the CPRA effective January 2023, takes a different approach from GDPR. Rather than requiring prior consent for cookies, it requires that California residents be given the right to opt out of the sale or sharing of their personal information.
Sharing your site visitor data with ad networks — even if no money changes hands — qualifies as “sharing” under the CPRA. Your website must include:
- A “Do Not Sell or Share My Personal Information” link, displayed clearly on your homepage and any page where personal information is collected
- A Global Privacy Control (GPC) mechanism — California law now requires that websites honor the GPC signal automatically
- An updated privacy policy that describes categories of data collected, purposes for collection, and California residents’ rights
In 2023, the California AG settled with Sephora for $1.2 million over failures to honor opt-out requests and GPC signals — signaling that the GPC requirement is not optional.
What a Compliant Cookie Notice Must Include
A cookie notice — sometimes called a cookie policy or cookie disclosure — is a standalone document or section of your privacy policy that explains your site’s cookie use. A compliant notice in 2026 should address:
- What categories of cookies your site uses (strictly necessary, functional, analytics, advertising, third-party)
- The specific cookies being set, or a clear description of their function and the third parties involved (e.g., Google Analytics, Meta Pixel)
- The duration of each cookie (session cookie vs. persistent cookie with a defined expiration)
- The legal basis for each category under GDPR, where applicable
- How users can manage, withdraw, or change their cookie preferences at any time
- A link to your full privacy policy for more detail on data processing practices
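The list above is only as good as the cookie inventory behind it. The following added example (not code from the original page or from TOS Lawyer) shows one way to keep that inventory honest: parse the Set-Cookie headers observed across a page load into the facts a notice must state (who sets the cookie, session or persistent, expiry, third party or not) and diff them against the declared list. The site host "shop.example", the sample headers and the declared list are constructed for the demo.

```javascript
// Added example, not code from the original page or from TOS Lawyer: build a cookie
// inventory from Set-Cookie headers observed during a page load and diff it against the
// cookies declared in the notice. The site host "shop.example", the sample headers and
// the declared list are constructed for the demo.

const SITE_HOST = 'shop.example';

// Parse one Set-Cookie header value. `host` is the host that sent the response (the
// cookie's default domain). Returns the facts a notice has to state: who sets it and
// for how long (session vs persistent), plus the security attributes.
function parseSetCookie(header, host, observedAt = new Date()) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq >= 0 ? pair.slice(0, eq) : pair,
    domain: host.toLowerCase(), path: '/', secure: false, httpOnly: false, sameSite: null,
    persistent: false, expires: null,
  };
  let maxAgeSeen = false;
  for (const a of attrs) {
    const i = a.indexOf('=');
    const key = (i >= 0 ? a.slice(0, i) : a).toLowerCase();
    const val = i >= 0 ? a.slice(i + 1) : '';
    if (key === 'domain') cookie.domain = val.replace(/^\./, '').toLowerCase();
    else if (key === 'path') cookie.path = val;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
    else if (key === 'samesite') cookie.sameSite = val;
    else if (key === 'max-age') { // Max-Age takes precedence over Expires (RFC 6265)
      maxAgeSeen = true;
      cookie.persistent = true;
      cookie.expires = new Date(observedAt.getTime() + Number(val) * 1000).toISOString();
    } else if (key === 'expires' && !maxAgeSeen) {
      cookie.persistent = true;
      cookie.expires = new Date(val).toISOString();
    }
  }
  return cookie;
}

// A cookie is third party when its domain is neither the site host nor a parent of it.
function isThirdParty(domain) {
  return !(domain === SITE_HOST || SITE_HOST.endsWith('.' + domain));
}

// Compare observed cookies with the declared list. Flags cookies the notice does not
// mention and cookies whose declared lifetime no longer matches what is actually set.
function buildInventory(observed, declared, observedAt) {
  const seen = new Map();
  for (const { host, header } of observed) {
    const c = parseSetCookie(header, host, observedAt);
    seen.set(`${c.name}@${c.domain}`, c);
  }
  return [...seen.values()].map(c => {
    const decl = declared.find(d => d.name === c.name && d.domain === c.domain);
    return {
      name: c.name, domain: c.domain, thirdParty: isThirdParty(c.domain),
      duration: c.persistent ? `persistent until ${c.expires}` : 'session',
      category: decl ? decl.category : null,
      undeclared: !decl,
      staleLifetime: decl ? decl.persistent !== c.persistent : false,
    };
  });
}

// Constructed sample: headers seen across first- and third-party responses on one page view.
const OBSERVED_AT = new Date('2026-01-15T10:00:00Z');
const SAMPLE_OBSERVED = [
  { host: 'shop.example', header: 'sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax' },
  { host: 'shop.example', header: 'cart=42; Path=/; Max-Age=604800; SameSite=Lax' },
  { host: 'shop.example', header: '_ga=GA1.2.1; Domain=.shop.example; Expires=Sat, 15 Jan 2028 10:00:00 GMT; SameSite=None; Secure' },
  { host: 'tracker.example', header: '_fbp=fb.1.x; Max-Age=7776000; SameSite=None; Secure' },
];
// What the current cookie notice says (constructed).
const DECLARED = [
  { name: 'sessionid', domain: 'shop.example', category: 'necessary', persistent: false },
  { name: 'cart', domain: 'shop.example', category: 'functional', persistent: false },
  { name: '_ga', domain: 'shop.example', category: 'analytics', persistent: true },
];

function inventoryReport() {
  return buildInventory(SAMPLE_OBSERVED, DECLARED, OBSERVED_AT);
}
function undeclaredCookies() {
  return inventoryReport().filter(r => r.undeclared).map(r => r.name);
}
function staleDisclosures() {
  return inventoryReport().filter(r => r.staleLifetime).map(r => r.name);
}
```

On the constructed sample the report flags `_fbp` as a third-party cookie the notice never mentions and `cart` as a cookie declared as session-only that is in fact persistent for seven days; both are exactly the "outdated cookie list" gaps that make a notice inaccurate. Re-running this against a fresh crawl whenever a tag or plugin is added keeps the notice in step with what the site actually sets.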
Privacy Notices vs. Privacy Policies: The Difference That Matters
These two terms are often used interchangeably, but they serve distinct legal functions.
A privacy policy is a comprehensive document describing all your data processing activities: what personal data you collect, how you collect it, why, who you share it with, how long you keep it, and what rights individuals have. The FTC has used its Section 5 authority to pursue companies whose actual data practices did not match their published privacy policies, treating the mismatch as a deceptive trade practice.
A privacy notice, by contrast, is a shorter, context-specific disclosure given at the point of data collection. When a visitor lands on your site, the cookie banner with a brief summary of what you collect and why is functioning as a privacy notice. GDPR specifically requires privacy notices at the time of data collection under Articles 13 and 14.
You need both. Many websites publish a thorough privacy policy but deliver no meaningful notice at the moment of collection — creating a compliance gap even when the policy itself is well-drafted. A technology lawyer familiar with privacy law can help you identify and close these gaps.
Common Cookie Consent Mistakes That Create Legal Risk
- Pre-checked boxes and implied consent — if your banner defaults to analytics and advertising cookies already enabled, you have not collected valid GDPR consent
- Making it harder to decline than to accept — dark patterns of this kind have drawn enforcement actions in France, Germany, and Belgium
- No mechanism to withdraw consent — GDPR Article 7(3) requires users to be able to withdraw consent as easily as they gave it
- Ignoring the Global Privacy Control signal — if your site uses ad tracking but does not honor the GPC signal, you are violating California law for every GPC-enabled visitor
- Outdated cookie lists — adding new third-party tools without updating your disclosures means uncovered cookies collecting data without proper consent
- Using a generic privacy policy template — a template not reviewed for your actual data practices can create documented misrepresentations
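The consent rules under GDPR above (no pre-checked boxes, granular categories, documented consent, withdrawal as easy as giving it), the CCPA requirement to honor the Global Privacy Control signal, and the mistakes just listed all reduce to a small amount of state that a consent manager has to get right. The following added example (not code from the original page or from TOS Lawyer) is a framework-free model of that state; the category names, the `policyVersion` string, the sample tag list and the banner configuration fields are constructed assumptions for the demo, and the DOM wiring and storage are left to the site. The two GPC sources it reads, `navigator.globalPrivacyControl` in the browser and the `Sec-GPC: 1` request header on the server, are the real signal carriers.

```javascript
// Added example, not code from the original page or from TOS Lawyer: a framework-free
// consent-state model that encodes the rules discussed above. Category names, the
// "policyVersion" string, the tag list and the banner config fields are constructed
// assumptions for this demo; in a real site the DOM wiring and storage are yours.

const CATEGORIES = ['necessary', 'analytics', 'advertising', 'preferences'];

// Default state: only strictly necessary cookies are on. Nothing is pre-checked.
function defaultConsent() {
  return { necessary: true, analytics: false, advertising: false, preferences: false };
}

// Read the Global Privacy Control signal. Browsers expose it as
// navigator.globalPrivacyControl; on the server it arrives as the request header
// "Sec-GPC: 1". Both sources are passed in so this runs outside a browser too.
function gpcEnabled({ navigator = {}, headers = {} } = {}) {
  if (navigator.globalPrivacyControl === true) return true;
  const key = Object.keys(headers).find(k => k.toLowerCase() === 'sec-gpc');
  return key !== undefined && String(headers[key]).trim() === '1';
}

// Turn an explicit user choice into a consent record. The record keeps what was
// chosen, when, how, and which notice version was shown, so consent can be evidenced.
function recordConsent(choice, { method, policyVersion, now = new Date(), gpc = false }) {
  const categories = defaultConsent();
  for (const c of CATEGORIES) {
    if (c !== 'necessary') categories[c] = choice[c] === true; // only an affirmative true counts
  }
  if (gpc) categories.advertising = false; // GPC is an opt-out of sale/share; it overrides an opt-in
  return { categories, method, policyVersion, gpc, timestamp: now.toISOString(), withdrawn: null };
}

// Withdrawal is one call, as easy as giving consent, and the original record is kept.
function withdrawConsent(record, now = new Date()) {
  return { ...record, categories: defaultConsent(), withdrawn: now.toISOString() };
}

// Gate third-party tags on consent. Tags are { src, category }; a tag whose category
// is not consented is never inserted, so it cannot set a cookie by default.
function scriptsAllowed(record, tags) {
  return tags.filter(t => record.categories[t.category] === true).map(t => t.src);
}

// Check a banner configuration against the mistakes listed above before it ships.
function auditBannerConfig(cfg) {
  const issues = [];
  for (const c of CATEGORIES) {
    if (c !== 'necessary' && cfg.defaults?.[c] === true) issues.push(`pre-checked: ${c}`);
  }
  if (!cfg.rejectButtonVisible) issues.push('no reject option shown next to accept');
  if (!cfg.granularChoices) issues.push('no per-category choice');
  if (!cfg.withdrawLink) issues.push('no way to withdraw consent');
  if (!cfg.honorsGpc) issues.push('GPC signal ignored');
  if (cfg.outsideClickIsConsent) issues.push('click outside the banner treated as consent');
  return issues;
}

// Constructed sample tags (hosts are placeholders).
const SAMPLE_TAGS = [
  { src: 'https://analytics.example/a.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'advertising' },
  { src: 'https://shop.example/session.js', category: 'necessary' },
];

// Walk through one visit: a GPC-enabled browser clicks "accept analytics and ads",
// then later withdraws consent.
function demo() {
  const gpc = gpcEnabled({ headers: { 'Sec-GPC': '1' } });
  const rec = recordConsent({ analytics: true, advertising: true }, {
    method: 'banner-click', policyVersion: '2026-01', gpc,
    now: new Date('2026-01-15T10:00:00Z'),
  });
  const later = withdrawConsent(rec, new Date('2026-02-01T08:00:00Z'));
  return { rec, loaded: scriptsAllowed(rec, SAMPLE_TAGS), afterWithdraw: scriptsAllowed(later, SAMPLE_TAGS) };
}
```

The design choice worth noting is that consent is stored as a record rather than a boolean: the timestamp, method and notice version are what you produce when a regulator asks how a user consented, and withdrawal creates a new state instead of deleting the evidence. The GPC override also shows why honoring the signal has to sit in the same code path as the banner: a user who clicks "Accept All" in a GPC-enabled browser is still opted out of sale/share for advertising, so the advertising pixel must not load.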
Frequently Asked Questions
Does my small business website really need a cookie consent banner?
If your site collects any data from EU visitors, yes. GDPR applies based on where your visitors are, not the size of your business. For US-only visitors, the requirement depends on whether you meet CCPA thresholds, but best practice is to implement a consent mechanism regardless. The cost of a proper banner is far lower than the cost of an enforcement action.
Is a free cookie consent plugin enough?
A plugin provides the technical framework, but it does not make your site compliant by itself. You still need to configure it correctly, map all the cookies your site actually sets, assign accurate legal bases, and connect it to your privacy policy. Many free plugins are set up incorrectly by default, with all cookie categories enabled rather than disabled until consent is given.
What happens if I ignore cookie consent requirements?
Under GDPR, fines can reach 20 million euros or 4 percent of global annual revenue, whichever is higher. Under CCPA, the California AG can seek civil penalties of up to $2,500 per unintentional violation and $7,500 per intentional violation. Beyond fines, you face reputational damage and the cost of remediation under a regulatory deadline.
Do I need separate consent for each type of cookie?
Under GDPR, yes. Consent must be granular — users should be able to accept or decline different categories of cookies independently. A single Accept All/Decline All binary still satisfies GDPR minimum requirements, but granular controls are increasingly expected by regulators and recommended by the European Data Protection Board.
Cookie compliance is not a one-time setup. It requires accurate documentation, a jurisdiction-appropriate consent mechanism, and a privacy policy that reflects your actual data practices. Contact TOS Lawyer today to schedule a consultation and get your website’s cookie consent and privacy notices done right.
