The Velo journal

Do you actually need a cookie banner on your website

Getting started·15 July 2026·The Velo team

Almost certainly yes. If your site sets any non essential cookie, Google Analytics, an advertising pixel, a YouTube embed, for visitors in a region with a consent law, you need a banner. That covers most sites. But the harder question is the one nobody asks: will the banner you add quietly cost you your analytics data?

The short answer, and the question hiding under it

Whether you need a cookie banner comes down to two inputs, and neither of them is your industry or your traffic size. The first is what your site stores on a visitor's device. The second is where that visitor is. Put plainly: if you set a cookie that is not strictly necessary, and your visitor sits in a jurisdiction with a consent law, you need to ask for permission before that cookie is set. Almost every commercial site meets both conditions the moment it adds analytics.

That is the answer the compliance checklists give, and it is correct as far as it goes. The trouble is that it stops exactly where the interesting part begins. A banner satisfies the law, but a banner on its own also quietly hands a large slice of your measurement to the void. So there are really two questions here, and the checklists only answer the first.

QUESTION 1 · COMPLIANCE Do you set non essential cookies? analytics · ad pixels · embeds Where are your visitors? EU and UK opt in · US states opt out Then yes, you need a banner Most sites land here. and then QUESTION 2 · MEASUREMENT Is it wired for Consent Mode v2? No about 34% of sessions go dark Yes the signal is recovered The question checklists skip.
banner requiredsignal keptsignal lost
Two questions, not one. The checklists answer the compliance question and stop. The measurement question decides whether the banner you just added costs you a third of your data. The 34% and recovery figures are measured ranges across Amplio Data client implementations, not a guarantee.

What actually triggers the requirement

The trigger is non essential cookies, and the phrase does a lot of quiet work. A strictly necessary cookie, the one that keeps you logged in or holds your basket together, is exempt from consent in every major framework. You never need permission for those, and you never need a banner if those are all you set.

Everything else is non essential, and that category is wider than most site owners expect. Google Analytics is non essential. An advertising pixel from Meta, LinkedIn or Google Ads is non essential. A YouTube or Vimeo embed drops non essential cookies the moment the player loads, and session replay, heatmaps and live chat widgets do the same. If you use any of these, and almost every commercial site uses at least analytics, the honest answer is yes.

Where your visitors are decides the shape of the banner

Needing a banner and needing the same banner as everyone else are different things. The law that applies is the law where your visitor sits, not where your company is registered, so a single site often has to satisfy two opposite models at once.

In the EU and the UK, consent is opt in: non essential cookies must stay off until the visitor actively agrees, which is why a correctly built European banner blocks tags by default and only releases them on accept. In the United States the model is usually opt out, where state laws in California, Colorado and Virginia let tracking run by default but require a clear, honoured way to say no. Other regions have no cookie specific law at all. If your traffic spans regions, and most does, you need a banner that behaves differently depending on where the visitor is, not one blunt bar for everyone.

How to work out if you actually need one

  1. List the cookies your site really sets

    Open your site in a fresh incognito window, then open the browser Application tab and read the Cookies list. This is the ground truth. It is common to find analytics and embed cookies nobody remembers adding, dropped by a tag or a plugin.

  2. Separate strictly necessary from everything else

    Anything that keeps the site functioning, login, basket, security, is exempt. Analytics, advertising, embeds and testing tools are not. If the second group is empty, you may genuinely not need a banner. If it is not, keep going.

  3. Check where your visitors come from

    Look at the geography of your traffic in analytics. Visitors from the EU or UK put you under an opt in regime. Visitors from the US states with privacy laws put you under an opt out one. Both together mean your banner has to do both jobs.

  4. Match the region to the consent model

    Decide whether the banner blocks tags by default and waits for consent, offers an opt out, or both depending on location. A banner that always allows everything, or always blocks everything, will be wrong for at least one part of your audience.

  5. Then ask the second question

    Once you know you need a banner, check whether it is wired for Consent Mode v2. This is the step the compliance guides never mention, and it is the one that decides whether the banner keeps your measurement or quietly guts it.

The half of the answer the checklists skip

Every incumbent guide, and there are a lot of them, answers the compliance question cleanly and then stops. None of them tell you what the banner does to your data, which is strange, because that is the part that actually affects the business paying for the site.

Here is the part they leave out. A banner that blocks tags until consent, and does nothing else, means every visitor who declines simply vanishes from your analytics. Across Amplio Data client implementations we typically find around 34% of sessions sitting behind the banner, invisible to analytics that were never wired for consent. That is not a privacy law taking your data. That is a banner installed without the plumbing that lets a declined visit still send an anonymous, cookieless signal.

The plumbing is Google Consent Mode v2. Wired correctly, a declined visit still sends a stripped signal Google can model part of the missing behaviour from, and wiring it the way Google expects typically recovers 20 to 40% of the conversions consent was costing. Both are measured ranges across Amplio Data client implementations, not a guarantee: recovery depends on your traffic mix, your regions and how your tags are configured. We walk through the signals themselves in the plain English guide to Consent Mode v2, and where that missing third of traffic actually goes in a separate post.

So the full answer is this. Yes, almost certainly, if you set non essential cookies and have visitors under a consent law. But do not stop at yes. A banner is the compliance half; wiring it so a declined visit still counts is the measurement half, and skipping it is how a site ends up perfectly legal and quietly blind. That second half is what Velo is built to close: the banner, the regional behaviour and the Consent Mode v2 signal ship as one configured layer, so the reject path is deliberate rather than a hole in your reporting.

Common questions

Do I need a cookie banner on my website?

Almost certainly, yes. If your site sets any non essential cookie, which includes Google Analytics, advertising pixels and most embedded video, for visitors in a region with a consent law such as the EU, the UK or a growing list of US states, you need a banner. Only a site that sets nothing beyond strictly necessary cookies can skip it. The harder question is whether that banner is also wired so it does not blind your analytics.

When do you not need a cookie banner?

Only when your site sets no non essential cookies at all. A brochure site with no analytics, no advertising pixels, no embedded video and no session replay uses strictly necessary cookies alone, and those are exempt from consent in every major framework. The moment you add Google Analytics or an advertising tag, that exemption ends and a banner is required.

Do I need a cookie banner if I only use Google Analytics?

Yes. Google Analytics sets non essential cookies and, in its default configuration, collects personal data such as an approximate location and a client identifier. Under GDPR that needs prior consent, so a banner is required for your EU and UK visitors. Analytics alone is the single most common reason a small site needs one.

Does a cookie banner reduce my analytics data?

It can, heavily, if you stop at the banner. Across Amplio Data client implementations we typically see around 34% of sessions sitting behind the banner, invisible to analytics that were never wired for consent. Wiring Consent Mode v2 the way Google expects typically recovers 20 to 40% of the conversions consent was costing. Both are measured ranges across Amplio Data client implementations, not a guarantee.

Do I need a cookie banner in the United States?

Sometimes, and the model is different from Europe. State laws such as those in California, Colorado and Virginia generally allow tracking to run by default but require a clear way to opt out, rather than the opt in banner the EU expects. If you have visitors in those states you need a way to honour that choice, which in practice means a banner or a preference link.

Back to the journal

Stay compliant.
Recover the signal.

Add Velo once and get the banner, the regions, the audit log
and Consent Mode v2 working together, live in minutes.