SOSEI
7 min read. Tags: GDPR, Compliance, Cookies

GDPR Cookie Banner Requirements in 2026: What's Compliant, What Isn't

GDPR cookie banners are not optional; the rules tightened again in 2025, and most banners shipped before 2024 are now non-compliant. Concrete requirements, common violations, and the 2026 fines pipeline.

GDPR cookie banners are the most-litigated piece of web UI in Europe. The regulation has been in force since 2018, and the rules have gotten stricter, not looser, every year since. Most banners shipped before 2024 are now non-compliant under at least one EU member state’s interpretation. Here is the 2026 baseline.

The legal basis: GDPR + ePrivacy

Two regulations apply simultaneously:

  • GDPR (Regulation 2016/679) governs personal data. Maximum fine: 4% of global annual revenue or €20M, whichever is higher.
  • ePrivacy Directive (2002/58/EC, the “cookie law”) governs storing or reading anything on a user’s device — cookies, localStorage, fingerprints, pixels.

ePrivacy is the one that actually requires the banner. GDPR defines what “valid consent” means. You need both.

What “valid consent” means in 2026

Article 4(11) of GDPR defines consent as “freely given, specific, informed, and unambiguous indication…by a clear affirmative action.” Each adjective is load-bearing.

  • Freely given: not bundled with terms of service, not a precondition of using the site, no “reject all” buried under a five-click menu.
  • Specific: per-purpose. One global toggle for “all cookies” is non-compliant. You need separate consent for analytics, marketing, personalization, and any other purpose.
  • Informed: a plain-language explanation of what is set, by whom, for how long, and with whom it is shared. Not just the cookie name and a half-link to a 4,000-word policy.
  • Unambiguous, by clear affirmative action: no pre-ticked boxes, no “by continuing to use the site you accept,” no scroll-equals-consent.

What is non-compliant in 2026 (with citations)

  • “Accept all” with no equally prominent “Reject all.” CNIL (France) fined Google €150M and Facebook €60M in 2022 specifically for rejecting being harder than accepting.
  • Pre-ticked boxes. CJEU Planet49 ruling (C-673/17) was clear: silence and pre-checked boxes are not consent.
  • Loading scripts before consent. Setting Google Analytics, Meta Pixel, Hotjar, etc. on page load and asking afterward is a fine waiting to happen. Italian Garante fined multiple sites €25K-€100K each through 2024-2025 for this exact pattern.
  • Dark patterns. Confirm shaming, color manipulation (green Accept, grey Reject), and hidden withdraw paths are explicitly named in the EDPB Guidelines 03/2022.
  • Google Fonts loaded from fonts.googleapis.com. The 2022 Munich court ruling (Az. 3 O 17493/20) classified the IP-address transfer as a GDPR violation. Self-host woff2 instead — we cover the fix in Self-hosted fonts and GDPR.

What a compliant 2026 banner looks like

  1. Three buttons of equal visual weight: “Accept all,” “Reject all,” “Manage preferences.”
  2. No scripts fire before the user picks one. Analytics, marketing, and any non-strictly-necessary cookies are gated.
  3. Per-category toggles in the preferences pane: strictly necessary (always on), analytics, marketing, personalization, and any others you actually use.
  4. A persistent way to withdraw consent. A small “Cookie settings” link in the footer that re-opens the preferences pane is the standard.
  5. Cookie policy linked from the banner. Specific, per-cookie disclosure: name, purpose, duration, third parties.
  6. Consent log retention. You must be able to prove when each user consented. Most modern banners store a hashed record server-side.

Country-specific extras

  • UK (PECR): ICO’s January 2025 enforcement notice put 1,000+ UK sites on notice for the “asymmetric Reject” pattern.
  • France (CNIL): “Accept all” cannot require more than one click; the “Reject all” path must match.
  • Germany (TTDSG): additional national requirements including an explicit imprint (Impressum). Enforced via private competition lawsuits, which are aggressive and cheap to file.
  • Switzerland (revFADP, in force since Sep 2023): analogous requirements, separate enforcement.

The 2026 enforcement pipeline

EDPB’s 2025-2027 strategic plan named “cookie banners and dark patterns” as a top-three enforcement priority. CNIL, Garante, and the Spanish AEPD have all expanded their automated scanning. The expected outcome: more bulk enforcement waves like CNIL’s 2024 sweep of 200 banners in a single month.

The cheap path to compliance

Every site SOSEI rebuilds ships a compliant banner by default: three-button, gated-by-default, per-category toggles, persistent withdraw, generated cookie policy in the source-site language. As the regulation evolves, our shipped sites get the updated banner without any work on the owner’s side.

Want to know if your current site passes? Run our free GDPR audit — the compliance score covers banner presence, button parity, script-gating behavior, and policy linkage.

Stop losing customers to a 2018 website.

Every day on outdated tech is leads walking past your front door. Get the free 40-point audit — see exactly what's broken and what it's costing you. No signup. Two minutes.

See your site's score