Do I Need a Cookie Consent Banner?
If you have EU or UK visitors and you run analytics or ads, yes, and it has to ask before anything tracks. Here is what a correct banner does, and the version that quietly breaks the rules.
If people in the EU or UK can visit your site and you run anything beyond strictly necessary cookies, you need to ask for consent before those cookies run, and a banner is the usual way to do it. The rule that matters here is not really about the banner at all. It is about timing: non-essential cookies and tracking scripts must not fire until the visitor has actively agreed.
Which cookies actually need consent?
Only non-essential cookies need consent, but that category is bigger than founders expect. The split is simple once you see it.
- No consent needed (strictly necessary): login sessions, shopping carts, security tokens, and the cookie that remembers the visitor's consent choice. These keep the app working.
- Consent needed (non-essential): Google Analytics, Meta or TikTok pixels, Hotjar or other session recording, ad retargeting, and most third-party embeds (a YouTube video, an Intercom widget) that set their own cookies.
- The trap: product analytics you added 'just to see signups' counts as non-essential. So does anything your AI tool wired in when you asked it to 'add tracking'.
What does a correct banner do?
A correct banner holds all non-essential cookies until the visitor chooses, and makes saying no as easy as saying yes. Concretely, it should:
1. Block first, ask second. No analytics or ad scripts load until the visitor clicks accept. Most consent tools have a 'blocking' mode that enforces this, or you can use Google Consent Mode.
2. Offer a real reject. 'Reject all' should be on the first screen, as prominent as 'Accept all'. No pre-ticked boxes, no reject buried two menus deep.
3. Remember the choice, so you are not nagging on every page and so you can show that you obtained consent.
The most common failure
A banner that appears while Google Analytics has already loaded in the background. The visitor sees a friendly 'We use cookies' bar, but the tracking happened on page load, before any consent. This is exactly the pattern EU regulators have fined, and it is the default outcome when an AI tool drops an analytics snippet into your head tag.
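The difference between the failing banner and a correct one is where the analytics script lives. The following is an added example, not code from this page or from any consent vendor: a small consent gate that keeps every non-essential script out of the page until the visitor makes a choice, remembers that choice, and sets Google Consent Mode defaults to denied. The anti-pattern is shown in a comment at the top for contrast. The measurement id G-XXXXXXX, the Meta pixel loader URL, the storage key and the banner element ids are all assumptions.

```javascript
// Added example (not the page's or any vendor's code): a consent gate that keeps
// non-essential scripts out of the page until the visitor accepts, with the
// anti-pattern beside it. G-XXXXXXX is a placeholder measurement id.

// The anti-pattern the page describes: this in <head> fires on every page load,
// before the banner is seen, so the banner is decorative.
//   <script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>

const CONSENT_KEY = 'cookie_consent_v1'; // storing the choice is itself strictly necessary

// Non-essential scripts by category. None of these appear in the HTML; they are
// only injected after an explicit accept.
const NON_ESSENTIAL = {
  analytics: ['https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX'],
  marketing: ['https://connect.facebook.net/en_US/fbevents.js'], // assumed Meta pixel loader URL
};

// Build the record that is persisted. A reject stores no categories, and the
// timestamp lets you show later when (and what) the visitor agreed to.
function makeConsentRecord(decision, categories, at = Date.now()) {
  return { decision, categories: decision === 'accept' ? [...categories] : [], at };
}

// Parse what was stored; anything malformed counts as "no choice yet".
function parseConsent(raw) {
  try {
    const c = JSON.parse(raw);
    if (c && ['accept', 'reject'].includes(c.decision) && Array.isArray(c.categories)) return c;
  } catch (_) { /* not JSON */ }
  return null;
}

// Pure decision: which script URLs may load for this consent state.
// No record (first visit) and an explicit reject both yield an empty list.
function scriptsAllowed(consent) {
  if (!consent || consent.decision !== 'accept') return [];
  return Object.entries(NON_ESSENTIAL)
    .filter(([category]) => consent.categories.includes(category))
    .flatMap(([, urls]) => urls);
}

// Browser-only wiring: Consent Mode defaults, script injection, banner buttons.
// Assumes <div id="cookie-banner" hidden> containing #accept-all and #reject-all
// rendered side by side, equally prominent.
function installGate(doc = globalThis.document) {
  if (!doc) return false; // not running in a browser
  const storage = globalThis.localStorage;

  // Google Consent Mode: every storage type is denied until the visitor says otherwise.
  globalThis.dataLayer = globalThis.dataLayer || [];
  function gtag() { globalThis.dataLayer.push(arguments); }
  gtag('consent', 'default', {
    analytics_storage: 'denied', ad_storage: 'denied',
    ad_user_data: 'denied', ad_personalization: 'denied',
  });

  const apply = (consent) => {
    for (const src of scriptsAllowed(consent)) {
      const s = doc.createElement('script');
      s.async = true;
      s.src = src;
      doc.head.appendChild(s);
    }
    if (consent.decision === 'accept') {
      const a = consent.categories.includes('analytics') ? 'granted' : 'denied';
      const m = consent.categories.includes('marketing') ? 'granted' : 'denied';
      gtag('consent', 'update', { analytics_storage: a, ad_storage: m, ad_user_data: m, ad_personalization: m });
    }
  };

  const remembered = parseConsent(storage.getItem(CONSENT_KEY));
  if (remembered) { apply(remembered); return true; } // returning visitor: honour the choice, no banner

  // First visit: nothing non-essential has loaded; show the banner and wait.
  const banner = doc.getElementById('cookie-banner');
  const choose = (decision) => {
    const record = makeConsentRecord(decision, Object.keys(NON_ESSENTIAL));
    storage.setItem(CONSENT_KEY, JSON.stringify(record));
    banner.hidden = true;
    apply(record);
  };
  doc.getElementById('accept-all').addEventListener('click', () => choose('accept'));
  doc.getElementById('reject-all').addEventListener('click', () => choose('reject'));
  banner.hidden = false;
  return true;
}

installGate();
```

The decision logic (`scriptsAllowed`) is kept separate from the DOM wiring so it can be unit-tested: a first visit and a reject both produce an empty load list, which is the property the page says regulators check for. Consent Mode on its own does not stop a script tag you have already placed in `<head>` from loading; the gate works because the tag is never in the markup to begin with.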
How do I check my own site?
Open your site in a private window, open the browser developer tools, go to the Network tab, and reload without clicking anything. Look at what loads. If you see requests to google-analytics.com, googletagmanager.com, a Meta pixel, or similar before you interact with the cookie banner, those trackers are firing without consent. Then click 'Reject' and reload: if they still fire, your reject does nothing.
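The same check can be applied to a captured request log instead of reading the Network tab by eye. The following is an added example, not the page's own tooling: it classifies request hostnames against a list of known tracker domains and flags any tracker request that happened before the consent interaction, or at all after a reject. The tracker domain list (the page names google-analytics.com and googletagmanager.com; the Meta pixel and Hotjar hosts are my assumptions) and the sample request logs are constructed for the example.

```javascript
// Added example (not the page's tooling): audit a captured request log for
// trackers that fired before consent or after a reject. Domain list and sample
// logs are constructed here; timestamps are ms since navigation start.

const TRACKER_HOSTS = [
  { suffix: 'google-analytics.com', name: 'Google Analytics' },
  { suffix: 'googletagmanager.com', name: 'Google Tag Manager / gtag' },
  { suffix: 'connect.facebook.net', name: 'Meta pixel' }, // assumed pixel loader host
  { suffix: 'hotjar.com', name: 'Hotjar' },               // assumed session-recording host
];

// Map a request URL to a tracker name, or null for first-party and other requests.
// Matches the host exactly or as a subdomain, so notgoogletagmanager.com does not match.
function classifyHost(urlString) {
  let host;
  try { host = new URL(urlString).hostname; } catch (_) { return null; }
  const hit = TRACKER_HOSTS.find((t) => host === t.suffix || host.endsWith('.' + t.suffix));
  return hit ? hit.name : null;
}

// requests: [{ url, t }]; consent: { t, decision: 'accept' | 'reject' } or null
// when the visitor never interacted with the banner (the "reload and click
// nothing" run from the text). Returns one finding per offending request.
function auditRequests(requests, consent) {
  const findings = [];
  for (const r of requests) {
    const tracker = classifyHost(r.url);
    if (!tracker) continue;
    if (!consent || r.t < consent.t) {
      findings.push({ ...r, tracker, issue: 'fired before consent' });
    } else if (consent.decision === 'reject') {
      findings.push({ ...r, tracker, issue: 'fired after reject' });
    }
  }
  return findings;
}

// Constructed sample: a fresh private-window load with no interaction.
const FIRST_LOAD = [
  { url: 'https://example.com/', t: 0 },
  { url: 'https://example.com/app.js', t: 40 },
  { url: 'https://fonts.gstatic.com/s/font.woff2', t: 90 },
  { url: 'https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX', t: 120 },
  { url: 'https://www.google-analytics.com/g/collect?v=2', t: 380 },
];

// Constructed sample: the reload after clicking Reject (consent recorded at t = 0).
const AFTER_REJECT = [
  { url: 'https://example.com/', t: 0 },
  { url: 'https://region1.google-analytics.com/g/collect?v=2', t: 300 },
];

for (const f of auditRequests(FIRST_LOAD, null)) {
  console.log(`${f.issue}: ${f.tracker} at ${f.t}ms (${f.url})`);
}
```

The two runs mirror the manual procedure: the first with `consent = null` answers "what fires before I touch the banner", the second with a reject decision answers "does reject actually do anything". Any finding in either run means the banner is not gating the trackers.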
This is one of the checks the Compliance check runs automatically. It visits your site fresh, watches which cookies and trackers fire before consent, looks at whether a real reject exists, and reports each issue with the rule it touches, privately, written so your AI coding tool can fix it.
Want to know if your trackers fire before consent? Run a Compliance check and get a private list of exactly what to fix.
Frequently asked questions
Do I need a cookie banner if I only use Google Analytics?
Yes, for EU and UK visitors. Google Analytics sets non-essential cookies and sends data about your visitors, so it needs consent before it runs. A banner that loads Analytics on page load, before the visitor agrees, does not meet the requirement.
Do US-only sites need a cookie consent banner?
US law is different. There is no blanket federal cookie-banner rule, but California and other states require letting users opt out of the sale or sharing of personal information, which often means a 'Your Privacy Choices' link rather than a consent banner. If any EU or UK visitors can reach you, you also need EU-style consent.
Is it enough to have an Accept button on my banner?
No. Regulators expect rejecting non-essential cookies to be as easy as accepting them, on the same first screen. An accept-only banner, or one where reject is hidden, is treated as not obtaining valid consent and is a common enforcement target.
What cookies can I use without consent?
Strictly necessary ones: login sessions, security tokens, shopping carts, and the cookie that stores the visitor's consent choice. Anything for analytics, advertising, or non-essential third-party features needs consent first.