Cookie Consent

    Cookie Banner Mistakes That Can Violate GDPR

    The cookie banner is one of the most heavily scrutinised compliance surfaces under the GDPR — and one of the most frequently flagged by regulators. Here are the patterns that get fined, the rulings that established the precedent, and the specific changes that bring a banner back inside the law.

    May 19, 2026 9 min read· Last updated: May 19, 2026
    Cookie Consent

    Introduction

    The cookie banner is one of the most heavily scrutinised compliance surfaces under the GDPR. It is also one of the most frequently flagged by European Data Protection Authorities — partly because it is highly visible, partly because the rules are now well established, and partly because most banners are still designed for conversion rather than compliance.

    This article walks through the nine most common banner mistakes that European regulators have actively penalised, the precedents that established the bright lines, and the specific design changes that bring a non-compliant banner back inside the law.

    Why Banner Design Matters for GDPR

    Under Article 4(11) of the GDPR, valid consent must be freely given, specific, informed and unambiguous. The ePrivacy Directive's Article 5(3) adds that storage of, or access to, information on a user's device requires that consent before the access happens — not after. Those two rules, applied together, are why the consent banner exists and why its design is treated as a substantive compliance question rather than a UX preference.

    In 2022, the European Data Protection Board issued Guidelines 03/2022 on deceptive design patterns in consent interfaces, codifying what regulators consider unacceptable. National DPAs have used that framework ever since. The result is a clearer rulebook than most teams realise — and a longer list of common mistakes than most banners account for.

    Mistake 1: Pre-Ticked Consent Boxes

    Pre-ticked checkboxes for non-essential cookie categories are explicitly invalid under both the GDPR and the Court of Justice of the European Union's 2019 Planet49 ruling. Consent must be the result of an active, affirmative action by the user. A checkbox the user has to untick is, legally, not consent at all.

    This applies even when the category labels are accurate and the description is honest. The mechanism itself — opt-out rather than opt-in — is the violation.

    Mistake 2: No Reject-All Button

    A consent banner that offers 'Accept All' but no equivalent 'Reject All' on the same surface is the single most common pattern flagged by regulators in 2022 and 2023. CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically because their banners required additional clicks to refuse cookies than to accept them.

    The principle: refusing should be as easy as accepting. Hiding the reject option behind 'Manage preferences' — and requiring two or three additional clicks — does not meet that standard.

    Mistake 3: Asymmetric Accept and Reject Paths

    A more subtle variant of the missing reject button: the two paths exist but they are not equivalent. Accept resolves in one click; reject opens a settings panel that requires the user to toggle every category off manually, then click Save, then close the dialog.

    Regulators count clicks. The EDPB's view, repeatedly upheld in DPA decisions, is that any meaningful asymmetry in friction between Accept and Reject is a deceptive design pattern. The fix is to give both options equal weight on the same screen.

    The banner itself can be perfectly designed — and the site can still be non-compliant if the tracking scripts load before the user makes a choice. ePrivacy Article 5(3) requires consent before storage or access on the user's device. A Google Tag Manager container that fires on page load, or an analytics script in the document head, sets cookies before any consent banner has even rendered.

    Banners that say 'By continuing to browse this site, you accept cookies' or that treat scrolling, clicking a link, or closing the banner as consent are not valid under GDPR. Continued use of a website is not an unambiguous affirmative action.

    The CJEU was explicit on this in Planet49: consent requires an action that demonstrates the user actively chose to consent — not the absence of an action, and not an action with a different purpose.

    A cookie wall blocks all site content until the user accepts cookies. The EDPB's Guidelines 05/2020 on Consent took a clear position: cookie walls violate the 'freely given' requirement because access to a service cannot be conditional on consent to processing that is not necessary for that service.

    A narrow exception exists for genuine 'pay or consent' models on certain publisher sites, but the bar is high and recent EDPB opinions have narrowed it further. Most cookie walls deployed today would not meet the test.

    Mistake 7: Treating Analytics as Strictly Necessary

    Some banners hide analytics cookies under the 'Strictly necessary' category to avoid the consent requirement. The reasoning is usually that the analytics inform the business about how the website is used. The legal reality is different: 'strictly necessary' means strictly necessary for the service the user actively requested — not strictly necessary for the business operating it.

    Standard implementations of Google Analytics, Hotjar, Mixpanel and similar tools are not strictly necessary under that definition and require consent. A narrow exception exists for first-party, anonymous analytics that do not track users across sessions and do not transfer data outside the EEA — but most commercial analytics deployments fall outside this exception.

    Mistake 8: Withdrawing Consent Is Harder Than Giving It

    Article 7(3) of the GDPR is unambiguous: withdrawing consent must be as easy as giving it. In practice, this is rarely true. A user who accepted cookies with one click and now wants to revoke that consent often has to find a buried 'Cookie settings' link in the footer, open a modal that loads slowly, untick every category, save, and confirm.

    The fix is to expose a persistent, low-friction way to revisit consent — typically a small 'Cookie settings' or shield icon that opens the same banner the user originally saw, with their current preferences pre-loaded. The withdrawal flow should take the same number of clicks as the original acceptance.

