
Cookie banners, consent, and the lazy compromise we don't recommend.

Nobody loves cookie banners. The lazy version — accept-everything, hidden reject button — is also the version regulators love to fine. There is a middle path that protects users, satisfies regulators, and quietly improves conversion. Here it is.

The lazy cookie banner — three pixels of black text, an enormous 'Accept All', and a 'Reject' option buried behind two more clicks — is now actively dangerous. UK and EU regulators have been fining for it. It also annoys every visitor enough to hurt brand perception. After auditing thousands of cookie banners across client work, here is the honest playbook.

What the regulators have made clear

  1. Consent must be specific, informed, freely given, and unambiguous.
  2. Reject must be as easy as Accept. Asymmetric buttons are now an enforcement focus.
  3. Pre-ticked boxes don't count as consent. Defaults must be 'off'.
  4. Withdrawing consent must be as easy as giving it.
  5. Consent must be granular — analytics cookies, marketing cookies, personalisation cookies, each can be opted in or out separately.

Anti-patterns to avoid

| Anti-pattern | Why it fails | Regulator response |
| --- | --- | --- |
| Accept-only banner | No reject option means consent isn't freely given | GDPR enforcement, repeated fines |
| Reject hidden behind two clicks | Asymmetric friction biases the choice | Active investigation in UK + EU |
| Pre-ticked categories | Defaults must be off; this is opt-out, not opt-in | Direct violation of GDPR |
| Banner that comes back daily | Erodes informed consent into reflex | Increasingly criticised |
| Cookies fired before consent | The most common technical failure we audit | Highest fine risk |

Cookie banner anti-patterns we keep auditing out of inherited sites.
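The last row of the table is the one a browser test can catch mechanically. The check below is an added example, not code from the original post: it takes the cookies present on a fresh page load before any banner interaction (for instance `document.cookie` captured by a test harness), compares them against the site's declared strictly-necessary allowlist, and flags everything else, naming the vendor where the cookie name matches a well-known analytics or advertising cookie. The allowlist and the sample cookie string are constructed for the demonstration; the tracker name patterns are the vendors' documented cookie names.

```javascript
// Added example (not the post's code): flag cookies that were set before
// any consent was recorded. Run it against the cookies of a first page
// load, before the banner has been touched.

// Constructed allowlist: the cookies this site declares strictly necessary.
const NECESSARY = new Set(['session_id', 'csrf_token', 'consent']);

// Well-known analytics/advertising cookie names, as documented by the vendors.
// Anything matching here should only exist after the matching category was granted.
const KNOWN_TRACKERS = [
  { pattern: /^_ga(_[A-Z0-9]+)?$/, vendor: 'Google Analytics' },
  { pattern: /^_gid$/,             vendor: 'Google Analytics' },
  { pattern: /^_gcl_au$/,          vendor: 'Google Ads' },
  { pattern: /^_fbp$/,             vendor: 'Meta Pixel' },
  { pattern: /^_hj/,               vendor: 'Hotjar' },
];

// Parse a document.cookie-style string ("a=1; b=2") into cookie names.
function parseCookieNames(cookieString) {
  return cookieString
    .split(';')
    .map((pair) => pair.trim())
    .filter(Boolean)
    .map((pair) => pair.split('=')[0].trim())
    .filter(Boolean);
}

// Returns { compliant, findings }. A finding for a recognised tracker is
// 'high' (a category cookie fired before consent); an unrecognised,
// non-allowlisted cookie is 'review' (classify it, then allowlist or remove it).
function auditPreConsentCookies(cookieString, necessary = NECESSARY) {
  const findings = [];
  for (const name of parseCookieNames(cookieString)) {
    if (necessary.has(name)) continue;
    const match = KNOWN_TRACKERS.find((t) => t.pattern.test(name));
    findings.push({
      name,
      vendor: match ? match.vendor : 'unknown',
      severity: match ? 'high' : 'review',
    });
  }
  return { compliant: findings.length === 0, findings };
}

// Constructed sample: what a lazy banner's page often looks like before any click.
const SAMPLE_BEFORE_CONSENT =
  'session_id=abc123; _ga=GA1.2.111.222; _gid=GA1.2.333; _fbp=fb.1.1.2; theme=dark';

// Usage: auditPreConsentCookies(SAMPLE_BEFORE_CONSENT) reports _ga, _gid and
// _fbp as high-severity findings and 'theme' as a cookie to classify.
```

In a real audit the input comes from a headless browser session that loads the page and reads `document.cookie` (and the response `Set-Cookie` headers) without clicking anything; a non-empty `findings` list on that first load is the "cookies fired before consent" failure from the table.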

The pattern that actually works

  1. Equal-weight buttons. Accept and Reject are the same size, same colour, same prominence. The user picks freely.
  2. Categorised toggles. Strictly necessary (always on), analytics, marketing, personalisation. Each off by default.
  3. No tags fire before consent. Wire it into GTM consent mode, not into the marketing tag itself.
  4. A real "manage preferences" surface, available later — usually in the footer.
  5. A clear plain-English explanation of what each category does — no legal-speak, no 5,000-word policy.
  6. Persistent storage of the choice for 6-12 months, then ask again.

Wiring it into Google Tag Manager — consent mode v2

consent-mode.js

```javascript
// consent-mode.js
// Default state: deny everything until the user chooses
window.dataLayer = window.dataLayer || [];
function gtag() { dataLayer.push(arguments); }   // push the arguments object, not an array: GTM expects it

gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'granted',     // strictly necessary
  security_storage: 'granted',          // strictly necessary
  wait_for_update: 500                  // ms to wait for an 'update' before tags run with the defaults
});

// When the user accepts (or grants individual categories), update
export function grantConsent(categories) {
  gtag('consent', 'update', {
    ad_storage: categories.marketing ? 'granted' : 'denied',
    ad_user_data: categories.marketing ? 'granted' : 'denied',
    ad_personalization: categories.marketing ? 'granted' : 'denied',
    analytics_storage: categories.analytics ? 'granted' : 'denied'
  });
  // Persist the choice for next visit. On the next load, read it back and
  // replay it through gtag('consent', 'update', ...) before any tag fires;
  // storing it alone does nothing.
  localStorage.setItem('consent', JSON.stringify(categories));
}
```
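The snippet above sets the defaults and grants categories, but leaves out the rest of the pattern from the list earlier: replaying a stored choice on the next visit, expiring it so the question is asked again after 6-12 months, and withdrawing consent as easily as it was given. The module below is an added example, not the post's own code, that carries the procedure through end to end and also honours a browser-level Global Privacy Control signal (`navigator.globalPrivacyControl`, mentioned in the closing section) as a refusal of marketing and personalisation. The dataLayer, storage and clock are injected so the module can be exercised outside a browser; the storage key, the category names and the 182-day expiry are assumptions chosen for the example.

```javascript
// Added example (not the post's code): full consent-state lifecycle for
// Consent Mode v2. Defaults denied, granular update, persistence with
// expiry, replay on the next visit, one-call withdrawal, GPC honoured.

const STORAGE_KEY = 'consent';                      // assumed key name
const CONSENT_TTL_MS = 182 * 24 * 60 * 60 * 1000;   // ~6 months, then ask again

// Banner categories -> Consent Mode v2 signals. Strictly-necessary storage
// (functionality_storage, security_storage) has no toggle and stays granted.
const CATEGORY_SIGNALS = {
  analytics:       ['analytics_storage'],
  marketing:       ['ad_storage', 'ad_user_data', 'ad_personalization'],
  personalisation: ['personalization_storage'],
};

// Only an explicit `true` grants a category: opt-in, never opt-out.
function toSignals(categories) {
  const update = {};
  for (const [category, signals] of Object.entries(CATEGORY_SIGNALS)) {
    const state = categories[category] === true ? 'granted' : 'denied';
    for (const signal of signals) update[signal] = state;
  }
  return update;
}

function makeConsent({ dataLayer, storage, now = () => Date.now(), gpc = false }) {
  // GTM expects the arguments object itself on the dataLayer, not an array.
  function gtag() { dataLayer.push(arguments); }

  // Every optional signal denied until the user chooses.
  gtag('consent', 'default', {
    ...toSignals({}),
    functionality_storage: 'granted',
    security_storage: 'granted',
    wait_for_update: 500,
  });

  function apply(categories) {
    // A GPC signal from the browser overrides the banner for the
    // marketing and personalisation categories.
    const effective = gpc ? { ...categories, marketing: false, personalisation: false } : categories;
    const update = toSignals(effective);
    gtag('consent', 'update', update);
    return update;
  }

  // Called when the user saves the banner or the "manage preferences" page.
  function save(categories) {
    storage.setItem(STORAGE_KEY, JSON.stringify({ categories, savedAt: now() }));
    return apply(categories);
  }

  // Called on page load: replay a stored, unexpired choice. Returns the stored
  // categories, or null when the banner has to be shown again.
  function restore() {
    const raw = storage.getItem(STORAGE_KEY);
    if (raw === null) return null;
    let record = null;
    try { record = JSON.parse(raw); } catch (_) { /* corrupt value: treat as absent */ }
    const fresh = record && typeof record.savedAt === 'number'
      && now() - record.savedAt <= CONSENT_TTL_MS;
    if (!fresh) { storage.removeItem(STORAGE_KEY); return null; }
    apply(record.categories);
    return record.categories;
  }

  // Withdrawal is as easy as granting: one call, every optional signal denied.
  function withdraw() {
    storage.removeItem(STORAGE_KEY);
    return apply({});
  }

  return { save, restore, withdraw };
}

// Wire the module to the real page objects; guarded so the file also loads in Node.
function bootstrapBrowser() {
  window.dataLayer = window.dataLayer || [];
  return makeConsent({
    dataLayer: window.dataLayer,
    storage: window.localStorage,
    gpc: navigator.globalPrivacyControl === true,
  });
}
if (typeof window !== 'undefined') {
  const consent = bootstrapBrowser();
  if (consent.restore() === null) { /* show the banner; on save, call consent.save({...}) */ }
}

// In-memory stand-in for localStorage, used when running outside a browser.
function memoryStorage() {
  const m = new Map();
  return {
    getItem: (k) => (m.has(k) ? m.get(k) : null),
    setItem: (k, v) => { m.set(k, String(v)); },
    removeItem: (k) => { m.delete(k); },
  };
}
```

Two design points worth noting: the `default` push happens in the constructor before anything else, so there is no window in which a tag can run with an undefined state, and `restore()` deletes rather than reuses an expired or unparseable record, which is what turns "persist for 6-12 months, then ask again" into behaviour rather than a note in the policy.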

What we keep telling clients

  1. Privacy-friendly defaults aren't a compromise — they correlate with higher trust and (in our data) better conversion downstream.
  2. You almost certainly need fewer cookies than you have. Audit the list every six months.
  3. Server-side analytics (Plausible, Fathom, Ackee, Umami) reduce the cookie surface to almost nothing without giving up the signal.
  4. Stop paying for tools you only use because 'we always have'. Most cookie audits we run end with at least three vendors removed.
  5. The banner is the visible bit. The audit underneath is the actual work.

Done well, the banner is briefly visible, instantly dismissible, and never gets in the way again. Done lazily, it's a permanent tax on your relationship with every visitor.

Where this is heading

  1. Browser-level consent signals (GPC — Global Privacy Control) are increasingly honoured by good actors.
  2. First-party analytics keep eating third-party analytics — and rightly so.
  3. EU enforcement actions against major sites have accelerated through 2024 and 2025.
  4. The 'sensible cookie banner' itself may disappear within five years, replaced by browser-level consent management.

The banner is one of the smallest pieces of UI on most sites and one of the biggest signals of how you think about your users. Treat it with the seriousness it deserves.

Talk to Remiam about a system like this.