TrustYourWebsite

Cookie Banner Requirements 2026: What Actually Counts

15 April 2026

Most cookie banners on European websites don't meet the legal requirements. They look compliant. They have buttons and checkboxes. But they fail on the details that regulators actually check.

The Dutch Autoriteit Persoonsgegevens warned 100+ companies about non-compliant cookie banners in late 2024. The Belgian DPA has fined multiple websites. The French CNIL fined Google 150 million euros and Facebook 60 million euros for making it harder to reject cookies than to accept them.

Your banner probably has at least one of these problems. Here's what the rules actually require.

What the EDPB guidelines say

The European Data Protection Board published Guidelines 05/2020 on consent under GDPR. These are the authoritative reference for cookie consent across Europe. National data protection authorities follow them when enforcing.

The key requirements:

Consent must be freely given. The visitor must have a genuine choice. If rejecting cookies is harder or more time-consuming than accepting them, consent isn't free. If the visitor has to click through multiple screens to reject but only one to accept, that's not genuine choice.

Consent must be specific. A single "accept all" button covering analytics, marketing, social media and preference cookies isn't specific consent on its own. An accept-all shortcut is allowed, but visitors must also be able to choose per category (or per purpose) which cookies they accept.

Consent must be informed. The visitor needs to know what they're agreeing to before they agree. Which cookies? What purpose? Who receives the data? How long do the cookies last?

Consent must be unambiguous. This means a clear affirmative action. Scrolling the page is not consent. Continuing to browse is not consent. Pre-ticked checkboxes are not consent. The CJEU confirmed this in Planet49 case C-673/17 in October 2019.

The reject button requirement

This is where most cookie banners fail.

The visitor must be able to refuse non-essential cookies as easily as they can accept them. The EDPB has been explicit about this. The CNIL enforcement actions against Google and Facebook were specifically about this point.

What this means in practice:

A reject button must be visible on the first layer of the banner. Not hidden behind a "manage preferences" link. Not buried in settings. Right there next to the accept button.

The reject button must be equally prominent. Same size, same visual weight. A big green "Accept All" button next to a tiny grey "Manage" link fails this test. A bright "Accept" button next to a muted "Reject" button in a smaller font fails too.

Rejecting must take the same number of clicks as accepting. If accepting is one click, rejecting must be one click. If a visitor has to click "Manage preferences," then uncheck each category individually, then click "Save" to reject, that's three clicks versus one. That fails.

Run a free scan to see how your cookie banner measures up.

Pre-ticked boxes are illegal

The CJEU ruled on this clearly in Planet49 C-673/17. Pre-ticked checkboxes do not constitute valid consent. The visitor must actively check the box themselves.

This applies to:

  • Cookie category checkboxes in your consent banner
  • Newsletter signup checkboxes during checkout
  • Marketing communication preferences anywhere on your site

If your cookie management platform has categories pre-selected to "on" and asks visitors to toggle them off, that's not valid consent. The default state must be off.

What "strictly necessary" means

You don't need consent for cookies that are strictly necessary for the service the visitor explicitly requested. But this category is narrower than most website owners think.

Strictly necessary cookies include:

  • Session cookies that keep a visitor logged in
  • Shopping cart cookies in an online store
  • Load balancing cookies
  • Cookies that remember cookie consent preferences

Strictly necessary cookies do NOT include:

  • Google Analytics or any analytics platform
  • Facebook Pixel or any advertising tracker
  • Hotjar, Clarity or session recording tools
  • Social media sharing widgets
  • A/B testing tools
  • Chat widgets that track visitors across pages

A common mistake: labelling analytics cookies as "strictly necessary" or "functional." Google Analytics is not necessary for your website to work. It's useful to you. That's not the same thing.

The Dutch AP and the Belgian DPA have both specifically called out websites that miscategorise analytics cookies. If you're not sure whether a cookie is strictly necessary, it probably isn't.

Can you use a cookie wall?

Generally no. The EDPB guidelines say that a cookie wall, where access to the website is blocked entirely unless the visitor accepts cookies, does not produce freely given consent.

If the visitor has no choice but to accept or leave, consent isn't "freely given" under GDPR Article 7.

There's a narrow exception for paid content sites that offer a cookie-free alternative at a reasonable price. But for a normal business website, blocking access until consent is not allowed.

Common CMP misconfiguration: informational mode

Many consent management platforms have an "informational mode" or "notice-only mode." In this configuration, the banner displays a message about cookies and has an "OK" or "Got it" button. But it doesn't actually block any cookies. All tracking fires immediately on page load, regardless of whether the visitor clicks anything.

This is not compliant. It's window dressing.

A compliant setup must:

  1. Block all non-essential cookies by default
  2. Only fire non-essential cookies after the visitor gives affirmative consent
  3. Respect the visitor's choice if they reject or close the banner

Check your CMP configuration. Open the site in a fresh browser profile (or a private window with no extensions) and watch the Network tab in the developer tools, plus the cookie list under Application > Cookies, before you click anything. If requests go out to Google Analytics, Facebook Pixel or advertising networks, or their cookies appear, before you interact with the banner, your CMP is in informational mode or misconfigured. Look at requests as well as cookies: a tracking pixel sends data whether or not it manages to set a cookie.

Our cookie checker tool tests for exactly this. It loads your site with no prior cookies and checks what fires before any consent is given.
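The check above can be automated. The script below is an added example, not part of this article or of any scanning product. It takes the request URLs and cookies observed on a first, uninteracted page load (collected, for instance, with Playwright's `page.on('request')` and `context.cookies()` in a fresh browser context, or read from a DevTools HAR export) and flags anything matching a known tracker before consent. The signature table covers only the vendors named in this article; the sample traffic, the `shop.example` first-party host, the CMP host `cdn.example-cmp.test` and the measurement IDs are constructed for the example.

```javascript
// Pre-consent tracker audit. Added example, not code from this article or any product.
// Input: request URLs and cookies observed on a fresh first load, BEFORE any click on
// the banner. Anything matching a known tracker at that point is a violation.

const TRACKER_HOSTS = [
  { suffix: "google-analytics.com", vendor: "Google Analytics", category: "analytics" },
  // gtag.js / gtm.js: the loader itself is acceptable only if every tag inside it is
  // gated on consent, so flag it and have someone look at the container.
  { suffix: "googletagmanager.com", vendor: "Google Tag Manager / gtag.js", category: "analytics" },
  { suffix: "connect.facebook.net", vendor: "Meta Pixel", category: "marketing" },
  { suffix: "facebook.com", vendor: "Meta Pixel", category: "marketing" },
  { suffix: "hotjar.com", vendor: "Hotjar", category: "analytics" },
  { suffix: "clarity.ms", vendor: "Microsoft Clarity", category: "analytics" },
  { suffix: "doubleclick.net", vendor: "Google Ads", category: "marketing" },
];

// Tracker cookies are matched by name regardless of domain: _ga and _fbp are set by
// JavaScript on the site's own domain, so "first party" proves nothing.
const TRACKER_COOKIES = [
  { pattern: /^_ga(_|$)/, vendor: "Google Analytics", category: "analytics" },
  { pattern: /^_gid$/, vendor: "Google Analytics", category: "analytics" },
  { pattern: /^_fb[pc]$/, vendor: "Meta Pixel", category: "marketing" },
  { pattern: /^_hj/, vendor: "Hotjar", category: "analytics" },
  { pattern: /^_cl(ck|sk)$/, vendor: "Microsoft Clarity", category: "analytics" },
  { pattern: /^IDE$/, vendor: "Google Ads", category: "marketing" },
];

function hostMatches(host, suffix) {
  return host === suffix || host.endsWith("." + suffix);
}

// requests: array of URL strings; cookies: array of { name, domain }.
// firstPartyHost and allowHosts (e.g. the CMP's own CDN) are never flagged.
// Unknown third parties go to a "review" list rather than being called violations.
function auditPreConsent({ firstPartyHost, allowHosts = [], requests, cookies }) {
  const violations = [];
  const review = [];
  for (const url of requests) {
    const host = new URL(url).hostname;
    if (hostMatches(host, firstPartyHost) || allowHosts.some((a) => hostMatches(host, a))) continue;
    const hit = TRACKER_HOSTS.find((t) => hostMatches(host, t.suffix));
    if (hit) violations.push({ type: "request", vendor: hit.vendor, category: hit.category, evidence: url });
    else review.push({ type: "request", vendor: "unknown third party", evidence: url });
  }
  for (const c of cookies) {
    const hit = TRACKER_COOKIES.find((t) => t.pattern.test(c.name));
    if (hit) violations.push({ type: "cookie", vendor: hit.vendor, category: hit.category, evidence: `${c.name} on ${c.domain}` });
  }
  const vendors = [...new Set(violations.map((v) => v.vendor))].sort();
  return { compliant: violations.length === 0, violations, review, vendors };
}

// Constructed sample: what a CMP in "informational mode" looks like on first load.
const SAMPLE_INFORMATIONAL_MODE = {
  firstPartyHost: "shop.example",
  allowHosts: ["cdn.example-cmp.test"],
  requests: [
    "https://shop.example/",
    "https://shop.example/static/app.js",
    "https://cdn.example-cmp.test/cmp.js",
    "https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE1",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-EXAMPLE1&en=page_view",
    "https://connect.facebook.net/en_US/fbevents.js",
    "https://www.facebook.com/tr/?id=1234567890&ev=PageView",
    "https://fonts.gstatic.com/s/inter/v1/font.woff2",
  ],
  cookies: [
    { name: "PHPSESSID", domain: "shop.example" },
    { name: "cookie_consent", domain: "shop.example" },
    { name: "_ga", domain: ".shop.example" },
    { name: "_ga_EXAMPLE1", domain: ".shop.example" },
    { name: "_fbp", domain: ".shop.example" },
  ],
};

// Constructed sample: the same site with non-essential tags correctly held back.
const SAMPLE_BLOCKED_UNTIL_CONSENT = {
  firstPartyHost: "shop.example",
  allowHosts: ["cdn.example-cmp.test"],
  requests: ["https://shop.example/", "https://shop.example/static/app.js", "https://cdn.example-cmp.test/cmp.js"],
  cookies: [{ name: "PHPSESSID", domain: "shop.example" }, { name: "cookie_consent", domain: "shop.example" }],
};

console.log(JSON.stringify(auditPreConsent(SAMPLE_INFORMATIONAL_MODE), null, 2));
```

On the first sample the audit reports seven violations (four tracker requests and three tracker cookies) from Google Analytics, the gtag.js loader and Meta Pixel, with the font request left for manual review; the second sample passes. Run it against a real capture only after the page has fully loaded and before any interaction, otherwise tags that fire on a timer or on scroll are missed.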

Cookie banner checklist

  1. A clear "Reject All" or "Refuse" button on the first screen
  2. The reject button is as easy to find and click as the accept button
  3. All non-essential cookie categories default to off
  4. No pre-ticked boxes
  5. A clear description of each cookie category and its purpose
  6. No non-essential cookies fire until the visitor makes a choice
  7. The banner appears on first visit and doesn't reappear until consent expires
  8. Visitors can change their preferences later
  9. Consent records (what was chosen, when, and under which banner version) are stored for accountability
  10. The banner itself doesn't block the entire page from view
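Items 3, 4, 6, 8 and 9 of this checklist, and the three rules for a compliant setup in the informational-mode section above, come down to one mechanism: no non-essential tag runs until the visitor's affirmative choice has been recorded, and that record is what later page loads consult. The JavaScript below is an added example of that mechanism, not the code of any real CMP or of this site's scanner. It runs in Node without a DOM: the loader callbacks stand in for injecting script tags, the storage object stands in for a first-party cookie or localStorage, and the 180-day re-consent period and the `cookie_consent` key are assumptions.

```javascript
// Consent-gated tag loading: the mechanism a correctly configured CMP implements.
// Added example, not code from any real CMP. Node-runnable; no DOM needed.

const NON_ESSENTIAL = ["analytics", "marketing", "preferences"];
const CONSENT_TTL_MS = 180 * 24 * 60 * 60 * 1000; // assumption: ask again after 6 months
const STORAGE_KEY = "cookie_consent";               // assumption: name of the first-party record

class ConsentManager {
  // storage: anything with get(key)/set(key, value); a Map here, a cookie or
  // localStorage wrapper in the browser. now() is injectable so expiry is testable.
  constructor(storage, { now = () => Date.now(), bannerVersion = "1" } = {}) {
    this.storage = storage;
    this.now = now;
    this.bannerVersion = bannerVersion;
    this.pending = []; // tags registered while their category is not granted
    this.loaded = [];  // names of tags that actually fired, in order
    const raw = storage.get(STORAGE_KEY);
    this.state = raw ? JSON.parse(raw) : null; // null = no choice yet: everything non-essential is OFF
  }

  // Show the banner when there is no record, the banner version changed, or consent expired.
  needsBanner() {
    if (!this.state || this.state.version !== this.bannerVersion) return true;
    return this.now() - this.state.timestamp > CONSENT_TTL_MS;
  }

  granted(category) {
    if (category === "necessary") return true; // strictly necessary: no consent needed
    if (this.needsBanner()) return false;        // no valid record: the default is OFF
    return this.state.categories[category] === true;
  }

  // Register a tag under a category. It fires now only if that category is already granted.
  register(name, category, loader) {
    if (category !== "necessary" && !NON_ESSENTIAL.includes(category)) {
      throw new Error(`unknown category ${category}`); // misfiled tags are the common mistake
    }
    if (this.granted(category)) {
      loader();
      this.loaded.push(name);
    } else {
      this.pending.push({ name, category, loader });
    }
  }

  acceptAll() { this.save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true])), "accept_all"); }
  rejectAll() { this.save(Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false])), "reject_all"); }

  // One affirmative action: write the record (the accountability evidence), then release
  // only the tags whose category was granted. Anything absent from `categories` stays off.
  save(categories, action = "custom") {
    const chosen = {};
    for (const c of NON_ESSENTIAL) chosen[c] = categories[c] === true;
    this.state = { categories: chosen, action, timestamp: this.now(), version: this.bannerVersion };
    this.storage.set(STORAGE_KEY, JSON.stringify(this.state));
    const stillPending = [];
    for (const tag of this.pending) {
      if (chosen[tag.category]) { tag.loader(); this.loaded.push(tag.name); }
      else stillPending.push(tag);
    }
    this.pending = stillPending; // rejected tags stay parked until the visitor changes their mind
  }
}

// Walk through a first visit, a rejection, a later change of mind, a return visit and expiry.
function demo() {
  const t0 = 1700000000000;
  const storage = new Map();
  const noop = () => {};

  const cmp = new ConsentManager(storage, { now: () => t0 });
  cmp.register("session", "necessary", noop);
  cmp.register("google-analytics", "analytics", noop);
  cmp.register("facebook-pixel", "marketing", noop);
  const beforeChoice = [...cmp.loaded];        // only the session tag fired

  cmp.rejectAll();
  const afterReject = [...cmp.loaded];         // still only the session tag
  cmp.register("hotjar", "analytics", noop);   // registered after rejection: held, not fired
  const afterLateRegister = [...cmp.loaded];

  cmp.save({ analytics: true });               // visitor later opts in to analytics only
  const afterChange = [...cmp.loaded];         // marketing stays off

  const returning = new ConsentManager(storage, { now: () => t0 + 1000 });
  const expired = new ConsentManager(storage, { now: () => t0 + CONSENT_TTL_MS + 1 });
  return {
    beforeChoice, afterReject, afterLateRegister, afterChange,
    record: JSON.parse(storage.get(STORAGE_KEY)),
    returningNeedsBanner: returning.needsBanner(),
    returningMarketing: returning.granted("marketing"),
    expiredNeedsBanner: expired.needsBanner(),
    expiredAnalytics: expired.granted("analytics"),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points matter here. First, `register()` never fires a tag on the strength of a missing or expired record, so a visitor who ignores or closes the banner gets exactly the same treatment as one who rejects. Second, the record stores the action, timestamp and banner version rather than a bare "consented" flag, which is what you need when a regulator asks what a visitor agreed to and when.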

If you need a cookie banner in the first place, that is. If your site doesn't use any non-essential cookies, you might not need one at all. Check our guide on whether you need a cookie banner to find out.

What happens if your banner isn't compliant

Enforcement varies by country but it's increasing across Europe.

The Dutch AP has moved from warnings to fines. They've specifically targeted cookie banners that lack a reject button or that use dark patterns to steer visitors toward accepting.

The CNIL in France has issued the largest cookie-related fines: 150 million euros for Google, 60 million euros for Facebook, 40 million euros for Criteo. These are big companies, but the CNIL has also fined smaller organizations.

The Belgian DPA fined a newspaper website 50,000 euros for non-compliant cookie consent. They've issued multiple decisions against websites of all sizes.

For small businesses, the risk isn't a massive fine. It's a warning or a complaint that forces you to fix things under pressure, plus potential compensation claims from individuals. Getting it right from the start costs nothing extra.

Common Questions

Does scrolling or continuing to browse count as consent?

No. Scrolling or continuing to use the website is not valid consent under GDPR. The CJEU Planet49 ruling requires a clear affirmative action. The visitor must click a button that specifically indicates they agree.

How long does cookie consent last?

The EDPB hasn't set a fixed duration, but most data protection authorities consider 6 to 12 months reasonable. After that, you should ask again. Some CMPs default to 365 days, which is generally accepted. Ask again sooner if you add new purposes or vendors, because the earlier consent didn't cover them.

Do I need consent for Google Analytics?

Yes. Google Analytics sets non-essential cookies and sends visitor data to Google, so you need consent before loading it. If you'd rather not run a banner at all, cookieless analytics tools such as Plausible or Fathom are designed to work without consent. Check your own DPA's position before relying on that: the ePrivacy rules cover any storage of or access to information on the visitor's device, not only cookies, and the audience-measurement exemptions some authorities allow (the CNIL's, for example) come with strict conditions.

My CMP vendor says their tool is GDPR compliant. Is that enough?

No. A CMP is a tool. Whether it's compliant depends on how you configure it. Most cookie banner violations come from misconfiguration, not from the software itself. You need to verify that your setup actually blocks cookies before consent.


Check your website now

Scan your website for cookie consent issues and other compliance problems, free in 2 minutes.
