How to Set Up a Cookie Consent Banner

Step-by-step guide to choosing and implementing a GDPR-compliant cookie consent banner on your website.

At a glance

Difficulty

beginner

Time estimate

30-60 minutes

Last updated

22/02/2025

Disclosure

This playbook may include affiliate links to supporting tools.

Summary

Every website that uses non-essential cookies in the EU needs a consent banner. This playbook walks you through selecting a consent management platform (CMP), configuring it for GDPR compliance, and verifying that cookies are properly blocked until the user consents.

Prerequisites Checklist

  • You know which cookies your site sets (run a cookie scan first)
  • You have admin access to your website or CMS
  • You have a privacy policy published on your site
  • You know whether you need Google Consent Mode v2 support

Decision Tree

Do you run Google Ads or GA4?
├── YES → You need Consent Mode v2 support
│   └── Do you need IAB TCF 2.2 (programmatic ads)?
│       ├── YES → Cookiebot or Usercentrics
│       └── NO → Cookiebot, Usercentrics, or iubenda
└── NO → Any GDPR-compliant CMP works
    └── Do you want an all-in-one legal solution?
        ├── YES → iubenda (includes policy generator)
        └── NO → Cookiebot (focused on consent)

Implementation Steps

Step 1: Choose a CMP

Use the CMP Selector Tool to get a personalized recommendation based on your site type and requirements.

Key criteria:

  • Google Consent Mode v2 support (required if you use Google services)
  • Cookie auto-scanning (saves manual inventory work)
  • Pricing that fits your traffic level
  • Integration with your CMS or tag manager

Time estimate: 10-15 minutes

Step 2: Sign Up and Configure

  1. Create an account with your chosen CMP
  2. Add your website domain
  3. Run the automatic cookie scan (most CMPs offer this)
  4. Review the detected cookies and categories
  5. Verify categories are correct (necessary, analytics, marketing, preferences)

Time estimate: 10-15 minutes

Step 3: Customize the Banner

Configure the consent banner to meet GDPR requirements:

  • Accept and Reject buttons must be equally prominent — no dark patterns
  • List all cookie categories with clear descriptions
  • Link to your privacy policy from the banner
  • Allow granular choice — users must be able to accept/reject by category
  • Provide a way to change preferences later (footer link or floating icon)

Time estimate: 5-10 minutes

Step 4: Install the Script

For WordPress:

  1. Install your CMP’s WordPress plugin
  2. Enter your site ID or API key
  3. Configure the plugin settings
  4. Test on a staging site first

For other sites:

  1. Copy the CMP script tag from your dashboard
  2. Paste it into the <head> of every page — before any analytics or marketing scripts
  3. Verify the script loads on all pages

<!-- Example: Add CMP script before other scripts -->
<head>
  <!-- CMP script goes first -->
  <script src="https://your-cmp-provider.com/script.js" data-site-id="YOUR_ID"></script>

  <!-- Then your analytics/marketing scripts -->
  <script async src="https://www.googletagmanager.com/gtag/js?id=GA_ID"></script>
</head>

Time estimate: 5-10 minutes

Step 5: Enable Google Consent Mode v2

If you use Google Analytics or Google Ads:

  1. Enable Consent Mode v2 in your CMP dashboard
  2. Verify the default consent state is set before gtag loads
  3. Confirm consent updates are sent when users make choices

See our Consent Mode v2 Setup Playbook for detailed instructions.

Time estimate: 5-10 minutes
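
The ordering checks in this step can be scripted. The following is an added example, not code from this playbook or from any CMP: it records gtag() calls in a plain array and checks that the consent default is queued before any config or event command, and that all four Consent Mode v2 signals start as denied (an assumption for an opt-in site). The function names and both sample sequences are hypothetical and constructed for illustration.

```javascript
// Records gtag() calls like the standard stub, but as plain arrays.
function makeGtag(dataLayer) {
  return function gtag() { dataLayer.push(Array.from(arguments)); };
}

// The four consent signals used by Consent Mode v2.
const V2_SIGNALS = ['ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage'];

// Returns a list of problems in the recorded command order (empty list = pass).
function checkConsentOrder(dataLayer) {
  const problems = [];
  const find = (cmd, sub) => dataLayer.findIndex(e => e[0] === cmd && e[1] === sub);
  const def = find('consent', 'default');
  const upd = find('consent', 'update');
  const firstHit = dataLayer.findIndex(e => e[0] === 'config' || e[0] === 'event');
  if (def === -1) return ['no consent default set'];
  if (firstHit !== -1 && firstHit < def) problems.push('config/event queued before consent default');
  if (upd !== -1 && upd < def) problems.push('consent update sent before default');
  // Assumption: opt-in site, so every signal starts as "denied".
  const state = dataLayer[def][2] || {};
  for (const s of V2_SIGNALS) {
    if (state[s] !== 'denied') problems.push(s + ' is not denied by default');
  }
  return problems;
}

// Constructed sequence: default first, tag configured, then the user's choice.
function sampleGood() {
  const dl = [], gtag = makeGtag(dl);
  gtag('consent', 'default', { ad_storage: 'denied', ad_user_data: 'denied',
    ad_personalization: 'denied', analytics_storage: 'denied' });
  gtag('js', new Date());
  gtag('config', 'GA_ID');
  gtag('consent', 'update', { analytics_storage: 'granted' });
  return dl;
}

// Constructed sequence: tag configured before the default, v2 signals missing.
function sampleBad() {
  const dl = [], gtag = makeGtag(dl);
  gtag('js', new Date());
  gtag('config', 'GA_ID');
  gtag('consent', 'default', { ad_storage: 'denied', analytics_storage: 'denied' });
  return dl;
}
```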

Step 6: Test Your Implementation

  1. Clear all cookies and reload your site
  2. Check that the banner appears on first visit
  3. Reject all cookies and verify:
    • No analytics cookies are set
    • No marketing cookies are set
    • Only strictly necessary cookies remain
  4. Accept all cookies and verify tracking scripts load
  5. Check the preference center works (change consent after initial choice)
  6. Test on mobile — banner must be usable on small screens

Time estimate: 10-15 minutes
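
The reject-all and accept checks above can be repeated after every site change with a small audit function. This is an added example, not part of the original playbook or any CMP's tooling: it compares the cookies present against a category inventory and the user's consent state. The inventory is constructed; `cmp_consent` and `session_id` are hypothetical names standing in for your own strictly necessary cookies.

```javascript
// Constructed inventory: cookie-name patterns mapped to consent categories.
// _ga, _gid, _gcl_* and _fbp are common Google/Meta cookie names; the
// "necessary" names are hypothetical placeholders for your own site.
const INVENTORY = [
  { pattern: /^_ga(_.+)?$/, category: 'analytics' },
  { pattern: /^_gid$/, category: 'analytics' },
  { pattern: /^_gcl_/, category: 'marketing' },
  { pattern: /^_fbp$/, category: 'marketing' },
  { pattern: /^cmp_consent$/, category: 'necessary' },
  { pattern: /^session_id$/, category: 'necessary' },
];

// Extract cookie names from a document.cookie-style string ("a=1; b=2").
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map(part => part.trim().split('=')[0])
    .filter(name => name.length > 0);
}

// consent: { analytics: bool, marketing: bool, preferences: bool }
// Returns the cookies that should not exist under that consent state.
function auditCookies(cookieString, consent, inventory = INVENTORY) {
  const violations = [];
  for (const name of cookieNames(cookieString)) {
    const entry = inventory.find(e => e.pattern.test(name));
    const category = entry ? entry.category : 'unclassified';
    if (category === 'necessary') continue;
    // Unclassified cookies are reported too: they need a category in the CMP.
    if (category === 'unclassified' || consent[category] !== true) {
      violations.push({ name, category });
    }
  }
  return violations;
}

// Constructed cookie string, as it might look after clicking "Reject all".
const AFTER_REJECT = 'cmp_consent=rejected; session_id=abc; _ga=GA1.1.1.1; _fbp=fb.1.1.1';
const REJECT_ALL = { analytics: false, marketing: false, preferences: false };
```

In a browser console, call `auditCookies(document.cookie, REJECT_ALL)` after rejecting. `document.cookie` does not list HttpOnly cookies, so also check the browser's storage panel.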

Common Pitfalls

Cookies are set before consent

Symptom: Analytics or marketing cookies appear before the user interacts with the banner.

Cause: Scripts load before the CMP has a chance to block them.

Fix: Ensure the CMP script is the first script in <head>. Use type="text/plain" on scripts that should be blocked until consent, or use your CMP’s auto-blocking feature.

“Accept All” button is more prominent than “Reject”

Symptom: Your banner has a large “Accept” button but only a text link for “Reject.”

Cause: This is a dark pattern and violates GDPR guidelines.

Fix: Make both buttons the same size and visual weight. Many DPAs have issued fines specifically for this pattern.

Consent banner reappears after a choice is made

Symptom: Users see the consent banner even after making a choice.

Cause: The consent cookie itself is being blocked or has too short an expiry.

Fix: Ensure your CMP’s own cookie is classified as “strictly necessary” so it persists across sessions.

Third-party scripts bypass the CMP

Symptom: Some tracking cookies appear regardless of consent status.

Cause: Scripts added directly to the HTML (not through a tag manager) may bypass CMP blocking.

Fix: Audit all <script> tags and ensure they’re managed by your CMP or tag manager. Add type="text/plain" and a CMP data attribute to defer loading.
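
The script audit described here, and the ordering rule from Step 4, can be automated. This is an added example, not code from the playbook or a CMP: it scans a page's HTML for external scripts that load before the CMP or that run without type="text/plain". It assumes manual blocking rather than auto-blocking; `auditScripts`, the `consentAware` allow-list, the `data-category` attribute and the sample markup are hypothetical or constructed.

```javascript
// Read one quoted attribute value from the inside of a <script ...> tag.
function attr(tagAttrs, name) {
  const m = new RegExp(`(?:^|\\s)${name}\\s*=\\s*["']([^"']*)["']`, 'i').exec(tagAttrs);
  return m ? m[1] : null;
}

// cmpHost: hostname serving the CMP script.
// consentAware: hosts allowed to load unblocked because they honour consent
// signals themselves (e.g. gtag with Consent Mode configured).
function auditScripts(html, cmpHost, consentAware = []) {
  const findings = [];
  let cmpSeen = false;
  for (const m of html.matchAll(/<script\b([^>]*)>/gi)) {
    const src = attr(m[1], 'src');
    // Inline and relative (same-origin) scripts are skipped: review them by hand.
    if (!src || !/^(https?:)?\/\//i.test(src)) continue;
    const host = new URL(src, 'https://placeholder.invalid').hostname;
    if (host === cmpHost) { cmpSeen = true; continue; }
    const type = (attr(m[1], 'type') || '').toLowerCase();
    if (type === 'text/plain') continue; // the browser will not execute this
    if (!cmpSeen) findings.push({ src, issue: 'loads before CMP' });
    else if (!consentAware.includes(host)) findings.push({ src, issue: 'not deferred' });
  }
  if (!cmpSeen) findings.push({ src: null, issue: 'CMP script not found' });
  return findings;
}

// Constructed markup: one script ahead of the CMP, one ungated after it.
const SAMPLE_HEAD = `
<head>
  <script src="https://cdn.tracker.example/pixel.js"></script>
  <script src="https://your-cmp-provider.com/script.js" data-site-id="YOUR_ID"></script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=GA_ID"></script>
  <script type="text/plain" data-category="marketing" src="https://ads.example/tag.js"></script>
  <script src="https://chat.example/widget.js"></script>
</head>`;
```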

Disclosure: We may earn a commission if you sign up for recommended tools through our links. This never affects our recommendations or methodology.