
Legal Guides·18 min read

Cookie policy and consent banner: the GDPR & ePrivacy guide for 2026


On September 1, 2025, France's data protection authority CNIL fined Shein 150 million euros: advertising cookies were dropped on user devices before they touched the banner, the "Reject all" button didn't actually reject anything, and a second pop-up only allowed acceptance. The same month, CNIL fined Google 325 million euros for similar reasons. Cookies are the most heavily sanctioned legal vector in Europe in 2025-2026, surpassing even classic security breaches.

This guide covers everything your cookie policy and consent banner need to comply with the ePrivacy Directive 2002/58/EC, Spain's LSSI-CE Article 22.2, and the AEPD Cookie Guide of July 2023. You'll see cookie types, banner rules, the errors that trigger fines, a copyable template, and a preview of the automated privacy signals the European Commission proposed in November 2025.

Plot twist: on February 11, 2025, the European Commission formally withdrew the ePrivacy Regulation after 8 years stuck in negotiation. If you read an article saying "ePrivacy is coming soon," it's outdated: cookies in 2026 are still governed by the 2002 ePrivacy Directive, transposed by each member state. In Spain that means LSSI + AEPD Guide.

A cookie policy is the document detailing, cookie by cookie, what files your site drops on a visitor's device, what each one does, who manages it, and how long it stays. It is different from a privacy policy: that one covers any personal data processing; the cookie policy focuses exclusively on storing and accessing information on the user's terminal, regulated by ePrivacy.

You can legally put both in a single document, but the AEPD and most European authorities recommend keeping them separate. Main reason: the user must be able to withdraw cookie consent granularly and quickly, and GDPR Art. 7(3) requires that withdrawing consent be as easy as giving it. If cookie information is buried in a 30-page privacy policy, that is no longer the case, and that alone is a violation.

Legal notice ≠ cookie policy ≠ privacy policy. Three documents under three frameworks: legal notice (LSSI Art. 10, company details); cookie policy (LSSI Art. 22.2); privacy policy (GDPR Arts. 13-14). Mixing them confuses users and, worse, makes it harder to prove you provided complete information when an inspection arrives.

The three laws governing cookies in Europe (2026)

Three frameworks overlap. Knowing which one matters in each situation is what separates a real cookie policy from "a template downloaded off the internet."

1. ePrivacy Directive 2002/58/EC

The European framework for "electronic communications." Its Article 5(3) is the legal basis for every EU cookie regulation: it prohibits storing or accessing information on the user's terminal without prior consent, except for strict technical exceptions. The Directive is not directly applicable: each member state transposes it into national law.

2. LSSI-CE Article 22.2 (Spain)

The Spanish transposition. Requires prior user consent before installing any non-essential cookie. Violations are sanctioned as minor (up to €30,000), serious (up to €150,000), or very serious (up to €600,000), depending on severity and recidivism.

3. GDPR (when there's personal data)

If the cookie identifies the user or makes it possible to do so (persistent login, fingerprinting, advertising IDs, profiling), GDPR also kicks in. The fine can stack on top of the LSSI ceiling: up to 4% of global turnover or 20 million euros, whichever is higher. The double track is what blew up the numbers in 2025.

What happened to the ePrivacy Regulation?

The ePrivacy Regulation was proposed in 2017 to replace the Directive. The Commission formally withdrew it on February 11, 2025 after 8 years of Council deadlock. Instead, on November 19, 2025, the Commission published a GDPR reform proposal that includes, among other things, the legal recognition of automated privacy signals (Global Privacy Control-style). We'll cover that at the end of this article — it's the most relevant change coming in 2026.

Why nobody is going to harmonize this soon: with the ePrivacy Regulation withdrawn, European harmonization is up in the air. Each member state will keep interpreting the 2002 Directive through its own authority's guidelines. For a website operating in Spain and France, that means complying with the AEPD and CNIL in parallel, with similar but not identical criteria.

Cookie types according to the AEPD Guide

The AEPD Guide classifies cookies by purpose, origin, and duration. The classification matters because only some need prior consent; the exempt technical ones you can set without asking.

By purpose (the classification that matters most)

┌──────────────────────────────┬──────────────────────────────────────────────────┬─────────────────────────────────┐
│ Type                         │ What they do                                     │ Consent required?               │
├──────────────────────────────┼──────────────────────────────────────────────────┼─────────────────────────────────┤
│ Strictly necessary technical │ Session, shopping cart, login, load balancing,   │ No (exempt)                     │
│                              │ CSRF, basic language                             │                                 │
│ Preferences (some)           │ Remember language, dark mode, font size          │ No, if strictly functional      │
│ Analytics                    │ Site usage measurement, traffic metrics, funnels │ Yes (even first-party like GA4) │
│ Advertising / marketing      │ Retargeting, ad frequency, attribution           │ Yes, always                     │
│ Personalization              │ Recommend content based on history,              │ Yes (AEPD Guide 2023)           │
│                              │ per-user A/B testing                             │                                 │
└──────────────────────────────┴──────────────────────────────────────────────────┴─────────────────────────────────┘

By origin and duration

  • First-party: set by your own domain. Lower legal risk, but if they're for marketing they still need consent.
  • Third-party: set by domains other than yours (Google, Meta, HubSpot…). High legal risk: you must list them and, in many cases, sign data processing agreements with the provider.
  • Session: deleted when the browser closes. Usually technical.
  • Persistent: remain on the device for days, months, or years. The AEPD uses 24 months as its benchmark (the same ceiling it gives to the validity of consent itself); a longer lifetime without a documented justification is a sign of non-compliance.

Real cookies almost every site has

┌────────────────────────────┬────────────────────┬────────────────────────────┬────────────────────┬────────────────┐
│ Cookie                     │ Provider           │ Purpose                    │ Duration           │ Consent?       │
├────────────────────────────┼────────────────────┼────────────────────────────┼────────────────────┼────────────────┤
│ _ga, _ga_*                 │ Google Analytics 4 │ Analytics                  │ 2 years            │ Yes            │
│ _gid                       │ Google Analytics   │ Analytics                  │ 24 hours           │ Yes            │
│ _fbp, fr                   │ Meta Pixel         │ Marketing                  │ 3 months           │ Yes            │
│ VISITOR_INFO1_LIVE, YSC    │ YouTube embed      │ Marketing                  │ 6 months / session │ Yes            │
│ _hjid                      │ Hotjar             │ Analytics                  │ 1 year             │ Yes            │
│ __stripe_mid, __stripe_sid │ Stripe             │ Anti-fraud (technical)     │ 1 year / 30 min    │ No (exempt)    │
│ __cf_bm                    │ Cloudflare         │ Bot management (technical) │ 30 min             │ No (exempt)    │
│ i18n_redirected            │ Your app           │ User language              │ 1 year             │ No (technical) │
└────────────────────────────┴────────────────────┴────────────────────────────┴────────────────────┴────────────────┘

Note on the Cloudflare row: the older _cfduid cookie was retired by Cloudflare in 2021. A cookie table that still lists it is a sign that nobody has scanned the site since.

Common trap: Google Analytics 4, even configured with IP anonymization and no User-ID, still requires consent in the EU. Features like Google Signals, Enhanced Conversions, or any Ads integration trigger additional processing the AEPD already considers non-exempt. If you want consent-free analytics, look at alternatives like Plausible, Fathom, or self-hosted Matomo.

Consent banner rules

The banner is the most visible piece and the one generating the most fines. The 2023 AEPD Guide, aligned with the EDPB Guidelines 03/2022 on deceptive design patterns, sets concrete rules your CMP must follow.

The three required actions

The banner must offer, on the first layer, three equivalent options:

  1. Accept all
  2. Reject all (as easily as accept)
  3. Configure / Customize (granularity by purpose at minimum)

If your current banner only has "Accept" and a tiny "Learn more" link, you're not compliant. If "Reject all" requires opening a panel, extra clicks, and unchecking boxes, you're not compliant either.

Visual equality rules

  • Same size for accept and reject
  • Same color or, at least, the same contrast level against the background
  • Same number of clicks to accept and reject (CNIL fined Google €150M in 2022 for requiring 5 clicks vs 1)
  • Same hierarchical position: if accept is a button, reject is too
  • No nudging: no "Accept (recommended)," no green only on accept and gray on reject

Cookie walls

A cookie wall blocks site access if the user doesn't accept. The AEPD prohibits it as a general rule: consent under coercion is not free consent. The allowed exception is offering an equivalent cookie-free alternative, which can be paid (the "consent or pay" model some European media use, still in a gray area but tolerated by some authorities).

Correct vs incorrect banner

// ❌ INCORRECT (guaranteed fine)
┌──────────────────────────────────────────────────┐
│ We use cookies to improve your experience.       │
│ Learn more in our policy.                        │
│                                                  │
│                            [ ACCEPT (green) ]    │
└──────────────────────────────────────────────────┘

// ❌ INCORRECT (Shein style — €150M)
┌──────────────────────────────────────────────────┐
│ We use cookies.                                  │
│                                                  │
│ [Configure]  [Reject all]  [ ACCEPT ALL ]        │
│    gray         gray        big green            │
└──────────────────────────────────────────────────┘
(And clicking "Reject all" did nothing — cookies kept
installing. That's what CNIL caught.)

// ✅ CORRECT (AEPD Guide 2023)
┌──────────────────────────────────────────────────┐
│ 🍪 We use cookies                                │
│ Technical, analytics and marketing cookies.      │
│ Analytics and marketing require your consent.    │
│ More info at /cookies                            │
│                                                  │
│ [ Reject all ]  [ Configure ]  [ Accept all ]    │
│   same size      same size      same size        │
│   same color     same color     same color       │
└──────────────────────────────────────────────────┘

Shein case, €150M (CNIL, September 2025): the site installed advertising cookies before the user interacted with the banner. The first banner didn't disclose advertising purposes. A second banner only allowed acceptance. And, most damning: when the user clicked "Reject all" or withdrew consent, new cookies kept being installed. Lesson: your CMP must block third-party scripts before any user response, and "Reject all" must actually reject. Source: CNIL.

Common errors that generate fines

The vast majority of AEPD cookie sanctions come from the same ten errors. Audit your site in five minutes:

  1. Cookies fired before consent. Most common and most expensive error. Your CMP must block all third-party scripts until the user decides.
  2. "By continuing to browse, you accept." Consent must be an active choice: the CJEU said so in Planet49 (C-673/17), and the EDPB Guidelines 05/2020 state explicitly that scrolling or continuing to browse is not consent.
  3. Pre-ticked boxes. The exact practice Planet49 struck down. They must be unchecked by default, except for exempt technical ones.
  4. "Reject all" hidden or with extra clicks. Must be at the same friction level as "Accept all."
  5. No "Reject" button on the first layer. Just "Accept" and a "Configure" link is not enough.
  6. Fake granularity. A single "Marketing cookies" toggle bundling 40 vendors isn't granular: the user must be able to choose by specific purpose.
  7. Not re-asking consent after 24 months. Consent expires; you must renew it past that period.
  8. Pure cookie wall. "Accept or get out" without an alternative.
  9. Cookie policy without detailed table. You must list each cookie with its name, provider, purpose, duration, and category. Generic statements don't cut it.
  10. "Reject all" that doesn't reject. Shein's mistake. A technical test before publishing avoids €150M.

Watch the CMP you use: many free templates (even from well-known providers) ship with default settings that are wrong for the EU. Before installing, make sure it has: script blocking before consent, "Reject all" on the first layer, granularity by purpose, and consent expiry ≤ 24 months. If your CMP can't do this, switch CMP.
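As an added example (not the code of any CMP named in this article), the gating logic behind those four checks in browser JavaScript: vendor tags are embedded inert and activated only for consented purposes, a stored consent record stops counting after 24 months or when the policy version changes, and "Reject all" deletes the cookies the page already knows about. The data-consent attribute convention, the cookie_consent storage key, the cookie-banner element id and the cookie registry are assumptions of the example:

```javascript
// Added example, not the code of any CMP: the gating logic behind the checks above.
// Assumptions of this example: inert vendor tags carry data-consent="<purpose>",
// consent is stored under the key "cookie_consent", and the banner element has the
// id "cookie-banner". The registry below is illustrative, not a complete list.

const CONSENT_MAX_AGE_MONTHS = 24; // AEPD benchmark: renew consent at most every 24 months
const PURPOSES = ['analytics', 'marketing', 'personalization']; // non-exempt purposes

// Known non-exempt cookies -> purpose. Exempt technical cookies are deliberately absent:
// this code never gates or deletes them.
const COOKIE_REGISTRY = [
  { pattern: /^_ga(_.+)?$/,                purpose: 'analytics' },
  { pattern: /^(_gid|_hjid)$/,             purpose: 'analytics' },
  { pattern: /^(_fbp|fr)$/,                purpose: 'marketing' },
  { pattern: /^(VISITOR_INFO1_LIVE|YSC)$/, purpose: 'marketing' },
];

// Build a consent record from an explicit banner action. Scrolling or silence never
// calls this; with no record, decide() allows nothing non-exempt.
function recordFromChoice(choice, now = Date.now(), policyVersion = '1.0') {
  const granted =
    choice === 'accept_all' ? [...PURPOSES] :
    choice === 'reject_all' ? [] :
    PURPOSES.filter(p => Boolean(choice) && choice[p] === true); // granular: explicit opt-ins only
  return { granted, timestamp: now, policyVersion };
}

// A stored record counts only if it is well-formed, younger than the maximum age, and
// was given for the current policy version (new vendor or new purpose: bump the
// version, and everyone is asked again).
function isValid(record, now = Date.now(), policyVersion = '1.0') {
  if (!record || !Array.isArray(record.granted) || typeof record.timestamp !== 'number') return false;
  if (record.policyVersion !== policyVersion) return false;
  const expiry = new Date(record.timestamp);
  expiry.setMonth(expiry.getMonth() + CONSENT_MAX_AGE_MONTHS);
  return now < expiry.getTime();
}

// Page-load decision: which purposes may run, and whether the banner must be shown.
function decide(record, now = Date.now(), policyVersion = '1.0') {
  if (!isValid(record, now, policyVersion)) return { showBanner: true, allowed: new Set() };
  return { showBanner: false, allowed: new Set(record.granted) };
}

// Names from document.cookie whose purpose is not (or no longer) consented.
// "Reject all" and withdrawal both end here: the cookies must actually go.
function cookiesToDelete(cookieNames, allowed) {
  return cookieNames.filter(name => {
    const entry = COOKIE_REGISTRY.find(e => e.pattern.test(name));
    return entry !== undefined && !allowed.has(entry.purpose);
  });
}

// Vendor tags are embedded inert, for example
//   <script type="text/plain" data-consent="analytics" src="https://example.com/analytics.js"></script>
// Browsers do not execute type="text/plain", so nothing loads until the tag is cloned
// with a real type for a consented purpose. Returns the number of tags activated.
function activateScripts(allowed, doc) {
  let activated = 0;
  for (const inert of doc.querySelectorAll('script[type="text/plain"][data-consent]')) {
    if (!allowed.has(inert.dataset.consent)) continue;
    const live = doc.createElement('script');
    for (const { name, value } of inert.attributes) if (name !== 'type') live.setAttribute(name, value);
    live.textContent = inert.textContent;
    inert.replaceWith(live);
    activated++;
  }
  return activated;
}

// Browser bootstrap (load this after the inert tags, e.g. at the end of <body>).
// Skipped under Node so the functions above can be exercised on their own.
if (typeof document !== 'undefined') {
  const stored = JSON.parse(localStorage.getItem('cookie_consent') || 'null');
  const { showBanner, allowed } = decide(stored);
  activateScripts(allowed, document);
  const present = document.cookie.split(';').map(c => c.trim().split('=')[0]).filter(Boolean);
  for (const name of cookiesToDelete(present, allowed)) {
    // Expire on host scope and on the registrable-domain scope most vendors use.
    for (const scope of ['', '; domain=.' + location.hostname]) {
      document.cookie = name + '=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/' + scope;
    }
  }
  if (showBanner) document.getElementById('cookie-banner')?.removeAttribute('hidden');
  // Banner buttons (markup outside this example) store a record and reload, e.g.
  //   localStorage.setItem('cookie_consent', JSON.stringify(recordFromChoice('reject_all')))
}
```

Expiring a cookie from JavaScript only reaches cookies on your own domain: one that a third party set on its own domain during an earlier page load is out of reach, which is the practical reason the CNIL decisions turn on blocking before load rather than cleaning up afterwards.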

Cookie policy template

Minimum viable structure. Copy it, replace the placeholders, and most importantly, fill the table with your actual cookies (don't make them up or copy from another company).

1. What cookies are
   Small data files your browser stores when you visit a
   website. They allow remembering information (language,
   session) or recording your activity (analytics, ads).

2. Who is the controller
   - Legal name: [YOUR COMPANY, S.L.]
   - Tax ID: [B12345678]
   - Email: [privacy@your-domain.com]

3. What cookies we use (full table)

   ┌─────────────────┬──────────────┬────────────┬───────────┬───────────┐
   │ Name            │ Provider     │ Purpose    │ Duration  │ Type      │
   ├─────────────────┼──────────────┼────────────┼───────────┼───────────┤
   │ session         │ [your-domain]│ Login      │ Session   │ Technical │
   │ _ga, _ga_XXXX   │ Google       │ Analytics  │ 2 years   │ 3rd-party │
   │ _fbp            │ Meta         │ Marketing  │ 3 months  │ 3rd-party │
   │ ...             │ ...          │ ...        │ ...       │ ...       │
   └─────────────────┴──────────────┴────────────┴───────────┴───────────┘

4. Legal basis
   - Exempt technical cookies: LSSI Art. 22.2
   - Analytics and marketing cookies: user consent
     (GDPR Art. 6.1.a + LSSI Art. 22.2)

5. Consent duration
   The consent you give expires after [12-24] months.
   After that, we'll ask again.

6. How to withdraw consent
   - Click the "Cookie preferences" icon always available
     in the footer.
   - Delete cookies from your browser.
   - Change your decision at /cookies anytime.

7. International transfers
   Some providers (Google, Meta) store data in the US.
   The transfer relies on standard contractual clauses
   and, since July 2023, the EU-US Data Privacy Framework.

8. Rights
   Access, rectification, erasure, objection. Complaints
   to the AEPD (www.aepd.es).

9. Changes
   Version [1.0] - Last update: [date]

This template is a skeleton. The cookie table is what gets the most scrutiny in an inspection: if it's incomplete or outdated, the fine comes for insufficient information even if the banner is perfect.

Scan your site before writing the policy

The first step in any serious cookie policy is scanning your site to see what actually loads. Most founders are surprised to find 30-50 third-party cookies they don't remember adding (they come from YouTube embeds, marketing scripts, plugins).


How to scan your site

  • Browser DevTools: open your site, F12, Application tab → Cookies (Storage tab in Firefox). Full list per domain. The Network tab shows each response's Set-Cookie headers and which host sent them, which is how you trace a cookie back to the embed or script that introduced it.
  • Free cookie scanners: CookieServe, CookieMetrix, Termly Scanner. Auto-generated report.
  • Your CMP: serious CMPs (Cookiebot, Iubenda, OneTrust, Termly) scan and keep the table updated.
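To get from a DevTools or scanner dump to the table the policy needs, here is an added example (not from this article or any of the scanners above) that parses Set-Cookie headers, looks each cookie up in a registry standing in for your current policy table, and flags undocumented cookies and lifetimes beyond the 24-month benchmark. The registry and the sample headers are constructed for the example; example.com and the cookie named mystery_tracker are placeholders:

```javascript
// Added example, not from the article or any scanner it names: audit Set-Cookie
// headers against the cookie table your policy currently documents.

const MAX_LIFETIME_DAYS = 730; // 24 months, the AEPD benchmark

// Assumed registry: what your cookie policy table documents today.
const REGISTRY = [
  { pattern: /^_ga(_[A-Z0-9]+)?$/,  provider: 'Google Analytics 4', purpose: 'analytics' },
  { pattern: /^_gid$/,               provider: 'Google Analytics',   purpose: 'analytics' },
  { pattern: /^(_fbp|fr)$/,          provider: 'Meta Pixel',         purpose: 'marketing' },
  { pattern: /^__stripe_(mid|sid)$/, provider: 'Stripe',             purpose: 'technical' },
  { pattern: /^session$/,            provider: 'first-party',        purpose: 'technical' },
];

// Constructed sample: one Set-Cookie header per cookie, as the Network tab shows them.
const SAMPLE_SET_COOKIE = [
  '_ga=GA1.1.123456789.1700000000; Max-Age=63072000; Path=/; Domain=.example.com; SameSite=Lax',
  '_gid=GA1.1.987654321.1700000000; Max-Age=86400; Path=/; Domain=.example.com',
  '_fbp=fb.1.1700000000000.1234567890; Expires=Sat, 31 Jan 2026 00:00:00 GMT; Path=/; Domain=.example.com',
  'session=2f1c9e; Path=/; Secure; HttpOnly; SameSite=Lax',
  '__stripe_sid=abc; Max-Age=1800; Path=/; Secure; SameSite=Strict',
  'mystery_tracker=xyz; Max-Age=94608000; Path=/', // 3 years, and not in the policy table
];

// Parse one Set-Cookie header. Lifetime in days: Max-Age wins over Expires
// (RFC 6265 section 5.3); neither attribute means a session cookie (0 days).
function parseSetCookie(header, now) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: eq === -1 ? pair : pair.slice(0, eq), domain: null, lifetimeDays: 0, secure: false, httpOnly: false };
  let maxAge = null, expires = null;
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split('=');
    const key = rawKey.trim().toLowerCase();
    const value = rest.join('=').trim();
    if (key === 'max-age') maxAge = Number(value);
    else if (key === 'expires') expires = Date.parse(value);
    else if (key === 'domain') cookie.domain = value.replace(/^\./, '');
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'httponly') cookie.httpOnly = true;
  }
  if (maxAge !== null && Number.isFinite(maxAge)) cookie.lifetimeDays = Math.max(0, maxAge) / 86400;
  else if (expires !== null && !Number.isNaN(expires)) cookie.lifetimeDays = Math.max(0, (expires - now) / 86400000);
  return cookie;
}

// For each header, look the cookie up in the registry and flag what an inspector
// would flag: cookies missing from the table, and lifetimes beyond 24 months.
function audit(headers, now = Date.now()) {
  return headers.map(h => {
    const c = parseSetCookie(h, now);
    const entry = REGISTRY.find(e => e.pattern.test(c.name));
    const issues = [];
    if (!entry) issues.push('UNDOCUMENTED');
    if (c.lifetimeDays > MAX_LIFETIME_DAYS) issues.push('EXCEEDS_24_MONTHS');
    return {
      name: c.name,
      provider: entry ? entry.provider : 'unknown',
      purpose: entry ? entry.purpose : 'unknown',
      consentRequired: !entry || entry.purpose !== 'technical', // unknown: assume consent is needed
      lifetimeDays: c.lifetimeDays,
      issues,
    };
  });
}

// Render the findings as rows for the policy table (or as the list to fix first).
function report(findings) {
  return findings.map(f =>
    f.name.padEnd(18) + ' ' + f.provider.padEnd(20) + ' ' + f.purpose.padEnd(10) + ' ' +
    (f.lifetimeDays === 0 ? 'session' : Math.round(f.lifetimeDays) + ' d').padEnd(9) + ' ' +
    (f.consentRequired ? 'consent' : 'exempt ') + ' ' + f.issues.join(',')
  ).join('\n');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(report(audit(SAMPLE_SET_COOKIE)));
}
```

Run it against the headers your own site returns and every UNDOCUMENTED row is a cookie the policy table is missing; a row flagged EXCEEDS_24_MONTHS needs either a shorter lifetime or a written justification.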

When you must renew consent

Three situations require renewing consent:

  1. More than 24 months have passed since the user consented.
  2. You added a new provider (a new marketing pixel, a new analytics tool).
  3. You changed the purpose of existing cookies (for example, GA4 now sending data to Ads).

Maintaining a cookie policy that's updated cookie by cookie, and synced with a banner that complies with the AEPD 2023 Guide, is ongoing work. That's why we built Termerly's cookie policy generator: it asks what tools you use (Analytics, Pixel, Hotjar, Stripe…) and produces a policy with a complete cookie table, the right legal basis, and a link to the configuration panel.

Try it in 3 minutes: termerly.com/cookie-policy-generator. Auto-detects the most common cookies and emails you when a regulation or vendor changes.

What's coming in 2026: automated privacy signals

On November 19, 2025, the European Commission published its formal GDPR reform proposal. The most relevant change for cookies is the legal recognition of automated privacy signals: signals the browser sends with every HTTP request indicating whether the user wants to be tracked.

The de facto standard is Global Privacy Control (GPC): the browser sends a Sec-GPC: 1 request header (and exposes the same preference to scripts as navigator.globalPrivacyControl). Brave and DuckDuckGo send it by default, Firefox sends it by default in private windows and when strict tracking protection is on (with a setting to enable it everywhere), and Safari allows enabling it. The proposal turns these signals into a legally binding objection to data processing. Practical implications:

  • If your CMP detects Sec-GPC: 1, it must treat it as automatic "reject all" and not show the banner.
  • Ignoring the signal when it's legally binding is grounds for sanction.
  • CMPs that don't support GPC will be out of compliance once the proposal is adopted in that form; the text still has to go through Parliament and Council, so the exact timing is open.

Get ahead: although the proposal still has to pass through the European Parliament, California has been enforcing GPC since 2021 (CCPA). Configuring your CMP to respect it today gets you ahead of the change at no extra cost.
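As an added example of what "respect it today" looks like in code (not from this article or any CMP), the signal checked on both sides of the request: Sec-GPC on the server and navigator.globalPrivacyControl in the browser. Function names and the constructed request objects are the example's own; treating the signal as a standing "reject all" that overrides an older stored "accept all" is a design choice of the example, not a rule taken from the proposal:

```javascript
// Added example, not from the article or any CMP: honouring the GPC signal on both
// sides of the HTTP request. Request objects below are constructed for the example.

// Server side. Browsers with the preference on send "Sec-GPC: 1" with their requests.
// Only the exact value "1" counts; otherwise the header is simply absent.
function gpcFromHeaders(headers) {
  const raw = headers['sec-gpc'] ?? headers['Sec-GPC'];
  return raw !== undefined && String(raw).trim() === '1';
}

// Client side. The same preference is exposed as navigator.globalPrivacyControl.
function gpcFromNavigator(nav) {
  return Boolean(nav) && nav.globalPrivacyControl === true;
}

// Fold the signal into the consent decision. The signal is an objection to tracking,
// so with it present nothing non-exempt runs and no banner is shown, regardless of an
// older stored record (this example's design choice). Without it, the stored banner
// choice applies, and with no stored choice the banner must be shown.
function resolveConsent({ gpc, stored, now = Date.now() }) {
  if (gpc) {
    return { allowed: new Set(), showBanner: false, record: { granted: [], timestamp: now, source: 'gpc' } };
  }
  if (stored && Array.isArray(stored.granted)) {
    return { allowed: new Set(stored.granted), showBanner: false, record: stored };
  }
  return { allowed: new Set(), showBanner: true, record: null };
}

// Server render decision for one request. Because the response now differs by the
// Sec-GPC request header, it is declared in Vary so a shared cache never serves the
// tracking variant to a GPC user. Returns what the template needs, not HTML.
function renderDecision(req) {
  const gpc = gpcFromHeaders(req.headers);
  let stored = null;
  try { stored = JSON.parse(req.cookies?.cookie_consent ?? 'null'); } catch { stored = null; }
  const consent = resolveConsent({ gpc, stored });
  return {
    responseHeaders: { 'Vary': 'Sec-GPC, Cookie', 'Cache-Control': 'private' },
    allowedPurposes: [...consent.allowed].sort(),
    showBanner: consent.showBanner,
    consentSource: consent.record ? (consent.record.source ?? 'banner') : 'none',
  };
}

// Constructed requests, shaped like what a cookie-parsing middleware hands you.
const REQ_GPC = { headers: { 'sec-gpc': '1' }, cookies: { cookie_consent: JSON.stringify({ granted: ['analytics', 'marketing'] }) } };
const REQ_ACCEPTED = { headers: {}, cookies: { cookie_consent: JSON.stringify({ granted: ['analytics', 'marketing'] }) } };
const REQ_NEW = { headers: { 'sec-gpc': '0' }, cookies: {} };

// Browser bootstrap: the same resolution from the client, skipped under Node.
if (typeof navigator !== 'undefined' && typeof document !== 'undefined') {
  const stored = JSON.parse(localStorage.getItem('cookie_consent') || 'null');
  const consent = resolveConsent({ gpc: gpcFromNavigator(navigator), stored });
  if (consent.showBanner) document.getElementById('cookie-banner')?.removeAttribute('hidden');
}
```

Note the Vary header: once the page changes with Sec-GPC, a CDN or proxy that caches by URL alone would hand the tracking variant to users who sent the signal, which is exactly the "ignoring the signal" case the proposal sanctions.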

Conclusion

Cookies are, in 2026, the most actively sanctioned compliance area in Europe. The good news: the rules are clear and broadly the same across EU countries, even if each authority applies its own guide. The three critical points you can't skip:

  1. Block before consent. No third-party script runs until the user decides. The most expensive error.
  2. Visual and friction equality between accept and reject. Same size, same color, same number of clicks. If this doesn't hold, nothing else matters.
  3. Real and updated cookie table. Each cookie with name, provider, purpose, duration. No inventions, no copy from another company.

If your site doesn't meet all three, open your banner now and start by blocking the scripts. If you're drafting your first cookie policy, use the Termerly guided template with auto-detection so you don't miss anything.

Frequently asked questions

Can the cookie policy and the privacy policy go in the same document?

Legally yes, but the AEPD discourages mixing them because it makes granular consent withdrawal harder. The recommended practice is publishing two interlinked documents.

Do I need a paid CMP like OneTrust or Cookiebot, or is a free one okay?

Free ones work as long as they: block scripts before consent, show "reject all" on the first layer, allow granularity by purpose, expire consent at ≤ 24 months, and keep an auditable log. Cookiebot, Iubenda, and Termly have free tiers that comply for small sites. Open-source CMPs like Klaro or cookieconsent (Orest Bida) also work if you configure them correctly.

What if the user navigates without clicking anything?

That's not consent. Until the user actively clicks "Accept" or configures and saves, you can't install cookies that aren't exempt technical ones. Silence is never "yes."

Does Google Analytics 4 need consent?

Yes. GA4 anonymizes IP addresses by default and dropped some of the identifiers Universal Analytics used, but it still sets a persistent client identifier (_ga) on your domain on behalf of a third-party analytics provider. The AEPD clarified in its 2023 Guide that analytics cookies aren't exempt, not even with IP anonymization.

Is a cookie wall legal?

The pure cookie wall (accept or get out) isn't. The exception some European authorities allow is the "consent or pay" model: offering an equivalent paid alternative to users who reject. Still in a gray area, and the AEPD hasn't ruled as favorably as authorities like France's.

How long does cookie consent last?

The AEPD Guide recommends 24 months max. After that you must ask again. Some companies opt for 12 months to reduce risk, especially in sectors with frequent audits.

Does the GDPR reform of 2026 force me to change my banner?

The November 19, 2025 proposal introduces legal recognition of privacy signals (Global Privacy Control). If your CMP doesn't detect the Sec-GPC: 1 header and treat it as "reject all," you'll need to update it. The proposal still needs to pass, but serious CMPs are already preparing. Don't wait until the last day.

Stay up to date

Subscribe to get notified when new articles are published.