Cookie Banners: Do You Need One and How Do You Get It Legally Right?
Here is the short answer first, because it surprises a lot of people: not every website needs a cookie banner. Whether you need one doesn't depend on the fact that you have a website, but on what that website loads in the background. We build websites and tools for a fixed price and run seven of our own brands in production. That's why this question comes up constantly, and most of the time we're answering it for ourselves. Here's the honest, real-world version without the scaremongering.
When you don't need a banner
If your website only does what it technically has to do to function, you don't need consent, and therefore no banner with buttons either. This applies to:
- Strictly necessary cookies such as session cookies, login status, a shopping cart, or a stored language preference.
- Security features like a CSRF token or a cookie that controls a load balancer.
- Pure content pages that don't embed any external services: no Google Analytics, no advertising pixels, no embedded YouTube, no external fonts loaded at runtime.
A lean one-page business card that serves its fonts locally and forgoes tracking often gets by entirely without a consent banner. You still need a proper privacy policy and a legal notice, but no annoying pop-up.
When you do need a banner
The moment you include something that isn't strictly required to run the site and that stores or reads information on your visitors' devices, you need consent before it loads. In Germany this is governed by Section 25 of the TTDSG, and in parallel the GDPR applies to the processing of the data. Typical triggers:
- Statistics and analytics such as Google Analytics or Matomo (except in anonymised, cookieless mode).
- Marketing and advertising pixels like the Meta Pixel, Google Ads, or LinkedIn Insight.
- Embedded third-party content: YouTube, Google Maps, Vimeo, some chat widgets.
- External fonts loaded at runtime from a third-party server.
The rule of thumb is simple: when in doubt, anything that isn't needed for the site to simply work requires active consent.
What a legally sound banner has to do
If you're going to use a banner, do it properly. A banner that only shows one big Accept button is legally vulnerable and regularly fails to hold up. These points should be covered:
- Declining must be just as easy as accepting. Both options equal, on the same level, in the same style. No hidden Decline buried behind several clicks.
- No pre-ticked boxes. Optional cookies must be off by default. Silence is not consent.
- Nothing loads before consent. This is the most common mistake: the banner is there, but Analytics fires anyway on the very first page load. In that case the banner is worthless.
- Granular choice. Visitors should be able to consent to categories like statistics and marketing separately, not just all or nothing.
- Withdrawal possible at any time. A small link in the footer that reopens the settings is enough.
- Documentation of consent. You should be able to prove who consented to what, and when.
The point that's often overlooked: order of loading
Many banners look clean and are still technically implemented wrong. What matters is the loading order. Third-party scripts may only start once consent is actually in place. That means your tracking snippets can't sit hard-coded in the source; they must be loaded only after the click. Skip this, and you formally have a banner but materially still have a data protection problem. This is exactly where a clean implementation parts ways with window dressing.
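The loading order described here, together with the requirements from the list above (nothing loads before consent, decline recorded like accept, withdrawal, documentation of consent), as an added illustration that is not code from the original post. Category names, service entries, the placeholder URLs and the storage key are assumptions; the script loader is injected so the gating logic itself has no DOM dependency.

```javascript
// Constructed example, not the article's code. Category names, service entries,
// URLs (placeholders) and the storage key are assumptions for illustration.
const CONSENT_VERSION = 1;            // bump when the service list changes
const STORAGE_KEY = 'consent-state';  // assumed key name
// Everything listed here is optional and must not load without consent.
const SERVICES = {
  statistics: [{ name: 'analytics', src: 'https://example.invalid/analytics.js' }],
  marketing:  [{ name: 'ads-pixel', src: 'https://example.invalid/pixel.js' }],
};

// storage: anything with getItem/setItem/removeItem (e.g. localStorage).
// loadScript: injects a <script> tag; passed in so the logic runs without a DOM.
function createConsentManager({ storage, loadScript, now = () => new Date() }) {
  const loaded = new Set();

  // Stored decision, or null if none exists, it is corrupt, or it predates
  // the current service list (an old consent does not cover new services).
  function read() {
    let record = null;
    try { record = JSON.parse(storage.getItem(STORAGE_KEY)); } catch { /* corrupt value */ }
    return record && record.choices && record.version === CONSENT_VERSION ? record : null;
  }

  // Loads only services whose category was explicitly set to true, each at most once.
  function apply(record) {
    for (const [category, services] of Object.entries(SERVICES)) {
      if (record.choices[category] !== true) continue;
      for (const s of services) {
        if (!loaded.has(s.name)) { loaded.add(s.name); loadScript(s.src); }
      }
    }
  }

  // Records the decision (accept or decline) with a timestamp so it can be
  // proven later, and only then triggers loading.
  function save(choices) {
    const record = { version: CONSENT_VERSION, timestamp: now().toISOString(), choices };
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    apply(record);
    return record;
  }

  // Withdrawal removes the record; scripts already running in this page view
  // stay until the next load, so a real page should reload here.
  function withdraw() { storage.removeItem(STORAGE_KEY); }

  // On page load nothing fires unless a valid prior decision exists. A null
  // return means the banner must be shown, and no optional script has loaded.
  function init() { const record = read(); if (record) apply(record); return record; }

  return { init, save, withdraw, read, loadedServices: () => [...loaded] };
}
```

In the browser, `loadScript` would create a `<script>` element and append it to `document.head`, and the banner's Accept and Decline handlers would both call `save` with the respective choices.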
Off-the-shelf tools or build it yourself?
For most SME sites, an established consent tool is the pragmatic choice. It takes the maintenance of the service list, the versioning of consents, and the integration with a tag manager off your hands. For very lean sites without tracking, however, the most honest solution is to simply do without the triggering services and not need a banner at all. That's faster, friendlier for your visitors, and takes the legal pressure off you.
With our own projects we take exactly this route: local fonts instead of remotely loaded ones, data-minimising or anonymised statistics where possible, and a full consent mechanism only where genuine marketing tracking is actually running. We make this decision deliberately for every website, rather than reflexively bolting a pop-up onto everything.
In a nutshell
- No tracking, no external embeds? Then you don't need a consent banner, only a privacy policy and a legal notice.
- Analytics, advertising, or third-party content? Then you need genuine consent before anything loads.
- If you use a banner, make it fair: declining as easy as accepting, nothing loads beforehand, withdrawal possible.
A cookie banner is not an end in itself, and certainly not a mark of quality. The best outcome is often a site that doesn't need one at all.