Cookie Consent Generator

<div id="cookie-banner" style="display:none;position:fixed;bottom:0;left:0;right:0;padding:1rem;background:#0f172a;color:#ffffff;font-family:system-ui,sans-serif;z-index:9999;box-shadow:0 -4px 12px rgba(0,0,0,0.15)">
  <p style="margin:0 0 0.75rem 0;font-size:0.875rem;line-height:1.5">
    We use cookies to improve your experience. <a href="/privacy" style="color:#0f766e;text-decoration:underline">Privacy Policy</a>
  </p>
  <div style="display:flex;gap:0.5rem;flex-wrap:wrap">
    <button onclick="cookieAccept()" style="background:#0f766e;color:#fff;border:0;padding:0.5rem 1rem;border-radius:0.375rem;font-weight:600;cursor:pointer">Accept</button>
    <button onclick="cookieReject()" style="background:transparent;color:#ffffff;border:1px solid #ffffff;padding:0.5rem 1rem;border-radius:0.375rem;font-weight:600;cursor:pointer">Reject</button>
  </div>
</div>
<script>
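(function() {
  var KEY = "cookie-consent"; // localStorage key holding the visitor's decision
  var banner = document.getElementById("cookie-banner");
  // Show the banner only while no decision is stored.
  if (!localStorage.getItem(KEY)) banner.style.display = "block";
  // Global handlers called by the buttons' inline onclick attributes.
  window.cookieAccept = function() {
    localStorage.setItem(KEY, "accepted");
    banner.style.display = "none";
    // Add analytics/tracking initialization here.
    // This runs only on the click; on later page loads a stored "accepted"
    // value must trigger the same initialization.
  };
  window.cookieReject = function() {
    localStorage.setItem(KEY, "rejected"); // remembered so the banner stays hidden
    banner.style.display = "none";
  };
})();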
</script>
For GDPR compliance you also need to: (1) not load tracking scripts until consent is given, (2) provide a way to withdraw consent later, (3) track consent for at least 6 months. This banner stub handles UI; you must wire it to your analytics initialization.

Generate a drop-in HTML+JavaScript cookie consent banner with proper Accept/Reject buttons (required for GDPR compliance — reject must be available without scrolling or clicking through dark patterns), localStorage persistence (so the banner doesn’t re-appear every page load after the user decides), configurable position (bottom bar most common, modal overlay for stricter compliance), and color customization to match your site’s branding. Output is a code snippet you paste before </body> in your site template — banner stub only; you wire the accept/reject handlers to your actual analytics and tracking script initialization.

Why proper consent matters: GDPR (EU) requires explicit opt-in for non-essential cookies, with reject as easy as accept (banners that bury reject behind “Manage Preferences” have been fined). Article 7 of GDPR also requires you to NOT load tracking scripts (Google Analytics, Facebook Pixel, remarketing) until consent is given — many sites incorrectly fire pixels before the banner appears, voiding consent. CCPA / CPRA (California) requires opt-out availability and a “Do Not Sell My Personal Information” link. ePrivacy Directive (EU) layered on top of GDPR addresses cookies specifically. Fines for non-compliance: GDPR up to 4% of global revenue or €20M (whichever is higher); CCPA up to $7,500 per intentional violation. Most fines have been in the €1M-50M range for major sites; small sites face €5K-100K.

Practical compliance tiers:

  • Tier 1 - Minimum (most small sites): banner with Accept/Reject, scripts gated until consent, privacy policy link. Sufficient if you only use Google Analytics + maybe one other essential service.
  • Tier 2 - Full GDPR: granular consent (analytics vs marketing vs functional), consent withdrawal mechanism, consent record keeping (timestamp + IP for 6+ months). Requires a Consent Management Platform (CMP) like Cookiebot, OneTrust, or Iubenda — typically $10-50/month for small sites.
  • Tier 3 - Heavy compliance (publishers, ad-tech): IAB TCF v2.2 framework integration, full vendor disclosure (showing every advertiser and their cookie purpose), regular compliance audits. Required only if running display ads from networks like Google Ad Manager or Pubmatic.

For most non-ad-supported sites and SaaS apps, Tier 1 is sufficient.

How to Use

  1. Customize banner colors to match your site (background, text, button colors). Don't make 'Reject' visually less prominent than 'Accept' — GDPR requires equal prominence.
  2. Pick position: bottom bar (least disruptive, most common), top bar, or modal overlay (most compliant but blocks page interaction until decision).
  3. Set the URL of your privacy policy and cookie policy pages.
  4. Customize button labels: 'Accept All' / 'Reject All' (clearest), or 'Allow Cookies' / 'Decline'. Avoid dark patterns like 'OK' / 'Customize Settings' (which makes Reject harder to find).
  5. Copy the generated HTML+JavaScript code and paste before </body> in your site template (or via Google Tag Manager if using).
  6. Wire the accept/reject handlers to your tracking scripts. On 'reject', do NOT initialize Google Analytics, Facebook Pixel, or other non-essential tracking. The default code is a stub; you must connect it to your actual scripts.

When to Use

  • Any site with users in EU (regardless of where the site is hosted) — GDPR is extraterritorial.
  • Any site with users in California — CCPA applies if business has $25M+ revenue OR processes 100K+ consumers' data OR derives 50%+ revenue from selling personal info.
  • Sites with Google Analytics, Facebook Pixel, or any tracking scripts — even basic GA needs consent in GDPR jurisdictions.
  • Sites running display ads — ad networks usually require consent management as part of their ToS.

When Not to Use

  • Personal sites with no analytics, no third-party scripts, no contact forms, hosted on first-party infrastructure — those don't process personal data and don't need consent.
  • Internal company tools (intranets) where users are employees, not 'data subjects' in the GDPR sense — those have different consent considerations under employment law.
  • Static brochure sites with no interactivity and no user data collection — typically exempt though many add banners as defensive practice.
  • When you need full Tier-2 GDPR compliance with audit trail — use a managed CMP (Cookiebot, OneTrust, Iubenda) instead of a basic banner; managed services handle vendor lists, consent records, and ongoing compliance updates.

Common Use Cases

  • Quick generation during a typical workday
  • Pre-decision sanity-check on inputs and outputs
  • Educational use — demonstrating the underlying concept
  • Onboarding a colleague who needs the same calculation/conversion

Frequently Asked Questions

Is this GDPR-compliant?

It handles the UI and consent persistence — the visible compliance layer. For full GDPR compliance you also need: (1) NOT load tracking scripts until consent is given (most violations come from this — sites fire Google Analytics on page load before consent), (2) provide a way for users to withdraw consent at any time (typically a 'Manage Cookies' link in your footer), (3) document consent records for at least 6 months (timestamp, IP, what was consented to), (4) recognize Global Privacy Control (GPC) signals automatically as a withdraw, (5) update consent annually if your tracking purposes change. The generator gives you steps 1 and basic 2; steps 3-5 require a managed CMP.
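The wiring described in step 6 of the how-to and in items (1), (2) and (4) of the answer above, as an added JavaScript example that is not the generator's output: tracking is injected only when a stored decision says "accepted" (including on return visits), a Global Privacy Control signal is treated as a rejection, and withdrawal is exposed as a function. `createConsentGate`, `loadTracking` and `cookieWithdraw` are hypothetical names, the rule that GPC overrides stored consent is an assumption, and the stored timestamp is a local convenience, not the consent record of item (3).

```javascript
// Added example; createConsentGate, loadTracking and cookieWithdraw are hypothetical names.
function createConsentGate(opts) {
  var KEY = "cookie-consent";        // same key the banner stub writes
  var storage = opts.storage;        // localStorage-like object
  var now = opts.now || function () { return new Date().toISOString(); };
  var loaded = false;                // tracking is injected at most once per page
  function read() {
    var raw;
    try { raw = storage.getItem(KEY); } catch (e) { return null; } // storage blocked
    if (raw === "accepted" || raw === "rejected") return { decision: raw }; // stub's plain value
    try {
      var rec = JSON.parse(raw);
      var ok = rec && (rec.decision === "accepted" || rec.decision === "rejected");
      return ok ? rec : null;        // malformed data counts as no decision
    } catch (e) { return null; }
  }
  function state() {
    if (opts.gpc) return "rejected"; // assumption: a GPC signal overrides stored consent
    var rec = read(); return rec ? rec.decision : "undecided";
  }
  function maybeLoad() {
    if (state() === "accepted" && !loaded) { loaded = true; opts.loadTracking(); }
  }
  function decide(decision) {
    try { storage.setItem(KEY, JSON.stringify({ decision: decision, ts: now() })); } catch (e) {}
    maybeLoad();                     // if the write failed, state stays undecided: nothing loads
  }
  return {
    state: state,
    init: function () { maybeLoad(); return state() === "undecided"; }, // true = show banner
    accept: function () { decide("accepted"); },
    reject: function () { decide("rejected"); },
    // Scripts already running cannot be unloaded; true tells the caller to reload the page.
    withdraw: function () { decide("rejected"); return loaded; }
  };
}
// Browser wiring, skipped outside a browser; it replaces the stub's two handlers.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  var gate = createConsentGate({
    storage: window.localStorage,
    gpc: navigator.globalPrivacyControl === true,
    loadTracking: function () { /* placeholder: inject your analytics <script> tags here */ }
  });
  var banner = document.getElementById("cookie-banner");
  banner.style.display = gate.init() ? "block" : "none";
  window.cookieAccept = function () { gate.accept(); banner.style.display = "none"; };
  window.cookieReject = function () { gate.reject(); banner.style.display = "none"; };
  window.cookieWithdraw = function () { if (gate.withdraw()) location.reload(); };
}
```

Load it after the banner snippet; a footer "Manage Cookies" link can then call `cookieWithdraw()`.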

Do I need a banner if I only use Google Analytics?

Yes for EU users. Google Analytics (especially GA4) drops cookies (_ga, _gid) and processes IP addresses, which qualify as personal data under GDPR. The European Data Protection Board (EDPB) and several national DPAs (France's CNIL, Austria's DSB) have ruled GA4 in default configuration is non-GDPR-compliant. To use GA4 with EU users you need: (a) consent banner, (b) IP anonymization enabled, (c) data residency settings configured, (d) signed Data Processing Agreement with Google. Or replace GA with a privacy-friendly analytics tool: Plausible, Fathom, Pirsch, Simple Analytics — all designed cookieless and GDPR-compliant by default.

What's the difference between cookies and 'tracking'?

Cookies are a STORAGE mechanism (small text file in user's browser). Tracking is the BEHAVIOR (collecting user data over time). They're related but distinct — you can have cookies without tracking (a session cookie remembering you're logged in) and you can have tracking without cookies (server-side fingerprinting, IP-based tracking). GDPR regulates both. The cookie banner naming is a misnomer; the actual regulation is about consent for tracking, regardless of mechanism. New tracking-without-cookies methods (server-side analytics, Conversions API) still require consent.

Can I just block EU traffic to avoid GDPR?

Yes, technically — but it's almost always the wrong choice. (1) GDPR applies to anyone marketing 'in' the EU, which includes accepting orders or even visitors browsing from EU. (2) Geo-blocking by IP is unreliable; users with VPNs would still trigger GDPR if they purchased. (3) The compliance work for GDPR also positions you for CCPA, Quebec Law 25, Brazil LGPD, and similar laws expanding globally. (4) Geo-blocking lots of EU users hurts SEO (Google sees the block) and revenue. Better path: implement consent properly once, comply globally. The compliance infrastructure (proper consent, data minimization, deletion processes) becomes the operating standard.

Should I use a paid CMP or build my own?

Build for tier-1 minimum compliance (this generator + your own backend logic). Paid CMP for tier-2+ when you need: granular consent categories, vendor disclosure (IAB TCF for ad tech), consent records and audits, automatic privacy-policy updates as vendors change, multi-language support, GPC signal handling, dark-pattern compliance scoring. Costs: Cookiebot $11-119/month based on traffic; OneTrust enterprise ($500+/month); Iubenda $30-100/month; Termly $10-49/month. Worth the cost if you're running ads, processing health/financial data, or have 100K+ visitors/month. Smaller sites with simple stack can DIY.

What about American sites — do I need this?

Depends on your audience. If you have ANY EU users, yes (GDPR is extraterritorial). If California users + you meet CCPA thresholds ($25M revenue OR 100K consumers OR 50% revenue from selling personal info), yes (CCPA). If users in Quebec, yes (Quebec Law 25, similar to GDPR). Texas, Oregon, Connecticut, Colorado, Utah, Virginia all have privacy laws now. As of 2025, ~16 US states have or are passing comprehensive privacy laws, all with similar disclosure and consent requirements. Practical reality: if you have any meaningful traffic, build the infrastructure now. The patchwork of state laws makes piecemeal compliance harder than universal compliance.