How to design a user-friendly and compliant cookie banner in 2025

Let’s talk about cookie banner design, and – more specifically – how to make cookie banners clear, compliant, and user-friendly.

One crucial element we want to zone in on is buttons. 

That's because their placement, color, or wording can significantly impact users’ engagement, decisions, and, ultimately, your cookie compliance. But many businesses still struggle with getting them right.

Additionally, a lot has happened in the regulatory landscape within the last six months: Regulatory bodies across Europe have issued formal warnings, enforcement actions, and hefty fines targeting websites using non-compliant banners, particularly those based on deceptive design patterns – with buttons often being a subject of contention.

As data privacy regulations evolve, authorities are paying closer attention to the design elements of cookie banners and how they influence user choices. 

To keep you up to speed with the current legal landscape, we prepared an overview of:

  • The latest regulatory developments.
  • How they might affect you.
  • How to design a compliant, non-deceptive cookie banner (including a checklist).

Recent rulings on deceptive cookie banner designs

Regulatory bodies such as the UK’s Information Commissioner’s Office (ICO), France’s Commission Nationale de l’Informatique et des Libertés (CNIL), and the Belgian Data Protection Authority (DPA) have tightened their enforcement on misleading cookie banners, particularly those that use dark patterns to manipulate user choices.

On September 6th 2024, the Belgian DPA took action against Mediahuis for the unlawful use of cookie banners on four of its news websites: De Standaard, Het Belang van Limburg, Het Nieuwsblad, and Gazet van Antwerpen.

Cookie banner design violations found by the Belgian DPA:

  • No “Reject All” button at the first layer: The websites did not provide an equally accessible option to reject all cookies at the first level of the banner, violating the principle of freely given and informed consent.
  • Deceptive button colors: The “Accept All” button was highlighted in an eye-catching color, while the refusal options were less visible, nudging users toward acceptance in a manipulative way.
  • Difficulties in withdrawing consent: The process to withdraw consent required multiple steps, making it significantly harder than giving consent, which goes against the principles in the General Data Protection Regulation (GDPR).
  • Placing non-essential cookies without prior consent: Cookies that were not strictly necessary were placed on users’ devices before obtaining explicit consent, which is a direct violation of cookie consent rules.

CNIL is the French National DPA. It has historically been quite strict in its interpretation and enforcement of the ePrivacy Directive and GDPR – which has resulted in a lot of hefty fines over the years.

In December 2024, CNIL issued formal warnings to websites using what they considered misleading cookie banners.

Cookie banner design violations found by CNIL:

  • Unequal button presentation: “Accept” buttons are easily visible, while “Reject” options are obscured, often hidden in plain text or styled to be less prominent.
  • Ambiguous wording: Certain phrasings, such as “I decline non-essential purposes,” create confusion about the choices being made.
  • Multiple “Accept” options: Banners present users with multiple “Accept” buttons, while the “Reject” option appears only once.
  • Layered rejection options: Users must click through multiple layers or sub-menus to reject cookies, making it more difficult than accepting.

The ICO is the UK national DPA. In late 2023, the ICO began a compliance review of the UK’s top 100 websites. The process resulted in the ICO issuing formal warnings to 53 of them. 

In January 2025, the ICO announced its plans to extend this review process to the UK’s top 1,000 websites, as part of its strategy for 2025, “Taking control: our online tracking strategy”.

The strategy aims to increase efforts to ensure that users are not pressured or tricked into sharing personal data, and to actively take enforcement action where harmful data collection practices persist.

As part of this strategy, ICO released updated guidance on how to manage consent in practice – including tightened cookie rules and specific guidelines for acceptable and non-acceptable design practices for cookie consent banners.

ICO’s updated cookie banner guidelines (2025):

  • Make it as easy to refuse consent as it is to accept, for example with equally prominent options to “Accept All” or “Reject All” non-essential cookies, or to customize choices via a “More Options” button.
  • Require a positive action from the user to indicate opt-in, before setting non-essential cookies.
  • Include “More Options” tabs of consent mechanisms with toggles for all non-essential cookies turned off by default.
  • Include granular options for different purposes or categories of cookies.
  • Include a function that allows users to withdraw or edit their consent, and inform users where to find it and how to use it.

How national DPAs influence EU-wide rules

If your business is neither French, Belgian, nor British, you might naturally think that their positions on the matter are irrelevant to you.

However, the regulatory decisions taken by CNIL, ICO, and the Belgian DPA are not just relevant to businesses operating in those specific countries. These rulings often set the stage for broader interpretations by the European Data Protection Board (EDPB), influencing future EU-wide guidance.

What is the EDPB?

The European Data Protection Board (EDPB) is an independent European body that ensures consistent application of relevant data privacy laws across the European Economic Area (EEA).

The EDPB helps businesses understand what constitutes compliance and reduces the risk of country-by-country discrepancies. For example, it does so by:

  • Ensuring that all DPAs interpret and enforce GDPR consistently, preventing discrepancies across different countries.
  • Providing input on new privacy laws, policies, and international data transfer agreements to ensure they align with privacy principles.
  • Settling cases of disputes between national DPAs, by issuing legally binding decisions that all European Union countries must follow.

Understanding the role of the EDPB is crucial because while the ePrivacy Directive and GDPR set the overall framework for data protection, they leave room for interpretation in certain areas – such as cookie banner layout.

What do the ePrivacy Directive and GDPR say about cookie banner design practices?

When it comes to privacy laws like the ePrivacy Directive and GDPR, the details of how you should design your cookie banner can be confusing.
This is, in part, because the ePrivacy Directive and GDPR don’t explicitly address cookie banners or prescribe exact design requirements. Rather, the legal texts set broad principles for how you can use cookies, when to require explicit consent, and how you should obtain user consent.
This flexibility is intentional – it allows the privacy laws to apply across different technologies, industries, and user interfaces. Still, certain phrasings in both the ePrivacy Directive and the GDPR hint at how you should design your cookie banner.

Design cues for a GDPR-compliant cookie banner:

  • You must provide users with “the opportunity to refuse to have a cookie or similar device stored on their terminal equipment” (ePrivacy Directive, Article 5(3)).
  • Your methods for “giving information, offering a right to refuse or requesting consent should be made as user-friendly as possible” (ePrivacy Directive, Recital 25).
  • Your users “have the right to withdraw his or her consent at any time” (GDPR, Article 7(3)).
  • For users it should “be as easy to withdraw as to give consent” (GDPR, Article 7(3)).

Because these principles are broad and open to interpretation, regulatory bodies across Europe have different approaches to enforcement. This is where the EDPB comes in – to create a more unified standard for data privacy compliance.

EDPB’s Cookie Banner Taskforce

In September 2021, the EDPB established the Cookie Banner Taskforce. The main purpose of the Taskforce is to coordinate responses to complaints concerning cookie banners and to promote cooperation, information sharing and best practices between the DPAs.
This is an instrumental task in ensuring a consistent approach to cookie banners across the EEA.

In January 2023, the Taskforce published a report on their work. In it, data protection authorities (DPAs) agreed on a shared understanding of key rules from the ePrivacy Directive and GDPR. 

They covered things like reject buttons, pre-ticked boxes, cookie banner design, and how users can withdraw consent.

Problematic design practices identified in the Cookie Banner Taskforce's 2023 report

The EDPB’s Cookie Banner Taskforce report reinforces that design choices in cookie banners must not manipulate users into consenting. It outlines several problematic design practices in cookie banners that can mislead users and violate ePrivacy and GDPR requirements.

These were the key design and functionality-related takeaways:

  • Some cookie banners only provide an “Accept” button on the first layer while hiding the reject option in a secondary menu. Most authorities agreed this practice is non-compliant because it does not offer users an equally easy way to reject cookies.
  • Instead of a clear “Reject” button, some banners use small text links buried in paragraphs or placed outside the main banner. This design is misleading and does not provide a clear, informed choice.
  • Some banners make the “Accept” button visually prominent (e.g., bright colors, high contrast) while using low-contrast colors for the “Reject” button, making it hard to notice or read. While there is no universal color standard, regulators agreed that buttons should not be designed in a way that unfairly nudges users into consenting.
  • Some websites do not offer an easily accessible way to withdraw consent after it has been given. A simple, visible solution (such as a persistent hovering icon) should be available to allow users to revisit their choices.

How do the recent regulatory developments in data privacy affect you?

Let’s say you own a small online business that draws traffic from several European countries.
As a website administrator, you must ensure that your cookie banner complies with the rules and guidelines of each visitor’s location.
And while the EDPB sets a common baseline for cookie banner compliance across the EU, national DPAs are free to enforce stricter or more specific interpretations – as seen with CNIL, the ICO, and the Belgian DPA.

So even if a ruling originates in one country, businesses across the EU should anticipate similar enforcement trends. 

Thus, the safest (and easiest) approach is to align your cookie banner with the strictest interpretations of the law to ensure full compliance.

What’s the best cookie banner design for 2025?

So what should you change in your cookie banner design?

Taking into account the GDPR, ePrivacy Directive, EDPB, and recent rulings from national DPAs, the key question is:

How can you design a user-friendly cookie banner that ensures compliance?

Understanding these regulations and best practices is essential for creating a legally sound and user-friendly experience.

Compliant cookie banner checklist for marketers and designers in 2025

1. Equal prominence for consent choices

  • If an “Accept All” button is present, make sure a “Reject All” button is equally visible, styled similarly, and placed on the same level.
  • Buttons should have consistent size, font, and contrast to avoid nudging users toward one option.

[Image: cookie banner with unequal button sizes]
[Image: GDPR-compliant cookie banner example]

2. Clear and concise language – no ambiguous wording

✔️ Use explicit labels for buttons such as “Accept All” and “Reject All”.

❌ Avoid vague terms like “More Options” or “Customize” that obscure rejection options.

3. Granular consent options

  • Users must be able to opt in or out of specific cookie categories (e.g., analytics, marketing, functional cookies) rather than facing an all-or-nothing choice.
  • These options should be immediately accessible, not buried in multiple layers of settings.

4. Positive action for consent

  • No implied consent: Simply continuing to browse the website must not be interpreted as consent.
  • Give users the option to actively select their preferences before setting non-essential cookies.

[Image: non-compliant cookie notice example]

5. Easy way to change or withdraw consent

  • Users must be able to change or revoke consent as easily as they gave it.
  • Provide users with a persistent, easily accessible method for revisiting preferences (like a preference management widget).

6. No deceptive design practices

Avoid dark patterns that manipulate user choice, such as:
  • Pre-ticked consent checkboxes (users must actively opt in).
  • Hiding the reject button behind multiple clicks or in small, low-contrast text.
  • Making the “Accept” button visually dominant (e.g., bright colors, larger size) while downplaying rejection options.
  • Using misleading wording that pressures users into accepting cookies.
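
The checklist above can be turned into an automated review step. The following is an added example, not code from the original article or from any CMP product: the banner object shape, the finding codes, and both numeric tolerances are assumptions made for illustration, and the contrast comparison uses the WCAG contrast-ratio formula, which the article itself does not prescribe.

```javascript
// Added example: the banner object shape and both tolerances are illustrative assumptions.
const SIZE_TOLERANCE = 0.1; // max relative width difference between the two buttons
const CONTRAST_FLOOR = 0.5; // weaker button needs at least half the stronger one's contrast

// WCAG 2.x relative luminance of an "#rrggbb" colour.
function luminance(hex) {
  const [r, g, b] = [1, 3, 5].map((i) => {
    const c = parseInt(hex.slice(i, i + 2), 16) / 255;
    return c <= 0.03928 ? c / 12.92 : ((c + 0.055) / 1.055) ** 2.4;
  });
  return 0.2126 * r + 0.7152 * g + 0.0722 * b;
}
// WCAG contrast ratio of a button's text against its own background (1 to 21).
function contrast(btn) {
  const [hi, lo] = [luminance(btn.fg), luminance(btn.bg)].sort((a, b) => b - a);
  return (hi + 0.05) / (lo + 0.05);
}

// Returns finding codes; an empty list means no checklist item was tripped.
function auditBanner(banner) {
  const findings = [];
  const accept = banner.buttons.find((b) => b.action === "accept_all");
  const reject = banner.buttons.find((b) => b.action === "reject_all");
  if (accept && (!reject || reject.layer !== accept.layer)) findings.push("reject-not-on-accept-layer");
  if (accept && reject) {
    const widthGap = Math.abs(accept.widthPx - reject.widthPx) / Math.max(accept.widthPx, reject.widthPx);
    if (widthGap > SIZE_TOLERANCE || accept.fontPx !== reject.fontPx) findings.push("unequal-size");
    const [ca, cr] = [contrast(accept), contrast(reject)];
    if (Math.min(ca, cr) / Math.max(ca, cr) < CONTRAST_FLOOR) findings.push("unequal-contrast");
  }
  banner.categories.filter((c) => !c.essential && c.defaultOn).forEach((c) => findings.push(`pre-ticked:${c.name}`));
  if (banner.consentOnScroll) findings.push("implied-consent");
  if (banner.clicksToWithdraw > banner.clicksToConsent) findings.push("withdraw-harder-than-consent");
  return findings;
}

// Constructed sample banners, not taken from any real site.
const blue = { layer: 1, widthPx: 160, fontPx: 16, fg: "#ffffff", bg: "#0050c8" };
const balanced = {
  buttons: [{ ...blue, action: "accept_all" }, { ...blue, action: "reject_all" }],
  categories: [{ name: "necessary", essential: true, defaultOn: true },
               { name: "marketing", essential: false, defaultOn: false }],
  consentOnScroll: false, clicksToConsent: 1, clicksToWithdraw: 1,
};
const nudging = {
  ...balanced, clicksToWithdraw: 4,
  buttons: [{ ...blue, action: "accept_all" },
            { ...blue, action: "reject_all", widthPx: 90, fontPx: 12, fg: "#b0b0b0", bg: "#ffffff" }],
  categories: [{ name: "marketing", essential: false, defaultOn: true }],
};
console.log(auditBanner(balanced), auditBanner(nudging));
```

A check like this only covers what can be measured from the banner's configuration; wording and whether cookies are actually set before consent still need a manual or browser-based review.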

Frequently asked questions about compliant cookie consent banner design

Is it a legal requirement to have a cookie banner?

In many regions, yes. Laws like the GDPR (EU), ePrivacy Directive, and CCPA (California) require websites to obtain user consent before setting non-essential cookies. However, the exact requirements depend on your location and the types of cookies you use.

GDPR requires websites to obtain clear, informed, and explicit consent for non-essential cookies. A cookie banner is the most common way to request this consent, but it must offer users a real choice, including the ability to reject cookies easily.

A compliant cookie banner should be clear, user-friendly, and provide a balanced choice between accepting, rejecting, or customizing cookie settings. It should avoid misleading wording, pre-ticked boxes, or design elements that pressure users into accepting cookies.

The easiest way to create a cookie banner is to implement a Consent Management Platform (CMP) to ensure compliance with privacy laws. A good CMP, like Cookie Information, allows you to customize the banner’s appearance and settings while keeping a record of user consents.

It should inform users about what cookies are used, their purpose, and provide clear options to accept, reject, or adjust preferences. It should also link to a detailed cookie policy for further information.

A cookie banner shouldn’t affect your SEO, as long as you use a responsive design, lightweight scripts, and maintain fast layout loading. 

Yes, under laws like GDPR, businesses must keep records of user consent as proof of compliance. This includes details like when consent was given, what options were selected, and how it was obtained.

If you use Google Analytics with tracking cookies (e.g., for remarketing or behavioral tracking), privacy laws like GDPR and ePrivacy Directive require user consent. Using Google Consent Mode can help adjust tracking based on user preferences.

No. If your website only uses essential cookies (e.g., those necessary for site functionality), a banner may not be required. However, if you use tracking or marketing cookies, most privacy laws mandate user consent.

  • Explicit opt-in banners (common in the EU) require users to actively accept cookies.
  • Opt-out banners (used in some regions) assume consent unless users decline.
  • Notice-only banners simply inform users about cookies but don’t seek consent. In most cases, these banners are not compliant.

Yes, Consent Mode v2 requires websites to collect explicit user consent for ad personalization and data processing. This means that your cookie banners should offer granular consent options for different categories or purposes. You should also include a link to Google’s Business Data Responsibility site in your cookie banner and privacy policy.