Consent Management

Cookie Consent Message Examples: Wording That Works in 2026

DataShyre Staff
DataShyre Staff Jun 18, 2026
6 min read
Cookie consent banner with Accept All, Reject All, and Customize Settings buttons

Plenty of cookie consent banners trip over their own wording. Some over-promise, some under-inform, and some nudge so hard a regulator would notice. Getting the cookie consent message right — the actual text a visitor reads — is harder than picking a CMP and a lot faster to get wrong.

This guide walks through cookie consent message examples that hold up in 2026 and gives you wording you can adapt for your own site.

What a cookie consent message actually needs to do

A consent message has three jobs: tell the user what you’re asking for, give them a genuine choice, and do it without making them feel trapped. Under GDPR Article 4(11), consent must be freely given, specific, informed, and unambiguous. The ePrivacy Directive adds that users must agree before non-essential cookies are stored.

That means your message needs to do more than say “We use cookies.” It needs to name the purpose, offer real options, and avoid anything that looks like pressure.

Johnny Ryan, Chief Policy Officer at the Irish Council of Civil Liberties and a former member of the EDPB, has stressed that informed consent requires users to understand what they’re agreeing to — not just see a banner.

The three layers of a consent message

Every compliant cookie consent message has three layers. Getting all three right is what separates a defensible banner from a risky one.

Layer 1: The notice text

This is the first thing visitors see. It should answer three questions in under 30 words: what you’re asking for, why, and what the user can do about it.

Example 1 — Direct and short:

“We use cookies to improve your experience and analyse traffic. You can accept, reject, or customise your preferences.”

Example 2 — Slightly warmer:

“This site uses cookies for analytics and personalisation. Choose which categories you’re comfortable with below.”

Example 3 — With a policy link:

“We store cookies to improve site functionality and measure performance. See our [Cookie Policy] for full details. Manage your choices below.”

The key: name at least one purpose (analytics, personalisation, advertising) and include a clear action verb — accept, reject, or manage.

Layer 2: The button row

Buttons are where most enforcement happens. The EDPB Cookie Banner Taskforce report confirmed that “Accept” and “Reject” options must have equal prominence. Hiding reject behind a smaller link, lower contrast, or an extra click is exactly what regulators flag.

Compliant button patterns:

| Button | Label | Style | |——–|——-|——-| | Accept | “Accept All” or “Accept cookies” | Primary colour, full visibility | | Reject | “Reject All” or “Decline” | Same size, same row, equal contrast | | Settings | “Manage Preferences” or “Customise” | Secondary style, same row |

Non-compliant patterns to avoid:

  • “Accept All” as the only visible button, with reject buried in a second-layer menu
  • “By using this site you agree to cookies” with no active choice
  • Pre-ticked boxes in the settings panel
  • A close button that silently implies consent

Anu Talus, a privacy expert who has worked with European regulators, puts it simply: if the user doesn’t have a real choice, the banner isn’t compliant.

Side-by-side comparison of poor and good cookie consent banner designs

Layer 3: The preference centre

The second layer is where users fine-tune their choices. It should list cookie categories — typically Strictly Necessary, Analytics, Marketing, and Functional — with a toggle for each and a plain-language description of what each category does.

Good category descriptions:

  • Strictly Necessary: “Required for the site to function. Cannot be disabled.”
  • Analytics: “Help us understand how visitors use the site by collecting anonymous data.”
  • Marketing: “Used to deliver relevant advertising and track campaign performance.”
  • Functional: “Enable enhanced features like language preference and personalisation.”

Avoid jargon. “Cloudflare bot management” or “Hotjar heatmaps” means nothing to most visitors. Describe the purpose, not the vendor.

What regulators are looking at right now

Enforcement in 2025 and 2026 has focused heavily on banner design and wording. The CNIL fined Google €325 million and Shein €150 million in September 2025, partly over consent mechanisms. The EDPB expanded the scope of Article 5(3) to cover pixels and fingerprinting — not just cookies.

Regulators focus on three things: whether the user could actually refuse, whether the language was clear, and whether tracking scripts fired before consent was given.

If your banner says “Accept or Learn More” but the “Learn More” link opens a page with no reject option, that’s a problem. If your analytics script loads on page render regardless of consent, that’s a problem too.

Practical wording tips for your cookie consent message

Keep it under two sentences on the first layer. Visitors don’t read paragraphs. Lead with the purpose, follow with the action.

Use “we” language. “We use cookies” reads better than “This website utilises cookie technology.” You’re talking to a person, not filing a report.

Name at least one specific purpose. “We use cookies” alone is vague. “We use cookies to measure site traffic and personalise content” gives the user something concrete to agree to.

Make the reject option a real button, not a link. Equal prominence means equal visual weight. A text link next to a coloured button is not equal.

Link to your cookie policy. The banner should reference a policy that lists every cookie, its purpose, its expiry, and the third parties that receive data.

Add a revisit widget. Users must be able to withdraw consent as easily as they gave it. A small cookie icon in the footer that reopens the preference centre is the standard approach.

Common wording mistakes

  • “By continuing to browse, you accept cookies.” This implies consent from inactivity. It’s not valid under GDPR.
  • “We use cookies to enhance your experience.” Too vague. What cookies? What data? Enhance how?
  • “Click Accept to continue.” Pressure language. The user should feel free to reject.
  • “Necessary cookies only” as the only alternative to Accept All. If there’s no reject button, there’s no real choice.

How this fits with your CMP

Most consent management platforms — Cookiebot, Usercentrics, CookieYes, OneTrust — let you configure each layer independently. The wording examples above work with any of them. What matters is that you configure the tool to match your actual cookie setup. If you say you only use analytics cookies but your site fires a Meta Pixel, the banner is inaccurate and the consent is invalid.

For a deeper look at choosing the right platform, see our guide on cookie consent managers. If you’re writing the banner text itself, our cookie consent message breakdown covers the first-layer wording in more detail.

A quick compliance checklist for your message

  • [ ] First-layer text names at least one purpose
  • [ ] “Accept All” and “Reject All” are equally visible
  • [ ] No pre-ticked boxes in the preference centre
  • [ ] Cookie policy is linked from the banner
  • [ ] Tracking scripts are blocked until consent is given
  • [ ] A revisit widget lets users change their choice later
  • [ ] Consent records are logged with timestamps
  • [ ] Banner wording matches your actual cookie usage

Sources

  • EDPB Guidelines 05/2020 on consent under Regulation 2016/679
  • EDPB Report on the work undertaken by the Cookie Banner Taskforce
  • GDPR Article 4(11) — definition of consent
  • CNIL enforcement decisions (September 2025)
  • UK ICO guidance on cookies and similar technologies
DataShyre Platform

Ready to fix your privacy program?

Join 3,500+ businesses using DataShyre to automate consent management, DSR fulfillment, and compliance — without the complexity.