
Do I need a cookie banner?

Not every website does. Here's how to find out in 60 seconds.

💡 Skip the reading and use our free checker: kukibot.com/check. Enter your URL and we scan for tracking scripts automatically and tell you yes or no.

The simple rule

You need a consent banner if your site loads any non-essential scripts that track visitors before getting their permission. It doesn't matter where your company is based. If EU visitors can reach your site, GDPR applies to you.

You need a banner if you use any of these

  • Google Analytics 4 (GA4) or Universal Analytics
  • Google Ads remarketing, conversion tracking, or DoubleClick
  • Google Tag Manager — if it fires any advertising or analytics tags
  • Facebook / Meta Pixel — even if you're not running Facebook ads yet
  • LinkedIn Insight Tag
  • TikTok Pixel
  • Microsoft Clarity or Bing Ads
  • Hotjar, FullStory, Mouseflow or any heatmap / session recording tool
  • HubSpot tracking, Intercom, Drift, Zendesk chat widgets
  • Mixpanel, Segment, Heap, Amplitude or similar product analytics
  • Any retargeting pixel or advertising network script
  • Affiliate tracking scripts

⚠️ GTM is a common trap. Even if you didn't add GA4 yourself, if your developer or agency added it via Google Tag Manager, you still need a banner. The tag fires on your domain, so you're responsible.

You probably don't need one if you only use

  • ✓ A basic contact form with no third-party tracking
  • ✓ Your own server-side access logs (not covered by ePrivacy)
  • ✓ Cloudflare Web Analytics, Plausible, or Fathom (privacy-first, no cookies)
  • ✓ A simple login or shopping cart — necessary cookies are exempt
  • ✓ Stripe or PayPal payment forms — necessary for completing the transaction
  • ✓ CSRF protection or session cookies — strictly necessary, no consent needed

Which laws apply — and where

  • GDPR (EU) — applies to any website with EU visitors, regardless of where your business is located. Fines up to €20 million or 4% of global turnover.
  • ePrivacy Directive — the "cookie law". Requires consent before setting non-essential cookies. Applies across the EU.
  • UK PECR — same rules as ePrivacy for UK visitors post-Brexit.
  • LGPD (Brazil) — similar requirements for Brazilian visitors.
  • CCPA / CPRA (California) — requires a "Do Not Sell My Data" option. Less strict than GDPR, no consent required for analytics.

What happens if you don't comply

  • 💸 Fines up to €20 million or 4% of global annual turnover under GDPR
  • 📉 Google Ads stops working properly in the EU: without Consent Mode v2, personalised ads and conversion tracking are restricted
  • 📋 EU visitors can file complaints with their national Data Protection Authority (DPA) — and many do
  • ⚖️ NOYB, Schrems II activists, and automated complaint tools actively target non-compliant websites
  • 🇫🇷 France (CNIL), Germany (DSK), and Italy (Garante) have issued fines to companies of all sizes

The Google Ads problem specifically

Since March 2024, Google requires all advertisers targeting EU users to implement Google Consent Mode v2. Without it:

  • Google limits personalised ad delivery to EU visitors
  • Conversion tracking stops working correctly
  • Smart Bidding loses data and performs worse
  • Your ROAS reporting becomes unreliable

KukiBot handles Consent Mode v2 automatically. See the setup guide →

Check your site automatically — free

We scan your homepage for 20+ tracking scripts and give you a clear yes/no answer in seconds.