Introduction
The cookie banner is one of the most heavily scrutinised compliance surfaces under the GDPR. It is also one of the most frequently flagged by European Data Protection Authorities — partly because it is highly visible, partly because the rules are now well established, and partly because most banners are still designed for conversion rather than compliance.
This article walks through the nine most common banner mistakes that European regulators have actively penalised, the precedents that established the bright lines, and the specific design changes that bring a non-compliant banner back inside the law.
Why Banner Design Matters for GDPR
Under Article 4(11) of the GDPR, valid consent must be freely given, specific, informed and unambiguous. The ePrivacy Directive's Article 5(3) adds that storage of, or access to, information on a user's device requires that consent before the access happens — not after. Those two rules, applied together, are why the consent banner exists and why its design is treated as a substantive compliance question rather than a UX preference.
In 2022, the European Data Protection Board issued Guidelines 03/2022 on deceptive design patterns in consent interfaces, codifying what regulators consider unacceptable. National DPAs have used that framework ever since. The result is a clearer rulebook than most teams realise — and a longer list of common mistakes than most banners account for.
Mistake 1: Pre-Ticked Consent Boxes
Pre-ticked checkboxes for non-essential cookie categories are explicitly invalid under both the GDPR and the Court of Justice of the European Union's 2019 Planet49 ruling. Consent must be the result of an active, affirmative action by the user. A checkbox the user has to untick is, legally, not consent at all.
This applies even when the category labels are accurate and the description is honest. The mechanism itself — opt-out rather than opt-in — is the violation.
Mistake 2: No Reject-All Button
A consent banner that offers 'Accept All' but no equivalent 'Reject All' on the same surface is the single most common pattern flagged by regulators in 2022 and 2023. CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically because their banners required additional clicks to refuse cookies than to accept them.
The principle: refusing should be as easy as accepting. Hiding the reject option behind 'Manage preferences' — and requiring two or three additional clicks — does not meet that standard.
Mistake 3: Asymmetric Accept and Reject Paths
A more subtle variant of the missing reject button: the two paths exist but they are not equivalent. Accept resolves in one click; reject opens a settings panel that requires the user to toggle every category off manually, then click Save, then close the dialog.
Regulators count clicks. The EDPB's view, repeatedly upheld in DPA decisions, is that any meaningful asymmetry in friction between Accept and Reject is a deceptive design pattern. The fix is to give both options equal weight on the same screen.
Mistake 4: Trackers Firing Before Consent
The banner itself can be perfectly designed — and the site can still be non-compliant if the tracking scripts load before the user makes a choice. ePrivacy Article 5(3) requires consent before storage or access on the user's device. A Google Tag Manager container that fires on page load, or an analytics script in the document head, sets cookies before any consent banner has even rendered.
Mistake 5: Implied Consent from Continued Browsing
Banners that say 'By continuing to browse this site, you accept cookies' or that treat scrolling, clicking a link, or closing the banner as consent are not valid under GDPR. Continued use of a website is not an unambiguous affirmative action.
The CJEU was explicit on this in Planet49: consent requires an action that demonstrates the user actively chose to consent — not the absence of an action, and not an action with a different purpose.
Mistake 6: Cookie Walls That Force Acceptance
A cookie wall blocks all site content until the user accepts cookies. The EDPB's Guidelines 05/2020 on Consent took a clear position: cookie walls violate the 'freely given' requirement because access to a service cannot be conditional on consent to processing that is not necessary for that service.
A narrow exception exists for genuine 'pay or consent' models on certain publisher sites, but the bar is high and recent EDPB opinions have narrowed it further. Most cookie walls deployed today would not meet the test.
Mistake 7: Treating Analytics as Strictly Necessary
Some banners hide analytics cookies under the 'Strictly necessary' category to avoid the consent requirement. The reasoning is usually that the analytics inform the business about how the website is used. The legal reality is different: 'strictly necessary' means strictly necessary for the service the user actively requested — not strictly necessary for the business operating it.
Standard implementations of Google Analytics, Hotjar, Mixpanel and similar tools are not strictly necessary under that definition and require consent. A narrow exception exists for first-party, anonymous analytics that do not track users across sessions and do not transfer data outside the EEA — but most commercial analytics deployments fall outside this exception.
Mistake 8: Withdrawing Consent Is Harder Than Giving It
Article 7(3) of the GDPR is unambiguous: withdrawing consent must be as easy as giving it. In practice, this is rarely true. A user who accepted cookies with one click and now wants to revoke that consent often has to find a buried 'Cookie settings' link in the footer, open a modal that loads slowly, untick every category, save, and confirm.
The fix is to expose a persistent, low-friction way to revisit consent — typically a small 'Cookie settings' or shield icon that opens the same banner the user originally saw, with their current preferences pre-loaded. The withdrawal flow should take the same number of clicks as the original acceptance.
