Most cookie banners fail on three counts: dark patterns that make rejecting harder than accepting, scripts that fire before consent is given, and missing or buried reject buttons. Regulators are actively testing these technical implementations, not just checking whether a banner exists. The fix is a CMP that blocks scripts by default, provides equal-weight accept/reject options, and maintains auditable consent records.
Eight years after the GDPR took effect, the majority of cookie banners on the web are still not compliant. Not in a minor, technical way. In ways that regulators are actively fining companies for. Just look at the enforcement actions from CNIL, the EDPB, and NOYB over the past few years. The same violations keep showing up, over and over, on websites of all sizes.
This isn't because compliance is hard. It's because most websites prioritize ad revenue over user rights, and many CMP tools make it easy to deploy non-compliant banners by default.
The most common violations
1. No reject button (or a hidden one)
The single most common violation: a giant "Accept All" button with no equivalent "Reject All" option. Some banners hide the reject option behind a "Manage Preferences" link that opens a separate panel with dozens of toggles. The GDPR requires that rejecting cookies must be as easy as accepting them.
Google was fined €150 million by France's CNIL specifically for this. Their cookie banner had a prominent "Accept All" button but required multiple clicks to reject. Meta received a €60 million fine for the same issue on Facebook.
2. Scripts fire before consent
This is the technical violation that most website owners don't even know they have. The banner appears, but Google Analytics, Meta Pixel, and other tracking scripts have already loaded and set cookies before the user makes any choice. The GDPR requires prior consent, meaning non-essential scripts must be blocked until the user actively consents.
3. Pre-ticked checkboxes
Some cookie preference panels show up with all categories pre-selected, requiring users to manually untick each one. The CJEU ruled in the Planet49 case (2019) that pre-ticked checkboxes do not constitute valid consent. Consent must be an active opt-in.
4. Cookie walls
"Accept cookies or leave." Cookie walls block access to the website unless all cookies are accepted. The EDPB has stated that this does not meet the requirement for freely given consent. If the user has no real choice, it's not consent.
Some websites have moved to a "pay or consent" model (accept cookies or pay for an ad-free experience). This approach is contested: Austria's DPA accepted it in some cases, while other bodies, including the EDPB, have expressed skepticism.
5. Misleading language and dark patterns
Dark patterns in cookie banners are increasingly common:
- "Accept" in green, "Reject" in gray, using color psychology to push acceptance
- "We use cookies to improve your experience" without mentioning advertising or tracking
- "By continuing to browse, you accept cookies." Implied consent is not valid under GDPR
- Guilt-tripping: "Are you sure? You'll miss out on a personalized experience"
- Confusing toggle labels where "on" means different things for different categories
- "Accept All" as the only button on the first layer, with "Manage" leading to a complex second layer
6. No consent storage
Even if the banner works correctly, many websites don't store consent records. If a DPA asks you to prove that a specific user consented, you need to be able to show: who consented, when, to what categories, and how they were presented with the choice. "We had a cookie banner" isn't sufficient evidence.
7. Consent that never expires
Some websites set consent cookies that last forever, never re-prompting users. Most DPAs recommend renewing consent at least every 6-12 months. France's CNIL recommends 6 months. If your consent cookie expires in 10 years, that's a red flag.
Why CMPs aren't automatically compliant
A common misconception: "I installed a CMP, so I'm compliant." Not necessarily. Many CMPs ship with non-compliant defaults:
- Default templates that don't include a reject button on the first layer
- Script blocking disabled by default. The banner shows but doesn't actually block anything
- Pre-ticked checkboxes enabled in preference panels
- Consent Mode not configured. Banner works but Google tags don't respect the consent state
- No geo-targeting. Showing the same (non-GDPR) banner to EU and non-EU visitors
The CMP is a tool. A misconfigured tool gives you a false sense of security while leaving you exposed.
How regulators are responding
Enforcement has shifted from education to penalties:
- France's CNIL has been the most active, issuing hundreds of cookie-specific enforcement actions since 2020
- NOYB (the privacy advocacy group led by Max Schrems) has filed hundreds of complaints against websites with non-compliant banners across Europe
- Multiple DPAs now use automated scanning tools to detect non-compliant banners at scale
- Complaint-driven enforcement means any user can trigger an investigation by filing a complaint with their national DPA
- The trend is toward larger fines and more frequent enforcement, not less
What a compliant banner actually looks like
A GDPR-compliant cookie banner needs to check every box:
| Requirement | What It Means |
|---|---|
| Equal accept/reject | Reject All button on the first layer, same visual prominence as Accept All |
| Prior blocking | Non-essential scripts don't load or fire until consent is given |
| Granular choices | Users can accept/reject by category (analytics, marketing, functional) |
| No pre-ticked boxes | All non-essential categories off by default |
| Clear language | Plain explanation of what cookies do and who sets them |
| Consent records | Stored proof of who consented, when, and to what |
| Easy withdrawal | Persistent link/icon to reopen preferences and change consent |
| Geo-targeting | GDPR banner for EU, CCPA opt-out for California, appropriate for each region |
| Consent renewal | Re-prompt every 6-12 months |
| No cookie walls | Website accessible regardless of consent choice |
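The requirements in the table, carried into code as an added example (not AutoCMP's or any other CMP's code): a small consent-state module that keeps every non-essential category off by default, produces an auditable record, expires it for renewal, handles withdrawal, and only releases scripts whose category has been granted. The category names, record fields, the 180-day renewal window, and the convention of authoring third-party tags as `type="text/plain"` scripts with a `data-consent` attribute are assumptions for this example.

```javascript
// Added example (not AutoCMP's code): a minimal consent-state module covering prior blocking,
// opt-in defaults, auditable records, renewal and withdrawal. Names and the 180-day window are assumptions.
const NON_ESSENTIAL = ["analytics", "marketing", "functional"];
const RENEWAL_DAYS = 180; // CNIL's 6-month recommendation, taken as the renewal cap

// Auditable record: who (pseudonymous id), when, to what, and which banner version was shown.
// No pre-ticked boxes: a category is on only if the user explicitly chose `true`.
function recordConsent(visitorId, choices, bannerVersion, now = Date.now()) {
  const categories = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, choices[c] === true]));
  return {
    visitorId,
    bannerVersion,
    categories,
    consentedAt: new Date(now).toISOString(),
    expiresAt: new Date(now + RENEWAL_DAYS * 864e5).toISOString(),
  };
}

// A missing or stale record means "no consent" and the banner must be shown again.
function isExpired(record, now = Date.now()) {
  return !record || Date.parse(record.expiresAt) <= now;
}

// Prior blocking: a script loads only if its category is granted in a current record.
// Scripts without a category are strictly necessary and always load.
function allowedScripts(scripts, record, now = Date.now()) {
  const stale = isExpired(record, now);
  return scripts.filter((s) => !s.category || (!stale && record.categories[s.category] === true));
}

// Withdrawal uses the same path as granting: a fresh record with every category off.
function withdrawConsent(record, now = Date.now()) {
  return recordConsent(record.visitorId, {}, record.bannerVersion, now);
}

// Browser wiring (assumed convention): tags authored as <script type="text/plain"
// data-consent="analytics" src="..."> never run; after a choice, allowed ones are re-created as real scripts.
function activateHeldScripts(record, doc = typeof document === "undefined" ? null : document) {
  if (!doc) return 0; // not in a browser
  const held = [...doc.querySelectorAll('script[type="text/plain"][data-consent]')]
    .map((el) => ({ category: el.dataset.consent, el }));
  let activated = 0;
  for (const { el } of allowedScripts(held, record)) {
    const real = doc.createElement("script");
    if (el.src) real.src = el.src; else real.textContent = el.textContent;
    el.replaceWith(real);
    activated += 1;
  }
  return activated;
}
```

Because the record is the only thing that can unblock a script, a banner that never writes one (or writes one with everything off) leaves every tracker unloaded, which is the "prior blocking" behaviour the audit in the next section checks for.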
How to audit your own banner
Quick self-audit you can do right now:
- Visit your site in an incognito window from an EU IP (use a VPN if needed)
- Check: Is there a visible Reject All button on the first layer of the banner?
- Check: Open your browser's developer tools (Application > Cookies) before interacting with the banner. Are cookies already set?
- Check: Open the preference panel. Are any categories pre-ticked?
- Check: Reject all cookies. Then check your analytics. Are page views still being recorded?
- Check: Can you easily reopen the preference panel after making your choice?
If any of these checks fail, your banner isn't compliant, regardless of which CMP you're using.
The bottom line
Most cookie banners exist to create the appearance of compliance, not actual compliance. With enforcement accelerating and automated complaint tools making it easy for anyone to report violations, the gap between "has a cookie banner" and "is actually compliant" is becoming expensive.
The fix isn't complicated. It just requires a CMP that's compliant by default, one that blocks scripts before consent, offers equal accept/reject options, stores consent records, and handles geo-targeting automatically. That's exactly what we built AutoCMP to do.