CJakCiasteczko

GDPR cookie banner — what's required in 2026

Plain-English checklist of what a GDPR-compliant cookie banner must do, what regulators are fining for in 2026, and the smallest implementation that keeps you out of trouble.

The General Data Protection Regulation has been in force since May 2018, but the bar for what counts as a compliant cookie banner has shifted in the last 18 months. CNIL in France, Garante in Italy, and the Belgian DPA have been issuing fines for the same handful of patterns over and over again. This page summarises what you actually need to do — without legalese.

Who this applies to

GDPR applies to any website that processes personal data of EU/EEA residents, regardless of where the company is based. A US Shopify store with a single Polish customer is in scope.

Cookies and similar tracking technologies almost always count as processing personal data, because at minimum they include a device identifier. The 2002 ePrivacy Directive (the so-called "cookie law") layers additional consent requirements on top of GDPR.

The 12 things your banner must do

Every regulator has its own emphasis, but the list below is the common ground of the guidance issued by CNIL, Garante, the German DSK, and the European Data Protection Board.

  • Default every non-essential category to denied. No pre-ticked boxes.
  • Make Reject as easy as Accept. Same number of clicks, same visual weight.
  • Group cookies into granular categories — at minimum: necessary, analytics, marketing.
  • List every cookie name, vendor, purpose, and duration on a linked declaration page.
  • Withdrawing consent must be as easy as giving it (Article 7(3)).
  • Block scripts BEFORE consent — not just delete cookies after.
  • Geo-target: opt-in for EEA, soft notice for the rest of the world.
  • Re-consent visitors when your vendor list materially changes.
  • Store a tamper-evident record of every decision (Article 7(1)).
  • Be accessible — keyboard navigation, ARIA roles, contrast ≥ 4.5:1.
  • Don't lock users out of the site ("cookie walls" are illegal in NL, FR, and increasingly elsewhere).
  • No dark patterns: same colour weight on Accept and Reject buttons.

What regulators are fining for in 2026

By volume, the dominant pattern in recent decisions is asymmetric Accept / Reject UI — typically a green Accept button on the first layer and a Reject buried two clicks deep. CNIL has fined this exact pattern at least nine times since 2023.

The second most common cause is scripts firing before consent: analytics tags or pixels loading on page load, with the CMP only deleting the cookies they set afterwards rather than blocking the network beacons in the first place.

Third: stale consent records. If you can't produce a per-visitor log of when consent was given, what categories were chosen, and what version of the policy was active, you don't have demonstrable consent.

The fastest path to compliance

Most teams underestimate how much of this is solved at the CMP layer. CookieGuard ships with all 12 items above on by default, so no configuration is required to be compliant in the EEA. You change colours and copy; the legal defaults stay sane.

Frequently asked

Do I need a cookie banner for analytics-only?

Yes, if your analytics tool sets cookies or sends a device identifier. Even cookieless GA4 still triggers the ePrivacy consent requirement in most EU countries.

Is implied consent legal under GDPR?

No. The CJEU ruled in Planet49 (2019) that consent must be specific, informed, and given by a clear affirmative action. Continuing to scroll doesn't count.

How long can I store consent before re-asking?

There's no fixed legal limit, but common practice is 6–12 months. Most regulators consider 13 months reasonable.

Do I need a separate banner for the UK?

UK GDPR + PECR are functionally identical to EU GDPR + ePrivacy for cookie-banner purposes. One banner with EEA-style defaults covers both.

What's the maximum fine?

Up to 4% of global annual turnover under GDPR, or €10–20M, whichever is higher. CNIL's biggest cookie-banner-only fine to date is €150M (Google, 2022).

Want a banner that ships compliant by default?

CJakCiasteczko's defaults match the strictest EU interpretation, geo-relax automatically for the rest of the world, and capture a hash-chained audit trail of every consent.