Your Cookie Banner Is Probably Decorative. Here’s What “Actually Compliant” Looks Like in 2026 — and What Happens When Regulators Check.

Open your website right now. Click around for 10 seconds. Then open your browser’s developer tools (F12 → Network tab) and look at what loaded.

If you see Google Analytics, Facebook Pixel, Hotjar, LinkedIn Insight Tag, or any advertising script firing before you clicked “Accept” on the cookie banner — your banner is decorative. It exists for show. It doesn’t do what GDPR requires.

You’re not alone. The vast majority of cookie banners on the internet are non-compliant. But in 2025, regulators stopped looking the other way. CNIL issued 83 sanctions worth €486.8 million. Cookie violations and advertising trackers accounted for the majority.

This article shows you the difference between a decorative banner and a compliant one, which companies got fined and why, what regulators actually check, and how to fix it for €139.

Total cookie-related fines from CNIL alone: over €800 million.

Notice the last entry: €3,000 fine for a small company. Any company with a non-compliant banner is in scope — regardless of size.

The only way to tell the difference is checking your browser’s DevTools. Here’s exactly what to look for.

Decorative (non-compliant): Banner appears, but Google Analytics, Facebook Pixel, and marketing scripts have already loaded and started tracking before the user interacts with the banner.

Compliant: Zero non-essential scripts load until the user clicks “Accept.”

How to check your own site: 1. Open your website in Chrome Incognito 2. Open DevTools (F12) → Network tab 3. Reload the page 4. Before clicking anything, search for: google-analytics, googletagmanager, facebook, hotjar, linkedin, doubleclick 5. If any of these loaded → your banner is decorative

Decorative (non-compliant): Big green “Accept All” button. Tiny gray “Manage Preferences” link that leads to a multi-step process to reject cookies.

Compliant: “Accept All” and “Reject All” buttons side by side, same size, same visual weight.

The Google €150 million fine (2022) and Facebook €60 million fine (2022) were specifically for making it harder to refuse cookies than to accept them. The CNIL stated both companies “do not allow the refusal of cookies as easily as their acceptance.”

The rule: Reject must be as easy as Accept. Same number of clicks. Same visual prominence.

Decorative (non-compliant): One “Accept” button that enables everything. No category breakdown. Or categories exist but are pre-checked.

Compliant: Clear separation: - Necessary (always active, no consent needed — session cookies, CSRF tokens) - Analytics (Google Analytics, Hotjar — requires opt-in consent) - Marketing (Facebook Pixel, Google Ads, LinkedIn — requires opt-in consent) - Preferences (language, theme — requires opt-in consent)

No pre-checked boxes. Analytics cookies require consent — period.

Decorative (non-compliant): No record of who consented, when, or to what. If a regulator asks “can you prove this user consented to analytics cookies?” — you have no answer.

Compliant: Every consent action logged: timestamp, categories, banner version, user identifier.

GDPR Article 7(1): *“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented.”* If you can’t demonstrate it — you don’t have valid consent.

Decorative (non-compliant): User clicks “Reject All” → banner disappears → all scripts continue running exactly as before. The banner was a visual element only.

Compliant: User clicks “Reject All” → analytics scripts are removed, cookies deleted, no further tracking. User clicks “Accept Analytics only” → only analytics loads, marketing scripts remain blocked.

The Yahoo/Microsoft case (€10 million, 2023): Yahoo placed approximately 20 tracking cookies after users rejected consent. The banner showed “Reject” but the scripts kept running.

*“The storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent.”*

Translation: You cannot store or read cookies on a user’s device without their prior consent. The only exception: cookies that are “strictly necessary” for the service the user explicitly requested (e.g., shopping cart, login session).

*“Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes.”*

Four requirements: - Freely given: No cookie wall (blocking access until consent). No bundling consent with terms of service - Specific: Consent for analytics is separate from consent for marketing - Informed: The user must know which cookies, for what purpose, for how long - Unambiguous: Active action required (clicking a button). Scrolling or closing the banner does NOT constitute consent

*“The controller shall be able to demonstrate that the data subject has consented.”*

You must have proof. If a regulator asks — you need timestamped records showing who consented, when, and to what.

In October 2024, the EDPB finalized Guidelines 2/2023, expanding the scope of consent beyond traditional cookies to include: - Tracking pixels - URL tracking parameters - IP-only tracking - Browser fingerprinting

What this means: Even if your site doesn’t use cookies but tracks users through fingerprinting or URL parameters — you still need consent.

Our cookie consent banner setup is technically functional, not decorative:

The honest answer: yes, partially. And that’s by design.

When you implement a compliant cookie banner, some percentage of users will click “Reject All.” Those users will not be tracked by Google Analytics. In practice, 20–40% of EU visitors reject analytics cookies.

But here’s what happens if you don’t implement it: - Your analytics data is illegal — collected without valid consent - A €3,000–€325 million fine is waiting - Your data can’t be used as evidence in any legal proceeding

The alternative: Google Analytics Consent Mode v2

Google’s Consent Mode v2 provides modeled data for users who don’t consent. Instead of tracking them directly, Google uses machine learning to model their behavior based on consented users. You lose some granularity but retain directional insights — legally.

We configure Consent Mode v2 as part of our €139 setup.

Step 1: Incognito mode test Open your site in Chrome Incognito. Before touching the cookie banner, open DevTools → Network tab. Search for google, facebook, hotjar, linkedin. Any results = non-compliant.

Step 2: Reject test Click “Reject All” (if it exists). Navigate to 2–3 more pages. Are tracking scripts still loading? If yes = decorative banner.

Step 3: Visual test Is “Accept All” bigger or more prominent than “Reject”? If yes = dark pattern = non-compliant.

Step 4: Withdrawal test Can you find a way to change cookie preferences after dismissing the banner? Check the footer for “Cookie Settings.” If none — non-compliant.

If your banner failed even one of these tests — it needs to be replaced, not patched.

A compliant cookie banner protects your visitors’ privacy rights. But it also protects your company from fines, complaints, and regulatory investigations.

CNIL issued 83 sanctions in 2025 alone. Cookie violations are the most frequently enforced GDPR category. And enforcement is expanding beyond France — authorities in Germany, Austria, Belgium, and the Netherlands are increasing cookie enforcement.

€139 and 5 business days. That’s all it takes to replace a decorative banner with a real one.