If that's not an option, the next best thing is to have an overlay that is as honest as possible and most importantly provides not only an "Accept all", but also a "Reject all" button.
Don't use dark patterns, basically. That is, use the same color, style and size for each of those buttons.
My experience is that most users are so used to these overlays by now, they just look for the button which gets rid of them most quickly. Marketing will typically push to tinker with the appearance of the buttons to increase the conversion rate in favor of the "Accept all" option.
Also consider visitors are used to these prompts, without one they may wonder: does this site follow the law?
But to elaborate a bit: At least in Germany (and I believe this applies more or less everywhere) if you install a 1st-party tracking method based on 1st-party cookies, that doesn't fall under the 3rd-party consent requirement and you don't need consent. That means you can track your valuable retention numbers and won't need a consent banner. It's a common misunderstanding that you need that consent for all cookies. You only need it for cookies that aren't required to do your business. And 3rd-party cookies aren't.
It's just that marketing typically don't want to spend any money on this, because these retention numbers turn out to not be enough value to justify the investment. I wonder if they are as valuable as you described at all.
Edit: I should have said 1st-party tracking that doesn't collect personally identifiable information (PII).
Why is it so hard to for people to understand that I just want you to serve me the page and bugger off? It's like justifying embedding GPS tracking in pamphlets that people hand out on the street.
I don't want to be tracked period.
Is it that hard?
Yeah you don't need to do that though. You want to.
Then the user can centrally review what permissions they gave, revoke them etc.
So no sites should have these kind of approval banners.
And that leads through to another tip to make your consent request less obnoxious - make sure that plugins like Consent-o-matic do actually work correctly and invisibly with your site.
I you have to have one I'd suggest it have a Reject All button which makes the banner go away without any further clicks.
Nothing is more soul destroying than having to click several times to make the nonsense go away.
The last time I checked (a few years ago) most websites were doing a serious overkill with the banners, where the law didn't require it. Also, for certain companies the possible penalty for not having a banner was so low that it didn't make sense to have such banners at all.
GitHub used to not have cookies for tracking purposes either but it looks like some people couldn’t live without tracking users so it’s back after 2 years on some subdomains: https://github.blog/2020-12-17-no-cookie-for-you/
Make sure that it does work with extensions like I don't care about cookies. That one is usually easy but make sure it works with the uBlock script too.
Do not have that the banner force any site reloads. Analytics for example can be loaded into a page wihtout reloading.
If that is done the ad blocker users will never notice the banner.
Pointing out this stuff forces you into the path of requiring that people click on it before being able to navigate the website, which is extremely intrusive, and makes all the marketing people insist that you apply dark patterns.
SO, as others have already said, definitely a "reject all" and be done with it right in the beginning, without the need for any forther clicks. Better yet if the banner is just a sliver on the side that doesn't interrupt my reading experience (clearly, as long as I didn't click "yes" on cookies, it can't set any; so it would be default-no, allows me to read, and if I want to click in the corner for something else, I can. Even better if it has an "X" to close that unintrusive side window, and of course the X gets treated as "reject all".
See, the problem is solved even before it appeared - if your company will comply with the law then the banner would not be obnoxious by design.
What do you plan on using cookies for? There might be some ways of doing similar things without cookies or trackers (server-side analytics for example) that are more respective of users and also eliminiate the need for any banners at all.
I know my company's website has a pointless cookie modal - the necessary cookies are just for session affinity on a gateway (which I don't believe you'd need a modal for anyway), and the unecessary cookies are from one analytics integration that's been used just once since it was set up, and another that is used for the most basic reports that you could get from just the access logs.
For EU things you must make sure what you're doing with this aligns with consent from the user / other justifications. Whether it's server side or cookies doesn't matter for GDPR, it's the collection & use of the data.
To OP, try not to collect data at all, and if you need to then make the consent banner not block the use of the website. Also don't animate it in, just have it there.
The ICO guidance in the UK is pretty good https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-re...
Note that consent is not always the best justification for lawful processing.
This still gets you plenty of actionable analytics information: where geographically people are located (via GeoIP), what pages are most popular, what platforms (including desktop vs mobile) people are using.
I've been using https://plausible.io for analytics on a bunch of my sites for a couple of years now and I honestly don't miss the extra level of detail I got from cookie-based analytics I've used in the past.
Do not give people options about cookies - either they accept (and dismiss the notice), or they leave
When I am presented with cookie options, I start to wonder why there are "unnecessary" cookies present: why are you letting me accept "necessary" cookies or "all" cookies? Why would you have ones that are not needed? Seems hyper sketch ... and I'll go elsewhere (or reject all)
That's outright and explicitly illegal.
(I just thought I'd make that point in a quicker and simpler way than the otherwise great sister post.)
You're allowed to say, "we have cookies - you do not have to stay"
Because some are required for the functioning of the site. They can justify dealing with those without you approving it.
Some are there for advertising, that's not required for you to use the site but they'd definitely like to. So they need you to actively consent.
You're obligated to give them a way to opt out while continuing to use your service, and it should be as easy to decline as it is to accept[0]. The funny part, of course, is that countless services have put up banners that don't make it easy at all to reject, which means they're still not compliant, they just make the legal team feel warm and fuzzy.
That's why you see necessary vs all, because it's "can we track you or not". If you're just doing absolutely required cookies (e.g. session cookie), you don't even need a banner.
