Reconvio
Back to blog
Compliance 2 min read

Cookie banners that actually comply (and the ones that get you fined)

A cookie banner that loads trackers before you click is worse than none — it documents the violation. What a compliant banner does differently, and the common patterns that don't hold up.

Marek Křivan · July 18, 2026
Cookie banners that actually comply (and the ones that get you fined)

Here's the uncomfortable truth about cookie banners: the banner is not the compliance. The behaviour behind it is. A banner that pops up politely and then loads Google Analytics and the Meta Pixel anyway — before you've clicked anything — isn't protecting you. It's documenting, in your own page's network traffic, exactly how you're breaking the rules.

Quick caveat: I'm a security specialist, not a lawyer, and this isn't legal advice — but the technical behaviour below is checkable, and it's where most sites actually fail.

The one rule that matters

Non-essential trackers — analytics, advertising, anything that isn't strictly required to run the site — must load only after the visitor has actively agreed. Before consent: nothing but the essentials.

That's it. Everything else is detail. And it's the rule the most common banner setups quietly break.

The patterns that get you fined

  • Trackers fire on page load. The banner is showing, but Analytics and the Pixel already ran before you touched it. Consent that arrives after the tracking is not consent.
  • "Accept" is easy, "reject" is buried. A big glowing Accept all and a reject option hidden behind "Manage preferences", three clicks deep — or missing entirely. Rejecting has to be as easy as accepting.
  • Pre-ticked boxes. Consent has to be an active choice. A box that's already ticked isn't one.
  • "By using this site you agree." Implied consent from simply being on the page doesn't count for non-essential cookies.
  • No way to change your mind. People must be able to withdraw consent as easily as they gave it.

What a compliant banner actually does

  • Blocks non-essential scripts until consent — genuinely blocks them, so nothing fires beforehand.
  • Offers reject as easily as accept, on the first screen.
  • Lets people choose granularly (analytics yes, advertising no) if you use different categories.
  • Records the choice and lets it be withdrawn later.

The catch AI-built sites always hit

Getting the banner to appear is the easy 20%. Any component library will render one. The hard 80% is making it actually gate the scripts — deferring every tracker until the click, and firing them only for the categories the visitor allowed. This is precisely the part AI builders skip: the banner shows up, looks compliant, and the trackers load regardless. From the outside — which is how a regulator, or Reconvio, sees it — the tracking-before-consent is plainly visible in the network requests.

You can see the shape of a plain, honest version in our own cookie notice, and the wider legal picture in the privacy policy.

Where this fits

Cookie consent is one pillar of the 2026 website compliance checklist, alongside GDPR basics, consumer-law disclosures and the European Accessibility Act. They tend to be missing together — a site that never wired up consent usually never wrote a real privacy policy either.


A cookie banner is a promise about what your site does before you click. Make sure your site keeps it. Check what fires before consent on yours — it's one of the first things a scan can see.

See what your site exposes

Run a free audit and get concrete issues in half a minute — no signup.

Check my website