← Back to blog

Why Your Cookie Consent Banner Probably Isn't Compliant

·5 min read·Ezra Seal

privacy · cookie consent · consent banner · website tracking · dark patterns

Not legal advice

This is an awareness and education piece from a web and UX studio, not legal advice. For how any of this applies to your business, talk to an attorney.

Key takeaways

  • On most small-business sites the cookie banner is cosmetic. The tracking pixels are set to load the moment the page opens, so they fire whether the visitor clicks Accept, clicks Reject, or ignores the banner entirely.
  • A banner that promises a choice the site does not honor can make you more exposed, not less, because it puts a written promise on record that your behavior contradicts.
  • Labeling analytics and advertising cookies as "strictly necessary" so they cannot be turned off is a common and risky move.
  • Real consent means the banner actually blocks non-essential scripts until the visitor agrees, and that Reject is as easy as Accept.
  • You can check your own site in about a minute by watching what loads before and after you click Reject.

Why isn't my cookie banner compliant?

Because on most small-business sites the banner does not actually control the trackers. The pixels are hardcoded into the page or fired through a tag manager on load, so they run before the banner ever has a say. The banner sits on top as a visual, collecting a click that changes nothing underneath. That is the gap: the banner documents a choice, and the site quietly ignores it. A consent banner only means something if it gates the scripts, and most do not.

What does a compliant consent banner actually have to do?

It has to make the choice real. In practice that means the banner blocks non-essential trackers until the visitor opts in, presents Reject as clearly and easily as Accept, labels categories honestly, lets people change their mind later, and honors browser-level opt-out signals like the Global Privacy Control where the law requires it. If any of those are missing, the banner is decorative, and a decorative banner is a promise you are not keeping.

Why does clicking "Reject" often change nothing?

Because the trackers already loaded before you clicked. When a Meta Pixel, Google Analytics, or a session recorder is placed directly in the page or fired on load, it sends its first data the instant the page opens, long before anyone touches the banner. Clicking Reject afterward does not un-send what already left. The data has already traveled out to ad platforms and data brokers like LiveRamp and Acxiom, and the Reject button becomes a formality. This is the single most common thing I find when I look at a small-business site.

Shared from Instagram

Is labeling analytics as "strictly necessary" allowed?

Generally no, and it is a red flag when you see it. Truly necessary cookies are a short list: session management, security, load balancing, and remembering the visitor's consent choice itself. Analytics and advertising tools do not belong in that bucket, and putting them there so they cannot be switched off defeats the entire point of consent. If a banner refuses to let you turn off Google Analytics because it is "required," that is not compliance, it is a workaround.

Are "Accept" and "Reject" supposed to be equally easy?

Yes, and the buried-Reject pattern is one of the clearest signs of a banner built to mislead. A giant Accept button next to a Reject option hidden three clicks deep under "Manage preferences" is a dark pattern, and regulators increasingly treat consent obtained that way as no consent at all. If saying no is meaningfully harder than saying yes, the design is doing the opposite of what consent is supposed to do.

A decorative banner is a promise you are not keeping.

Does a bad banner make me more liable, not less?

It can, and this is the part that surprises owners. A banner is a public statement about how you handle data. If it offers a choice your site does not actually honor, you have created a written promise that your own behavior contradicts, and that gap is exactly what a complaint or a demand letter points to. Doing nothing is a problem, but claiming to do something you do not do can be a worse one. The laws in Washington and Oregon increasingly turn on real consent and honest disclosure, and a theater banner fails both tests.

How do I check whether my banner actually works?

Watch your own site the way a first-time visitor's browser sees it. Open your homepage in a fresh private window, open the browser's network tab, and look at which trackers fire before you click anything. Then click Reject on your banner and watch again. If the same trackers keep firing, your banner is not controlling them. If reading a network tab is not your idea of a good afternoon, our free Exposure Scan does exactly this and hands you the plain-language version: every tracker on the page, how many still fire after Reject, and whether your privacy policy even names them. For the legal backdrop on why this matters in Washington, see whether the My Health My Data Act applies to your site.

FAQ

Do I need a cookie banner at all?

Not by name in most cases, but you do need to disclose your data practices and honor opt-out choices. A banner is only useful if it actually controls what loads.

My banner is from a well-known provider. Doesn't that make it compliant?

Not automatically. The tool can be fine while the setup is wrong. If the trackers still fire before consent, the provider's logo does not fix it.

What are "strictly necessary" cookies, really?

Session, security, load balancing, and remembering the consent choice. Analytics and advertising cookies are not strictly necessary.

Does clicking Reject delete data that already left?

No. Anything that fired on page load has already been sent. That is why the timing of when trackers fire matters so much.

Sources and disclaimer

Sources are linked inline. This reflects the state of these laws as of mid 2026 and is not legal advice. Confirm the current rules with a qualified attorney.