---
title: "Cookie banners, consent, and the lazy compromise we don't recommend."
date: 2025-07-08
url: https://remiam.co.uk/notes/cookie-banners-and-consent
tags: [Privacy, GDPR, Marketing Tech, UX]
read_time_minutes: 9
description: "Cookie banners done well — the legal, ethical, and UX version. What to gate, what not to gate, the patterns regulators are punishing, and a code example of the wiring."
---

# Cookie banners, consent, and the lazy compromise we don't recommend.

*Published 2025-07-08 · 9 min read · by Liam (Remiam)*

Nobody loves cookie banners. The lazy version — accept-everything, hidden reject button — is also the version regulators love to fine. There is a middle path that protects users, satisfies regulators, and quietly improves conversion. Here it is.

The lazy cookie banner — three pixels of black text, an enormous 'Accept All', and a 'Reject' option buried behind two more clicks — is now actively dangerous. UK and EU regulators have been fining for it. It also annoys every visitor enough to hurt brand perception. After auditing thousands of cookie banners across client work, here is the honest playbook.

## What the regulators have made clear

- Consent must be specific, informed, freely given, and unambiguous.
- Reject must be as easy as Accept. Asymmetric buttons are now an enforcement focus.
- Pre-ticked boxes don't count as consent. Defaults must be 'off'.
- Withdrawing consent must be as easy as giving it.
- Consent must be granular — analytics cookies, marketing cookies, personalisation cookies, each can be opted in or out separately.

## Anti-patterns to avoid

| Anti-pattern | Why it fails | Regulator response |
| --- | --- | --- |
| Accept-only banner | No reject option means consent isn't freely given | GDPR enforcement, repeated fines |
| Reject hidden behind two clicks | Asymmetric friction biases the choice | Active investigation in UK + EU |
| Pre-ticked categories | Defaults must be off; this is opt-out, not opt-in | Direct violation of GDPR |
| Banner that comes back daily | Erodes informed consent into reflex | Increasingly criticised |
| Cookies fired before consent | The most common technical failure we audit | Highest fine risk |

*Cookie banner anti-patterns we keep auditing out of inherited sites.*

## The pattern that actually works

- Equal-weight buttons. Accept and Reject are the same size, same colour, same prominence. The user picks freely.
- Categorised toggles. Strictly necessary (always on), analytics, marketing, personalisation. Each off by default.
- No tags fire before consent. Wire it into GTM consent mode, not into the marketing tag itself.
- A real "manage preferences" surface, available later — usually in the footer.
- A clear plain-English explanation of what each category does — no legal-speak, no 5,000-word policy.
- Persistent storage of the choice for 6-12 months, then ask again.
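The list above is the whole specification; what follows is an added example of it in code, not code from the original post. It is a small consent store with strictly-necessary always on and every other category off until chosen, a one-call `withdraw` that is no harder than accepting, a 12-month expiry after which the banner asks again, a `whenGranted` hook that parks tag loaders until their category is granted, and (going beyond this list, to the browser-level signal mentioned later in the post) a GPC flag that keeps marketing denied even on "Accept all". Storage and clock are injected so it runs outside a browser; in a page you would pass `window.localStorage` and `Date.now`. All names here (`createConsentStore`, `whenGranted`, `createMemoryStorage`) are this example's own, not any library's API.

```javascript
// Added example (not from the original post): a consent store for the pattern
// above. Storage and clock are injected so the code runs in Node as well as
// in a browser. All names are this example's own.

const CATEGORIES = ['analytics', 'marketing', 'personalisation'];
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000; // ask again after 12 months

// Minimal in-memory stand-in for window.localStorage (tests, server-side rendering).
function createMemoryStorage() {
  const map = new Map();
  return {
    getItem: (k) => (map.has(k) ? map.get(k) : null),
    setItem: (k, v) => { map.set(k, String(v)); },
    removeItem: (k) => { map.delete(k); },
  };
}

function createConsentStore({ storage, now = Date.now, gpc = false, key = 'consent' }) {
  const waiting = []; // tag loaders parked until their category is granted

  // Strictly necessary is always on; every optional category starts off.
  function defaults() {
    const c = { necessary: true, storedAt: null };
    for (const cat of CATEGORIES) c[cat] = false;
    return c;
  }

  function load() {
    const raw = storage.getItem(key);
    if (raw === null) return defaults();
    try {
      const saved = JSON.parse(raw);
      // Expired or malformed records are discarded so the banner asks again.
      if (typeof saved.storedAt !== 'number' || now() - saved.storedAt > MAX_AGE_MS) {
        storage.removeItem(key);
        return defaults();
      }
      return { ...defaults(), ...saved, necessary: true };
    } catch (e) {
      storage.removeItem(key);
      return defaults();
    }
  }

  let state = load();

  function isGranted(cat) {
    return cat === 'necessary' || state[cat] === true;
  }

  // Apply a set of choices. Unlisted categories stay denied (opt-in, never
  // opt-out). A GPC signal keeps marketing denied even on "Accept all"; that
  // is this example's reading of honouring the signal, not a legal ruling.
  function update(choices) {
    const next = defaults();
    for (const cat of CATEGORIES) next[cat] = choices[cat] === true;
    if (gpc) next.marketing = false;
    next.storedAt = now();
    state = next;
    storage.setItem(key, JSON.stringify(state));
    // Release parked tag loaders whose category is now granted (each fires once).
    for (let i = waiting.length - 1; i >= 0; i--) {
      if (isGranted(waiting[i].cat)) waiting.splice(i, 1)[0].fn();
    }
  }

  const allOn = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  return {
    needsBanner: () => state.storedAt === null,
    isGranted,
    snapshot: () => ({ ...state }),
    update,
    acceptAll: () => update(allOn),
    rejectAll: () => update({}),
    withdraw: () => update({}),   // one call, exactly as easy as granting
    // Park fn until the category is granted; run it now if it already is.
    whenGranted(cat, fn) {
      if (isGranted(cat)) fn(); else waiting.push({ cat, fn });
    },
  };
}
```

Wiring this to a real banner means calling `update` from the toggles, `withdraw` from the footer's "manage preferences" surface, and `whenGranted('analytics', loadAnalytics)` instead of loading the script unconditionally. The GPC flag would come from `navigator.globalPrivacyControl === true` in the browser.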

## Wiring it into Google Tag Manager — consent mode v2

```javascript consent-mode.js
// Default state: deny everything until the user chooses
window.dataLayer = window.dataLayer || []
function gtag(){ dataLayer.push(arguments) }

gtag('consent', 'default', {
  ad_storage: 'denied',
  ad_user_data: 'denied',
  ad_personalization: 'denied',
  analytics_storage: 'denied',
  functionality_storage: 'granted',     // strictly necessary
  security_storage: 'granted',          // strictly necessary
  wait_for_update: 500                  // ms to wait for a stored choice before tags decide
})

const CONSENT_KEY = 'consent'
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000   // ask again after 12 months

// Push the user's categories into consent mode (marketing drives all three ad_* signals)
function applyConsent(categories) {
  gtag('consent', 'update', {
    ad_storage: categories.marketing ? 'granted' : 'denied',
    ad_user_data: categories.marketing ? 'granted' : 'denied',
    ad_personalization: categories.marketing ? 'granted' : 'denied',
    analytics_storage: categories.analytics ? 'granted' : 'denied'
  })
}

// When the user accepts (or grants individual categories), update and persist
export function grantConsent(categories) {
  applyConsent(categories)
  // Persist the choice with a timestamp so it can expire
  localStorage.setItem(CONSENT_KEY, JSON.stringify({ ...categories, storedAt: Date.now() }))
}

// On later visits: re-apply a stored choice without refreshing its timestamp.
// Returns false (and clears the record) when nothing is stored, the record is
// unreadable, or it is older than 12 months; that is the cue to show the banner again
export function restoreConsent() {
  const raw = localStorage.getItem(CONSENT_KEY)
  if (!raw) return false
  let saved
  try { saved = JSON.parse(raw) } catch (e) { saved = null }
  if (!saved || typeof saved.storedAt !== 'number' || Date.now() - saved.storedAt > CONSENT_MAX_AGE_MS) {
    localStorage.removeItem(CONSENT_KEY)
    return false
  }
  applyConsent(saved)
  return true
}

restoreConsent()   // runs inside the wait_for_update window, before any gated tag decides
```

## What we keep telling clients

- Privacy-friendly defaults aren't a compromise — they correlate with higher trust and (in our data) better conversion downstream.
- You almost certainly need fewer cookies than you have. Audit the list every six months.
- Server-side analytics (Plausible, Fathom, Ackee, Umami) reduce the cookie surface to almost nothing without giving up the signal.
- Stop paying for tools you only use because 'we always have'. Most cookie audits we run end with at least three vendors removed.
- The banner is the visible bit. The audit underneath is the actual work.

> Done well, the banner is briefly visible, instantly dismissible, and never gets in the way again. Done lazily, it's a permanent tax on your relationship with every visitor.

## Where this is heading

- Browser-level consent signals (GPC — Global Privacy Control) are increasingly honoured by good actors.
- First-party analytics keep eating third-party analytics — and rightly so.
- EU enforcement actions against major sites have accelerated through 2024 and 2025.
- The 'sensible cookie banner' itself may disappear within five years, replaced by browser-level consent management.

The banner is one of the smallest pieces of UI on most sites and one of the biggest signals of how you think about your users. Treat it with the seriousness it deserves.

## References

1. [ICO — Use of cookies guidance](https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/)
2. [Google — Consent Mode v2 documentation](https://support.google.com/tagmanager/answer/13802165)
3. [Plausible — privacy-friendly analytics](https://plausible.io/)
4. [Global Privacy Control specification](https://globalprivacycontrol.org/)
