Most cookie banners are designed to manipulate, not inform. Here's what the law actually requires, what regulators are doing about it, and how to fix yours.
You know the drill. You land on a website and a banner slides into view. There's a big, bright, beautiful "Accept All" button. Next to it, in grey text roughly the size of a flea's signature, is the word "Manage Preferences." Click that and you'll find yourself in a labyrinth of toggles, categories, and legalese that makes the Terms of Service for a mortgage look breezy. So you do what 90% of people do. You click "Accept All" and get on with your life.
Congratulations. You just consented to having your browsing data hoovered up by anywhere between 50 and 800 third-party advertising companies. Did you know that's what you were agreeing to? Of course you didn't. That was the point.
This is cookie consent theatre. It's the performance of choice without the substance of it. And it's everywhere. According to a large-scale analysis of over 254,000 European websites, only 15% meet the minimum requirements for GDPR compliance. Not 15% are exemplary. 15% clear the bar at all. The rest are, to varying degrees, making it up.
Regulators have finally stopped writing strongly worded letters and started writing very expensive fines, so if your website is still running one of these manipulative consent flows in 2026, you're now gambling with real money.
The Cookie Wall. "Accept cookies or leave the site." That's coercion. GDPR requires consent to be freely given, and regulators have been clear that conditioning access to a service on accepting non-essential cookies fails that test. You can still show ads to people who decline tracking. You just can't personalise them. The business model survives but the manipulation doesn't need to.
These were once edge cases but now they're the norm, and the fact that they're so widespread (and so easy to audit) is precisely why regulators are finally treating cookie compliance as an enforcement priority.
For years, cookie consent was a bit of GDPR that nobody took seriously. Regulators issued guidance. Companies ignored it. Everyone moved on. That era is comprehensively over.
In September 2025, France's CNIL fined SHEIN a record-breaking €150 million specifically for cookie consent violations. The same month, Google received a €325 million fine for displaying promotional ads in Gmail without prior consent and for using consent designs that steered users towards personalised advertising. Because Google had been warned about similar issues before, the regulator imposed a heavier penalty. Google can afford it after all. Still, it changed behaviour.
Across the Channel, the UK's Information Commissioner's Office launched a systematic review of the country's top 1,000 websites in January 2025. The initial sweep of the top 200 found that 134 of them, roughly two-thirds, were non-compliant with UK data protection law. Warning letters went out. Deadlines were set. And by December 2025, the ICO reported that more than 95% of those top 1,000 sites now meet its cookie compliance standards. Proof, if you needed it, that enforcement works when regulators actually do it.
The ICO isn't stopping at websites either. It's expanding its review to apps and connected TVs, and the Data Use and Access Act 2025 has aligned the maximum fines under the Privacy and Electronic Communications Regulations with those under UK GDPR: up to £17.5 million or 4% of global turnover, whichever is higher. That's a substantial increase from the previous PECR ceiling of £500,000.
Meanwhile, the Dutch DPA warned 50 organisations in April 2025 and announced plans to warn 500 per year, monitoring approximately 10,000 Dutch websites annually. NOYB has built an automated mass-scanning system that can detect non-compliant cookie banners at scale and generate formal complaints, with a target of 10,000 websites across Europe. They've already filed hundreds of complaints with data protection authorities across 18 EU member states, and their work has had a notable spill-over effect, with many websites voluntarily improving their banners simply because enforcement was visibly happening to others.
The cumulative total of GDPR fines has now surpassed €5.88 billion since the regulation took effect. €1.2 billion of that was issued in 2024 alone. The trajectory is clear, and cookie consent is squarely in the crosshairs.
A word for anyone working in CRO, analytics, or digital marketing.
There's a widespread assumption that a high cookie consent rate is a good thing. More consent means more data means better targeting means more revenue. Easy, right? The problem is that a consent rate inflated by dark patterns isn't consent. It's a number that was built on manipulation and it creates at least three serious problems.
First, the legal risk. If your consent rate is 95% because your banner makes it nearly impossible to say no, you don't actually have 95% consent. You have 0% valid consent. Every cookie set on the basis of that manipulated "agreement" is potentially unlawful. Every data point derived from it is tainted. If a regulator audits your consent flow and finds dark patterns, the fine applies to everything downstream.
Second, the data quality problem. Studies consistently show that when consent banners give users a genuinely equal choice, acceptance rates drop significantly. In Germany, the average consent rate with an equally visible reject button sits at around 40%. In France, fewer than 25% of users accept cookies. These numbers look worse on a dashboard, but they represent real, informed decisions by real people. Data collected from users who actually chose to share it is categorically more valuable than data extracted through manipulation. The people who genuinely opt in are more engaged, more receptive to personalisation, and more likely to convert. The ones you tricked into accepting? They don't even know what they agreed to.
Third, the trust deficit. Research from Usercentrics and Sapio found widespread distrust of how companies handle data online, and deceptive consent flows are a significant contributor to that distrust. Every time someone realises they were manipulated into "agreeing" to something, their relationship with that brand takes a hit. In an era where privacy awareness is rising year on year, this is a terrible long-term strategy.
The smartest operators in digital marketing are already adapting. They're building first-party data strategies that don't depend on tricking people into consent. They're using privacy-preserving measurement tools. They're recognising that the future belongs to organisations that earn trust rather than extract it.
Let's strip away the legalese and state this clearly, because the requirements aren't actually complicated. Companies make them complicated because complexity serves manipulation.
Consent must be opt-in, not opt-out. Nothing pre-ticked. Nothing pre-selected. The user starts with a blank slate and actively chooses what to allow. This is non-negotiable under GDPR, UK GDPR, and an increasing number of privacy frameworks worldwide.
Rejecting must be as easy as accepting. If "Accept All" is one click, "Reject All" must be one click too. Same prominence, same visual weight, same number of interactions. The ICO, CNIL, and EDPB have all been explicit on this point.
Users must understand what they're agreeing to. Technical jargon doesn't count. "Enabling enhanced digital experiences through our partner ecosystem" is not informed consent. Tell people, in plain language, what each category of cookie does, who sets it, and what happens to their data. If you can't explain it simply, that's a sign that what you're doing probably shouldn't require user consent because it shouldn't be happening.
Withdrawal must be as easy as giving consent. If someone accepted cookies on their first visit and later changes their mind, they need to be able to do that without hunting through buried settings pages. A persistent, accessible link in your footer. That's it.
No bundling, no coercion. You can't condition access to your site on accepting non-essential cookies. I'm looking at you, news publishers. You can't bundle consent for analytics with consent for advertising. Each category must be independently selectable.
You must keep records. GDPR requires maintaining consent records for at least five years, including when consent was given, what information was provided, and what the user agreed to. This is your evidence if a regulator comes knocking. The absence of evidence will work against you.
Compliance doesn't have to mean a terrible user experience. In fact, the best consent flows are the simplest ones. Here's what good looks like.
Three equal options on the first layer. Accept All. Reject All. Customise. Same button style, same colour, same size. No visual tricks. No hierarchy manipulation. Just three honest options. The data from etracker's 2025 Consent Benchmark shows that compliant banners with equally visible buttons still achieve consent rates around 40-54% (in Germany). That's lower than a manipulative banner would get, but it represents real consent from people who actually made a choice.
A proper preference centre behind "Customise." Categories clearly labelled: Strictly Necessary, Analytics, Marketing, Personalisation. Each with a plain-language description of what it does. Individual toggles. Nothing pre-selected. A prominent save button.
A persistent footer link. "Cookie Settings" or "Privacy Preferences," visible on every page, allowing users to change their mind at any time.
Server-side enforcement. This is the bit most organisations get wrong. Your consent management platform says one thing, but your tag manager fires everything regardless. Consent must actually control what loads. If a user rejects analytics cookies, no analytics scripts should fire. Period. Research found that 43% of websites still set tracking cookies even after users click reject. That's a technical implementation failure, and it's exactly the kind of thing regulators are now looking for.
Regular audits. New marketing tools, new integrations, new tracking scripts. They creep in. Run automated scans regularly. Check that your disclosed cookies match what's actually loading. Update your descriptions when things change.
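The record-keeping, enforcement and audit points above, as an added JavaScript example that is not the article's own code: a consent record with nothing pre-selected, a gate that only releases scripts whose category was granted, and an audit that flags cookies present without consent. The script URLs, cookie names and category registries are constructed for illustration.

```javascript
// Added example, not from the article: a minimal consent gate plus audit.
// Nothing outside "necessary" loads until the stored record grants it,
// and the audit flags cookies present that the record does not cover.
const CATEGORIES = ["necessary", "analytics", "marketing", "personalisation"];

// Constructed registries: which category each script and cookie belongs to.
const TAG_REGISTRY = {
  "/js/session.js": "necessary",
  "https://analytics.example/collect.js": "analytics",
  "https://ads.example/pixel.js": "marketing",
  "https://recs.example/personalise.js": "personalisation",
};
const COOKIE_REGISTRY = {
  sessionid: "necessary",
  _ga: "analytics",
  _fbp: "marketing",
  recs_profile: "personalisation",
};

// Build the consent record. Categories not explicitly set to true default
// to false (opt-in, nothing pre-ticked). noticeVersion records which banner
// text the user saw, and the timestamp records when: the evidence to keep.
function buildConsentRecord(choices, noticeVersion, now = new Date()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : choices[c] === true;
  }
  return { granted, noticeVersion, timestamp: now.toISOString() };
}

// Which scripts may load (in a browser, feed these to the <script> injector).
// With no record yet (banner unanswered) only "necessary" scripts are
// released, so "no answer" never means "accept".
function allowedTags(record, registry = TAG_REGISTRY) {
  const granted = record ? record.granted : { necessary: true };
  return Object.keys(registry).filter((url) => granted[registry[url]] === true);
}

// Audit: cookies observed on the page whose category was not granted.
// Undisclosed cookies (not in the registry) are reported as well.
function auditCookies(record, observedNames, registry = COOKIE_REGISTRY) {
  const granted = record ? record.granted : { necessary: true };
  return observedNames.filter((name) => {
    const cat = registry[name];
    return cat === undefined || granted[cat] !== true;
  });
}
```

Run `auditCookies` against the cookies actually present after a "Reject All" click; anything it returns is the implementation failure the text describes.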
There's a persistent narrative in digital marketing that privacy regulation is killing the industry. That consent requirements are making it impossible to do effective marketing. That the GDPR ruined everything.
This is, to put it politely, nonsense.
What privacy regulation actually killed was the specific model of surveillance-based advertising that treated people's browsing habits as a commodity to be harvested without their knowledge or meaningful agreement. That model was always ethically bankrupt. The law just caught up.
The organisations that will thrive in the next decade are the ones building on consent rather than around it. First-party data strategies. Contextual advertising. Privacy-preserving measurement. Server-side analytics. These are better approaches that happen to also be legal.
Apple's App Tracking Transparency framework proved the point. When iOS users were given a genuinely neutral prompt asking whether apps could track them across other companies' apps and websites, more than 90% said no. It happened and it wasn't the death of mobile advertising. It was the start of a much more honest version of it. The same transition is happening on the web, whether the ad industry likes it or not.
Cookie consent theatre is a symptom of an industry that got comfortable extracting value from people rather than creating it for them. Fixing your consent banner is as much an existential decision as anything else, because it's actively deciding what kind of relationship you want with the people who visit your website.
Make it an honest one.
If your consent flow needs an audit, or you want to build one that respects users, get in touch. We help organisations across the UK build ethical digital experiences that work for everyone, not just the marketing department. You can also explore our CRO consultancy services or learn about our approach to ethical experimentation.