--- title: "EU Cookie Banner Requirements" canonical_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements" source_url: "https://www.sorena.io/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements" author: "Sorena AI" description: "A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes." published_at: "2026-02-21" updated_at: "2026-02-21" keywords: - "EU cookie banner requirements" - "cookie banner compliant EU" - "reject cookies button required" - "cookie wall consent EU" - "CMP best practices EU" - "cookie banner testing checklist" - "EDPB cookie banner taskforce" - "cookie banner requirements" - "CMP" - "consent UX" - "cookie walls" - "EDPB" - "enforcement" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU Cookie Banner Requirements A practical cookie banner and CMP requirements guide: acceptance/reject parity, granularity, clear purposes, vendor transparency, no pre-ticked boxes. *UX + QA Guide* *EU* ## EU ePrivacy Directive Cookie Banner Requirements Design banner UX that produces valid choice and audit-ready proof. Focus: consent UX patterns, cookie walls, and testing against common enforcement findings. Cookie banners fail when they look compliant but don't enforce outcomes. Enforcement is increasingly evidence-driven: regulators and complainants assess whether non-exempt trackers fire before consent and whether the user had a real choice. This page translates common denominator guidance into UI/UX patterns and test cases you can ship safely. ## Minimum banner outcomes (what your banner must be able to prove) Your banner must produce a clear decision and enforce it across trackers. The best way to reduce risk is to define outcomes as acceptance criteria and test them automatically. - Pre-consent: only exempt trackers run (transmission / strictly necessary). - Accept all: mapped trackers run per declared purposes/vendors. - Reject all: non-exempt trackers do not run; no shadow firing via tag managers. - Granular choices: partial consent mapped correctly; withdrawal updates firing behavior. ## UI/UX requirements: choice must be real (not nudged into one outcome) A banner is a choice interface. When "reject" is hidden or made difficult, enforcement risk rises. Design for clarity and symmetry. - Parity: reject must be as easy as accept (no multi-click reject vs one-click accept). - Granularity: provide purpose-level (and where relevant vendor-level) controls without burying them. - Plain language: purposes and consequences explained; avoid vague "improve your experience" phrasing. - No pre-ticked boxes; defaults must not enable non-exempt trackers. *Recommended next step* *Placement: after the requirement breakdown* ## Turn EU ePrivacy Directive Cookie Banner Requirements into an operational assessment Assessment Autopilot can take EU ePrivacy Directive Cookie Banner Requirements from turning the requirements into assigned actions to a reusable workflow inside Sorena. Teams working on EU ePrivacy Directive can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for EU ePrivacy Directive Cookie Banner Requirements](/solutions/assessment.md): Start from EU ePrivacy Directive Cookie Banner Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through EU ePrivacy Directive](/contact.md): Review your current process, evidence gaps, and next steps for EU ePrivacy Directive Cookie Banner Requirements. ## Cookie walls and conditionality When access to a service is conditioned on consent to non-essential tracking, consent validity can be challenged. Treat cookie walls as high-risk and require explicit legal review before deploying. - Document whether the service can be reasonably accessed without consenting to non-essential tracking. - Provide an alternative if you rely on consent for non-essential purposes in a way that could be considered conditional. - Store rationale and approval in your evidence index. ## Implementation checklist (engineering + evidence) Design for proof: you should be able to export CMP config and reproduce behavior. Build a release gate so new tags can't ship without mapping. - CMP config snapshots versioned (purposes, vendors, mapping rules). - Consent/withdrawal logs include banner version, locale, purposes/vendors, timestamp. - Automated tests: UI tests + network-level tests verifying no pre-consent firing. - Tag manager governance: approvals, change logs, and environment separation. ## Primary sources - [EDPB Report - Cookie Banner Taskforce (Jan 2023)](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_20230118_report_cookie_banner_taskforce_en.pdf?ref=sorena.io) - Common denominator positions and recurring issues observed in cookie banner complaints. - [EDPB Guidelines 05/2020 on consent under