Skip to content
Back to Blog
ComplianceApril 15, 20266 min read

7 Cookie Consent Banner Mistakes That Can Get You Fined

Pre-checked boxes, missing reject buttons, dark patterns — these common mistakes are exactly what regulators look for.

Why Consent Banners Matter

Your cookie consent banner is the first thing a data protection authority checks during an audit. It's visible, easy to test, and violations are straightforward to prove. Here are the 7 most common mistakes — and how to fix each one.

1. No Reject Button (or a Hidden One)

The violation: Users can click "Accept All" in one click, but rejecting requires navigating to settings, toggling individual categories, and confirming.

The rule: Under GDPR, withdrawing consent must be as easy as giving it. The EDPB (European Data Protection Board) has explicitly stated that the reject option must be available on the first layer of the banner.

The fix: Add a visible "Reject All" or "Only Necessary" button on the same screen as "Accept All." Same size, same prominence.

2. Pre-Checked Checkboxes

The violation: Cookie categories (analytics, marketing) are pre-selected when the consent dialog opens.

The rule: Consent must be "freely given, specific, informed, and unambiguous." Pre-checked boxes fail the "unambiguous" test — silence or inactivity doesn't constitute consent.

The fix: All non-essential cookie categories must be unchecked by default. Only strictly necessary cookies can be pre-enabled (and they shouldn't have a checkbox at all).

3. Cookies Set Before Consent

The violation: Google Analytics, Facebook Pixel, or other tracking scripts fire on page load — before the user interacts with the consent banner.

The rule: Non-essential cookies must be blocked until consent is given. Not "asked for" — actually given.

The fix: Use a consent management platform (CMP) that blocks scripts by default and only unblocks them after the user opts in. Test this by checking your cookies in an incognito window before clicking anything.

4. Cookie Wall (Forced Consent)

The violation: Users cannot access the website at all without accepting cookies. The banner blocks all content.

The rule: Consent must be "freely given." If there's no real choice — accept or leave — it's not free. Most EU data protection authorities consider cookie walls non-compliant.

The fix: Allow users to browse your site with only necessary cookies. If some features require cookies (like a chat widget), explain that specific feature requirement rather than blocking everything.

5. Vague or Missing Information

The violation: The banner says "We use cookies to improve your experience" without specifying what cookies, what data is collected, or who receives it.

The rule: Consent must be "informed." Users need to know what they're consenting to — which cookies, which third parties, what purposes.

The fix: Provide clear, specific information about each cookie category. Link to your full cookie policy. Name the third-party services (Google Analytics, Facebook) rather than just saying "analytics partners."

6. No Way to Change Preferences Later

The violation: Once the user accepts or rejects cookies, there's no way to change that choice without clearing browser data.

The rule: Users must be able to withdraw consent at any time, and it must be as easy as giving consent was.

The fix: Add a persistent "Cookie Settings" link in your footer or a floating button that reopens the consent dialog. Many CMPs support this out of the box.

7. Consent Not Actually Enforced

The violation: The banner looks compliant — it has Accept and Reject buttons — but clicking "Reject" doesn't actually block the cookies. The scripts run regardless.

The rule: Consent must be effective. If the technical implementation doesn't match the user's choice, the banner is just decoration.

The fix: After implementing your CMP, verify it works. Open an incognito browser, reject all cookies, and check what cookies are actually set. Use GDPR Fix to automate this verification.

How to Check Your Banner

The fastest way to verify your consent banner is compliant:

  1. Open your site in an incognito/private browser window
  2. Before clicking anything, check what cookies are set (DevTools → Application → Cookies)
  3. Click "Reject" or "Only Necessary"
  4. Check cookies again — non-essential cookies should not appear
  5. Run a scan with GDPR Fix to get a full automated audit
Free scan

Check your website now

Find out if your site has the issues described in this article. Free scan, results in minutes.

Scan Your Site — Free