Everything you need to know about GDPR cookie consent in 2026: a practical checklist, legal requirements explained, country-specific rules, and upcoming regulatory changes.
GDPR Cookie Consent Checklist (2026): Complete Guide with Latest EU Guidance
Cookie consent is one of the most actively enforced areas of GDPR in Europe right now. Getting it wrong can result in fines of up to €20 million or 4% of global annual turnover, and regulators across the EU are coordinating cross-border audits more frequently than ever.
With the EU GDPR reform proposal now in the legislative process and the long-awaited ePrivacy Regulation formally withdrawn in February 2025, the rules are not getting simpler. But the fundamentals of what makes consent valid have not changed, and this guide will walk you through them clearly.
Whether you run a small business website or manage compliance across multiple domains, this checklist covers everything you need: what valid GDPR cookie consent looks like, what the Planet49 ruling changed, how requirements differ across EU countries, and what is coming next in 2026 and beyond.
What is GDPR cookie consent?
GDPR cookie consent is the process by which websites obtain permission from visitors before setting non-essential cookies or similar tracking technologies. Under GDPR and the ePrivacy Directive, this permission must be freely given, specific, informed, and unambiguous. Silence, pre-ticked boxes, and continued browsing do not count as consent. Consent must also be recorded and revocable at any time.
The GDPR cookie consent checklist
Use this checklist to review your current cookie consent setup. Each item maps to a specific GDPR or ePrivacy Directive requirement, or to active enforcement priorities across EU regulators.
Legal basis and consent mechanics
☑ Non-essential cookies are blocked before consent is obtained
☑ Consent is collected via a clear affirmative action (no pre-ticked boxes, no implied consent through scrolling)
☑ The consent banner appears on the first visit, before any non-essential cookies are set
☑ "Accept all" and "Reject all" options are presented with equal visual prominence (same size, colour, and position)
☑ No cookie walls: access to content is not conditional on accepting non-essential cookies
☑ Users can withdraw consent as easily as they gave it, via a preference centre accessible from every page
If your website is not yet blocking cookies before consent is given, Clym's Consent Management Platform can help you configure this automatically, including blocking third-party scripts until a visitor has made their choice.
Transparency and information
☑ Visitors are informed about the categories of cookies used (analytics, advertising, personalisation, etc.)
☑ The purpose of each cookie category is explained in plain language
☑ Cookie lifespan and retention periods are disclosed for each category
☑ Third parties who receive personal data via cookies are identified
☑ A link to your full cookie policy is included in the consent banner
Granular consent
☑ Consent is collected separately for each distinct purpose, not bundled together
☑ Users can accept some categories and reject others ("all or nothing" is not acceptable)
☑ Consent preferences are stored and respected across sessions
☑ Users can update or change their preferences at any time via a preference centre
Consent records and accountability
☑ A timestamped record of each consent interaction is stored
☑ Records include: what the user consented to, when, which version of the banner was shown, and a session identifier
☑ Consent records can be produced on request to demonstrate compliance to a data protection authority
☑ Records are stored securely with appropriate retention periods
☑ Consent is refreshed after 12 months or when the consent notice materially changes
Technical implementation
☑ Third-party scripts are blocked by default until consent is given
☑ Your consent management platform integrates with Google Consent Mode v2 (required for GA4 and Google Ads)
☑ IAB TCF integration is in place if your site participates in programmatic advertising
☑ Global Privacy Control (GPC) signals are honoured as an opt-out where applicable
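The two items above that have a direct technical shape are blocking third-party scripts until consent exists and honouring a Global Privacy Control signal. The following is an added example, not Clym's code nor any CMP's API, showing one way a site can implement both: scripts are shipped as inert `text/plain` placeholders tagged with a category, and only those categories the visitor has opted into (and that GPC has not opted out of) are turned into real script elements. The category names, the `data-consent-category` and `data-src` attributes, and the stored-consent object shape are assumptions made for this example; with no stored choice at all, nothing non-essential runs, which is the prior-consent rule from the checklist.

```javascript
// Added example (not Clym's code): consent-gated script activation that
// honours a Global Privacy Control (GPC) signal. Category names, the data-*
// attributes and the stored consent shape are this example's assumptions.

const NON_ESSENTIAL = ["analytics", "advertising", "personalisation"];

// Work out which categories may run. With no stored choice, only strictly
// necessary scripts are allowed (prior consent). A GPC signal is treated as an
// opt-out of every non-essential category, whatever was stored earlier.
function effectivePermissions(storedConsent, gpcSignal) {
  const perms = { necessary: true };
  const stored = storedConsent !== null && typeof storedConsent === "object" ? storedConsent : {};
  for (const cat of NON_ESSENTIAL) {
    perms[cat] = stored[cat] === true && gpcSignal !== true;
  }
  return perms;
}

// Each script is described by its category and source. Unknown or missing
// categories are not in `perms`, so a mislabelled tag fails closed (blocked)
// rather than open.
function selectActivatable(scripts, perms) {
  return scripts.filter((s) => perms[s.category] === true).map((s) => s.src);
}

// Browser glue: placeholders look like
//   <script type="text/plain" data-consent-category="analytics" data-src="https://example.invalid/a.js"></script>
// which the browser never executes. After a consent decision, allowed ones are
// replaced by real script elements. Returns the number of scripts activated.
function activateScripts(doc, storedConsent, gpcSignal) {
  const perms = effectivePermissions(storedConsent, gpcSignal);
  const placeholders = Array.from(
    doc.querySelectorAll('script[type="text/plain"][data-consent-category]')
  );
  const descriptors = placeholders.map((el) => ({
    category: el.dataset.consentCategory,
    src: el.dataset.src,
    el,
  }));
  const allowed = new Set(selectActivatable(descriptors, perms));
  let activated = 0;
  for (const d of descriptors) {
    if (!allowed.has(d.src)) continue;
    const real = doc.createElement("script");
    real.src = d.src;
    real.async = true;
    d.el.replaceWith(real);
    activated += 1;
  }
  return activated;
}

// Only runs in a browser. navigator.globalPrivacyControl is the GPC signal
// exposed by supporting browsers; the localStorage key is an assumption.
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const stored = JSON.parse(window.localStorage.getItem("consent-choices") || "null");
  activateScripts(document, stored, navigator.globalPrivacyControl === true);
}
```

The decision logic is kept in pure functions (`effectivePermissions`, `selectActivatable`) so it can be unit-tested without a DOM, and the DOM step only ever promotes placeholders the decision has allowed; a tag with a typo in its category stays inert instead of loading by accident.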
Jurisdiction and country-specific requirements
☑ Your consent approach adapts to the visitor's jurisdiction (opt-in for EU/UK, appropriate model for other regions)
☑ UK GDPR and PECR requirements are addressed for UK visitors post-Brexit
☑ German ePrivacy Act (TTDSG) requirements are met for German visitors
☑ French CNIL requirements for symmetrical button design are in place
☑ Your consent banner avoids all dark patterns as defined by EDPB guidelines
GDPR cookie consent requirements explained
The checklist above is only useful if you understand what sits behind each item. Here is a plain-language explanation of each core requirement.
1. Prior consent: block cookies before anyone opts in
Non-essential cookies must not be set until a visitor has actively given their consent. This sounds obvious, but many websites still load analytics or advertising cookies on page load while a banner is displayed. That is a violation, and it is one of the most commonly cited issues in DPA investigations.
Essential cookies, meaning those strictly necessary for your website to function (such as session cookies, login cookies, and shopping cart cookies), do not require consent. But they must be documented in your cookie policy.
Clym's RealtimeCompliance™ technology automatically detects over 1,200 third-party services and cookies on your website and blocks them until a visitor makes their choice, without you needing to manage each one manually.
2. Freely given consent
Consent is only freely given when there is a genuine choice with no penalty for refusing. This rules out several common practices:
Cookie walls: blocking access to your website unless visitors accept non-essential cookies is not valid consent. The European Data Protection Board (EDPB) has confirmed this clearly.
Bundled consent: you cannot package cookie consent with acceptance of your terms and conditions or any other agreement.
Power imbalance: in contexts such as employer-employee relationships, consent may not be considered freely given at all, due to the inherent imbalance between the parties.
3. Specific consent
Consent must be collected separately for each distinct purpose. A single "accept all cookies" button without the ability to manage preferences by category does not meet this requirement. If your website uses cookies for analytics and for advertising, a visitor must be able to accept one and reject the other.
To understand what granular consent means in practice, see our guide on what is granular consent and its GDPR implications.
4. Informed consent
Before giving consent, visitors need to know: which cookies or tracking technologies your website uses; what each category is for; how long the cookies will remain active; which third parties receive personal data via those cookies; and how to change or withdraw consent later.
5. Unambiguous indication
Consent requires a clear affirmative act, such as clicking a button or ticking a checkbox. Pre-ticked boxes, implied consent through continued browsing, and silence are all explicitly prohibited. This was confirmed by the Court of Justice of the EU in the Planet49 ruling in 2019.
6. Equal prominence for accept and reject
One of the most actively enforced areas of cookie consent is banner design. Regulators across Europe have made clear that "Accept" and "Reject" buttons must carry equal visual weight. Designs that use a large, brightly coloured "Accept" button while hiding "Reject" behind a small grey text link are considered dark patterns and can attract significant fines.
France's CNIL fined Google €150 million and Facebook €60 million in 2022, specifically because their cookie banners made it harder to reject cookies than to accept them.
The EDPB's 2022 guidelines on dark patterns in social media platforms provide detailed guidance on what constitutes a non-compliant banner design.
Germany, Italy, Ireland, and Spain have all issued enforcement notices or guidance on button prominence.
Clym's consent banners are built with equal prominence by default, and can be customised to match your brand without compromising on design standards that regulators expect.
7. Right to withdraw consent
Under GDPR Article 7(3), users must be able to withdraw consent at any time, and doing so must be as easy as giving it. In practice, this means having a permanently accessible preference centre or cookie settings link, usually in the website footer, so visitors can update or revoke their choices whenever they want.
8. Consent records
GDPR's accountability principle (Article 5(2)) requires you to be able to demonstrate that you obtained valid consent. For cookie consent, that means keeping records that include:
A timestamp of when consent was given or withdrawn
Which version of the consent banner was shown at the time
What the user specifically agreed to, by category
A session identifier or pseudonymous reference
The full text of the consent notice shown at that time
Clym's Control Center builds a centralised consent database that stores every interaction automatically, giving you a full audit trail you can produce if a regulator asks.
The Planet49 ruling: what it changed for cookie consent
In October 2019, the Court of Justice of the European Union issued its landmark Planet49 ruling (Case C-673/17). It remains the most important legal precedent for cookie consent under GDPR and the ePrivacy Directive.
The case involved a German gaming company that pre-ticked a consent checkbox for analytics cookies in a sweepstake sign-up form. The court ruled on three key points:
Pre-checked boxes are not valid consent. Consent for cookies requires an active, unambiguous indication of agreement. A box that is already ticked does not qualify.
Cookie lifespan must be disclosed. Website operators must tell users how long cookies will remain active and whether third parties have access to them.
Consent applies to all tracking technologies. The ruling covers not just HTTP cookies but any technology that stores or accesses information on a user's device, including pixels, fingerprinting, localStorage, and session storage.
The Planet49 ruling set the framework for the wave of cookie enforcement that followed across Europe from 2020 onwards, and it remains the reference point for any question about what counts as valid consent.
A more recent example reinforces the same principle. In September 2025, France's CNIL fined Google a record €325 million, its largest cookie-related fine to date, following an investigation into two violations. First, Google displayed advertising messages inside Gmail inboxes without prior consent.
Second, during Google account creation, the process of refusing cookies linked to personalised advertising was made significantly harder than accepting them, meaning consent was not freely given. The CNIL found that 74 million accounts were affected by invalid cookie consent. Google was ordered to come into compliance within six months or face additional daily fines of €100,000.
Cookie consent requirements by EU country
GDPR sets the minimum standard, but each EU member state has its own data protection authority (DPA) that interprets and enforces the rules. Country-specific requirements, particularly around banner design and how quickly a user can reject cookies, vary across the EU.
| Country | DPA | Key requirements | Notable enforcement |
|---|---|---|---|
| Germany | BfDI + State DPAs | Strict opt-in; high transparency standards; ePrivacy Act (TTDSG); one-click reject required | Multiple fines for cookie walls and dark patterns |
| France | CNIL | Equal prominence for accept/reject; reject must be accessible in one click on the first layer | €150M (Google), €60M (Facebook) for banner design |
| Netherlands | AP | Opt-in required; consent cannot be bundled with terms acceptance; active enforcement on analytics cookies | Enforcement actions against cookie walls |
| Ireland | DPC | Leads cross-border enforcement for large tech companies; strict alignment with EDPB guidelines | Multiple major cross-border investigations |
| Italy | Garante | No cookie walls; scroll consent prohibited; specific rules on banner UX | Updated cookie guidelines; enforcement actions |
| Spain | AEPD | Opt-in required; specific guidance on cookie banner design and dark patterns | Active enforcement on dark pattern banners |
| UK (post-Brexit) | ICO | UK GDPR and PECR apply; updated ICO cookie guidance (2023); broadly mirrors EU GDPR standard | Enforcement notices for non-compliant banners |
| Belgium | APD | Strict interpretation; IAB TCF challenged in a landmark 2022 decision | IAB TCF ruling with EU-wide implications |
Clym's location-based consent logic detects where each visitor is browsing from and applies the appropriate consent model automatically, covering over 150 global regulations from a single platform.
The ePrivacy Directive and cookies: the current legal framework
The ePrivacy Directive (2002/58/EC, amended by Directive 2009/136/EC) is the specific EU law that governs the use of cookies and similar technologies. It requires prior informed consent before a website can access or store information on a user's device. This Directive works alongside GDPR: the ePrivacy Directive creates the obligation to seek consent; GDPR defines what valid consent looks like.
The long-awaited ePrivacy Regulation, which was intended to replace the Directive, was formally withdrawn by the European Commission in February 2025 after years of legislative stalemate. The existing ePrivacy Directive therefore remains in force, with each EU member state having implemented it slightly differently through national law.
The practical result is that organisations need to satisfy both GDPR's consent requirements and the ePrivacy Directive's prior consent rule simultaneously. Depending on where your visitors are based, national interpretations of the Directive may add further requirements on top of the GDPR baseline.
GDPR reform 2026: what is changing for cookie consent?
On 19 November 2025, the European Commission published its formal GDPR reform proposal. For cookie consent, the most significant proposed change is the introduction of automated privacy signals.
Key proposed change: automated privacy signals
Under the proposed reform, users would be able to send their data protection preferences automatically through their browser or operating system, in machine-readable form, rather than clicking through consent banners on every website they visit. Standardised signals, similar to Global Privacy Control (GPC), would tell websites whether a user accepts or rejects cookies for specific purposes.
The reform proposal is now going through the standard EU legislative process, with the European Parliament and Council of Member States both needing to agree on a final text. This means implementation is not imminent, but the direction of travel is clear.
For your website today, it is worth evaluating whether your consent management platform already supports Global Privacy Control and automated signal processing. Clym already supports GPC as part of its consent management software, which means customers using the platform will be better positioned as this regulatory evolution continues.
Common GDPR cookie consent mistakes
Even well-intentioned implementations frequently fall short of GDPR requirements. These are the issues that DPAs most commonly find during investigations:
| Mistake | Why it matters | How to fix it |
|---|---|---|
| **Cookies fire before consent** | Prior consent is required under the ePrivacy Directive | Configure your CMP to block all scripts until consent is given |
| **No reject option on the first layer** | Making rejection harder than acceptance is a dark pattern | Add an equal-prominence reject button on the initial banner layer |
| **Pre-ticked consent boxes** | Explicitly prohibited by the Planet49 ruling (2019) | Replace with unticked opt-in checkboxes or category toggles |
| **Cookie walls** | Consent must be freely given; access cannot be conditional | Remove gating; give access regardless of consent choice |
| **No consent records** | The accountability principle requires you to demonstrate valid consent | Implement consent logging with timestamps and banner version |
| **Outdated cookie policy** | Undeclared cookies violate the transparency requirement | Scan cookies automatically; keep your policy in sync with actual use |
| **No withdrawal mechanism** | Withdrawal must be as easy as giving consent | Add a persistent cookie settings link in your website footer |
| **Consent not refreshed** | The EDPB recommends renewal after 12 months or material changes | Configure your CMP to re-prompt users after 12-month intervals |
Clym's platform handles several of these automatically, including cookie scanning, script blocking, consent record-keeping, and periodic re-prompting, which reduces the amount of manual work your team needs to do to stay on top of these requirements.
Cookie consent banner: what a compliant design requires
A compliant GDPR cookie consent banner needs to include specific elements, and critically, its design must not discourage users from exercising their right to reject. Here is what regulators expect:
| Banner element | What regulators require | Common non-compliant practice |
|---|---|---|
| **Accept button** | Clearly visible; accessible in one click on the first layer | Oversized, brightly coloured to psychologically encourage acceptance |
| **Reject button** | Equal visual prominence to accept; one click on the first layer | Hidden as a grey text link, buried behind 'Manage preferences' |
| **Cookie categories** | Listed with plain-language purpose descriptions | Generic 'We use cookies for a better experience' |
| **Third-party names** | Identify key partners and data processors | Omitted entirely, or only accessible in the full cookie policy |
| **Cookie lifespan** | Disclose retention period per category | Not disclosed, or only mentioned in the full policy |
| **Preference centre** | Allow granular consent by category | Only 'Accept all' available; no category-level control |
| **Withdrawal link** | Permanently accessible, e.g., in the website footer | Only visible on first visit; removed after consent is given |
| **Cookie policy link** | Link to the full cookie policy within the banner | Missing, or linking to an outdated or incomplete policy |
For a deeper look at banner design and how to communicate privacy choices effectively to your visitors, see our cookie consent banner guide.
How Clym supports GDPR cookie consent
Managing GDPR cookie consent across different jurisdictions, with different DPA expectations and potentially millions of daily consent interactions, takes significant time and technical resources. Clym's Consent Management Platform is designed to reduce that burden.
Automatic cookie scanning and categorisation
Clym's RealtimeCompliance™ technology automatically detects and categorises over 1,200 third-party services and cookies on your website. As your technology stack changes, your consent notice stays current without you needing to run manual audits.
Location-based consent logic
Clym detects where each visitor is browsing from and presents the appropriate consent model for that jurisdiction. GDPR opt-in for EU visitors, appropriate mechanisms for other regions. One platform, over 150 global regulations.
Consent records and audit trail
Every consent interaction is logged automatically with a full audit trail: timestamps, banner version, user preferences, and session identifiers. If a regulator asks you to demonstrate that you obtained valid consent, the records are there.
Google Consent Mode v2, IAB TCF, and GPC
For advertisers and publishers, Clym supports Google Consent Mode v2, IAB TCF, and Global Privacy Control, so your consent data integrates correctly with your advertising and analytics tools.
Deployment in around 30 minutes
Clym's ReadyCompliance® approach provides pre-configured settings for your jurisdiction. Add the Clym script to your website, and you are up and running in around 30 minutes. When regulations change, the platform updates automatically.
Frequently asked questions about GDPR cookie consent
All non-essential cookies require prior informed consent under GDPR and the ePrivacy Directive. Essential cookies, meaning those strictly necessary for your website to function (session cookies, login cookies, shopping cart cookies), do not require consent but must be documented in your cookie policy. Non-essential categories that require consent include analytics cookies, advertising and targeting cookies, personalisation cookies, and social media tracking pixels.
GDPR does not mandate a specific banner format, but it requires organisations to obtain valid consent before setting non-essential cookies. In practice, a consent management platform displaying a consent banner is the standard and legally accepted way to collect, record, and manage this consent.
Cookie consent is invalid if it is obtained through pre-ticked boxes, silence or inactivity, bundled consent with other agreements, cookie walls where access depends on accepting cookies, disproportionate accept/reject button design (dark patterns), or if any cookies are set before consent is given. The Planet49 ruling (2019) and the EDPB's 2022 guidelines on dark patterns are the key references here.
GDPR does not set a specific validity period, but the EDPB recommends seeking fresh consent after 12 months or when the consent notice materially changes. Consent is also immediately invalidated if the user withdraws it at any point.
Under GDPR, fines for cookie consent violations can reach €20 million or 4% of global annual turnover, whichever is higher. Notable enforcement examples include €150 million fined against Google by France's CNIL in 2022, €60 million against Facebook also by CNIL in 2022, and €390 million against Meta by Ireland's DPC in 2023, all related to consent practices.
Yes. GDPR applies to any organisation that processes the personal data of people located in the EU, regardless of where the organisation itself is based. A US, UK, or Australian company with EU website visitors needs to apply GDPR cookie consent requirements to those visitors.
The ePrivacy Directive creates the specific prior consent obligation for accessing or storing information on user devices, including cookies. GDPR then defines what valid consent must look like (freely given, specific, informed, unambiguous). Both apply at the same time. The ePrivacy Directive says you need consent; GDPR defines the standard that consent must meet.