    Mistake 9: Dark Patterns in Visual Design

    Even when the buttons and the copy are correct, visual design can still nudge users toward consent in ways that regulators consider deceptive. The EDPB calls these out specifically:

    • Bright, high-contrast Accept button against a muted, low-contrast Reject button.
    • Confusing wording such as 'No, I want a worse experience' on the reject option.
    • Reject button placed below the fold, requiring a scroll to find.
    • Accept button labelled simply 'OK' while the reject option requires reading a paragraph.
    • Friction added through animations, loading states, or unnecessary confirmation dialogs on reject — but not on accept.

    The principle underlying every example: the user's choice should not be influenced by how the options are presented. Visual parity is part of valid consent.

    What Regulators Actually Look For

    When a Data Protection Authority audits a cookie banner, the inspection follows a predictable pattern based on EDPB Guidelines 03/2022 and 05/2020. The questions they ask:

    1. 1Does the banner appear before any non-essential cookies are set or any non-essential trackers are loaded?
    2. 2Is there a clear Reject option on the first surface, with equal prominence to Accept?
    3. 3Is the number of clicks to reject equal to the number of clicks to accept?
    4. 4Are categories granular — at minimum analytics, advertising, functional, and essential treated separately?
    5. 5Are pre-ticked boxes absent from every non-essential category?
    6. 6Is consent withdrawn as easily as it is given, via a persistent settings entry point?
    7. 7Does the cookie declaration name every cookie, its purpose, its duration, and the third party that sets it?
    8. 8Is consent state respected across pages, subdomains and the entire session?

    A banner that passes all eight is rarely flagged. A banner that fails two or more is at material risk.

    Recent Enforcement Actions

    Three reference cases shape current enforcement thinking and are routinely cited in DPA decisions:

    AuthorityDateSubjectPenaltyViolation
    CNIL (France)Jan 2022Google€150 millionReject required more clicks than accept
    CNIL (France)Jan 2022Facebook (Meta)€60 millionSame banner asymmetry pattern
    CNIL (France)Dec 2022Microsoft (Bing)€60 millionNo reject button on first banner surface
    Garante (Italy)Jun 2022Caffeina Media€60,000Pre-ticked boxes and cookies set before consent
    Datatilsynet (DK)Mar 2023Schibsted (Aftenposten)€875,000 advisory fineWithdrawal not as easy as consent

    Most fines hinged on a single design choice. The amounts vary with company size, but the pattern is consistent: regulators treat banner asymmetry as a serious GDPR violation, not a technicality.

    How to Audit and Fix Your Banner

    Most banners can be brought into compliance with a focused half-day of work — assuming the underlying consent management infrastructure supports it. The fixes, in order of impact:

    • Add a Reject All button to the first banner surface, with the same visual weight as Accept All.
    • Verify the click count: accepting and rejecting should require the same number of clicks.
    • Audit your tag manager and script loading order to ensure nothing fires before a consent decision.
    • Remove any 'continued browsing equals consent' language from the banner copy.
    • Move analytics out of the 'Strictly necessary' category if it is currently there.
    • Add a persistent 'Cookie settings' entry point (footer link, floating icon, or sticky badge) that opens the same banner with current preferences.
    • Test the withdrawal flow yourself — count the clicks against the consent flow.
    • Audit the visual contrast of Accept versus Reject buttons; if they look different, make them match.

    How ArgusEdge Helps

    ArgusEdge scans your website the way a regulator would. For cookie banners specifically, the scan inspects:

    • Whether the banner appears before any non-essential script execution.
    • Whether non-essential cookies are set in the pre-consent state.
    • The presence and prominence of an Accept All and Reject All option on the first surface.
    • The granularity of categories offered.
    • Whether consent is correctly persisted and respected across the session.
    • Specific dark-pattern signals in the banner's structure.

    Each finding is mapped to the specific GDPR or ePrivacy article it relates to, with a short remediation guidance for the engineering team. ArgusEdge does not block scripts or display banners itself — that is the role of a Consent Management Platform. ArgusEdge identifies where your banner is non-compliant so you can fix it, in your CMP or in custom code.

    Final Thoughts

    Cookie banner compliance is rarely a question of intent. Most teams shipping non-compliant banners are not trying to evade the law — they are using the banner their CMP shipped, or the one their developer added two years ago, or the one that maximised acceptance rates in an A/B test. The pattern is unintentional, then forgotten, then fined.

    The good news is that the rules are now clear, the precedents are public, and the technical fixes are well understood. A clean banner — equal weight, equal clicks, no pre-ticked boxes, no pre-consent firing — is straightforward to ship once the team has agreed it matters. The harder part is noticing what your banner actually does today.

    Run a free scan, see what comes back, and decide for yourself whether the gap is worth closing.

    Take action

    See where your website actually stands.

    Run a free ArgusEdge scan to see how your consent flows, trackers and privacy policy measure up against the requirements covered in this article.