The 2026 GDPR cookie banner checklist (the one regulators actually read)
Twelve concrete things your cookie banner must do — including the four that French CNIL and the German DSK keep fining sites for in 2025.
Most cookie banners on the European internet are non-compliant. That isn't a hot take — it's the conclusion of CNIL's 2024 sweep of 100 popular sites. The fines have started landing on small companies, not just Google and Meta. Below is the working checklist we use when reviewing customers' banners before they go live.
1. Default to denied
No pre-ticked consent boxes. No “by continuing to browse you accept”. The CJEU settled this in Planet49 (2019) — and CNIL keeps citing it.
2. Reject is as easy as Accept
If your “Accept all” button is one click and “Reject all” takes two, you're non-compliant. Either show both at the same level on the first layer, or hide both behind the same number of clicks. CNIL has publicly fined this exact pattern at least seven times.
3. Granular categories
At minimum: necessary, analytics, marketing. Most sites also benefit from a preferences / functional category. The user must be able to consent to each independently.
4. List the actual cookies
Either inside the preference center or on a linked declaration page, you must list every cookie name, who sets it, what it does, and how long it lives. “We use cookies for analytics” is not enough.
5. Withdrawal as easy as giving consent
Article 7(3) GDPR is explicit: it must be “as easy to withdraw consent as to give it”. In practice that means a persistent “Privacy choices” link in your footer that re-opens the banner.
6. No dark patterns
Don't bury the reject button in three submenus. Don't color the accept button green and the reject button gray to nudge people. The German DSK published explicit guidance on this in 2023 and it has teeth.
7. Block scripts BEFORE consent
This is the one most engineering teams get wrong. The cookie itself is not the problem — the third-party script that calls home is. The moment that script loads, the vendor has already received the visitor's IP address, user agent and page URL; deleting its cookie afterwards undoes none of that. Your CMP must block scripts from loading until consent is granted, not just delete cookies after the fact.
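One way a CMP can keep a third-party tag inert until consent exists, as an added JavaScript example that is neither CookieGuard's code nor part of the original checklist; the `type="text/plain"` / `data-consent` / `data-src` markup convention and the four category names are assumptions:

```javascript
// Consent-gated tag loading (added example, not CookieGuard's code).
// Assumed markup convention: third-party tags are written as inert placeholders
//   <script type="text/plain" data-consent="analytics"
//           data-src="https://analytics.example/tag.js"></script>
// Browsers do not execute a script whose "type" is not JavaScript and do not
// fetch "data-src", so nothing calls home until a placeholder is swapped out.

const CATEGORIES = ['necessary', 'preferences', 'analytics', 'marketing'];

// Decide which placeholders may run. Pure function, testable without a DOM:
// `scripts` is an array of {category, src, ...}; `consent` maps category to
// boolean. "necessary" never needs consent. Anything else fails closed: an
// unknown category, or one the visitor has not explicitly accepted, stays inert.
function selectScriptsToActivate(scripts, consent) {
  return scripts.filter((s) => {
    if (s.category === 'necessary') return true;
    if (!CATEGORIES.includes(s.category)) return false;
    return consent[s.category] === true;
  });
}

// Replace one inert placeholder with a live <script>. Assigning `src` on the
// new element is what issues the network request, so the request can only
// happen here, after selectScriptsToActivate() has approved it.
function activatePlaceholder(placeholder, doc) {
  const live = doc.createElement('script');
  live.src = placeholder.dataset.src;
  live.async = true;
  placeholder.replaceWith(live);
  return live;
}

// Browser entry point. Call once the stored or freshly given consent state is
// known, and again whenever the visitor changes choices via "Privacy choices".
function applyConsent(consent, doc = document) {
  const placeholders = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent][data-src]')
  );
  const descriptors = placeholders.map((el) => ({
    category: el.dataset.consent,
    src: el.dataset.src,
    el,
  }));
  return selectScriptsToActivate(descriptors, consent)
    .map((d) => activatePlaceholder(d.el, doc));
}
```

Withdrawal is the asymmetric case: a tag that has already executed cannot be unloaded from the running page, so after a visitor revokes a category the only reliable way to stop it is to reload the page with the new consent state.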
8. Geo-target intelligently
EEA visitors see opt-in. California visitors see opt-out with a “Do Not Sell or Share” link. Visitors elsewhere in the US can see a soft notice. Showing strict opt-in to everyone in the world isn't illegal, but it tanks your acceptance rate by 20–40%.
9. Re-consent on policy change
When you add a new vendor, bump the consent version. Old decisions don't apply to new processing. CookieGuard does this automatically when you change your config.
10. Keep proof
Article 7(1) GDPR requires you to demonstrate that consent was given. That means storing, per visitor: timestamp, choice, the version of categories/policy they consented to, the language they saw, and ideally a hash chain that proves the record wasn't edited later.
11. Stay accessible
The banner must be navigable by keyboard, announced to screen readers (role="dialog", focus management), and respect prefers-reduced-motion. Inaccessible banners violate both EU disability rights legislation and the US ADA — and some Italian regulators are now treating them as GDPR violations on top.
12. Don't block the whole page
“Cookie walls” — banners that prevent any browsing until consent — are illegal in France, the Netherlands, and increasingly elsewhere. The exception is paid news with a “pay or consent” option, and even that is on regulatory thin ice in 2026.
The shortcut
Building all twelve correctly takes weeks. CookieGuard ships them on by default. If you want to verify your current banner, run our free 30-day audit scan — it'll flag every one of the items above.