Cookie Consent Banners: What Actually Works (and What Doesn't)
Having a cookie consent banner on your website is not the same as being compliant. This is a distinction that trips up a lot of businesses — they see the banner, assume they're covered, and move on. But the banner itself is just the visible part. What matters is what happens underneath.
The Problem with Most Consent Banners
We've scanned thousands of business websites, and the most common finding is this: the cookie consent banner is present, but tracking scripts fire before the user interacts with it. In other words, the banner is purely cosmetic. Google Analytics, Meta Pixel, and other tracking technologies load immediately on page visit, regardless of whether the user accepts, rejects, or ignores the banner entirely.
This is not compliant. Under CIPA and similar privacy laws, the standard is affirmative consent before data collection begins. A banner that shows up while data is already being collected doesn't meet that standard.
What a Compliant Implementation Looks Like
A properly implemented consent system requires several specific behaviors. All non-essential scripts must be blocked by default — meaning tracking pixels, analytics, advertising tags, and session recording tools must not load until consent is given. The banner must appear immediately on first visit, before any tracking occurs. The user must be given a genuine choice to accept or reject non-essential cookies. The reject option must be equally accessible — not hidden behind multiple clicks or presented in a smaller, less visible button. The user's choice must be stored and respected on subsequent visits. If the user rejects, non-essential scripts must never load during that session.
Common Consent Platforms
Several consent management platforms can handle this correctly when configured properly, including Cookiebot, OneTrust, Osano, Termly, and Complianz (for WordPress). The key word is "configured properly." Most of these platforms offer a default setup that may not block scripts correctly out of the box. You need to configure your specific tracking scripts to be blocked until consent is obtained.
Dark Patterns to Avoid
Some consent implementations technically show a choice but are designed to make rejecting consent difficult. These "dark patterns" create additional legal exposure. Common ones include making the "Accept" button bright and prominent while the "Reject" option is a small text link, pre-checking consent boxes so the user has to actively un-check them, requiring multiple clicks to reject but only one click to accept, and using confusing, double-negative wording such as "Reject non-essential cookies." Courts and regulators are increasingly scrutinizing these patterns. A consent mechanism that uses dark patterns may not be considered valid consent at all.
Testing Your Implementation
After implementing a consent banner, verify that it actually works. Open your website in an incognito/private browser window. Before interacting with the banner, open your browser's developer tools and check the Network tab. If you see requests going to google-analytics.com, facebook.com/tr, or similar tracking domains before you've clicked "Accept," your implementation isn't working.
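The Network-tab check above can be automated against a HAR export of the same session. This is an added example, not code from this article or from APFC; the tracker rules cover only the two endpoints named above, and the sample entries, the `shop.example` host and the consent timestamp are constructed.

```javascript
// Tracker rules: only the two endpoints the article names; extend for your own stack.
const TRACKERS = [
  { name: "Google Analytics", host: "google-analytics.com", pathPrefix: null },
  { name: "Meta Pixel", host: "facebook.com", pathPrefix: "/tr" },
];

// Exact host or a subdomain; a substring test would also match "notgoogle-analytics.com".
const hostMatches = (h, t) => h === t || h.endsWith("." + t);
// Whole path segment only, so "/tr" matches "/tr" and "/tr/" but not "/travel".
const pathMatches = (p, prefix) => !prefix || p === prefix || p.startsWith(prefix + "/");

// Returns the tracker name for a request URL, or null if it is not a known tracker.
function matchTracker(rawUrl) {
  let url;
  try { url = new URL(rawUrl); } catch { return null; } // skip malformed URLs
  const hit = TRACKERS.find(
    (t) => hostMatches(url.hostname, t.host) && pathMatches(url.pathname, t.pathPrefix));
  return hit ? hit.name : null;
}

// har: parsed HAR 1.2 object. consentTime: ISO timestamp of the "Accept" click,
// or null if the banner was ignored or rejected (then every tracker request counts).
function findPreConsentTrackers(har, consentTime) {
  const cutoff = consentTime ? Date.parse(consentTime) : Infinity;
  const findings = [];
  for (const entry of har.log.entries) {
    const tracker = matchTracker(entry.request.url);
    if (tracker && Date.parse(entry.startedDateTime) < cutoff) {
      findings.push({ tracker, url: entry.request.url, at: entry.startedDateTime });
    }
  }
  return findings;
}

// Constructed sample: page load at 10:00:00, "Accept" clicked at 10:00:05.
const SAMPLE_HAR = { log: { entries: [
  { startedDateTime: "2024-01-01T10:00:00.100Z", request: { url: "https://shop.example/" } },
  { startedDateTime: "2024-01-01T10:00:00.450Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
  { startedDateTime: "2024-01-01T10:00:00.500Z", request: { url: "https://www.facebook.com/tr?id=0000&ev=PageView" } },
  { startedDateTime: "2024-01-01T10:00:00.600Z", request: { url: "https://notgoogle-analytics.com/x.js" } },
  { startedDateTime: "2024-01-01T10:00:00.700Z", request: { url: "https://www.facebook.com/travel" } },
  { startedDateTime: "2024-01-01T10:00:09.000Z", request: { url: "https://www.google-analytics.com/g/collect?v=2" } },
] } };
const CONSENT_CLICK = "2024-01-01T10:00:05.000Z";
console.log(findPreConsentTrackers(SAMPLE_HAR, CONSENT_CLICK));
```

Any finding returned for a session where "Accept" was clicked means a tracker fired before consent; for a session where the banner was rejected or ignored, pass `null` so that every tracker request is reported.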
You can also request a free compliance assessment from APFC, where we check for the presence of tracking pixels and whether a proper consent mechanism is in place.