
What Happens If You Don't Have a Cookie Consent Banner?

GDPR INSURANCE / INSIGHTS HUB
April 3, 2026 · 18-minute read

Millions of websites still don't have a cookie consent banner. Some owners don't know they need one. Others are hoping no one notices. Neither is a safe position.

There's a particular kind of regulatory risk that feels abstract until it isn't. Cookie consent compliance sits in that category for a lot of website owners — they're vaguely aware that banners are a thing, they've clicked through enough of them on other sites to know they exist, but their own site has been running without one for years and nothing bad has happened yet.

That reasoning has a name in statistics: survivorship bias. The websites that haven't been caught aren't proof that the risk is overstated. They're just the ones that haven't been caught yet. And the enforcement environment in 2026 looks very different from 2019, when most regulators were still figuring out how to operationalise GDPR enforcement.

This article lays out what actually happens when a website operates without a compliant cookie consent banner — the regulatory consequences, the business consequences, and the reputational consequences. The goal isn't to generate anxiety. It's to give you an accurate picture of the risk so you can make an informed decision about whether fixing it belongs on this week's to-do list or next year's.

Spoiler: it belongs on this week's.

Section 1: Is a Cookie Consent Banner Actually Legally Required?

Before covering the consequences of not having one, it's worth being precise about when a cookie consent banner is actually required — because the answer isn't "always," but it's close.

Under GDPR and the ePrivacy Directive (implemented in the UK as PECR), you need a cookie consent mechanism if your website uses non-essential cookies. The critical word is "non-essential." Strictly necessary cookies — those required for basic site functionality like maintaining a shopping cart or a login session — don't require consent. Everything else does.

In practice, almost every website that uses analytics, advertising, retargeting, social media embeds, live chat tools, A/B testing software, or affiliate tracking is using non-essential cookies. If your site has Google Analytics, a Meta Pixel, a HotJar session recording, or a LinkedIn Insight Tag — you need cookie consent. If your site does nothing beyond serve static content with no third-party tools, you might not. But that second category describes a vanishingly small proportion of real websites in 2026.

The geographic scope is broader than many site owners assume, but it is not simply "anyone the site can reach." Under Article 3(2), GDPR applies to organisations outside the EU that offer goods or services to people in the EU or monitor their behaviour there, and analytics and advertising cookies are monitoring. A business in Lagos, New York, or Sydney whose site sets tracking cookies on EU visitors is within scope; a site that is merely reachable from the EU, with no EU-facing offering and no tracking, generally is not. The UK GDPR and PECR, enforced by the ICO, apply in the same way to UK users. Between the two, if your website is on the public internet and uses non-essential cookies, you almost certainly have cookie consent obligations.

The most common misconception among small site owners is that regulators only pursue large businesses. The reality is more nuanced: regulators do prioritise high-profile cases, but the most common trigger for enforcement against small and medium-sized businesses isn't a regulator proactively hunting for violations. It's an individual filing a complaint.

Section 2: Consequence #1 — Regulatory Fines

GDPR's fine structure is well known in headline form: up to €20 million or 4% of global annual turnover, whichever is higher. For cookie consent violations specifically — which fall under the ePrivacy Directive as well as GDPR — the ICO in the UK can issue fines of up to £500,000 under PECR, separate from and in addition to GDPR penalties.

The enforcement record makes clear that cookie consent violations are taken seriously across European regulators — and not just against large companies.

France's CNIL fined Google €150 million and Facebook €60 million in January 2022 specifically for making cookie rejection more difficult than acceptance. These weren't fines for data breaches or unlawful processing. They were fines for banner design decisions that tilted consent toward acceptance: the reject button was harder to find than the accept button. That was enough for eight- and nine-figure penalties.

Italy's Garante fined a publisher for loading tracking cookies before consent had been obtained — the banner existed, but the cookies fired on page load regardless of whether the user had interacted with it. Germany's state-level data protection authorities have issued fines to businesses ranging from local retailers to professional services firms for cookie compliance failures. Spain's AEPD and the Netherlands' AP have pursued similar enforcement actions against businesses of varying sizes.

The important nuance for smaller businesses is that fines scale with the organisation's financial capacity — but they don't go to zero. A small business that receives a complaint, is investigated, and found to have operated without cookie consent for years can expect a fine in the thousands to tens of thousands of euros, depending on the authority, the jurisdiction, and the specifics of the case. That's before legal costs are factored in.

What regulators consider when sizing fines: whether the violation was deliberate or negligent, how many users were affected, how long the violation persisted, whether the business cooperated with the investigation, and what remediation steps were taken. A business that responds promptly, cooperates fully, and fixes the issue immediately consistently receives more favourable outcomes than one that disputes findings or is slow to remediate.

When regulatory fines result in a formal enforcement action, having proper insurance coverage from providers like Hiscox, Chubb, Coalition, Beazley, or AXA can protect your business from the financial consequences — including legal defense costs, breach response expenses, and regulatory investigation support.

