Do I Need a Cookie Banner? A Simple Decision Guide

Somebody told you your website needs a cookie banner. Maybe it does. Maybe it doesn't. The answer depends on what your website actually does, not what a WordPress plugin salesperson wants you to believe.

Here's how to figure it out in about five minutes.

The one question that decides everything

Does your website set non-essential cookies or send visitor data to third parties?

If yes, you need a cookie banner with active consent. If no, you probably don't.

That's it. The rest of this guide helps you figure out which side you're on.

What counts as a non-essential cookie

Cookies fall into two categories under the ePrivacy Directive, which works alongside GDPR:

Cookies you can set without consent:

• Session cookies that keep a user logged in
• Shopping cart cookies on an e-commerce site
• Load-balancing cookies that keep the website running
• Cookies that remember a user's cookie preference. Yes, the cookie banner itself needs a cookie.

These are called "strictly necessary" cookies. They make the website function. Without them, the site breaks.

Cookies that require consent before you set them:

• Google Analytics tracking cookies
• Facebook Pixel
• Advertising and retargeting cookies
• Social media sharing buttons that track visitors
• YouTube embeds that set cookies by default
• Chat widgets that track visitor behavior
• A/B testing tools like Optimizely or Google Optimize

If any of these are active on your site, you need a cookie banner that asks for consent before they load.

Common website setups and whether they need a banner

Plain HTML website with no analytics or tracking. No banner needed. If your website is just HTML, CSS and JavaScript with no third-party services, you're not setting tracking cookies. You might still want a simple notice for transparency, but it's not legally required.

WordPress site with Google Analytics. Yes, you need a banner. Google Analytics sets cookies (_ga, _gid, _gat) that track visitor behavior across sessions. These require consent under EU law. The cookie must not be set until the visitor clicks "accept."

WordPress with just a contact form. Probably not. A basic contact form plugin such as Contact Form 7 or WPForms doesn't set tracking cookies by itself. But check your plugins. Many WordPress plugins quietly load third-party scripts. A free website scan can show you exactly what cookies your site sets.

Shopify store. Yes, in most cases. Shopify sets its own analytics cookies, and most store owners also run Facebook Pixel, Google Analytics or both. Shopify has built-in cookie consent support since 2023, but you need to configure it properly.

Wix or Squarespace website. Check your settings. Both platforms offer built-in analytics that set cookies. If you've enabled their analytics features or added Google Analytics, you need consent. Both platforms have cookie banner tools, but they're off by default.

Website with embedded YouTube videos. Yes, if you use standard YouTube embeds. The default YouTube embed sets cookies from youtube.com. The fix: use youtube-nocookie.com in your embed URLs instead. This privacy-enhanced mode doesn't set cookies until the visitor actually plays the video.

Website with Google Maps embedded. This is a grey area. Google Maps embeds can transfer visitor IP addresses to Google's servers, which is a GDPR concern. Some data protection authorities say this requires consent. The safest approach: load the map only after consent, or use a static map image that links to Google Maps.

How to check what cookies your website sets

You don't need to guess. Open your website in Chrome, then:

1. Press F12 to open Developer Tools
2. Click the "Application" tab
3. In the left sidebar, expand "Cookies"
4. Click on your website's domain

You'll see a list of every cookie your site sets. Look for names like _ga, _gid, _fbp, _gcl_au or anything from a domain other than your own.

An even faster method: run a free scan and we'll show you every cookie and third-party connection your site makes, categorized by type.

What a proper cookie banner actually requires

If you do need one, it has to follow specific rules. A lot of cookie banners on the internet are non-compliant.

Consent must be active. Pre-ticked boxes don't count. The visitor must click a button or toggle to accept non-essential cookies. "By continuing to browse, you accept cookies" is not valid consent under GDPR.

Rejecting must be as easy as accepting. If there's a big green "Accept All" button, there needs to be an equally visible "Reject All" button. Hiding the reject option behind a "Manage preferences" menu with 14 toggles is a dark pattern that regulators are actively fining for.

The French data protection authority CNIL fined Google 150 million euros in 2022 partly because rejecting cookies took more clicks than accepting them.

No tracking before consent. This is where most sites fail. The cookie banner shows up, but Google Analytics is already running in the background. The banner is decoration at that point. Scripts that set non-essential cookies must be blocked until the visitor gives consent.

You need to keep records. If someone asks, you should be able to prove that a specific visitor gave consent on a specific date. Most cookie consent tools like CookieYes, Cookiebot and Complianz handle this automatically.

What happens if you get it wrong

The GDPR allows fines up to 20 million euros or 4% of annual turnover. In practice, small businesses rarely get fined that much. But fines do happen.

The Austrian data protection authority fined a small e-commerce shop 5,000 euros in 2023 for running Google Analytics without proper consent. The Belgian DPA fined a news website 50,000 euros for a non-compliant cookie banner. These aren't hypothetical threats.

More commonly, you'll get a complaint. Any visitor can file a complaint with their national data protection authority. That triggers an investigation, which takes time and costs money even if it doesn't result in a fine.

Common questions

Do I need a cookie banner if I only use my site in the Netherlands?

If your site is accessible from the EU and you set non-essential cookies, yes. The ePrivacy Directive applies in all EU member states. The Dutch Autoriteit Persoonsgegevens enforces it in the Netherlands.

Is Google Analytics legal in the EU?

Google Analytics 4 can be configured to work in a privacy-compliant way, but it still requires cookie consent. Several EU data protection authorities have questioned whether GA transfers to US servers comply with GDPR at all. If you want to avoid the issue entirely, consider privacy-friendly alternatives like Plausible or Fathom, which don't use cookies and don't require consent banners.

What about the "legitimate interest" loophole?

Some businesses claim "legitimate interest" as a legal basis for analytics cookies instead of consent. Most EU data protection authorities disagree. The European Data Protection Board has stated that cookies for analytics and marketing generally require consent, not legitimate interest. Don't rely on this loophole.

My cookie banner plugin says it makes me compliant. Is that true?

A plugin is only as good as its configuration. Many cookie banners are installed but not set up to actually block scripts before consent. The banner shows up, the visitor hasn't clicked anything, but tracking cookies are already set. Test it yourself: open your site in an incognito window, don't click the banner and check Developer Tools for tracking cookies.

Can I just remove Google Analytics instead of adding a cookie banner?

Yes, and for many small business websites, this is the smartest move. If you don't actively use your analytics data, removing Google Analytics eliminates the main reason most sites need a cookie banner. You can switch to a cookie-free analytics tool or simply check your hosting provider's server logs for basic traffic numbers.

---

Not sure what cookies your website is setting? Run a free scan at trustyourwebsite.nl and find out in 30 seconds.