Do I Need a Cookie Banner? A Simple Decision Guide
Steven | TrustYourWebsite · 6 April 2026
Your website launched last month. Or you have had one for years. Someone tells you that you need a cookie banner. Someone else says you don't. The cookie banner industry wants to sell you an expensive subscription. The reality is simpler than you think.
Cookie consent in the Netherlands is governed by Article 11.7a of the Telecommunications Act, which has three exceptions: cookies strictly necessary for communication transmission, cookies strictly necessary for a service the user requested, and privacy-friendly analytical cookies added by amendment 33.902 in 2015.
Not every website needs a cookie banner. But most do — often without the owner realising it. This guide helps you figure out where you stand in five minutes.
The Decision Tree: Do You Need a Cookie Banner?
Work through these questions in order. As soon as you answer "yes" to any of them, you need a cookie banner.
Question 1: Do you use Google Analytics?
Google Analytics places tracking cookies (_ga, _gid, _gat) and sends visitor data to Google's servers. This requires consent before the script loads — regardless of whether you use Universal Analytics or GA4. GA4 does not qualify for the analytics exception in Dutch law because it generates unique client IDs per visitor, making it an individual tracking technology.
Answer yes? You need a cookie banner.
Alternative: Switch to a privacy-friendly analytics package like Plausible, Fathom, or Simple Analytics. These work without cookies and require no consent. You don't lose useful data — you actually gain more accurate numbers because you're not dependent on cookie consent rates. Read more in our guide on Google Analytics and GDPR.
Question 2: Do you embed YouTube videos?
A standard YouTube embed (<iframe>) places tracking cookies and sends visitor data to Google, even if the visitor doesn't play the video. The cookies VISITOR_INFO1_LIVE, YSC, and GPS are set immediately on page load.
Answer yes? You need a cookie banner. Or use YouTube's privacy-enhanced mode (youtube-nocookie.com instead of youtube.com). This delays cookie placement until someone actually plays the video. Read our guide on YouTube embed and GDPR.
Question 3: Do you embed social media posts?
Instagram posts, Twitter/X tweets, Facebook posts, and LinkedIn posts embedded directly on your page load scripts from those platforms. Those scripts place tracking cookies.
Answer yes? You need a cookie banner. Alternative: use screenshots with a link to the original instead of live embeds.
Question 4: Do you load Google Fonts from external servers?
If your website loads Google Fonts from fonts.googleapis.com, every visitor's IP address is sent to Google. That is a personal data transfer without a legal basis. A German court (Landgericht München, 20 January 2022, Az. 3 O 17493/20) ruled that this violates the GDPR. The AP (Autoriteit Persoonsgegevens) follows the same logic.
Answer yes? You may need a cookie banner, but the better solution is to host Google Fonts locally. That takes five minutes and solves the problem completely. Read our guide on Google Fonts and GDPR.
Question 5: Do you use marketing pixels?
Facebook Pixel, Google Ads remarketing, LinkedIn Insight Tag, TikTok Pixel — all tracking scripts that place cookies and send visitor data to advertising platforms.
Answer yes? You need a cookie banner. These scripts may only load after explicit consent.
Question 6: Do you have a chat widget, heatmap tool, or A/B testing tool?
Tools like Hotjar, Crazy Egg, Intercom, Drift, Optimizely, and VWO place cookies to track visitors. Even if a tool claims to be "GDPR compliant," it almost always places cookies that require consent.
Answer yes? You need a cookie banner.
Answered "no" to everything?
If your website only uses functional cookies (session, shopping cart, language preference, login status) and loads no external scripts that share visitor data, you do not need a cookie banner. A simple cookie notice in your privacy policy is sufficient.
Functional vs. Non-Functional Cookies
The distinction is straightforward. Functional cookies are necessary for your website to work. Non-functional cookies collect information about your visitors.
Functional cookies (no consent required)
| Cookie | Purpose |
|---|---|
| Session ID | Keeps you logged in |
| Shopping cart | Remembers products in your basket |
| Language preference | Remembers your chosen language |
| Cookie choice | Stores what you selected in the cookie banner |
| CSRF token | Protects forms against attacks |
| Load balancing | Routes traffic across servers |
Non-functional cookies (consent required)
| Cookie | Source | Purpose |
|---|---|---|
| _ga, _gid | Google Analytics | Visitor tracking |
| _fbp, _fbc | Facebook Pixel | Advertising tracking |
| VISITOR_INFO1_LIVE | YouTube | Video tracking |
| NID, 1P_JAR | Google (various) | Advertising profile |
| li_sugr | | Cross-site tracking |
| _hjid | Hotjar | Session recording |
Hidden Cookies: What You Probably Haven't Noticed
Most website owners know Google Analytics places cookies. But there are dozens of less obvious cookie sources.
WordPress plugins
Many WordPress plugins load external scripts without you realising. A contact form plugin using Google reCAPTCHA, a slider loading Google Fonts, an SEO plugin injecting analytics scripts — they all place cookies or send visitor data to third parties.
Themes
Many WordPress and Shopify themes load Google Fonts, Font Awesome, or other external resources by default. Check your website's network traffic, not just your plugin list.
Google Maps embeds
A Google Maps embed on your contact page places cookies and sends visitor data to Google. Use a static map image with a link to Google Maps as an alternative.
CDNs and external fonts
If your website loads fonts, icons, or scripts from external CDNs (cdnjs.cloudflare.com, unpkg.com, jsdelivr.net), your visitors' IP addresses are sent to those services. Host these files locally.
Platform-Specific Notes
Shopify
Shopify places functional cookies for the shopping cart and session by default. No consent needed. But as soon as you install an analytics app, activate a Facebook integration, or add a chat widget, you need a cookie banner. The Shopify App Store doesn't always disclose which cookies an app places. Check it yourself.
WordPress
A bare WordPress installation without plugins or custom themes places no cookies and needs no cookie banner. But almost no WordPress site is bare. As soon as you install plugins and a theme, they load external scripts. Jetpack, WooCommerce with Google Analytics, Yoast SEO with its Google Search Console integration — they all add non-functional cookies. Assume your WordPress site needs a cookie banner unless you have actively verified otherwise.
Wix
Wix places its own analytics cookies by default and loads external scripts for statistics. Even a basic Wix site without extra apps probably needs a cookie banner. Wix provides a built-in cookie banner — make sure it is properly configured.
Squarespace
Squarespace loads Google Analytics by default if you have enabled it in settings. Embedded blocks (YouTube, Instagram, SoundCloud) can also place cookies. Use the built-in cookie banner and enable it if you use external integrations.
How to Check Which Cookies Your Website Places
Method 1: Browser developer tools
- Open your website in an incognito window (no old cookies)
- Press F12 to open developer tools
- Go to the Application tab (Chrome) or Storage tab (Firefox)
- Click Cookies in the left menu
- Review which cookies are set — everything except session and functional cookies requires consent
Note: some cookies appear after a few seconds, when external scripts finish loading. Wait and refresh the list.
Method 2: Free cookie checker
Use the TrustYourWebsite cookie checker. Enter your URL and within two minutes you will see which cookies your website places, where they come from, and whether they require consent.
Method 3: Network traffic inspection
- Open developer tools (F12) and go to the Network tab
- Reload your website
- Filter for third-party requests (requests to domains other than your own)
- Each request to google-analytics.com, facebook.com, doubleclick.net, hotjar.com or similar domains is sending visitor data elsewhere
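Method 3 can be repeated on a saved capture. The following is an added example, not code from TrustYourWebsite: it reads a HAR file exported from the Network tab and reports third-party hosts plus any of the cookie names listed in this article. It assumes the export still contains cookie data; `auditHar`, `inDomain`, the sample entries and the site `example.nl` are constructed for illustration.

```javascript
// Names and domains below are the ones this article lists.
const CONSENT_COOKIES = new Set(["_ga", "_gid", "_gat", "_fbp", "_fbc",
  "VISITOR_INFO1_LIVE", "YSC", "GPS", "NID", "1P_JAR", "li_sugr", "_hjid"]);
const KNOWN_DOMAINS = ["google-analytics.com", "facebook.com", "doubleclick.net",
  "hotjar.com", "fonts.googleapis.com", "youtube.com"];

// True when host equals domain or is a subdomain of it. Suffix matching on a
// dot boundary keeps "notfacebook.com" from matching "facebook.com".
function inDomain(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// har: parsed HAR 1.2 object; siteHost: your own domain, e.g. "example.nl".
function auditHar(har, siteHost) {
  const hosts = new Map();   // third-party host -> { requests, known }
  const cookies = new Map(); // "name@host" -> { name, host }
  for (const entry of har.log.entries) {
    const host = new URL(entry.request.url).hostname;
    if (!inDomain(host, siteHost)) {
      const rec = hosts.get(host) ||
        { requests: 0, known: KNOWN_DOMAINS.some((d) => inDomain(host, d)) };
      rec.requests += 1;
      hosts.set(host, rec);
    }
    // Request cookies reveal script-set cookies (such as _ga) on later
    // requests; response cookies reveal Set-Cookie headers.
    const seen = [...(entry.request.cookies ?? []), ...(entry.response?.cookies ?? [])];
    for (const c of seen) {
      if (CONSENT_COOKIES.has(c.name)) cookies.set(`${c.name}@${host}`, { name: c.name, host });
    }
  }
  return { thirdParty: Object.fromEntries(hosts), cookies: [...cookies.values()] };
}

// Constructed sample (not a real capture) for a hypothetical site example.nl.
const req = (url, sent = [], set = []) => ({
  request: { url, cookies: sent.map((name) => ({ name, value: "x" })) },
  response: { cookies: set.map((name) => ({ name, value: "x" })) },
});
const SAMPLE_HAR = { log: { entries: [
  req("https://www.example.nl/", ["PHPSESSID"]),
  req("https://cdn.example.nl/app.js"),
  req("https://www.google-analytics.com/g/collect?v=2"),
  req("https://fonts.googleapis.com/css2?family=Inter"),
  req("https://unpkg.com/some-lib/dist/lib.js"),
  req("https://www.youtube.com/embed/VIDEO_ID", [], ["VISITOR_INFO1_LIVE", "YSC"]),
  req("https://www.example.nl/contact", ["PHPSESSID", "_ga"]),
] } };
```

Cookies written by a script only show up as request cookies on a later request, so load a second page before exporting. Hosts marked `known: false` are still third-party requests and deserve a manual look.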
Privacy-Friendly Alternatives
You can avoid most tracking cookies without losing functionality.
| Instead of | Use | Cookie banner needed? |
|---|---|---|
| Google Analytics | Plausible, Fathom, Simple Analytics | No |
| Google Fonts (external) | Google Fonts self-hosted | No |
| YouTube embed | youtube-nocookie.com embed | Only when played |
| Google Maps embed | Static image + link | No |
| Facebook Pixel | Server-side Conversions API | Yes, but fewer cookies |
| Hotjar / Crazy Egg | No direct replacement without cookies | Evaluate whether you need it |
| Social media embeds | Screenshot + link to original | No |
By making these changes, you can in many cases avoid a cookie banner entirely. That is better for your visitors (no annoying pop-up), better for your conversion rate (no bounce due to cookie notices), and better for compliance (less risk of violations).
If You Do Need a Cookie Banner
Your banner must meet strict requirements. The AP (Autoriteit Persoonsgegevens) has published nine rules for cookie banners and monitors around 10,000 Dutch websites continuously. More than half are in violation.
- Reject must be as easy as accept. A large green "Accept all" button with a small grey link "Manage preferences" below it does not comply.
- No cookies before consent. Scripts may only load after the visitor has clicked.
- No pre-ticked boxes. Non-functional categories must be off by default. Kruidvat received a €600,000 fine (reduced to €50,000 on appeal) for pre-ticked boxes. Coolblue was fined €40,000 for pre-ticked boxes and auto-accepting cookies on "continue."
- No cookie walls. You may not force visitors to accept cookies to use your website. Cookie walls are explicitly prohibited in the Netherlands by the AP.
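One way to implement the "no cookies before consent" and "no pre-ticked boxes" rules in a page, as an added example that is not TrustYourWebsite's code. The names `createConsentGate` and `injectScript`, the category names, the element ids and the `example.invalid` URLs are hypothetical.

```javascript
// scripts: { category: [script URLs] }; inject: function that loads one URL.
function createConsentGate(scripts, inject) {
  const categories = Object.keys(scripts);
  // Every non-functional category starts off (no pre-ticked boxes).
  const state = Object.fromEntries(categories.map((c) => [c, false]));
  const loaded = new Set();

  // Call only from the visitor's click on a banner button.
  function apply(choices) {
    for (const cat of categories) {
      // Anything other than an explicit `true` counts as a refusal.
      state[cat] = choices[cat] === true;
      if (!state[cat]) continue;
      for (const src of scripts[cat]) {
        if (loaded.has(src)) continue; // never inject the same script twice
        loaded.add(src);
        inject(src);
      }
    }
    return { ...state };
  }

  return {
    state: () => ({ ...state }),
    apply,
    // Accept and reject are each one call, so each can be one equal button.
    acceptAll: () => apply(Object.fromEntries(categories.map((c) => [c, true]))),
    rejectAll: () => apply({}),
  };
}

// Browser injector; nothing is requested until apply() calls it.
function injectScript(src) {
  const el = document.createElement("script");
  el.src = src;
  el.async = true;
  document.head.appendChild(el);
}

// Hypothetical wiring (placeholder URLs and element ids):
// const gate = createConsentGate({
//   analytics: ["https://example.invalid/analytics.js"],
//   marketing: ["https://example.invalid/pixel.js"],
// }, injectScript);
// document.getElementById("accept").onclick = gate.acceptAll;
// document.getElementById("reject").onclick = gate.rejectAll;
```

Rejecting after an earlier accept stops further loads but does not unload scripts that already ran or delete their cookies; handle that with a reload and cookie cleanup.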
The AP is actively enforcing. In April 2025, the first 50 warning letters were sent to webshops, media companies, and insurers. The target: 500 warnings per year. After a warning, enforcement follows if you don't comply promptly.
Read the full cookie banner requirements guide for details.
Summary
When in doubt, you probably need a cookie banner. Most websites load at least one external script that places cookies — especially if you use WordPress, Shopify, or Wix.
But it doesn't have to stay that way. By replacing tracking scripts with privacy-friendly alternatives and hosting external resources locally, you can make your website cookie-free. No banner needed, no compliance risk, no annoyance for your visitors.
Want to know where your website stands? Scan your website free and within two minutes you will see which cookies are being placed and what needs to change.
This article is technical analysis, not legal advice. Consult a lawyer for advice specific to your situation.