Since the EU cookie consent provisions went into effect in 2011, expectations for digital privacy have only grown. The ePrivacy Directive and the General Data Protection Regulation (GDPR) govern how websites use cookies across the European Union. If you run a website that gets any traffic from Europe, cookie compliance isn’t optional.
This guide covers what EU cookie consent requirements actually demand, which cookies need consent and which don’t, what a valid consent looks like under the law, and what’s changed for 2026.
What is EU cookie compliance?
EU cookie compliance means meeting the legal requirements set by the ePrivacy Directive and the General Data Protection Regulation (GDPR) when using cookies on your website. Together, these laws require websites to tell users what cookies they’re using, get consent before placing non-essential cookies, and give users a way to change or withdraw consent at any time.
In practice, this means your cookie banner needs to do more than inform. It needs to offer a real choice.
The two laws that govern cookie consent in Europe
ePrivacy Directive (2002/58/EC)
The ePrivacy Directive, sometimes called the Cookie Law, has been in force since 2002. The cookie consent provisions were added in 2009 and took effect in 2011.
Any cookie that isn’t strictly necessary for the service the user requested needs prior consent. That covers analytics, advertising, and personalisation.
GDPR (Regulation 2016/679)
The GDPR governs how personal data gets processed. Because cookies often identify or can be used to identify a person, any cookie that processes personal data falls under GDPR as well. That means your legal basis for processing must hold up, and in most cookie contexts, that means consent rather than legitimate interest.
The two laws interact like this: the ePrivacy Directive tells you when to ask for consent. The GDPR tells you what valid consent looks like. You need to satisfy both.
Member states implement the ePrivacy Directive through national law, which is why enforcement and interpretation vary. France’s CNIL, Germany’s DSK, and the Dutch AP have all published guidance that sometimes differs on the details. As a general rule, follow the strictest interpretation rather than the most lenient one.
Not all cookies require consent. The rule is that strictly necessary cookies are exempt, and everything else needs opt-in. Here’s how that breaks down in practice.
| Cookie type | Examples | Consent required? |
| --- | --- | --- |
| Strictly necessary | Session cookies, authentication, shopping cart, security | No, but must be disclosed |
| Preferences / functional | Saved language, region, accessibility settings | Yes |
| Analytics / performance | Google Analytics, Matomo, Hotjar | Yes |
| Advertising / marketing | Meta Pixel, Google Ads, retargeting | Yes |
| Social media embeds | YouTube, Twitter/X widgets that track users | Yes |
A few things catch people out here:
- First, strictly necessary has a narrow definition. A cookie is strictly necessary only if the service cannot function without it. Analytics cookies are not strictly necessary, because the site works fine without them.
- Second, first-party analytics don’t automatically get a pass. Even anonymised analytics data requires consent in most EU member states, including Germany and France.
- Third, watch out for cookies set by third-party scripts you’ve added. If your marketing or development team drops in a new tracking pixel, it may start setting cookies before you’ve updated your banner.
What is valid cookie consent under EU law?
GDPR consent has to meet four requirements: it must be freely given, specific, informed, and given through a clear affirmative action.
- Freely given means the user has a real choice: If accepting cookies is the only way to access your content, that’s coercion, not consent. The European Data Protection Board (EDPB) has specifically called out “pay or consent” models, where users either pay a fee or accept tracking, as problematic unless the free version provides genuinely equivalent access.
- Specific means separate consent for each purpose: You can’t bundle analytics and advertising into one checkbox. Users need to be able to say yes to one and no to the other.
- Informed means the user knows what they’re consenting to: That includes what the cookies do, who sets them, and how long they last.
- Clear affirmative action means the user actively ticked a box or clicked an accept button: Pre-ticked boxes don’t work. Scrolling doesn’t work, nor does continued browsing. The CJEU confirmed this in the Planet49 ruling (Case C-673/17, October 2019).
What your consent records (consent log) need to contain
You also need to be able to prove that cookie consent happened. Regulators have asked for this evidence during audits. Your logs should include:
- Timestamp of when consent was given
- Which categories the user accepted or rejected
- The version of the banner they saw
- The user’s IP or session identifier (where legally permissible)

EU GDPR Cookie banner requirements: do’s and don’ts
What it must do
Your cookie banner must appear before any non-essential cookies load. That’s non-negotiable. If your analytics tag fires the moment a user lands on the page before they’ve seen the banner, that counts as non-compliance.

The banner must present accept and reject options with equal prominence. The accept button and the reject button should have the same size, colour, weight, and position in the visual hierarchy.

The CNIL in France has explicitly sanctioned sites where the reject option was harder to find or took more steps to complete than the accept option. You must also give users a way to revisit and change their choices later.
What it must not do
Cookie banners must not use dark patterns. Specifically:
- No pre-ticked boxes for non-essential cookies
- No “Accept all” button that’s large and brightly coloured, while “Reject” is tiny grey text
- No design that buries the reject option behind multiple clicks
- No misleading language like labelling the reject button “Accept necessary only” in a way that implies it’s a substandard choice
Preference centre
Best practice is a two-layer approach:
- The first layer (the banner) offers quick accept/reject.
- The second layer (a preference centre) lets users read descriptions of each cookie category and toggle categories individually.
The preference centre is especially important for demonstrating that your consent is specific enough under GDPR.
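The gating, two-layer choice and consent-log requirements described above, as an added example in plain JavaScript. This is not CookieYes code and not any particular CMP’s API: the category names, the banner version string, the tag registry, the session identifier and the in-memory `loadTag` callback are all constructed for the example. In a browser, `loadTag` would be the function that injects the vendor’s script tag.

```javascript
// Added example: a consent manager that never loads a non-essential tag until the
// user has made a choice, records each choice for audit, and honours withdrawal.
// Constructed names: BANNER_VERSION, the categories, TAG_REGISTRY and sessionId.

const BANNER_VERSION = "2026-01-v3"; // constructed; bump whenever banner text or design changes
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

// Tags that may only load once their category is granted (constructed names).
const TAG_REGISTRY = [
  { name: "site-analytics", category: "analytics" },
  { name: "ads-pixel", category: "marketing" },
  { name: "language-saver", category: "functional" },
];

function allCategories(value) {
  return Object.fromEntries(NON_ESSENTIAL.map((c) => [c, value]));
}

function createConsentManager({ loadTag, now = () => new Date(), sessionId = "sess-constructed" }) {
  let state = allCategories(false); // default: nothing non-essential is granted
  const log = [];                   // consent records, one per user action
  const loaded = new Set();         // tags already injected during this page view

  function record(action, choices) {
    log.push({
      timestamp: now().toISOString(),
      action,                       // accept_all | reject_all | custom | withdraw
      choices: { ...choices },      // per-category decisions, never one bundled flag
      bannerVersion: BANNER_VERSION,
      sessionId,                    // or IP address, only where legally permissible
    });
  }

  function applyState() {
    // Load each granted tag exactly once. Nothing fires on page init because the
    // state starts all-false and applyState only runs after a recorded choice.
    for (const tag of TAG_REGISTRY) {
      if (state[tag.category] && !loaded.has(tag.name)) {
        loadTag(tag.name);
        loaded.add(tag.name);
      }
    }
  }

  return {
    // First layer: the two equal-prominence buttons.
    acceptAll() { state = allCategories(true); record("accept_all", state); applyState(); },
    rejectAll() { state = allCategories(false); record("reject_all", state); applyState(); },
    // Second layer (preference centre): per-category toggles. A missing or
    // unknown category is treated as refused, never assumed.
    setChoices(choices) {
      state = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, choices[c] === true]));
      record("custom", state);
      applyState();
    },
    // Withdrawal is recorded and applies to future page loads; scripts already
    // injected in this page view cannot be unloaded, so trigger a reload after it.
    withdraw() { state = allCategories(false); record("withdraw", state); },
    getState() { return { ...state }; },
    getLog() { return log.map((r) => ({ ...r, choices: { ...r.choices } })); },
    loadedTags() { return [...loaded]; },
  };
}

// Consent has a shelf life: re-prompt once a record is older than maxAgeDays
// (twelve months here; some regulators, such as Italy's Garante, expect about six).
function isConsentFresh(record, now = new Date(), maxAgeDays = 365) {
  const ageMs = now.getTime() - Date.parse(record.timestamp);
  return ageMs >= 0 && ageMs <= maxAgeDays * 86400000;
}
```

Each log entry carries the per-category decision rather than a single accepted/rejected flag, which is what lets you show a regulator that consent was specific; `isConsentFresh` is the check to run on the stored record at page load before deciding whether to re-show the banner.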

How to implement EU cookie compliance: step by step
- Audit your cookies: Use a cookie scanner tool to find every cookie and tracker on your site, including anything loaded by third-party scripts. Classify each one by purpose.
- Choose a consent management platform (CMP): A CMP handles banner display, blocks scripts until consent is given, and stores consent records.
- Write plain-language descriptions for each cookie category: “Analytics cookies help us understand how visitors use our site, so we can fix broken pages and improve navigation” is better than any technical jargon.
- Design the banner: Equal-prominence accept and reject options. Do not use pre-ticked boxes or dark patterns. Consider having a designer or legal team review the final version before launch.
- Block scripts by default: Configure your tag manager (Google Tag Manager, Tealium, etc.) to fire analytics and advertising tags only after the user consents.
- Set up consent logging: Make sure your CMP is recording consent events with timestamps and banner version numbers, and that you can export these records if a regulator asks.
- Re-scan after changes: Every time you add a new plugin, theme, or third-party integration, scan for new cookies. Schedule quarterly audits at a minimum.
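The audit and re-scan steps above, as an added example (not CookieYes code or any scanner product): a check that compares the Set-Cookie headers captured on a first, pre-consent page load against the site’s declared cookie inventory. The inventory, the cookie names and the captured header lines are constructed for the example; the six-month lifetime cap comes from the Belgian checklist described later on this page.

```javascript
// Added example: audit a captured first-load response against the declared
// cookie inventory. Inventory, cookie names and Set-Cookie lines are constructed.

// Declared inventory: every cookie the site knowingly sets, with its category.
const INVENTORY = {
  sessionid:      { category: "strictly-necessary", vendor: "first-party" },
  csrftoken:      { category: "strictly-necessary", vendor: "first-party" },
  cookie_consent: { category: "strictly-necessary", vendor: "first-party" },
  _ga:            { category: "analytics", vendor: "Google Analytics" },
  _fbp:           { category: "marketing", vendor: "Meta Pixel" },
};

// Constructed capture of Set-Cookie headers seen on a first visit, before the banner.
const FIRST_LOAD_CAPTURE = [
  "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
  "cookie_consent=pending; Path=/; Max-Age=31536000; Secure",
  "_ga=GA1.2.111.222; Path=/; Max-Age=63072000",
  "_newpixel_uid=9f1c; Path=/; Max-Age=2592000", // constructed: a pixel nobody declared
];

// Parse one Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq >= 0 ? pair.slice(0, eq) : pair;
  const value = eq >= 0 ? pair.slice(eq + 1) : "";
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i >= 0 ? a.slice(0, i) : a).toLowerCase();
    attributes[key] = i >= 0 ? a.slice(i + 1) : true; // flags like HttpOnly become true
  }
  return { name, value, attributes };
}

// Lifetime in days; Max-Age wins over Expires (RFC 6265). Null means session cookie.
function lifetimeDays(cookie, now) {
  const a = cookie.attributes;
  if (typeof a["max-age"] === "string") return Number(a["max-age"]) / 86400;
  if (typeof a.expires === "string") return (Date.parse(a.expires) - now.getTime()) / 86400000;
  return null;
}

const SIX_MONTHS_DAYS = 183;

function auditCookies(setCookieHeaders, inventory, { consentGiven = false, now = new Date() } = {}) {
  const findings = [];
  for (const header of setCookieHeaders) {
    const cookie = parseSetCookie(header);
    const entry = inventory[cookie.name];
    if (!entry) {
      // Undeclared cookie: a new script or plugin is setting something the banner never mentions.
      findings.push({ cookie: cookie.name, issue: "undeclared", detail: "not in the inventory; classify, disclose and gate it" });
      continue;
    }
    if (entry.category !== "strictly-necessary" && !consentGiven) {
      findings.push({ cookie: cookie.name, issue: "set-before-consent", detail: `${entry.category} cookie (${entry.vendor}) fired before the banner` });
    }
    const days = lifetimeDays(cookie, now);
    if (entry.category === "strictly-necessary" && days !== null && days > SIX_MONTHS_DAYS) {
      findings.push({ cookie: cookie.name, issue: "lifetime-over-6-months", detail: `${Math.round(days)} days; the Belgian checklist caps essential cookies at 6 months` });
    }
  }
  return findings;
}
```

Run it against a capture taken with no consent stored (a fresh browser profile) after every plugin, theme or tag change; a clean result is an empty findings list, and anything else is a banner or tag-manager change that has to ship before the new script does.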
Enforcement is getting sharper
DPAs across the EU have moved past the warning-letter stage. In January 2022, France’s CNIL fined Google €150 million specifically because the site made it harder to reject cookies than to accept them. Meta got a similar order the same month. In 2023, the CNIL fined TikTok €5 million for cookie violations.
Enforcement in 2026 is still applying the same pressure on the same issues: unequal prominence, missing reject options, and consent logs that don’t hold up under scrutiny.
The ePrivacy Regulation withdrawn
The EU’s Digital Omnibus package proposes to simplify consent rules for low-risk cookies. However, the ePrivacy Regulation, intended to replace the Directive and unify rules throughout the EU, had been under negotiation since 2017 but was ultimately withdrawn in 2025.
Ongoing public and regulatory focus suggests that we can anticipate further online privacy debates and subsequent regulations. Until new unified regulations are established, businesses must navigate the existing variety of national implementations. This is why “follow the strictest interpretation” is genuinely useful advice, not just conservative posturing.
Pay-or-consent under pressure
Several publishers have introduced models where users either pay for an ad-free subscription or accept tracking cookies. The EDPB published an opinion in April 2024 concluding that, for large platforms, this model generally does not constitute freely given consent.
Google Consent Mode v2
Google rolled out Consent Mode v2 in 2024, which allows limited conversion modelling and analytics even when a user hasn’t consented to tracking. This does not replace your consent obligations. You still need a compliant banner and consent mechanism.
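How a CMP’s category decisions feed Consent Mode v2, as an added example (not CookieYes or Google code). The `gtag()` shim and the `consent` `default`/`update` commands with the `ad_storage`, `ad_user_data`, `ad_personalization`, `analytics_storage` and `wait_for_update` parameters are Google’s documented interface; the category names and the mapping from categories to signals are constructed for this example.

```javascript
// Added example: send Consent Mode v2 signals from a CMP's category choices.
// In a browser this would be `window.dataLayer = window.dataLayer || []`.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); } // standard dataLayer shim

// Must run before gtag.js loads: every storage signal starts denied. Consent Mode
// only shapes how Google tags behave; it does not replace the banner itself.
function setConsentDefaults() {
  gtag("consent", "default", {
    ad_storage: "denied",
    ad_user_data: "denied",
    ad_personalization: "denied",
    analytics_storage: "denied",
    wait_for_update: 500, // ms to hold tags while the CMP reads the stored choice
  });
}

// Constructed mapping: the marketing category governs the three ad signals and
// the analytics category governs analytics_storage. Anything unset stays denied.
function consentUpdateFromChoices(choices) {
  const signal = (ok) => (ok === true ? "granted" : "denied");
  return {
    ad_storage: signal(choices.marketing),
    ad_user_data: signal(choices.marketing),
    ad_personalization: signal(choices.marketing),
    analytics_storage: signal(choices.analytics),
  };
}

// Call after the user acts in the banner or preference centre, and again on each
// page load from the stored record so the update precedes any tag firing.
function pushConsentUpdate(choices) {
  const update = consentUpdateFromChoices(choices);
  gtag("consent", "update", update);
  return update;
}

// Read back the most recent consent command of a kind; handy for a smoke test
// that the default call really precedes any update in the page.
function latestConsentCommand(kind) {
  for (let i = dataLayer.length - 1; i >= 0; i--) {
    const args = dataLayer[i];
    if (args[0] === "consent" && args[1] === kind) return args[2];
  }
  return null;
}
```

The order matters: the `default` call belongs in the page head ahead of the gtag.js loader, and the `update` only after a real choice, which is why a rejection must map to all signals denied rather than to no update at all.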
Browser-based consent signals
There’s ongoing discussion about whether browser-level privacy signals (like the Global Privacy Control) could count as valid consent under EU law. Some DPAs have expressed interest in recognising these. However, currently, they don’t replace a banner.
Cookie consent requirements by country
Germany
Germany’s cookie consent requirements are governed by the Telecommunications Telemedia Data Protection Act (TTDSG), specifically Section 25, which implements the EU ePrivacy Directive. When personal data is also involved, GDPR applies alongside it.
Consent must be freely given, informed, specific, and unambiguous. In practice, this means:
- Show the cookie banner before any non-essential cookies load.
- Give equal prominence to accept and reject options — combining “Accept all” with a low-visibility “Settings” link is not valid.
- Scrolling, clicking, or continued browsing does not count as consent.
- Cookie walls are generally not permitted unless users can close the banner in a single step and continue using the site.
- Users must be able to withdraw consent just as easily as they gave it.
Norway
Norway is not an EU member, but as part of the European Economic Area (EEA), it applies GDPR through its Personal Data Act. Norway’s cookie consent rules are set by the Electronic Communications Act and supervised by Nkom (for electronic communications) and Datatilsynet (the Norwegian DPA).
Nkom’s guidelines recommend GDPR-standard consent even where the law technically permits browser presets as consent. In practice, that means:
- Provide easy consent withdrawal.
- Obtain explicit, specific consent before placing non-essential cookies.
- Inform users what cookies are used, what data they collect, why, and who processes it.
- Make this information readily visible via a cookie pop-up, a footer link, or a front-page text box.
- No pre-checked boxes.
Belgium
Belgium implements GDPR through the Data Privacy Act (2018) and the EU ePrivacy Directive through the Electronic Communications Act (2015). The Belgian Data Protection Authority (BDPA) issued a cookie checklist in October 2023 that sets out concrete expectations.
Belgian cookie consent rules are notably strict on categorization and cookie design. Key requirements:
- Obtain free, specific, informed, and unambiguous consent before placing any non-essential cookies.
- Include both an “Accept all” and a “Reject all non-essential cookies” button in the same banner layer (not buried in a second step).
- No cookie walls, deceptive design, or pre-checked boxes.
- Users must be able to consent by purpose separately; a single cookie cannot serve multiple purposes.
- Browser presets do not count as valid consent.
- Limit essential cookies (like consent preference storage) to no more than 6 months.
- Consent cannot be bundled with acceptance of a privacy policy or terms of service.
Italy
Italy’s cookie consent rules are set by the Garante (Italy’s Data Protection Authority) and draw on GDPR Articles 4(11), 7, 12, 13, and 25, as well as Section 122 of the Italian data protection code.
The Garante places particular emphasis on banner design, analytics cookie handling, and ongoing consent management:
- Display a prominent cookie banner when any user first arrives and before any optional cookies load.
- Consent must be freely given, informed, specific, and unambiguous. Scrolling and inactivity are not valid.
- Cookie walls are non-compliant unless the site offers genuinely equivalent content without cookies.
- Users must be able to update their choices at any time, ideally via a persistent icon or footer link on every page.
- When users close the banner with the “X” button, the default must stay as no consent for optional cookies.
- Re-prompting consent is acceptable after approximately 6 months, or if there are significant changes to how data is used.
- Provide granular consent. Users should be able to accept individual cookie categories, not just “accept all.”
EU cookie compliance checklist
- Complete your cookie audit and classify all cookies by purpose
- Document strictly necessary cookies in the privacy/cookie policy
- Deploy a CMP with third-party script blocking configured
- Show accept and reject options with equal visual prominence in the banner
- Toggle non-essential cookies off by default in the banner
- Allow granular, per-category consent in the preference centre
- Log consent records with timestamps and the banner version
- Link the cookie policy from the banner
- Schedule a quarterly re-audit
- Review compliance after adding any new third-party scripts
FAQs on EU cookie compliance
Do I need a cookie banner if my site only uses strictly necessary cookies?
No consent is required for strictly necessary cookies, but you do need to disclose them, usually in a cookie policy. If your site genuinely uses no non-essential cookies, you don’t need a consent banner, but you should document this in case you’re ever asked to prove it.
Does GDPR apply to a website based outside the EU?
Yes, if you target EU residents or process their data. This is Article 3(2) of the GDPR. The test is whether you offer goods or services to people in the EU, or monitor their behaviour. If you run a website accessible in Europe and collect any data about visitors, GDPR almost certainly applies.
Are analytics cookies exempt from consent?
No. Analytics cookies are classified as performance or measurement cookies and require consent in the EU. The fact that you want the data doesn’t make the service unable to function without it.
Can I rely on legitimate interest instead of consent for cookies?
For cookies that involve processing personal data, the CJEU’s Planet49 ruling and subsequent guidance from DPAs make clear that consent is required. Legitimate interest is not a valid basis for non-essential cookies under the ePrivacy Directive.
What are the penalties for non-compliance?
Fines under GDPR go up to €20 million or 4% of global annual turnover, whichever is higher. Cookie violations have hit that level: Google’s €150 million CNIL fine in 2022 was specifically about cookie consent banner design. Beyond financial penalties, regulators can issue orders requiring practice changes within a set timeframe, sometimes within weeks.
How long does cookie consent last?
Consent has a shelf life. Twelve months is the norm, and once that’s up, you need to re-obtain it. If you deploy a new advertising platform or analytics tool, update your banner and recollect consent.