GDPR](https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_202005_consent_en.pdf?ref=sorena.io) - Consent validity guidance, including conditionality/cookie-wall discussion. - [WP29 Opinion 04/2012 on Cookie Consent Exemption (WP194)](https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_en.pdf?ref=sorena.io) - Exemptions test for transmission and strictly necessary cookies (helps define what can run pre-consent). ## Related Topic Guides - [Confidentiality of Communications (ePrivacy Directive) | Traffic Data, Location Data, Content, and the OTT Gap](/artifacts/eu/eprivacy-directive/confidentiality-of-communications.md): A practical guide to communications confidentiality under the current ePrivacy Directive, Directive 2002/58/EC: how to classify content, traffic data. - [Cookies & Consent (ePrivacy Directive Article 5(3)) | Exemptions Test, Analytics, CMP Implementation](/artifacts/eu/eprivacy-directive/cookies-and-consent.md): An advanced guide to cookie consent under the ePrivacy Directive (Directive 2002/58/EC): how Article 5(3) applies to cookies/SDKs/local storage. - [Direct Marketing Consent Checklist (ePrivacy Article 13) | Proof, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-consent-checklist.md): A practical direct marketing consent checklist for ePrivacy (Directive 2002/58/EC, Article 13): consent capture fields, wording/version control. - [Direct Marketing Rules (ePrivacy Directive Article 13) | Consent, Soft Opt-In, Opt-Out, Suppression Lists](/artifacts/eu/eprivacy-directive/direct-marketing-rules.md): A practical guide to ePrivacy direct marketing rules (Directive 2002/58/EC, Article 13): when prior consent is needed. - [ePrivacy Applicability Test (Directive 2002/58/EC) | Cookies Article 5(3), Marketing Article 13, Metadata](/artifacts/eu/eprivacy-directive/applicability-test.md): A practical EU ePrivacy applicability test: decide whether your product triggers terminal equipment access rules (cookies/SDKs/local storage/fingerprinting. - [ePrivacy Checklist (Directive 2002/58/EC) | Cookie Banner, Consent Logs, Exemptions, Marketing Evidence](/artifacts/eu/eprivacy-directive/checklist.md): An audit-ready ePrivacy checklist: build a tracker inventory and Article 5(3) decision table (consent vs exemptions). - [ePrivacy Compliance Program | Cookies, Consent UX, Evidence, Marketing Controls (Directive 2002/58/EC)](/artifacts/eu/eprivacy-directive/compliance.md): A practical ePrivacy implementation playbook: governance, tracker inventory and Article 5(3) decision table, cookie banner and CMP design. - [ePrivacy Deadlines and Compliance Calendar | Directive Baseline, Banner Audits, Marketing Audits](/artifacts/eu/eprivacy-directive/deadlines-and-compliance-calendar.md): A practical ePrivacy calendar built around the current directive baseline and recurring controls: the 2002 directive, the 2009 cookie amendment. - [ePrivacy Directive Enforcement (Cookies + Marketing) | How Regulators Assess Cookie Banners, Consent, and Evidence](/artifacts/eu/eprivacy-directive/enforcement-and-fines.md): An advanced guide to ePrivacy Directive enforcement: who enforces national ePrivacy laws, what regulators look for in cookie banners and consent UX. - [ePrivacy Directive Penalties and Fines | What "Effective, Proportionate, Dissuassive" Means + Risk Reduction Controls](/artifacts/eu/eprivacy-directive/penalties-and-fines.md): Understand penalties and fine exposure under national laws implementing the ePrivacy Directive (Directive 2002/58/EC). - [ePrivacy Directive Requirements (2002/58/EC) | Article 5(3) Cookies, Article 13 Marketing, Metadata + Evidence Map](/artifacts/eu/eprivacy-directive/requirements.md): A practical ePrivacy Directive requirements breakdown: terminal equipment access and cookie consent/exemptions (Article 5(3)). - [ePrivacy Directive vs GDPR | Which Law Applies to Cookies, Tracking, Communications Metadata, and Marketing?](/artifacts/eu/eprivacy-directive/eprivacy-directive-vs-gdpr.md): A practical, source-grounded split between the ePrivacy Directive and GDPR: ePrivacy for placement/reading on devices and communications confidentiality. - [ePrivacy FAQ (Directive 2002/58/EC) | Cookies, Consent Exemptions, Cookie Walls, Marketing, Enforcement](/artifacts/eu/eprivacy-directive/faq.md): High-signal ePrivacy answers: when cookies/SDKs need consent (Article 5(3)), what counts as strictly necessary (WP29 WP194). - [ePrivacy vs GDPR (Cookie Stack Blueprint) | Align Consent UX, Tag Firing, Processing Purposes, and Evidence](/artifacts/eu/eprivacy-directive/eprivacy-vs-gdpr.md): A combined ePrivacy + GDPR implementation blueprint for cookies, tracking, and marketing. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/eprivacy-directive/eu-cookie-banner-requirements