LaunchTrust
Log inStart trial

Detector registry

Cookie Consent Banner Requirement: What to Check Before You Launch

Does your site need a cookie consent banner? See what GDPR and ePrivacy expect, how detection works, and how to spot a missing banner signal.

Updated 2026-06-19cookie consent banner requirementSignals, not a verdict
Run free scanStart trial

If your website drops non-essential cookies — analytics, advertising pixels, A/B testing, session replay — most European rules expect you to ask for consent before those cookies load. The familiar "we use cookies" banner is how that ask usually shows up. For an indie developer shipping a marketing site, a SaaS landing page, or a storefront, a missing or broken consent flow is one of the most common reasons a launch draws a complaint, a takedown request, or an awkward email from a data-protection authority.

The tricky part: the cookie consent banner requirement is conditional. It is not a universal "every site needs a banner" rule. It hinges on what cookies and trackers you actually set. That makes it easy to get wrong in both directions — bolting on a banner you do not need, or skipping one you do. This page explains what LaunchTrust looks for, what the underlying law expects, and how to close the gap.

What LaunchTrust checks

The cookie_consent detector reads the public HTML of the page you point it at and looks for evidence that a consent banner or consent-management platform (CMP) is present. It is a positive signal — meaning a banner is something you generally want detected when you set non-essential cookies. There is no login, no crawling of private pages: it inspects the markup that any visitor receives.

It checks two things, in order:

  1. Known consent platforms. The detector matches the page source against signatures for widely used CMPs — OneTrust/Optanon, Cookiebot, Usercentrics, CookieYes (Cookie Law Info), Osano, Termly, Quantcast, Didomi, and the open-source Cookie Consent library. A match here returns detected with an informational note naming the platform.
  2. Generic banner wording. If no named platform is found, it looks for common banner phrasing — "we use cookies", "cookie policy / settings / preferences", "accept (all) cookies", plus equivalents in other languages (for example the Turkish "çerezleri kabul" or German cookie-notice patterns). A match returns detected with a note that generic cookie-banner wording is present.

What each result means here:

  • Detected — a recognizable consent banner or CMP signature appears in the page HTML. This signals the presence of a banner; it does not judge whether the banner is configured correctly, blocks scripts before consent, or honors a "reject" choice.
  • Not detected — no known CMP and no generic banner wording was found. The note is explicit: this is only a concern if you set non-essential cookies. A purely static brochure site with no trackers can legitimately have no banner.
  • Unable to determine — the page could not be fetched or parsed (network error, blocked request, empty response), so no conclusion is drawn.

Because the check reads rendered/served HTML for keywords and library signatures, it can miss a banner that is injected entirely by an obfuscated third-party script with no recognizable markers, and it cannot confirm whether scripts are actually gated behind consent. Treat detected as "a banner appears to be present," not "your consent setup is correct."

Why it matters

Two overlapping European regimes drive this:

  • The ePrivacy Directive (the "cookie law," implemented in each EU/EEA country's national law) generally requires prior, informed consent before storing or accessing information on a user's device — except for cookies that are strictly necessary to deliver a service the user explicitly requested. Analytics, advertising, and most third-party pixels are not strictly necessary, so they typically need consent first.
  • The GDPR sets the standard for what valid consent looks like: freely given, specific, informed, and unambiguous, with a genuine ability to refuse. In practice that means consent should be opt-in for non-essential cookies, "reject" should be as easy as "accept," and non-essential scripts should not fire before the user agrees.

This is why the detector pairs naturally with tracking detection: a banner with no trackers is low-stakes, but trackers with no banner is the classic gap regulators and app reviewers flag. If your page loads Google Analytics, a Meta Pixel, or similar before any consent is given, the banner requirement is squarely in play. See /detectors/third-party-tracking for the companion signal.

These rules are commonly expected for any site reachable by EU/EEA users — and you usually cannot opt out of that audience just by being based elsewhere. For the broader regional picture, see /jurisdictions/european-union.

A concrete example

Here is roughly what a detected result keys off in your HTML — a known CMP script reference:

<!-- A consent platform signature the detector recognizes -->
<script src="https://consent.cookiebot.com/uc.js"
        data-cbid="REDACTED-CBID"></script>

…or generic wording in the page body:

<div class="cookie-banner">
  We use cookies to improve your experience.
  <button>Accept all cookies</button>
  <button>Cookie settings</button>
</div>

A not detected page is simply one where neither a CMP signature nor any of that wording appears anywhere in the served markup — which is fine for a no-tracker page, and a gap for a page that quietly loads analytics.

How to address it

  1. Inventory your cookies and trackers first. List every script that sets a cookie or sends data off-device. Tag each as strictly necessary or non-essential. This decides whether you even need a banner — do not add one reflexively.
  2. Decide if you need consent. If you only use strictly necessary cookies (auth, cart, CSRF, load balancing), you likely do not need a consent banner, though a short cookie notice is still good practice. If you use any non-essential cookies, you generally do.
  3. Add a real consent mechanism, not just a notice. Use a CMP (such as the platforms listed above) or a well-built custom banner that offers a clear "accept" and an equally easy "reject," plus a way to change choices later.
  4. Gate non-essential scripts behind consent. The banner must actually block analytics, ads, and pixels until the user opts in. A banner that displays while trackers already fired does not meet the standard.
  5. Link a cookie/privacy policy from the banner. Disclose what you collect and why; make sure it is reachable. Pair this with your overall /detectors/privacy-policy signal.
  6. Re-scan and confirm. After deploying, re-run the check so the banner registers as detected, and verify in your browser's dev tools that trackers stay silent until consent.

Check this in 30 seconds

Run your URL through LaunchTrust's free scanner. It tells you whether a recognizable cookie consent banner is detected, and it flags third-party trackers on the same page — so you instantly see the high-risk combination of trackers present with no banner. No signup, no crawl of private pages: it reads the same public HTML your visitors get. Use it as a pre-submission gut check before you point real traffic at the site.

FAQ

Does every website need a cookie consent banner? No. The requirement is conditional. If your site only sets strictly necessary cookies, you generally do not need a consent banner (a brief cookie notice is still good practice). If you set any non-essential cookies — analytics, ads, pixels — consent is commonly expected before they load.

The scanner says "detected" — does that mean my consent setup is correct? Not necessarily. Detected means a banner or CMP signature appears in your HTML. It does not verify that scripts are blocked before consent, that "reject" works, or that the configuration is valid. Treat it as "a banner is present," then confirm the behavior yourself.

Does this mean my site meets GDPR? No. LaunchTrust surfaces signals — detected, not detected, or unable to determine — to help you find gaps before you launch. It does not certify your site, render a verdict, or provide legal advice. For a structured walkthrough, see /frameworks/gdpr-checklist-indie-apps and consult a qualified professional for your specifics.

I'm based outside the EU. Do these rules still apply? Often, yes. ePrivacy and GDPR expectations generally attach to EU/EEA users regardless of where you are located. If those users can reach your site and you set non-essential cookies, the banner requirement is typically in scope.

Compliance aid, not legal advice. LaunchTrust reports signals, not a verdict or certification.