
Cookie Consent Enforcement in 2026: What European DPAs Are Cracking Down On


Cookie consent has been a compliance requirement since the ePrivacy Directive came into force in 2011. Fifteen years later, most websites still get it wrong — and European data protection authorities have run out of patience.

In 2025 and into 2026, regulators across the EU have issued a wave of enforcement actions targeting cookie banners, consent management platforms, and tracking practices. The fines are no longer symbolic. They are reaching into the millions of euros, affecting companies of all sizes, and — critically — targeting practices that many organizations still consider acceptable.

If your organization's cookie banner was set up in 2021 and has not been reviewed since, you are likely non-compliant.

The Legal Framework: GDPR Plus ePrivacy

Cookie consent operates at the intersection of two legal frameworks:

The ePrivacy Directive (implemented as national law in each member state) requires prior, informed consent before placing non-essential cookies or tracking technologies. This is a separate legal basis from GDPR — even if your other processing is based on legitimate interests, cookies typically require consent.

GDPR applies to the personal data collected through cookies and tracking. Consent under GDPR must be freely given, specific, informed, and unambiguous. It requires a clear affirmative action — pre-ticked boxes are illegal.

The combination means that a single cookie banner that fails to meet the consent standard can violate two frameworks simultaneously: the ePrivacy Directive (for placing the cookie without valid consent) and GDPR (for processing personal data without a valid legal basis).

What Regulators Are Targeting in 2026

The enforcement picture has become clearer as DPA decisions accumulate. Regulators are consistently targeting five categories of violation:

1. Dark Patterns in Consent Interfaces

The EDPB's 2022 guidelines on dark patterns in social media platforms established a framework that regulators are now applying broadly to cookie banners. Dark patterns manipulate users into accepting cookies they would otherwise decline.

Specific patterns regulators have found unlawful:

The French CNIL fined Google €150 million and Facebook €60 million in 2022 specifically for making it harder to refuse cookies than to accept them. That enforcement model has since been replicated across multiple jurisdictions.

2. Consent Without a Genuine "No" Option

Valid consent under GDPR requires that refusing consent be as easy as giving it. Many consent management platforms technically offer a reject option but bury it in a secondary menu, require multiple confirmations, or present it only after the user has seen a screen emphasizing the "benefits" of accepting cookies.

This is not a grey area. Regulators have been explicit: if your "Reject All" option is not as prominent and accessible as your "Accept All" option, your consent is not valid.

3. Pre-Ticked Boxes and Default-On Toggles

This was prohibited from day one, but it persists. Cookie preference centers that default analytics, advertising, or social media categories to "on" — requiring users to actively untick them — do not constitute consent. They constitute the absence of an objection, which GDPR explicitly rejects as a consent mechanism.

The same applies to consent management platforms that pre-select vendor lists. Consent must be specific to each purpose and each vendor. A user who accepts "analytics cookies" has not necessarily consented to any specific analytics vendor.

4. Invalid Legitimate Interests Claims for Advertising

Some organizations have attempted to use "legitimate interests" as a legal basis for advertising cookies, bypassing the consent requirement. Regulators have rejected this approach consistently.

The IAB Europe's Transparency and Consent Framework (TCF) was ruled illegal by the Belgian DPA in 2022, with the decision upheld through appeals in 2024. The fundamental problem: the TCF relied on legitimate interests for purposes that require consent, and it did not give individuals meaningful control.

If your advertising stack relies on the IAB TCF, you should seek legal advice about your current compliance position. The framework continues to operate while the IAB develops a revised version, but the legal basis for TCF-based processing remains contested.

5. Cookie Walls

A cookie wall conditions access to a website on the user's consent to tracking cookies. The EDPB's position is that cookie walls make consent a precondition of access to a service, which means consent is not freely given.

Some member state regulators have taken a more permissive position, allowing cookie walls where users are offered a paid alternative. This "pay or consent" model is itself under challenge, and the CJEU's ruling in the Meta case (July 2023) has added complexity. The legal situation remains unsettled, but implementing a cookie wall without legal counsel is high risk.

How to Audit Your Cookie Practices

Step 1: Run a Technical Scan

Before reviewing your consent interface, understand what cookies and tracking technologies your site actually deploys. Many organizations discover that third-party scripts load additional trackers beyond what their consent management platform is configured to manage.

Our Website Privacy Scanner identifies tracking technologies deployed on your site, including those loaded by third-party scripts. It provides a baseline for understanding the gap between what your consent interface covers and what is actually running.

Step 2: Map Your Consent Interface Against the Requirements

For each purpose category and vendor in your consent management platform:

Step 3: Review Your Legal Basis Claims

For each cookie or tracking technology on your site, document the legal basis. If you are claiming legitimate interests for any tracking cookies, this claim should be reviewed by legal counsel given the enforcement environment.

For analytics tools: some analytics providers offer configurations that do not require consent (server-side, no persistent identifiers, aggregated data). Evaluate whether your analytics setup qualifies for the "strictly necessary" exemption or requires consent.

Step 4: Test the Reject Path

Walk through your consent interface as a user who wants to reject all non-essential cookies. Count the steps. Compare them to the accept path. If rejecting cookies takes more effort than accepting them, your consent is likely invalid.

Step 5: Check Your Consent Records

If you cannot demonstrate that a specific user gave valid, informed consent on a specific date through a specific version of your consent interface, you cannot demonstrate compliance. Your consent management platform should be recording this data.
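As an added example (not part of the original article or any vendor's tooling), the gap check from Step 1 can be scripted against a HAR capture recorded before any interaction with the banner. The HAR excerpt, hostnames, cookie names and the `CMP_DECLARED` map are constructed for illustration, and `audit_pre_consent` is a hypothetical helper.

```python
import json
from urllib.parse import urlsplit

# Constructed HAR excerpt: a page load recorded BEFORE any click on the banner.
SAMPLE_HAR = json.loads("""
{"log": {"entries": [
  {"request": {"url": "https://shop.example/"},
   "response": {"headers": [
     {"name": "Set-Cookie", "value": "session=abc123; Path=/; HttpOnly; Secure"},
     {"name": "Set-Cookie", "value": "consent_state=pending; Path=/"}]}},
  {"request": {"url": "https://analytics.example/collect?v=1"},
   "response": {"headers": [
     {"name": "set-cookie", "value": "_visitor=9f2c; Max-Age=63072000; Secure"}]}},
  {"request": {"url": "https://ads.example/sync"},
   "response": {"headers": [
     {"name": "Set-Cookie", "value": "uid_sync=77aa; Max-Age=31536000"}]}}
]}}
""")

# Hypothetical export of what the CMP is configured to manage: cookie -> category.
CMP_DECLARED = {"session": "necessary", "consent_state": "necessary",
                "_visitor": "analytics"}

def audit_pre_consent(har, declared):
    """Return findings for cookies set in a capture taken before consent."""
    findings = []
    for entry in har["log"]["entries"]:
        host = urlsplit(entry["request"]["url"]).hostname
        for header in entry["response"].get("headers", []):
            if header["name"].lower() != "set-cookie":
                continue
            # Tolerate captures that join several Set-Cookie values with newlines.
            for raw in header["value"].split("\n"):
                name = raw.split(";", 1)[0].split("=", 1)[0].strip()
                category = declared.get(name)
                if category is None:
                    issue = "undeclared"          # on the site, absent from the CMP
                elif category != "necessary":
                    issue = "set_before_consent"  # declared, but set with no choice made
                else:
                    continue
                findings.append({"cookie": name, "host": host,
                                 "category": category, "issue": issue})
    return findings

if __name__ == "__main__":
    for f in audit_pre_consent(SAMPLE_HAR, CMP_DECLARED):
        print(f"{f['issue']:<20} {f['cookie']:<10} {f['host']} ({f['category']})")
```

Running the same function over a capture taken after choosing "Reject All" covers Step 4: any finding in that capture is a tracker that ignores the refusal.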

The Enforcement Risk Is No Longer Theoretical

The following enforcement actions illustrate the scale of exposure:

These are not exclusively large-platform problems. CNIL, the German DSKs, and the Dutch AP have all issued fines against mid-market companies for cookie consent violations. The enforcement environment has shifted from regulating the most egregious offenders to systematic audit programs targeting specific practices.

What to Do Now

Cookie consent compliance is not a one-time configuration task. It is an ongoing obligation that requires:

Quarterly reviews of which cookies your site deploys and whether your consent configuration covers them.

Annual legal review of your consent management setup against current DPA guidance and enforcement decisions.

Documented evidence that your consent interface meets the requirements, including screenshots of the interface, records of configuration changes, and consent logs. This evidence is what you need if a regulator audits you.

A clear escalation path: If your website uses advertising technology or participates in programmatic advertising, you need legal counsel familiar with adtech compliance — this area is technically complex and the legal position on specific practices changes frequently.

The enforcement actions we track show a consistent pattern: organizations that have not reviewed their cookie practices since 2021-2022 are facing the highest risk. A structured audit now is significantly less expensive than a DPA investigation later.
