Is a cookie notice mandatory in 2026? What the GDPR requires of your website

For many entrepreneurs a cookie notice feels like a box to tick. Something that "just has to be there" because everyone has one. But behind that notice sits a clear idea: your visitor should be able to decide for themselves whether a website collects data about them.

The rule of thumb is simple. Does your website collect more data than strictly needed to function? Then you need consent in advance. And you ask for that consent with a cookie notice. The details are set out in the GDPR and the guidance of the Dutch Data Protection Authority, the supervisory body in the Netherlands. This article gives you a practical overview, not legal advice.

What are cookies, exactly?

Cookies are small files that a website places on your visitor's device. They remember, for example, what is in a shopping basket, or which language someone is viewing the site in. So far there is nothing wrong.

It becomes different when cookies are used to track visitors. Think of analytics tools, advertising networks or embedded videos that watch along. Those cookies collect data about browsing behaviour, and stricter rules apply to them.

Broadly speaking there are two types:

• Functional and necessary cookies: needed to make the website work. You usually do not need consent for these.
• Tracking and marketing cookies: collect data or track behaviour. You need consent in advance for these.

The difference between these two determines whether you need a cookie notice and what it should look like.

When is a cookie notice mandatory?

In short: a cookie notice with a consent choice is needed as soon as your website places cookies that are not strictly necessary.

In practice that is the case more often than you might think. Many websites use:

• Google Analytics or another analytics package
• a Facebook or LinkedIn pixel
• embedded YouTube or Vimeo videos
• a chat function from an external party
• advertising or remarketing tools

All of these services can place tracking cookies. Do you use one of them? Then you need your visitor's consent in advance.

Do you have a very simple website without analytics, without embedded media and without external tools? Then the chance is greater that you only use necessary cookies and do not need to show a consent notice. Not sure? Then have it mapped out which cookies your site actually places. That is often the first thing we do for a new website.

What are the requirements for a good cookie notice?

Showing a cookie notice is not enough. The notice also has to meet a number of conditions. The supervisory authority looks mainly at whether the consent is genuinely given freely.

The most important principles:

• Ask in advance. Tracking cookies may only be placed after the visitor has given consent, not before.
• Refusing must be just as easy as accepting. A large green "Accept" button next to a hidden refuse option does not meet the rules.
• No pre-ticked boxes. Consent must be an active choice.
• Clear explanation. The visitor must understand what they are consenting to.
• Consent can be withdrawn. The visitor must be able to change their choice later.

This sounds logical, but in practice this is often where things go wrong. Many cookie banners are designed so that accepting is the easiest route. That is exactly what should not happen.

Dark patterns: why many cookie banners do not comply

A "dark pattern" is a design that subtly pushes the visitor in a certain direction. With cookie banners you see this very often.

Examples that risk not complying:

• a striking "Accept all" button, while refusing is tucked away in a menu
• refusing that costs extra clicks, while accepting can be done in one click
• a grey, barely visible refuse option next to a brightly coloured accept button
• texts that create a sense of guilt if you refuse

The line taken by supervisory authorities is becoming stricter: accepting and refusing should be equal. Two equally sized buttons, equally clear, at the same level. If your banner does not do that, it is wise to adjust it.

The good news is: an honest banner does not have to cost you many visitors. People who deliberately refuse would not count as a reliable statistic through a misleading button anyway.

What happens if you do not get it right?

Most entrepreneurs sort out their cookie notice not out of fear of a fine, but because they want to do it properly. Still, it is good to know what can happen.

The Dutch Data Protection Authority can take action against websites that break the rules. In practice that usually starts with a warning or a request to make changes. For larger or persistent breaches, heavier measures can follow.

Just as important is the trust of your visitor. A messy or misleading cookie banner immediately gives an unprofessional impression. A tidy, honest notice shows that you handle data carefully. For the current state of enforcement we refer to the Dutch Data Protection Authority, because rules and focus can change.

A cookie notice and your privacy statement belong together

A cookie notice does not stand on its own. Visitors who want to know more should be able to click through to an explanation of which data you collect and why.

That is why a good cookie approach also includes:

• a cookie statement that explains which cookies you place and for what purpose
• a privacy statement that describes how you handle personal data
• a clear link to both from the cookie banner

These documents do not have to be complicated, but they do have to match what your website actually does. A privacy statement that does not match the cookies you place is a common mistake. It pays to go through this properly once, for example as part of regular website maintenance.

