
Cookie consent examples are everywhere, but most of them get the basics wrong. This guide walks through real implementations — what works, what fails, and what regulators actually flagged.
Why cookie consent examples matter more than ever
If you run a website, you have seen a cookie banner. You have probably also clicked “Accept All” without reading it. That gap between what users do and what the law expects is exactly where enforcement is landing in 2026.
The UK ICO put it plainly in its updated guidance: “Consent must be freely given, specific, informed and unambiguous.” A pre-ticked box or continued browsing does not constitute consent. The European Data Protection Board has taken the same position repeatedly, and US regulators are catching up.
The California Privacy Protection Agency (CPPA) fined American Honda Motor Co. $632,500 in March 2025 partly because the company’s cookie consent flow made opting out far harder than opting in. The retailer Todd Snyder faced a similar action. These were not edge cases. They were standard implementations that most developers would consider normal.
So what does a defensible implementation actually look like? Let’s walk through concrete cookie consent examples across the most common setups.

Example 1: WordPress with a well-configured plugin
WordPress powers over 40% of the web, so it is where most teams start. The good news: the plugin ecosystem is mature. The bad news: most people install a consent plugin and never configure it properly.
A solid cookie consent example in WordPress looks like this:
- Install a reputable CMP plugin (Complianz, CookieYes, or Cookiebot).
- Set the plugin to block all non-essential scripts before consent fires. This means your Facebook pixel, Google Analytics tag, and any marketing scripts stay dormant until the user makes a choice.
- Configure the banner to show “Accept All” and “Reject All” with equal visual weight — same button size, same color contrast, same placement.
- Add a “Manage Preferences” link that opens a granular category view (necessary, functional, analytics, marketing).
- Place a persistent “Cookie Settings” link in the footer so users can change their mind later.
The most common mistake is leaving the plugin in “informational” mode — showing a notice but not actually blocking anything. That is not consent. That is a decoration.
If you want to go deeper on the platform, our WordPress cookie consent setup guide walks through the technical steps.
Example 2: Shopify with Consent Mode v2
Shopify stores have a specific challenge: the platform loads several first-party scripts by default, and app developers inject their own tracking pixels. Controlling what fires before consent requires a deliberate setup.
A working cookie consent example for Shopify:
- Use a CMP that supports Shopify’s data-sale opt-out flags (Pandectes GDPR Compliance and Consentmo are two that handle this well).
- Enable Google Consent Mode v2 through your CMP so that Google Ads and GA4 receive proper consent signals. Without this, you are either losing conversion data or guessing at it.
- Disable the Shopify analytics pixel until consent is given. This is not the default behavior — you need to configure it.
- Make sure any app-installed scripts respect the consent state. Test this manually after installing a new app.
The key difference between a Shopify setup and a generic site is the app ecosystem. Every new app is a potential compliance gap if it does not check the consent state before loading.
Example 3: Custom-built site with a self-hosted CMP
If you are running a React, Vue, or Angular frontend, you probably need a programmatic approach. Here is a minimal but defensible cookie consent example:
“`javascript // 1. Define your consent categories const categories = { necessary: true, // always on analytics: false, // default off marketing: false, // default off preferences: false // default off };
// 2. Check for existing consent before loading anything const stored = localStorage.getItem(‘consent_state’); if (stored) { Object.assign(categories, JSON.parse(stored)); }
// 3. Only fire scripts for consented categories if (categories.analytics) loadGoogleAnalytics(); if (categories.marketing) loadFacebookPixel();
// 4. Show banner only if no prior choice recorded if (!stored) showConsentBanner(); “`
This is the skeleton. A production implementation needs to handle cookie withdrawal, geolocation (show the banner only to EU/UK visitors if you prefer that route), and syncing with your backend so consent records are stored server-side for audit purposes.
The point is simple: if your analytics pixel fires before the user clicks “Accept,” you do not have consent. You have a tracking script with a banner in front of it.
What regulators flagged: three real patterns
Looking at recent enforcement, three cookie consent examples keep appearing in fines and compliance notices:
Asymmetric buttons. The “Accept All” button is bright blue and centered. The “Reject All” link is small, gray, and tucked behind a second click. The CPPA called this out explicitly in the Honda case. The fix is straightforward: make both options equally prominent.
No prior blocking. The banner appears, but the tracking scripts underneath are already running. The user’s data has already left their browser before they make a choice. The ICO and the French CNIL have both flagged this. The fix: block first, ask second.
Bundled consent. “By accepting all, you agree to our privacy policy, terms of service, and cookie use.” This bundles multiple legal bases into one action. Regulators want each purpose to be a separate choice. The fix: granular categories, not one master switch.
California Attorney General Rob Bonta made this point directly: effective opt-out is one of the “bare necessities” of complying with CCPA. That standard is now showing up in consent flow expectations.
A quick comparison of approaches
| Approach | Setup effort | Compliance level | Best for | |—|—|—|—| | WordPress plugin (configured) | Low | High | Content sites, blogs, small business | | Shopify CMP + Consent Mode | Medium | High | E-commerce on Shopify | | Self-hosted CMP (custom code) | High | High (if done right) | SaaS, SPAs, complex apps | | No banner at all | None | None | You, if you enjoy fines |
What to check this week
If you are not sure whether your current setup passes, run through this list:
- Does your banner block non-essential scripts before consent?
- Are “Accept All” and “Reject All” equally visible?
- Can a user change their mind without leaving the site?
- Do you store consent records server-side?
- Have you tested your site after installing a new plugin or app?
Most failures come from one of these five gaps. Fixing them puts you ahead of the majority of implementations out there.
The bottom line
The best cookie consent examples are not the ones with the prettiest design. They are the ones that actually work as consent — where the user’s choice is real, technically enforced, and easy to change. Regulators are not looking for perfection. They are looking for good faith and functional implementation.
Start with the basics. Block first, ask second. Give equal options. Store the record. That is enough to avoid the enforcement patterns we are seeing in 2026.
—
Sources
- UK ICO, Guidance on cookies and similar technologies (2025 update)
- European Data Protection Board, Guidelines 05/2020 on consent
- California Privacy Protection Agency, enforcement actions (March 2025)
- Commission Nationale de l’Informatique et des Libertés (CNIL), cookie enforcement decisions
- Federal Trade Commission, Policy Statement on Dark Patterns (2023)