Section 3: Consequence #2 — Individual Complaints

If regulatory fines feel abstract, individual complaints are considerably more concrete — and they're the mechanism most likely to actually affect a small or medium-sized business.

Any EU resident can file a complaint with their national data protection authority about any website they believe is handling their personal data unlawfully. The complaint is free to make, takes minutes to file, and the regulator must handle it and investigate to the extent appropriate (Article 57(1)(f) GDPR). There is no minimum size threshold for a website that can be the subject of a valid complaint.

Individual complaints are the most common trigger for SME-level GDPR investigations. A regulator conducting proactive sweeps of small websites is resource-intensive and difficult to prioritise. A regulator receiving a formal complaint and opening an investigation is following its statutory obligations.

What a complaint process typically looks like: the regulator notifies you that a complaint has been received and requests information — your cookie policy, evidence of your consent mechanism, records of the cookies your site deploys, and documentation of your compliance approach. If your site has no consent banner and no cookie policy, this request is difficult to respond to in a way that avoids further action. The investigation may conclude with a formal reprimand, an enforcement notice requiring you to fix the issue within a specified timeframe, or a monetary penalty.

The operational and reputational cost of a complaint process is significant even when the ultimate outcome is a reprimand rather than a fine. Management time diverted to the investigation. Legal fees for advice on your response. The stress of regulatory correspondence. And the public record of an enforcement action, which in many jurisdictions is published by the data protection authority.

There's also a competitive dimension worth noting. Privacy activists and, in some cases, competitors have been known to file strategic complaints against businesses whose cookie practices are visibly non-compliant. The barrier to filing is low; the cost to you of responding is not.

Section 4: Consequence #3 — Loss of Ad Revenue and Analytics Data

The regulatory consequences of no cookie consent banner are the most visible risks. The business consequences are often more immediately felt — because they affect revenue and decision-making every day the problem persists.

Without valid consent, you cannot legally run behavioural advertising or retargeting. Google's advertising products require valid consent signals via Consent Mode v2 to serve personalised ads to users in the EEA and UK. Meta's advertising platform requires consent for the use of its Pixel data in ad targeting. Without those consent signals, your advertising operates in degraded mode: broader targeting, lower relevance, and reduced return on ad spend. The revenue impact of this degradation compounds over time.

Your analytics data is also affected — in two ways. First, without a compliant consent mechanism, you're collecting analytics data unlawfully, which means the data has questionable legal standing and could be the subject of a complaint in its own right. Second, when you do implement proper consent, a proportion of users will decline analytics cookies — and your historical data collected without consent creates a misleading baseline for comparison. Decisions made on years of unconsented analytics data are decisions made on a flawed foundation.

For businesses that rely on conversion tracking, audience segmentation, or attribution modelling in their marketing, the practical impact of operating without proper consent infrastructure is a meaningful degradation in the quality of data available for those functions.

Section 5: Consequence #4 — Failed Enterprise Sales and Security Reviews

This is the consequence that most businesses don't anticipate until they're sitting in a sales process and it suddenly becomes very visible.

Enterprise procurement processes now routinely include privacy and compliance questionnaires. Vendor security reviews, information security assessments, and data protection due diligence are standard components of enterprise buying decisions — particularly for SaaS products, professional services firms, and any vendor that will access or process the buyer's data.

Cookie compliance is increasingly a standard checkpoint in these reviews. Does the vendor have a compliant cookie consent mechanism? Does the vendor have a current privacy policy that accurately reflects its data practices? Has the vendor documented its GDPR compliance posture? A missing or visibly non-compliant cookie banner is a red flag that signals broader compliance immaturity — and it can stall or kill an enterprise deal entirely.

The due diligence angle extends to M&A. Investors and acquirers conducting due diligence on acquisition targets are now routinely reviewing GDPR compliance as part of their assessment. Compliance gaps discovered during an acquisition process don't just reduce valuation — they create warranty and indemnity exposure for founders, can delay transaction timelines significantly, and occasionally kill deals. A cookie banner is a small component of GDPR compliance, but its absence is an easily visible signal that the broader compliance programme may not exist.

The cost here is often invisible in normal operations — it doesn't show up on a P&L until the moment it does, at which point it's suddenly one of the most visible costs in the business.

Section 6: Consequence #5 — Reputational Damage

The reputational consequences of cookie non-compliance are harder to quantify than fines or lost deals, but they're real — and they're growing as privacy awareness among consumers and journalists increases.

Privacy-aware users notice the absence of a cookie consent banner — particularly in European markets where cookie consent has become a baseline expectation of any professional website. A site without a banner doesn't just risk a complaint; it signals to privacy-conscious visitors that the organisation doesn't take data protection seriously. For businesses where customer trust is a commercial differentiator — financial services, healthcare, professional services, any business handling sensitive personal information — that signal has commercial consequences.

