Consent Resolve
Compliance & Privacy Blog

What Makes a Consent Banner Legally Compliant: A Checklist

Slapping a banner on your site doesn't make you compliant. What counts is the details — plain disclosure, a genuine choice, nothing pre-ticked, and a record of the yes. Here's the checklist that separates a valid banner from decoration.

By Tyler Spurlock, Account Manager at Consent Resolve 7 min read

Most contractors assume that once there is a banner sitting at the bottom of their website, the compliance box is checked. It looks official. It has a button. Surely that is the point of it.

It isn’t. A banner is only doing its job if it produces valid consent, and plenty of banners don’t. The gray strip that just says “we use cookies — OK” is a notice, not a choice. The pop-up with a glowing “Accept All” and a decline link hidden three menus deep is a nudge, not agreement. Both technically exist. Neither is the thing that actually protects you when someone asks how you got their information.

I work on the compliance side of this, and the distinction I want every shop owner to hold onto is this: a compliant banner is defined by its details, not its presence. Here is the checklist those details come down to.

The four things a valid banner has to do

Across the strictest privacy standards, valid consent keeps coming back to the same four requirements. A banner that nails all four holds up. A banner missing any one is exposed.

1. It discloses plainly what accepting means

Consent only counts if the person understood what they agreed to. That means the banner has to say, in language a homeowner reads once and gets, what happens when they accept — that they can be identified and followed up with. “We process data for legitimate interests” fails this test, because nobody outside a law office parses that. “Say yes and we can follow up by email about your project” passes.

Vague disclosure is one of the most common ways a banner quietly stops being consent and becomes decoration. If a visitor could not tell you what they just agreed to, a regulator won’t credit it either.

2. It offers a genuine choice

Accept and decline both have to be real, and roughly equal. A banner where “yes” is a big colored button and “no” is a faint link buried in a submenu isn’t offering a choice — it is steering. Under the strictest standards, that kind of dark pattern weakens the consent behind every click, because it is hard to argue someone freely agreed when saying no was made deliberately hard.

The test is simple: could a visitor decline as easily as they could accept? If not, the banner needs fixing.

3. It defaults to nothing

This is the one that trips shops up most. Consent has to be an affirmative act — something the visitor does — not a default they have to notice and undo. Pre-ticked boxes, assumed opt-ins, and “by continuing to use this site you agree” banners all fail, because the visitor never actually chose anything. The system chose for them and hoped they wouldn’t object.

A compliant banner starts from off. Nothing is selected until the visitor selects it. If your banner counts silence or inaction as a yes, it is not collecting consent — it is manufacturing it, and that does not hold up.

4. It logs the response

The final piece is proof. A visitor accepting is worth very little if you cannot show it later. A compliant setup captures a timestamped record at the moment of the click — who consented, to what, and when — so “did this person agree?” has a documented answer instead of a shrug. That record is the receipt that backs up every lead. Without it, you have a claim you can’t support.

Why build to the strictest standard

You could try to build a banner that just barely satisfies each individual U.S. state law — and then rebuild it every time a new state passes one. That is a treadmill. The state privacy patchwork keeps growing, and chasing each statute is a permanent part-time job.

The shortcut is to build to the highest bar once. In privacy, that bar is GDPR, the European regime that demands clear, affirmative, informed, logged consent. Its requirements sit at or above what the CCPA and other state laws ask. A banner engineered to clear GDPR’s four demands generally clears the ones underneath it too. That is the logic behind built-in compliance: meet the strictest standard in the code, and the patchwork below is covered without you tracking every legislature.

The three banners that look compliant but aren’t

It helps to name the common near-misses, because they’re everywhere and they all look fine at a glance.

The notice-only banner is the gray strip that says “This site uses cookies” with a single OK. It informs; it doesn’t ask. There’s no choice to make, so there’s no consent — just an announcement the visitor acknowledges. It fails the genuine-choice test outright.

The cookie wall blocks the site until you accept, giving the visitor no real way to say no and still use the page. Consent extracted under “agree or leave” pressure is hard to call freely given, which is exactly what the strictest standards require. A banner that punishes declining isn’t offering a choice; it’s demanding one.

The implied-consent banner — “by continuing to browse, you agree” — tries to turn ordinary use into agreement. But scrolling isn’t an affirmative act of consent, and treating it as one fails the nothing-pre-selected test. The visitor never actually chose; the banner decided for them.

All three are common because they’re easy, and all three leave you holding consent that may not hold up. If your banner is one of these, it’s not a small tweak away from compliant — it’s the wrong pattern.

Run your own banner through the checklist

Picture an electrician who added a banner two years ago and never looked at it again. Walk it through the four points. Does it say, in plain words, what accepting means — or just mention cookies? Is decline as easy as accept, or is “no” hidden? Is anything pre-ticked? Is the response actually logged somewhere you could retrieve? It is common for a banner to pass the first point and fail the other three. That is not a compliant banner; it is a compliant-looking one.

The fix is not more banner. It is a banner that satisfies all four by design, with the record handled automatically so it is never the part you forgot. When that is in place, each accept becomes a consent-first lead you can lawfully follow up with — by email, into the funnel you already run, never a cold call.

The compliant-banner checklist

  • Plain disclosure. A homeowner can tell you what they agreed to after reading it once.
  • Genuine choice. Decline is as easy and visible as accept — no hidden “no,” no dark patterns.
  • Nothing pre-selected. Consent is an action the visitor takes, never a default they have to undo.
  • A logged record. Every response is captured with a timestamp you can produce on demand.
  • Built to the strictest bar. Engineer to GDPR and the state rules beneath it are covered as they change.

A banner is not compliant because it is there. It is compliant because it discloses honestly, offers a real choice, assumes nothing, and keeps the receipt. Get those right and the banner protects your shop instead of just decorating the page. See how it is engineered in, and read why consent-first protects your shop. This article is general information, not legal advice — for how these rules apply to your specific business, talk to an attorney in your state.

FAQ

Frequently asked questions

No. A banner that only announces 'we use cookies' with a single OK button is a notice, not consent — it gives the visitor nothing to decide. Valid consent requires a real choice, plain disclosure of what accepting means, no pre-selected options, and a logged record. A banner missing those is closer to decoration than protection. This is general information, not legal advice.