
GDPR cookie banner — what you actually need on your site

GDPR + ePrivacy + the Polish e-services act (art. 173 of the telecommunications law) impose a few hard requirements on the consent banner. We walk through them — without legalese — and how each one is satisfied by default.

What GDPR + ePrivacy actually protect

Every cookie / localStorage / local identifier that is not strictly necessary to provide the service the user requested requires their informed, freely given, unambiguous consent.

“Strictly necessary” is a very narrow category — session token, CSRF, cart. Everything else (analytics, marketing, personalisation, social widgets) requires opt-in.

Practical checklist — 7 requirements

  1. Banner appears on first visit with four options: Accept all / Reject all / Manage preferences / Link to cookie policy
  2. Reject must be as easy as accept (DPA Guidelines 5/2020), i.e. don't bury “Reject all” in a dimmed, low-contrast element
  3. Nothing fires by default — no analytics / marketing cookies are saved before the user clicks Accept
  4. Visitor can withdraw consent — as easily as they gave it (GDPR art. 7(3)). In practice: a floating button in the corner or a footer link reopening preferences
  5. Granular categories — necessary, preferences, analytics, marketing — the visitor picks specifically what to consent to
  6. Audit trail — log every consent with timestamp, source, categories. During a regulator inspection you can prove a specific visitor actually consented
  7. Consent gate for EEA visitors, a softer notice outside the EEA (CCPA-style opt-out where it applies; no consent gate where no such regime requires one)

What else (besides the banner) needs to be on the site

  • Cookie policy — separate document or section in the privacy policy. Lists every cookie / localStorage used with purpose, lifetime, and category
  • Privacy policy — who the controller is, how data is stored, visitor rights, contact for the DPO
  • Mapping to Google Consent Mode v2 if you use GA / Google Ads — without it, since March 2024 you lose access to remarketing in the EEA

What's at stake without a proper banner

The Polish DPA can impose GDPR fines up to EUR 20M or 4% of annual global turnover. In practice for small/medium Polish companies fines run from a few thousand to several hundred thousand zloty.

Most common reasons for DPA decisions over cookies:

  • No consent banner on a site running analytics (decision ZSO.421)
  • Banner with dark patterns — “Accept” highlighted, “Reject” hidden
  • No way to withdraw consent
  • Analytics cookies set before consent was given

Beyond fines, Google itself has started restricting features: since March 2024, no Consent Mode v2 means no personalised remarketing in the EEA.

How to solve this in 60 seconds

CJakCiasteczko meets all 7 checklist requirements by default:

  1. Paste two lines into your site's <head>
  2. Banner appears on first visit — Accept / Reject equivalent, policy link in the body
  3. By default all analytics and marketing cookies are blocked (Google Consent Mode v2 default = denied)
  4. After the decision — a floating button in the corner, click to reopen preferences
  5. Every consent saves with a hash-chained timestamp in our panel — CSV/NDJSON export with one click

The remaining pieces, the cookie policy and the privacy policy, we generate from a template (GDPR + ePrivacy compliant) based on your domain and the list of tools you use.

FAQ

Do I need a banner if my site doesn't use Google Analytics?

If you use anything beyond strictly-necessary cookies (Hotjar, Facebook Pixel, YouTube embeds, custom analytics), yes. If you really only have session tokens — technically no. In practice there's always something that requires consent.

Does the banner have to be in Polish?

Yes, if you target Polish consumers. The Polish consumer-rights act requires communication in Polish. CJakCiasteczko has 40 languages with Polish as the default.

What about subdomains?

Each subdomain is a separate “site” from the browser's perspective — consents don't propagate automatically. If shop.example.com and www.example.com should share, set the cookie domain to .example.com. Configurable in the CJakCiasteczko panel.

Can I use the CMP alone without a privacy policy?

No. The banner collects consent, but the visitor needs somewhere to learn who, what, and why is being done with their data. The privacy policy is a separate GDPR art. 13 requirement.

Deploy a GDPR-compliant banner in 60 seconds

30 days free. No card. One-click cancel.