
5 common mistakes to avoid when setting up your cookie banner


Configuring a cookie banner correctly is not just a matter of legal compliance: it is a strategic choice that affects user trust, site reputation and - increasingly - the commercial sustainability of a business operating in the European market.

Yet, despite the GDPR having been in force for over seven years, most websites continue to make the same configuration errors, often without their owners being aware of it. The widespread belief is that "having a banner" is enough. It is not.

A poorly configured banner is worse than no banner at all, because it creates an illusion of compliance that does not hold up under thorough scrutiny. The Privacy Authority issued 835 measures in 2024 alone, 468 of which were corrective and sanctioning. Fines start in the tens of thousands of euros and can reach up to 4% of annual global turnover. There is no longer room for cutting corners.

This guide analyses the five most common errors, their concrete implications, and how to avoid them with effective technical and organisational solutions.


Error #1: the use of dark patterns

Dark patterns are deliberately deceptive design techniques that push users towards choices they would not have made consciously. In the context of cookie banners, they represent one of the most sanctioned violations by European Privacy authorities and, at the same time, one of the most widespread practices.

According to data collected by European DPAs in 2025, over 35% of online platforms still use interfaces that make it difficult or impossible to refuse cookies. These are not accidental errors: they are deliberate design choices, built to maximise consent at the expense of users' freedom of choice.

Consent obtained by deceiving the user is not consent: it is a violation dressed up as acceptance.

The three most common forms of dark patterns in banners

Asymmetric design between accept and reject. The "Accept all" button is large, colourful and prominently placed. The "Reject" button - when it exists - is small, grey, hidden in a corner or only accessible through a multi-click journey. This visual disparity is not neutral: it systematically steers the user's choice towards acceptance, so the consent is no longer freely given, which the GDPR requires, and is therefore invalid.

Misleading text and manipulative language. Phrases like "Help us improve your experience" or "Accept to continue" do not inform: they persuade. The GDPR requires that consent be based on clear and comprehensible information. A text that conceals the nature of tracking operations does not meet this requirement.

Incorrect default settings. Pre-ticked boxes, non-essential cookies activated automatically, preferences that require an active action to deactivate: all of this constitutes a violation of the principle that consent must be a positive and unambiguous act. The user's silence or inaction never counts as valid consent.

How to avoid it

Design the banner with a graphically neutral approach: buttons of equal size, equal visual weight, equal accessibility. Use descriptive and non-persuasive language. Make sure that rejecting is just as easy as accepting - with a single click, not three steps through secondary menus.

Will the result be a lower consent rate? Probably yes. But they will be valid consents, ones that hold up under scrutiny and build long-term trust.


Error #2: no preventive blocking of scripts

This is the technically most serious error - and also the most common. Most banners found online are, in fact, decorative graphical interfaces: they show the user a choice window, but implement no technical mechanism to prevent scripts from loading before the user has expressed their preference.

The result is paradoxical: the user sees the banner, clicks nothing, and meanwhile Meta Pixel, Hotjar and other third-party scripts load and collect data. The tracking has already occurred before the user had any opportunity to accept or refuse it.

A banner without preventive blocking is like a padlock on the door with the windows wide open: the appearance of security, with none of its substance.

The 30-second test

Checking whether your banner truly blocks cookies is straightforward. Open your browser in incognito mode, open the developer tools (DevTools) on the Network tab, load the site and - without clicking anything on the banner - observe how many network requests are made to external domains. If you see requests to facebook.com, hotjar.com or other tracking domains before any interaction with the banner, preventive blocking is not active.

Your banner is decorative. It is not blocking anything.
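The DevTools check described above can be made repeatable. The following is an added example, not code from the article or from My Agile Privacy: a small helper that takes the URLs the page has requested (in a browser, `performance.getEntriesByType('resource')`, which lists exactly what the Network tab shows) and reports which third-party hosts were contacted and which of them sit on a watch-list. The watch-list suffixes, the page host `example-shop.test` and the sample request list are constructed for the demo; the function also treats subdomains of the page host as first-party, which the prose does not spell out.

```javascript
// Added example, not the plugin's code. Pure helpers so they run in Node on a
// constructed request list and in the browser console on the real one.

// Constructed watch-list of tracking hosts for the demo; extend it for your own site.
const KNOWN_TRACKER_SUFFIXES = [
  'facebook.com', 'facebook.net', 'hotjar.com', 'doubleclick.net',
  'google-analytics.com', 'googletagmanager.com',
];

// True when host equals the suffix or is a subdomain of it,
// so "connect.facebook.net" matches "facebook.net".
function hostMatches(host, suffix) {
  return host === suffix || host.endsWith('.' + suffix);
}

// Reduce a list of requested URLs to the distinct third-party hosts (sorted),
// each with a request count and a flag for the watch-list.
function thirdPartyHosts(resourceUrls, pageHost) {
  const seen = new Map();
  for (const raw of resourceUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; }   // relative or malformed: skip
    if (!/^https?:$/.test(url.protocol)) continue;     // data:, blob: etc. are not network hits
    const host = url.hostname;
    if (hostMatches(host, pageHost)) continue;         // first-party, subdomains included
    if (!seen.has(host)) {
      seen.set(host, {
        host,
        tracker: KNOWN_TRACKER_SUFFIXES.some(s => hostMatches(host, s)),
        count: 0,
      });
    }
    seen.get(host).count += 1;
  }
  return [...seen.values()].sort((a, b) => a.host.localeCompare(b.host));
}

// Verdict for the 30-second test: any watch-listed host reached before the user
// touched the banner means preventive blocking is not in effect.
function blockingVerdict(resourceUrls, pageHost) {
  const hits = thirdPartyHosts(resourceUrls, pageHost).filter(h => h.tracker);
  return { blocking: hits.length === 0, trackers: hits.map(h => h.host) };
}

// Constructed sample of what a fresh incognito load might request before any click.
const SAMPLE_REQUESTS = [
  'https://example-shop.test/wp-content/themes/shop/style.css',
  'https://cdn.example-shop.test/img/hero.webp',
  'https://connect.facebook.net/en_US/fbevents.js',
  'https://static.hotjar.com/hotjar.js',
  'https://fonts.gstatic.com/s/roboto.woff2',
  'data:image/png;base64,iVBORw0KGgo=',
];

if (typeof document !== 'undefined' && typeof location !== 'undefined') {
  // In the browser: paste the block into the console right after the page loads,
  // before clicking anything on the banner.
  console.log(blockingVerdict(
    performance.getEntriesByType('resource').map(e => e.name), location.hostname));
} else {
  console.log(JSON.stringify(blockingVerdict(SAMPLE_REQUESTS, 'example-shop.test')));
}
```

Hosts that are third-party but not on the watch-list (a font CDN in the sample) are still listed by `thirdPartyHosts`, so a reviewer can decide case by case whether they set cookies or fingerprint; the verdict only turns red for the known trackers.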

What the regulation requires

The GDPR is clear on this point: the processing of personal data requires a valid legal basis before it begins. For non-technical cookies, that basis is consent. This means that scripts must be physically prevented from loading until the user has expressed a positive choice. Not "loaded but not activated". Not "loaded in anonymous mode". Not loaded, full stop.

Implementing real preventive blocking requires a technical solution like My Agile Privacy®, which intercepts the loading of scripts and activates them only after the user's explicit consent for the corresponding categories.
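To make the mechanism concrete, here is an added example of how preventive blocking works at the markup level; it is not My Agile Privacy's implementation. The idea is standard: tracking scripts ship with `type="text/plain"`, which no browser executes, plus `data-consent-category` and `data-consent-service` attributes (both names are assumptions for this example). Only after a consent record exists does a loader create real `<script>` elements for the permitted ones; simply changing the `type` of the existing element would not run it. The loader accepts per-service decisions as well as per-category ones, and treats anything absent from the record as refused. The sample script list and consent record are constructed.

```javascript
// Added example, not the plugin's code. Works on real <script> elements in the
// browser and on plain objects in Node, so the logic can be tested offline.
//
// Markup shipped by the page (assumed attribute names):
//   <script type="text/plain" data-consent-category="marketing"
//           data-consent-service="meta-pixel"
//           src="https://connect.facebook.net/en_US/fbevents.js"></script>

const INERT_TYPE = 'text/plain';

function readAttr(node, name) {
  return typeof node.getAttribute === 'function' ? node.getAttribute(name) : (node[name] ?? null);
}
function writeAttr(node, name, value) {
  if (typeof node.setAttribute === 'function') node.setAttribute(name, value);
  else node[name] = value;
}

// consent: { categories: { analytics: true, marketing: false },
//            services:   { 'google-analytics': false } }
// Technical scripts are always allowed; an explicit service decision wins over its
// category; anything not explicitly true is refused (silence is not consent).
function isGranted(consent, category, service) {
  if (category === 'technical') return true;
  const svc = consent.services || {};
  if (service && Object.prototype.hasOwnProperty.call(svc, service)) return svc[service] === true;
  return (consent.categories || {})[category] === true;
}

// Activate the inert scripts the record allows; returns the decision log so a
// caller or test can verify nothing unconsented was mounted.
function activateConsented(consent, scriptNodes, mount) {
  const decisions = [];
  for (const node of scriptNodes) {
    if (readAttr(node, 'type') !== INERT_TYPE) continue;              // ordinary script
    if (readAttr(node, 'data-consent-activated') === 'true') continue; // already done
    const category = readAttr(node, 'data-consent-category');
    if (!category) continue;                                            // not consent-gated
    const service = readAttr(node, 'data-consent-service') || category;
    const activated = isGranted(consent, category, service);
    decisions.push({ service, category, activated });
    if (activated) {
      mount({ src: readAttr(node, 'src'), code: node.textContent || '' });
      writeAttr(node, 'data-consent-activated', 'true');
    }
  }
  return decisions;
}

// Browser mount: a fresh element is required, the inert one never executes.
function domMount(spec) {
  const s = document.createElement('script');
  if (spec.src) s.src = spec.src; else s.textContent = spec.code;
  document.head.appendChild(s);
}

// Constructed sample page: fresh objects each call so repeated runs stay independent.
function sampleScripts() {
  return [
    { type: 'text/plain', 'data-consent-category': 'analytics', 'data-consent-service': 'google-analytics',
      src: 'https://www.googletagmanager.com/gtag/js' },
    { type: 'text/plain', 'data-consent-category': 'marketing', 'data-consent-service': 'meta-pixel',
      src: 'https://connect.facebook.net/en_US/fbevents.js' },
    { type: 'text/plain', 'data-consent-category': 'technical', 'data-consent-service': 'cart-session',
      textContent: '/* inline cart code, constructed */' },
    { type: 'text/javascript', src: '/wp-includes/js/jquery/jquery.min.js' }, // not gated, untouched
  ];
}
const SAMPLE_CONSENT = { categories: { analytics: true, marketing: false }, services: {} };

function demo(consent = SAMPLE_CONSENT) {
  const mounted = [];
  const decisions = activateConsented(consent, sampleScripts(), spec => mounted.push(spec.src || 'inline'));
  return { decisions, mounted };
}

if (typeof document === 'undefined') {
  console.log(JSON.stringify(demo(), null, 2));
}
// In the browser, after the user has chosen (storedConsent is wherever you persist the record):
//   activateConsented(storedConsent,
//     document.querySelectorAll('script[type="text/plain"][data-consent-category]'), domMount);
```

Note what the loader deliberately does not do: it never mounts a script whose category is missing from the record, and it never lets a category grant override an explicit per-service refusal. Those two rules are what distinguish blocking from the "loaded but not activated" pattern the text rejects.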


Error #3: lack of granular consent

Many banners offer only two options: accept all or reject all. This is an understandable simplification from a design perspective, but insufficient from a regulatory standpoint and, above all, relative to users' expectations.

The GDPR and the guidelines of European Privacy authorities require that consent be specific, meaning it must refer to determined and distinct purposes. Generic consent "to all cookies" does not automatically equate to valid consent for each individual processing operation. Users must be able to choose, in a granular way, which cookies to consent to and which to refuse.

Choosing between "everything" and "nothing" is not a choice: it is an imposition with two different labels.

The banner must allow users to distinguish between at least the functional categories: technical cookies (always active and not subject to consent), analytical cookies, profiling and marketing cookies, third-party cookies. Ideally, it should allow users to activate or deactivate individual services - for example, accepting Google Analytics but not Meta Pixel.

Limiting the choice to generic categories ("cookies to improve navigation", "marketing cookies") without specifying which services fall under each category is also insufficient. Users must know exactly what they are consenting to.
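What a granular consent record can look like, as an added example that is not the plugin's data model: services are listed with their provider and purpose (so the banner can name them, not just the category), technical services are always on and never asked, "accept all" is expanded to a per-service grant so the stored record still says exactly what was consented to, and a service counts as granted only when the user explicitly ticked it, so a pre-ticked box or a missing choice yields a refusal. The catalogue and service identifiers are constructed.

```javascript
// Added example, not My Agile Privacy's code or storage format.

// Constructed service catalogue; what the banner must be able to disclose per service.
const SERVICE_CATALOG = [
  { id: 'session',          category: 'technical', provider: 'this site', purpose: 'keeps cart and login session' },
  { id: 'google-analytics', category: 'analytics', provider: 'Google',    purpose: 'traffic measurement' },
  { id: 'hotjar',           category: 'analytics', provider: 'Hotjar',    purpose: 'session recordings and heatmaps' },
  { id: 'meta-pixel',       category: 'marketing', provider: 'Meta',      purpose: 'ad conversion tracking and retargeting' },
];

// choices: an object { serviceId: true } for the ticked services, or the strings
// 'accept-all' / 'reject-all' for the two shortcut buttons.
function buildConsentRecord(catalog, choices = {}, now = new Date()) {
  const services = {};
  for (const svc of catalog) {
    let granted;
    if (svc.category === 'technical') granted = true;          // not subject to consent
    else if (choices === 'accept-all') granted = true;
    else if (choices === 'reject-all') granted = false;
    else granted = choices[svc.id] === true;                   // only an explicit tick counts
    services[svc.id] = granted;
  }
  // A category is granted only if every service inside it is; it is derived from
  // the per-service choices, never stored as the only thing the user agreed to.
  const categories = {};
  for (const svc of catalog) {
    if (svc.category === 'technical') { categories.technical = true; continue; }
    categories[svc.category] = (categories[svc.category] ?? true) && services[svc.id];
  }
  return { version: 1, timestamp: now.toISOString(), services, categories };
}

// Sanity check for the banner's initial state (Error #1's "incorrect default
// settings"): before any click, nothing but technical services may be granted.
function initialStateIsClean(catalog) {
  const rec = buildConsentRecord(catalog, {});
  return catalog.every(s => s.category === 'technical' || rec.services[s.id] === false);
}

// Rows the banner's detail view should render: one per non-technical service.
function disclosureRows(catalog) {
  return catalog
    .filter(s => s.category !== 'technical')
    .map(s => `${s.id} (${s.provider}, ${s.category}): ${s.purpose}`);
}

console.log(JSON.stringify(buildConsentRecord(SERVICE_CATALOG, { 'google-analytics': true }), null, 2));
console.log(disclosureRows(SERVICE_CATALOG).join('\n'));
```

With this shape, "accepting Google Analytics but not Meta Pixel" is a first-class outcome rather than an approximation of "analytics yes, marketing no", and the derived category flags are what a script loader would consult when a script is tagged only by category.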

The value of granularity for users and businesses

Offering a real choice is not just an obligation: it is an opportunity. Users who perceive transparent and respectful treatment of their rights develop greater trust in a brand. According to European market research from 2025, over 65% of consumers consider data handling a determining factor when choosing a service. The granularity of consent is one of the clearest signals of respect towards the user.


Error #4: insufficient information and lack of transparency

A banner that reads "We use cookies to improve your experience" is not informing the user: it is evading the transparency obligation that the GDPR places on those who collect personal data.

Users have the right to know which cookies are being installed, for what specific purpose, for how long, and with which third parties their data is shared. This information is not optional to provide on request: it is an essential requirement for the validity of consent.

Transparency does not mean writing everything in small print at the bottom of the page. It means the user genuinely understands what they are accepting, before they accept it.

The most frequent information gaps

No link to the full Cookie Policy. The banner must include a clearly visible and immediately accessible link to the complete Cookie Policy. Not a reference hidden in the footer, not a link in small grey text: a clearly identifiable element that users can consult before expressing their choice.

Outdated Cookie Policy. The Cookie Policy must accurately reflect the cookies actually installed on the site, including those from third parties. Generic or template-copied policies do not correspond to the site's actual operational reality and will not withstand scrutiny.

Missing information on third parties. When the data collected is shared with partners, advertisers or external platforms, this information must be explicit. Users must be able to make an informed assessment of who their data is going to before consenting.

Vague or aggregated purposes. "Improving navigation", "traffic analysis", "personalisation": these formulas are often too generic to satisfy the GDPR's specificity requirement for consent. Each distinct processing purpose requires a separate legal basis and a separate disclosure.

How to build a truly transparent policy

Transparency is not just a regulatory obligation: it is a positioning choice. Companies that communicate clearly what they do with users' data - and why - differentiate themselves measurably from the average. Building a policy that is genuinely readable, organised by purpose and updated to reflect services actually in use is not a bureaucratic exercise: it is an investment in the trust of your audience.


Error #5: no updates or periodic review

Privacy compliance is not a state that is achieved once and maintained indefinitely. It is a continuous process, because both regulation and technology are constantly evolving.

A perfectly configured banner today can become non-compliant tomorrow, for a series of concrete reasons: Privacy authority guidelines are updated, third-party services modify their scripts, new plugins or marketing tools are integrated, tracking purposes change in connection with new campaigns. Every change to the site is potentially a change to one's compliance posture.

Privacy compliance is not a destination: it is a course that must be recalibrated every time the regulatory or technological wind changes.

What can make a banner non-compliant over time

Regulatory updates. European Privacy authorities periodically publish new guidelines that can modify operational requirements - consider updates on consent collection methods, cookie walls, or fingerprinting techniques. Failing to monitor these updates means risking non-compliance without knowing it.

Changes to third-party services. Google, Meta and other major providers frequently update their tracking systems. A script that behaved in a certain way yesterday might today collect different information or transmit it to new recipients.

New plugins and integrations. Every new element added to the site - a chat plugin, a booking system, a social widget - is a potential new tracker. If it is not verified before integration and added to the consent management system, it automatically becomes a source of non-compliance.

Changes to the site and campaigns. A graphic redesign, a new lead generation form, the activation of a remarketing campaign: these are all events that can change cookie behaviour and require an update to the Cookie Policy and the banner.

A structured review plan

Periodic review of the Privacy configuration must not be left to chance or to whenever time allows. It is an activity that must be planned on a regular basis - at least twice a year - and must include specific checks: that preventive blocking still works correctly after every technical update to the site, that the Cookie Policy reflects the cookies actually installed, that the banner renders correctly across different browsers and devices, and that any new guidelines from the relevant authorities have been incorporated.
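One of the checks listed above, that the Cookie Policy reflects the cookies actually installed, lends itself to code. The following is an added example and not part of ComplianceCheck365 or the plugin: it parses a `document.cookie` string into cookie names, compares them against the inventory declared in the policy (where a trailing `*` stands for a variable suffix, as with per-property `_ga_<ID>` cookies), and reports both directions of drift: cookies set but not declared, and declared entries no longer seen. The declared inventory and the sample cookie string are constructed. Note the limit of this source: `document.cookie` exposes only first-party cookies without the HttpOnly flag, so the result is a lower bound to be paired with the DevTools Application tab.

```javascript
// Added example, not the plugin's code.

// Constructed policy inventory (names other than the WordPress login cookie and
// the GA ones are hypothetical). A trailing '*' matches any suffix.
const DECLARED_COOKIES = [
  { name: 'wordpress_logged_in_*', category: 'technical', retention: 'session' },
  { name: 'old_newsletter_popup',  category: 'technical', retention: '30 days' }, // stale entry
  { name: '_ga',                   category: 'analytics', retention: '2 years' },
  { name: '_ga_*',                 category: 'analytics', retention: '2 years' },
];

// Parse a document.cookie string ("a=1; b=2") into the list of cookie names.
function cookieNames(cookieString) {
  return cookieString
    .split(';')
    .map(part => part.trim())
    .filter(Boolean)
    .map(part => {
      const eq = part.indexOf('=');
      return eq < 0 ? part : part.slice(0, eq);
    });
}

function nameMatches(pattern, name) {
  return pattern.endsWith('*') ? name.startsWith(pattern.slice(0, -1)) : name === pattern;
}

// Compare the policy with what the browser holds.
//   undeclared: set on the device but absent from the policy (a disclosure gap)
//   unseen:     in the policy but not observed (possibly stale, worth a second look)
function policyDrift(declared, observedNames) {
  const undeclared = observedNames.filter(n => !declared.some(d => nameMatches(d.name, n)));
  const unseen = declared
    .filter(d => !observedNames.some(n => nameMatches(d.name, n)))
    .map(d => d.name);
  return { undeclared: [...new Set(undeclared)], unseen };
}

// Constructed sample of document.cookie after a visit where everything was rejected.
const SAMPLE_COOKIE_STRING =
  'wordpress_logged_in_abc=1; _ga=GA1.1.111; _ga_ABCDEFG=GS1.1.222; _fbp=fb.1.333; _hjSession_99=x';

if (typeof document !== 'undefined') {
  // In the browser, run after rejecting everything on the banner; a non-empty
  // "undeclared" list here means something set a cookie the policy does not cover.
  console.log(policyDrift(DECLARED_COOKIES, cookieNames(document.cookie)));
} else {
  console.log(JSON.stringify(policyDrift(DECLARED_COOKIES, cookieNames(SAMPLE_COOKIE_STRING))));
}
```

Run this twice per review, once after rejecting and once after accepting everything: the first run must report no undeclared non-technical cookies at all, the second tells you whether every declared service is still actually in use.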

With ComplianceCheck365, My Agile Privacy® offers a professional monitoring service that includes two full technical checks per year, detailed reports after each review and automatic updates to new regulations - eliminating the risk of becoming non-compliant due to changes that no one was tracking.


Conclusion: from apparent compliance to real compliance

The five errors described in this guide are not theoretical edge cases. They are the norm. The vast majority of websites present them in various combinations, often unknowingly, often convinced they are "covered" because they have installed a banner.

The difference between apparent and real compliance is not visible to the naked eye. The Privacy Authority sees it, during an investigation. The enterprise partner sees it, during a pre-contractual audit. The user sees it, after having rejected cookies and realising they are still being tracked.

Having a banner does not mean being compliant. It means having a banner.

Building a consent management system that truly works requires three elements: a technical solution that genuinely blocks scripts before consent, an interface designed for neutrality and clarity, and a continuous review process that maintains compliance over time.

My Agile Privacy® integrates these three elements into a single platform: real preventive blocking, four compliant buttons, documentation via technical cookie, zero dark patterns, continuous updates to new regulations. Without unnecessary complexity, without added bureaucracy.

Do not let a poorly configured banner put your users' trust at risk. Try My Agile Privacy®.