How do you get it technically right?

A cookie notice is more than a text bubble. Under the hood something really has to happen too.

What a good technical solution does:

• only load tracking cookies after consent has been given
• remember the visitor's choice, so the banner does not return on every visit
• link the choice to the tools you use, such as analytics and advertising
• offer a way to change the choice later

This is exactly where many off-the-shelf banners fall short: they show a notice, but the tracking simply keeps running in the background. In practice you then still do not comply.

Good findability and a tidy cookie approach go together perfectly, by the way. In our article on SEO for existing websites you can read how to make your website stronger step by step without turning everything upside down at once.

Who is responsible for the cookies on your website?

A frequently heard question: if I use tools from Google or Facebook, are they not responsible for the cookies? The short answer is that you, as the owner of the website, are responsible for what happens on your site.

In practice that means:

• you decide which tools you use and which cookies come in with them
• you make sure consent is asked before tracking cookies load
• you keep your cookie and privacy statements up to date

The external parties supply the technology, but the choice to use them and the way you do so is up to you. The good news: you do not have to keep track of this yourself. Many entrepreneurs let this run along as part of their website maintenance, so it is always correct without them having to worry about it.

Cookies and SEO: does a banner affect your findability?

Many entrepreneurs wonder whether a cookie notice harms their position in Google. The short answer: not if you do it properly.

There are points to watch:

• a cookie banner must not completely block the content of your page for visitors
• the banner must not slow down the loading time unnecessarily
• the notice must work well on mobile too and not fall halfway over the buttons

A heavy, slow cookie script can make your website slower, and speed does count for both visitors and search engines. A light, well-built solution has hardly any impact. So it is not about whether or not you have a banner, but how tidily it is built.

Common mistakes at a glance

The same slip-ups keep coming back in practice. Do you recognise a few? Then it is time to take a critical look at your cookie notice.

• The banner appears, but the tracking already runs before you click anything.
• There is an accept button, but no clear refuse option.
• The refuse option is three menus deep.
• The cookie statement is missing or outdated.
• The banner returns on every visit, because the choice is not remembered.
• On mobile the banner sits halfway over the navigation.

Each of these is something you can fix. Often it is a matter of choosing the right solution and setting it up correctly, not of rebuilding your entire website.

Better right the first time than repaired afterwards

Most cookie trouble arises because a notice has been stuck on top loosely, without thinking about what happens underneath. We prefer to do it the other way around: first look at which data your website collects, then link the right notice and technology.

That way you can be sure that:

• only necessary cookies load straight away
• tracking cookies wait for consent
• the choice is remembered neatly and can be changed
• your cookie and privacy statements match reality

That gives peace of mind. Your website does what it should do, your visitor stays in control, and you do not have to worry about a notice that actually blocks nothing.

Want to be sure your website handles cookies and privacy properly? With a new website we sort out the cookie notice right from the start. Already have a website? Then through website maintenance we check whether your cookie approach still holds up and adjust it where needed. Get in touch and we will look together at what your site needs. For the rules themselves we always refer to the official guidance of the Dutch Data Protection Authority.

Frequently asked questions

Is a cookie notice always mandatory?

Not always. A cookie notice with a consent choice is needed as soon as your website places cookies that are not strictly necessary, such as analytics, advertising or tracking cookies. If you only use functional cookies to make your site work, a consent notice is usually not needed.

May the refuse button stand out less than the accept button?

No, that is in fact a common mistake. Refusing should be just as easy as accepting. The supervisory authority expects two equal options, equally clear and at the same level. A hidden or grey refuse option does not comply.

What are dark patterns with cookie banners?

Dark patterns are design tricks that push the visitor towards accepting, for example a bright accept button next to a barely visible refuse option, or refusing that costs extra clicks. This approach risks not meeting the rules.

Do I need a privacy statement as well as a cookie notice?

In most cases yes. A cookie notice and a privacy statement belong together. The visitor must be able to click through to an explanation of which data you collect and why. Make sure those documents match what your website actually does.

Does a cookie banner slow down my website?

It can, if the banner is heavy or poorly built. A light and well-configured cookie script has hardly any impact on speed. Because speed counts for visitors and search engines, it is wise to choose a tidy, light solution.

Where do I find the official rules about cookies?

The Dutch Data Protection Authority is the supervisory body in the Netherlands and explains on its website what is expected of cookies and consent. Rules and enforcement can change, so for the current state always consult that official source.