A cookie banner for every website.

The GDPR and the ePrivacy Directive operate together for cookies. The ePrivacy Directive Article 5(3) requires prior informed consent for any access to or storage of information on a user's terminal equipment, except for cookies that are strictly necessary for a service the user requested. The GDPR then defines the standard for that consent in Article 4(11) and Article 7: it must be freely given, specific, informed, unambiguous, granular, withdrawable and recorded. In practical terms that means no pre-ticked boxes (Planet49 ruling, CJEU C-673/17, October 2019), no implied consent from continued browsing, a Reject All button as prominent as the Accept All button (EDPB Cookie Banner Taskforce report, January 2023), per-purpose toggles for Analytics, Advertising and Social, an audit-trail log of every consent decision, and a one-click withdrawal mechanism on every page (Article 7(3)). A cookie consent widget that does not block scripts in the Analytics and Advertising categories until consent is granted is not compliant. A widget that places a Reject button in light grey and an Accept button in bright green is a dark pattern under the EDPB 2024 guidelines and exposes you to fines.

California operates an opt-out model, not an opt-in model. The CCPA (2020) and CPRA (2023) require a Do Not Sell or Share My Personal Information link on every page, recognition of the Global Privacy Control (GPC) browser signal as a valid opt-out, sensitive personal information limits, and a clear privacy policy disclosure. As of 2026, similar laws are live in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Florida, Delaware, New Hampshire, New Jersey, Minnesota, Maryland and Indiana. A cookie consent widget intended for US deployment must therefore detect GPC headers, expose a CCPA-style Do Not Sell or Share link, honour the Multi-State Privacy Agreement (MSPA) signal in the IAB Global Privacy Platform, and route Quebec visitors to a Law 25 disclosure (which is much closer to GDPR than to CCPA). One-size US banners no longer work; the US patchwork now requires the same kind of geo-routing the EU has needed since 2018.

The European Data Protection Board issued formal guidelines on deceptive design patterns in March 2022, expanded with the Cookie Banner Taskforce report in January 2023 and a 2024 update on consent flows. The patterns they explicitly call out as non-compliant include: pre-ticked checkboxes for non-essential categories, the absence of a Reject All button at the same level as Accept All, hidden Reject options that require two or more clicks, contrast tricks (a bright green Accept button next to a faint grey Reject button), repeated re-prompting after a visitor has declined, banners that block site interaction with no clear path to refuse, and language nudges (Approve vs Decline rather than Accept All vs Reject All). France's CNIL fined Google 150 million euros and Facebook 60 million euros in January 2022 specifically for these dark patterns. The practical takeaway when you configure any banner: keep the Deny button the same size and color weight as the Allow button, write the message in plain language, do not pre-tick non-essential categories, and give visitors a way to change their mind later. Poper's banner places the Deny button next to Allow at the same size and lets you color them yourself, so it is straightforward to keep the layout balanced.

The technical heart of a consent banner is conditional script loading. Strictly necessary scripts (session, cart, security, load balancing) always run. Everything else (analytics like Google Analytics, advertising pixels, social embeds, A/B testing, session-replay tools) should be held back until the visitor opts in. With Poper's cookie consent widget you do this by adding each tag to the widget and assigning it a category: Strictly Necessary, Functionality, Tracking & Analytics, or Targeting & Ads. In Ask for consent mode, a script in a controlled category is injected into the page only after the visitor grants that category, and only once, so it never double-fires. If the visitor denies, those scripts never load. This is the difference between a banner that genuinely gates trackers and a banner that is purely cosmetic: a cosmetic banner shows a message but the pixels fire regardless. Map every non-essential tag to a category and confirm, in your browser's network tab, that nothing in a controlled category loads before you click Allow.

A lightweight cookie banner widget like Poper's covers the everyday case very well: inform visitors, ask for consent, gate your analytics and advertising tags by category, offer a preference center, and let people revisit their choice. For most marketing sites, blogs, portfolios, and small-to-mid ecommerce stores, that is the whole job. There are situations that call for a dedicated Consent Management Platform instead. If you sell programmatic ad inventory and your ad-tech vendors require a signed IAB Transparency and Consent Framework (TCF) string, you need a CMP that is registered with IAB Europe. If your legal team requires a server-side, tamper-evident log of every individual consent decision for formal auditing, you need a platform built around consent record-keeping. If you must geo-route different banners to different jurisdictions automatically, or push Google Consent Mode v2 signals, that is also CMP territory. Poper's widget does not do TCF strings, server-side consent logs, geo-routing, or Consent Mode v2 signalling. Be honest with yourself about which bucket you are in: most sites are in the first one, and a clean, well-configured banner is exactly what they need.