Cookie Consent in 2026: What's Changed and What to Do About It
Regulators have tightened the screws on cookie walls, pre-ticked boxes, and dark patterns. We break down the latest enforcement actions and what a compliant consent UX actually looks like.
The Cookie Consent Enforcement Wave
After years of largely tolerated non-compliance, European data protection authorities have made cookie consent enforcement a top priority. The French CNIL has issued landmark fines against major technology companies for consent mechanisms that failed to make refusing cookies as easy as accepting them. The Belgian DPA, Italian Garante, and German data protection authorities have followed with their own enforcement actions.
The pattern is consistent: organisations face scrutiny not because they are collecting cookies without any consent mechanism, but because their consent mechanisms employ dark patterns — design choices that nudge users toward consent, make refusal difficult or buried, or fail to honour stated preferences. Superficial compliance is no longer adequate.
What Dark Patterns Look Like in Practice
Dark patterns in cookie consent come in many forms. The classic example is the cookie banner that presents a large, prominent 'Accept All' button alongside a small, grey 'Manage preferences' link that leads through multiple screens before a user can refuse. Research consistently shows that this design significantly inflates apparent consent rates, but regulators have determined that consent obtained this way is not valid.
Other dark patterns include: pre-ticked checkboxes for non-essential cookie categories; 'pay or consent' models that make service access contingent on accepting advertising cookies; banners that disappear when clicked outside rather than when a preference is actively expressed; and deceptive language that makes 'accept' seem like a default action rather than a choice.
The Legal Standard for Valid Cookie Consent
Under the GDPR and the ePrivacy Directive, valid consent for cookies must meet the same standard as consent for any other processing: it must be freely given, specific, informed, and unambiguous. The EDPB's guidance on cookies is clear that a user scrolling past a banner or continuing to use a website does not constitute valid consent.
The 'freely given' requirement has particularly significant implications for cookie walls — requiring cookie consent as a condition of accessing a service. The EDPB and multiple national DPAs have found that cookie walls do not constitute freely given consent unless a genuine equivalent alternative is offered. For many ad-supported businesses, this means a fundamental rethink of their revenue and consent models.
What a Compliant Consent UX Looks Like
A compliant consent mechanism presents users with a genuine choice between accepting and refusing non-essential cookies in a single step. The 'accept' and 'refuse' options must be presented with equal visual prominence — same button size, same colour treatment, same position hierarchy. Users who choose to manage preferences granularly should be able to do so, but this should not be the only path to refusal.
The consent mechanism must clearly explain what each category of cookies does and who the third-party cookies serve. Consent must be renewed periodically — the CNIL recommends consent is renewed at least every 13 months. Users must be able to withdraw consent as easily as they gave it, which typically means a persistent 'cookie preferences' link in the site footer.
Technical Implementation: Performance and Compliance
Many consent management platforms impose meaningful performance penalties — loading time, Core Web Vitals scores, and user experience all suffer when a poorly implemented consent banner blocks page rendering. This creates a false tension between compliance and performance that drives some teams to implement non-compliant mechanisms to avoid the performance cost.
Well-implemented consent management does not require this tradeoff. A compliant cookie banner can be served non-blocking, with cookies that require consent simply not loaded until consent is obtained. Technical implementation choices — edge caching, async loading, lightweight JavaScript — matter significantly for both compliance and performance.
Beyond EU: DPDP, CCPA, and Global Consent
Cookie consent obligations are not limited to Europe. India's DPDP Act requires consent for the processing of personal data, which encompasses analytics and advertising cookies that collect behavioural data. The California Consumer Privacy Act (CCPA) and its successor CPRA require a 'Do Not Sell or Share My Personal Information' opt-out mechanism for California residents.
For global websites, this means a consent management strategy that handles multiple regulatory regimes simultaneously — presenting GDPR-style opt-in consent to EU visitors, CCPA opt-out mechanisms to California visitors, and DPDP-compliant consent to Indian visitors. This requires a sophisticated consent management platform that can detect user location, apply the correct consent model, and orchestrate third-party cookie loading accordingly.
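The gating described under Technical Implementation ("not loaded until consent is obtained") combined with the per-regime models above, as an added example that is not the article's or any vendor's code. The regime-to-model table, the tag names and the 395-day approximation of the 13-month renewal interval are assumptions.

```javascript
// Added example: regime-aware consent gate. All names are hypothetical.
const MS_PER_DAY = 24 * 60 * 60 * 1000;
// Assumption: 13 months approximated as 395 days.
const CONSENT_MAX_AGE_MS = 395 * MS_PER_DAY;

// Simplified mapping of the regimes the article names to a consent model.
const REGIME_MODEL = { GDPR: "opt-in", DPDP: "opt-in", CCPA: "opt-out" };

// Constructed tag inventory: each tag declares the cookie category it needs.
const TAGS = [
  { id: "session", category: "essential" },
  { id: "analytics", category: "analytics" },
  { id: "ads", category: "advertising" },
];

// record: { choices: { analytics: true|false, ... }, givenAt: epochMs } or null.
function isCurrent(record, now) {
  return !!record && now - record.givenAt < CONSENT_MAX_AGE_MS;
}

// Returns the ids of tags that may load now, and whether the banner must be shown.
function decide(regime, record, now, tags = TAGS) {
  const model = REGIME_MODEL[regime] || "opt-in"; // unknown regime: strictest model
  const current = isCurrent(record, now);
  const allowed = tags
    .filter((tag) => {
      if (tag.category === "essential") return true;
      const choice = record ? record.choices[tag.category] : undefined;
      if (choice === false) return false;         // a refusal or opt-out never expires
      if (choice === true && current) return true; // explicit, unexpired consent
      return model === "opt-out";                  // no valid choice: load only under opt-out
    })
    .map((tag) => tag.id);
  // Opt-in regimes ask on first visit and again once the stored record has expired.
  const showBanner = model === "opt-in" && !current;
  return { allowed, showBanner };
}
```

In a page, the loader would inject only the scripts whose ids appear in `allowed`, asynchronously, so the banner never blocks rendering.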
Auditing Your Current Cookie Implementation
Before implementing changes, audit your current cookie implementation. A cookie scanner will reveal every cookie being set on your domain, including third-party cookies loaded via marketing and analytics tags into which you may not have full visibility. Map each cookie to its category, and record whether your consent mechanism currently captures consent before that cookie is set.
Pay particular attention to cookies loaded via tag managers, where a marketing team adding a new analytics tool may inadvertently create a compliance gap without involving the privacy team. Implement a governance process requiring privacy review before any new cookie-setting technology is activated.
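The audit mapping described above, as an added example that is not from the article or any scanner product. It assumes the scanner can report when each cookie first appeared during a scripted visit; the cookie names, the category register and the observations are constructed.

```javascript
// Added example: audit pass over cookie-scanner output. All names and data are constructed.
// Category register maintained by the privacy team (hypothetical cookie names).
const CATEGORY_BY_COOKIE = {
  sid: "essential",
  consent_state: "essential",
  _stats_id: "analytics",
  _ad_uid: "advertising",
};

// Constructed observations: when each cookie first appeared during a scripted visit,
// in ms since navigation start, and what set it.
const OBSERVATIONS = [
  { name: "sid", setAt: 40, source: "first-party" },
  { name: "_stats_id", setAt: 310, source: "tag-manager" },
  { name: "_ad_uid", setAt: 2900, source: "tag-manager" },
  { name: "_heatmap", setAt: 350, source: "tag-manager" },
];

// consentAt: ms since navigation start when the scripted visitor accepted,
// or null for a visit in which the visitor refused.
function auditCookies(observations, consentAt, register = CATEGORY_BY_COOKIE) {
  const findings = [];
  for (const obs of observations) {
    const known = Object.prototype.hasOwnProperty.call(register, obs.name);
    if (!known) {
      // Not in the register: nobody has reviewed this cookie yet.
      findings.push({ cookie: obs.name, issue: "uncategorised", source: obs.source });
      continue;
    }
    const category = register[obs.name];
    const beforeConsent = consentAt === null || obs.setAt < consentAt;
    if (category !== "essential" && beforeConsent) {
      findings.push({ cookie: obs.name, issue: "set-without-consent", category, source: obs.source });
    }
  }
  return findings;
}
```

Run it once with an accepting visit and once with `consentAt` set to `null`; any non-essential cookie reported in the refusing run is being set despite the visitor's refusal.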