The journalist and researcher angle is worth taking seriously. Privacy researchers and journalists regularly scan websites for compliance failures and report on them publicly. A published article identifying your business as non-compliant with basic cookie consent requirements is reputationally damaging well beyond any regulatory consequence. You have no control over when this happens, and it tends to happen to businesses that have assumed their size makes them invisible.

The long-term brand cost of being known as a business that doesn't take privacy seriously is difficult to quantify in advance — but it's increasingly significant in markets where data protection is a customer concern, an investor consideration, and a regulatory priority simultaneously.

Section 7: "But I've Had No Banner for Years and Nothing Has Happened"

This is the most common response when the cookie consent conversation comes up with business owners who've been operating without one — and it deserves a direct answer rather than a dismissal.

The fact that nothing has happened yet is not evidence that the risk is acceptable. It's evidence that you haven't been the subject of a complaint or a proactive regulatory investigation yet. Those are not the same thing.

The enforcement trend is unambiguously in one direction: regulators across the EU and UK are more active, better resourced, and more willing to pursue smaller businesses than they were in 2018 or 2020. The ICO has been explicit about cookie compliance as a priority area. National supervisory authorities across Europe have issued enforcement actions against businesses of all sizes. The complaint volume reaching data protection authorities has grown year on year as privacy awareness among consumers increases.

The survivorship bias in "nothing has happened yet" is real and measurable. Of the millions of non-compliant websites operating today, most haven't been caught. That's a function of enforcement capacity, not enforcement intent. As capacity grows — and it is growing — the probability that any individual non-compliant site eventually attracts attention increases. And when it does, the fact that the violation has been running for years is an aggravating factor, not a mitigating one.

The question isn't whether your non-compliant site will eventually attract attention. It's whether you'll have fixed the problem before it does.

Section 8: What to Do Right Now

The good news is that fixing cookie consent is genuinely straightforward, affordable, and faster than most business owners expect. Here's a practical five-step process:

Step 1: Scan your site for cookies. Before you can configure compliant consent, you need to know what cookies your site actually deploys. Most consent management platforms offer a free cookie scan that identifies every cookie set on your site, categorised by purpose. Run a scan before you do anything else — the results will shape every subsequent decision.

Step 2: Install a consent management platform. For WordPress sites, Cookiebot, Enzuzo, and Termly are the leading options — each offers a free tier or trial and can be configured without developer involvement. For SaaS products and custom-built sites, Osano and Usercentrics provide enterprise-grade consent management with broader integration options.

Step 3: Configure your banner correctly. The most common configuration failure is a banner that has an accept option but no clearly accessible reject option. Your reject path must be as prominent and as accessible as your accept path — same visual weight, same number of clicks. Anything less is a dark pattern that regulators explicitly target.

Step 4: Update your cookie policy. Your cookie policy must accurately list every cookie your site deploys — name, purpose, provider, duration. It must be linked from your consent banner. And it must be updated whenever your cookie inventory changes — when you add a new analytics tool, install a new plugin, or integrate a new advertising platform. iubenda provides automated policy generation that stays current as your technology stack evolves.

Step 5: Connect your consent banner to your tag manager. This is the step most commonly skipped and most commonly responsible for compliance failures that look compliant from the outside: the banner is visible, but the tags fire on page load regardless of what the user does, which is exactly the failure the Garante case in Section 2 punished. Your analytics and advertising tags must be configured to fire only after consent is obtained, and the default consent state before any interaction must be "denied" for every non-essential category. Verify this yourself in a fresh private browsing window with your browser's developer tools (the cookie storage view and the network tab), before clicking anything on the banner. If GA, Meta Pixel, or other non-essential cookies appear before you've interacted with the banner, your implementation is non-compliant regardless of how the banner looks.


The Bottom Line

The consequences of not having a compliant cookie consent banner range from regulatory fines and individual complaints to degraded advertising performance, failed enterprise deals, and reputational damage. None of these consequences are hypothetical; all of them have affected real businesses of every size in the past three years.

The enforcement environment is getting stricter, not more lenient. The complaint volume reaching regulators is growing, not declining. Privacy awareness among consumers, enterprise procurement teams, and investors is increasing steadily. The window in which operating without cookie consent was a low-probability risk is closing.

The fix is not complicated. A free scan, a properly configured consent management platform from providers like Cookiebot, Enzuzo, or Termly, a correct banner setup, and an accurate cookie policy from iubenda — achievable in an afternoon for most websites, and a fraction of the cost of the consequences it prevents.

Start with the scan. Know what you're dealing with. Then fix it.

Disclaimer: This article is for informational purposes only and does not constitute legal advice. GDPR requirements and enforcement practices vary by jurisdiction and evolve over time. Always consult a qualified legal or compliance professional for advice specific to your situation. Enforcement examples referenced are based on publicly available information accurate as of the publication date.