Mistake 9: Dark Patterns in Visual Design
Even when the buttons and the copy are correct, visual design can still nudge users toward consent in ways that regulators consider deceptive. The EDPB calls these out specifically:
- Bright, high-contrast Accept button against a muted, low-contrast Reject button.
- Confusing wording such as 'No, I want a worse experience' on the reject option.
- Reject button placed below the fold, requiring a scroll to find.
- Accept button labelled simply 'OK' while the reject option requires reading a paragraph.
- Friction added through animations, loading states, or unnecessary confirmation dialogs on reject — but not on accept.
The principle underlying every example: the user's choice should not be influenced by how the options are presented. Visual parity is part of valid consent.
What Regulators Actually Look For
When a Data Protection Authority audits a cookie banner, the inspection follows a predictable pattern based on EDPB Guidelines 03/2022 and 05/2020. The questions they ask:
- 1Does the banner appear before any non-essential cookies are set or any non-essential trackers are loaded?
- 2Is there a clear Reject option on the first surface, with equal prominence to Accept?
- 3Is the number of clicks to reject equal to the number of clicks to accept?
- 4Are categories granular — at minimum analytics, advertising, functional, and essential treated separately?
- 5Are pre-ticked boxes absent from every non-essential category?
- 6Is consent withdrawn as easily as it is given, via a persistent settings entry point?
- 7Does the cookie declaration name every cookie, its purpose, its duration, and the third party that sets it?
- 8Is consent state respected across pages, subdomains and the entire session?
A banner that passes all eight is rarely flagged. A banner that fails two or more is at material risk.
Recent Enforcement Actions
Three reference cases shape current enforcement thinking and are routinely cited in DPA decisions:
| Authority | Date | Subject | Penalty | Violation |
|---|---|---|---|---|
| CNIL (France) | Jan 2022 | €150 million | Reject required more clicks than accept | |
| CNIL (France) | Jan 2022 | Facebook (Meta) | €60 million | Same banner asymmetry pattern |
| CNIL (France) | Dec 2022 | Microsoft (Bing) | €60 million | No reject button on first banner surface |
| Garante (Italy) | Jun 2022 | Caffeina Media | €60,000 | Pre-ticked boxes and cookies set before consent |
| Datatilsynet (DK) | Mar 2023 | Schibsted (Aftenposten) | €875,000 advisory fine | Withdrawal not as easy as consent |
Most fines hinged on a single design choice. The amounts vary with company size, but the pattern is consistent: regulators treat banner asymmetry as a serious GDPR violation, not a technicality.
How to Audit and Fix Your Banner
Most banners can be brought into compliance with a focused half-day of work — assuming the underlying consent management infrastructure supports it. The fixes, in order of impact:
- Add a Reject All button to the first banner surface, with the same visual weight as Accept All.
- Verify the click count: accepting and rejecting should require the same number of clicks.
- Audit your tag manager and script loading order to ensure nothing fires before a consent decision.
- Remove any 'continued browsing equals consent' language from the banner copy.
- Move analytics out of the 'Strictly necessary' category if it is currently there.
- Add a persistent 'Cookie settings' entry point (footer link, floating icon, or sticky badge) that opens the same banner with current preferences.
- Test the withdrawal flow yourself — count the clicks against the consent flow.
- Audit the visual contrast of Accept versus Reject buttons; if they look different, make them match.
How ArgusEdge Helps
ArgusEdge scans your website the way a regulator would. For cookie banners specifically, the scan inspects:
- Whether the banner appears before any non-essential script execution.
- Whether non-essential cookies are set in the pre-consent state.
- The presence and prominence of an Accept All and Reject All option on the first surface.
- The granularity of categories offered.
- Whether consent is correctly persisted and respected across the session.
- Specific dark-pattern signals in the banner's structure.
Each finding is mapped to the specific GDPR or ePrivacy article it relates to, with a short remediation guidance for the engineering team. ArgusEdge does not block scripts or display banners itself — that is the role of a Consent Management Platform. ArgusEdge identifies where your banner is non-compliant so you can fix it, in your CMP or in custom code.
Final Thoughts
Cookie banner compliance is rarely a question of intent. Most teams shipping non-compliant banners are not trying to evade the law — they are using the banner their CMP shipped, or the one their developer added two years ago, or the one that maximised acceptance rates in an A/B test. The pattern is unintentional, then forgotten, then fined.
The good news is that the rules are now clear, the precedents are public, and the technical fixes are well understood. A clean banner — equal weight, equal clicks, no pre-ticked boxes, no pre-consent firing — is straightforward to ship once the team has agreed it matters. The harder part is noticing what your banner actually does today.
Run a free scan, see what comes back, and decide for yourself whether the gap is worth closing.
See where your website actually stands.
Run a free ArgusEdge scan to see how your consent flows, trackers and privacy policy measure up against the requirements covered in this article.