Do I need a cookie banner if I only use Google Analytics?

If visitors from the EU/UK can reach your site, generally yes — standard Google Analytics sets non-essential cookies, so EU/UK rules expect consent before it loads. For US-only audiences, a Cookie Notice plus an opt-out link is the more common baseline, though running a consent banner for everyone is simpler to maintain.

Are strictly necessary cookies exempt from consent?

Generally yes — cookies required for core functionality (like a login session or shopping cart) are usually exempt from the consent requirement under EU/UK rules. They should still be disclosed in your Cookie Notice.

Is a cookie banner the same as a Cookie Notice / Cookie Policy?

No. A Cookie Notice (or Cookie Policy) is a page that explains what cookies your site uses and why. A cookie banner is the on-page popup that asks for consent before non-essential cookies are set. Most sites that need consent need both: the banner for consent, and the notice page it links to for details.

← Back to blog

Cookie Consent Laws Explained (EU, US, UK)

"Do I need a cookie banner?" is one of the most common questions from small site owners. The honest answer is: it depends on where your visitors are and what cookies you use. Here's a plain-language breakdown of the main rules in the EU, US, and UK.

Published 2026-06-18

Not legal advice. This article is for general informational purposes only and does not constitute legal advice. Consult a qualified lawyer for advice specific to your business and jurisdiction.

What "cookie consent" actually means

Cookies and similar technologies (like browser local storage or tracking pixels) let a website remember things about a visitor — from keeping you logged in to measuring traffic to targeting ads.

"Cookie consent" laws don't ban cookies. They generally require two things: telling visitors what cookies you use and why (disclosure), and in many cases, getting permission before setting non-essential cookies (consent). Strictly necessary cookies — the ones that make the site function, like a shopping cart or login session — are usually exempt from the consent requirement, but not from disclosure.

EU and UK: GDPR, ePrivacy, and PECR

In the EU, cookie rules come mainly from the ePrivacy Directive (sometimes called the "cookie law"), working alongside GDPR. The UK has its own equivalent, the Privacy and Electronic Communications Regulations (PECR), which works similarly post-Brexit.

The practical effect for most sites: if you use non-essential cookies — analytics (like Google Analytics), advertising or retargeting pixels, or third-party embeds that set cookies — you generally need to:

Show a cookie banner before those cookies are set, with clear Accept/Reject options
Let visitors reject non-essential cookies as easily as accepting them
Avoid pre-ticked consent boxes or banners with no real reject option
Explain what cookies you use, by category, in a Cookie Notice
Let visitors change their choice later (e.g. a "Cookie settings" link in the footer)

US: CCPA/CPRA and the "sale or sharing" angle

US federal law doesn't have a general cookie banner requirement. Instead, the closest equivalent comes from state privacy laws — most notably California's CCPA/CPRA, with similar laws now active in several other states.

Rather than requiring consent before setting any cookie, CCPA/CPRA focuses on disclosure and opt-out: telling users what categories of personal information you collect (including via cookies), whether you "sell" or "share" that information (a broad definition that can include some advertising and analytics setups), and giving users a way to opt out — often via a "Do Not Sell or Share My Personal Information" link.

If your site has visitors from both the EU/UK and the US, the practical approach most small sites take is to run an EU/UK-style consent banner for everyone, since a working reject option also satisfies the US opt-out expectation.

Quick reference: do I need a cookie banner?

A simplified view, assuming your site uses non-essential cookies (analytics, ads, or similar):

EU visitors (GDPR/ePrivacy): consent banner with a real reject option, before non-essential cookies load
UK visitors (PECR): same practical approach as the EU
California / other US privacy-law states (CCPA/CPRA and similar): disclosure plus an opt-out mechanism for "sale/sharing" of data
Visitors outside these regions: no specific cookie-banner law in most cases, but a Cookie Notice is still good practice and often required by ad networks and analytics providers' terms
Strictly essential cookies only, no EU/UK/US-state audience: a Cookie Notice describing them is usually enough, no consent banner needed

What this means in practice

For most small sites, two pieces cover the bulk of this: a Cookie Notice page that lists the categories of cookies you use and why, and — if you use analytics or ads — a consent banner that lets visitors accept or reject non-essential cookies before they're set.

TrustPack AI's Cookie Notice generator produces the disclosure document tailored to whether your site uses analytics and/or third-party ads. For the banner itself, our free Cookie Consent Banner Snippet generates ready-to-use HTML/CSS/JS with Accept/Reject buttons and a consent-change event you can hook into your analytics or ad scripts.

Neither tool is a full consent management platform (CMP) — for complex setups with many third-party trackers, a dedicated CMP may be worth it. For most small sites, a clear Cookie Notice plus a basic accept/reject banner covers the core requirements.

Frequently asked questions

Do I need a cookie banner if I only use Google Analytics?: If visitors from the EU/UK can reach your site, generally yes — standard Google Analytics sets non-essential cookies, so EU/UK rules expect consent before it loads. For US-only audiences, a Cookie Notice plus an opt-out link is the more common baseline, though running a consent banner for everyone is simpler to maintain.
Are strictly necessary cookies exempt from consent?: Generally yes — cookies required for core functionality (like a login session or shopping cart) are usually exempt from the consent requirement under EU/UK rules. They should still be disclosed in your Cookie Notice.
Is a cookie banner the same as a Cookie Notice / Cookie Policy?: No. A Cookie Notice (or Cookie Policy) is a page that explains what cookies your site uses and why. A cookie banner is the on-page popup that asks for consent before non-essential cookies are set. Most sites that need consent need both: the banner for consent, and the notice page it links to for details.

Ready to put your legal pages in place?

Free preview · $9 for the full watermark-free pack (HTML, Markdown & PDF)

Generate my Trust Pack

Explore generators

Cookie Policy GeneratorExplain your use of cookies and tracking technology. Website Trust PackGet all legal pages for your website in one go. Cookie Consent Banner Snippet GeneratorGenerate a free, ready-to-paste HTML/CSS/JS cookie consent banner for your website.

More from the blog

Do I Need a Privacy Policy for My Website?Forms, cookies, analytics, payments — most sites collect more personal data than their owners realize. Here's how to tell if you need a privacy policy and what it should say. GDPR vs CCPA: What Small Website Owners Need to KnowTwo of the most-mentioned privacy laws, in plain language: who they apply to, what they expect from a small site, and a short practical checklist.

See it in action

Curious what the generated documents look like? View a sample Trust Pack for an example business.