The official GDPR.eu guide on cookies remains one of the most consulted references of the year when someone starts a new web project. The reason: cookie consent is split between two laws (GDPR for personal data, ePrivacy Directive from 2002/2009 for the rest), and the promised ePrivacy Regulation has been pending for years. The result is a terrain where it's very easy to comply poorly and very expensive to comply well. This updated guide covers what you need to have in 2026, which banner patterns work without destroying UX, and the typical errors European regulators sanction.

The framework: two laws for one decision

GDPR

Applies when cookies process personal data (identifying the user, profiling, individual tracking). The session-id cookie that only manages technical login isn't personal data. The Facebook Pixel cookie is.

ePrivacy Directive

Applies to ALL cookies that aren't strictly necessary to provide the service, whether or not they hold personal data. That's why you need consent for Google Analytics even though GDPR alone wouldn't require it under certain configurations.

Result: in practice, any cookie that isn't strictly necessary requires explicit consent before it is set in the user's browser. "Continuing to browse implies acceptance" died years ago, but it still appears on many sites.

1. Visual asymmetry is no longer acceptable

Large green "Accept" button + small gray "Configure" link = sanctionable banner. Spanish and French regulators have issued fines specifically for this pattern. The "Reject" option must sit at the same visual level as "Accept".

2. No cookies until the user decides

The banner loads, but NO non-strict cookie is set until the user clicks "Accept" or chooses which categories to allow. This includes analytics trackers. If your Google Analytics loads as soon as the home page opens, you're already non-compliant.

3. The user must be able to change their mind easily

A permanent link (footer or floating icon) that reopens the preferences panel. Telling users to open their browser's cookie settings and delete cookies manually doesn't count.

4. Probative record of version and timestamp

When a complaint arrives (and the AEPD already received 64% more of them in 2025), your defense is proving which policy version the user accepted and on which date. A banner that only saves "yes/no" without that traceability is no defense.

Good practice | Pattern to avoid
"Accept" and "Reject" with symmetric design | "Accept" prominent, "Reject" hidden
Expandable cookie categories with explanation | Hidden categories or generic names without description
Allows preference changes at any time | Single opportunity when loading the site
Log with version + timestamp per acceptance | Only saves "accepted: true"
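As an added example (not code from the article, and not Termerly's or any vendor's SDK), here is a minimal consent gate in JavaScript that implements points 2, 3 and 4 above: trackers registered under a non-necessary category are not started until the user decides, every decision is appended to a log carrying the policy version and a timestamp, and a record stored under an older policy version is treated as undecided so the banner reappears. The function and field names are this example's own assumptions.

```javascript
// Added example (not from the article or any vendor SDK): a consent gate that loads no
// non-essential tracker until the user decides and keeps a versioned, timestamped record.
const POLICY_VERSION = "2026-03"; // constructed; bump whenever the Cookie Policy text changes
const CATEGORIES = ["necessary", "analytics", "marketing"];
// storage: any key/value object (e.g. a localStorage shim); now: injectable clock for testing.
function createConsentGate(storage, now = () => new Date()) {
  const pending = { analytics: [], marketing: [] }; // loaders waiting for consent
  const loaded = [];                                 // tracker names already started
  const log = [];                                    // append-only decision history

  // Strictly necessary trackers run immediately; all others wait for decide().
  function register(category, name, load) {
    if (category === "necessary") { load(); loaded.push(name); return; }
    if (!pending[category]) throw new Error("unknown category: " + category);
    pending[category].push({ name, load });
  }

  // Record the user's choice and start only the trackers whose category was granted.
  function decide(choices) {
    const record = {
      policyVersion: POLICY_VERSION,
      timestamp: now().toISOString(),
      choices: Object.fromEntries(CATEGORIES.map(c => [c, c === "necessary" || choices[c] === true])),
    };
    log.push(record);                         // never overwritten: proves what was accepted and when
    storage.consent = JSON.stringify(record); // latest decision, reused on the next page load
    for (const cat of Object.keys(pending)) {
      if (!record.choices[cat]) continue;
      for (const t of pending[cat]) if (!loaded.includes(t.name)) { t.load(); loaded.push(t.name); }
    }
    return record;
  }

  // Consent stored under an older policy version is stale: report "undecided" so the banner reappears.
  function current() {
    if (!storage.consent) return null;
    const rec = JSON.parse(storage.consent);
    return rec.policyVersion === POLICY_VERSION ? rec : null;
  }
  return { register, decide, current, loaded: () => loaded.slice(), log: () => log.slice() };
}

// Walk-through with constructed trackers: what is loaded before and after the decision.
function demo(storage = {}) {
  const gate = createConsentGate(storage, () => new Date("2026-03-01T10:00:00Z"));
  gate.register("necessary", "session", () => {});
  gate.register("analytics", "ga4", () => {});
  gate.register("marketing", "meta-pixel", () => {});
  const before = gate.loaded();                       // only "session" may exist here
  gate.decide({ analytics: true, marketing: false }); // user accepts analytics, rejects marketing
  return { before, after: gate.loaded(), record: gate.current(), gate };
}
```

In a real page the `load` callbacks would inject the tracker script tags, and the "change preferences" link would simply call `decide` again, which appends a new log entry rather than overwriting the old one.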

The errors regulators sanction

High-profile cases from 2024-2025 include fines on sites for loading Google Analytics before consent (France's CNIL), not offering one-click reject (Spain's AEPD), and classifying marketing cookies as "strictly necessary" (Italy's Garante). All three are avoidable with a well-designed consent banner.

The consent banner doesn't operate alone. It needs to be backed by two documents:

Cookie Policy

  • Exhaustive list of the cookies you use, grouped by category
  • For each: name, purpose, duration, whether it's third-party (and whose)
  • How to disable them (including a link to the banner)

Privacy Policy referencing cookies

  • Section linking to the Cookie Policy
  • Specific legal basis (consent) for those that apply
  • Information on international transfers if providers are outside the EU (Google Analytics, Meta Pixel, etc.)

The elephant in the room: ePrivacy Regulation

We've spent years waiting for the ePrivacy Regulation (which would replace the 2002 directive) to enter into force. In 2026 it still has no date. The good news: when it arrives, it will simplify the current framework. The bad news: until then, you live in a dual system that each national authority interprets slightly differently.

Practical recommendation: implement against the strictest standard you know (typically France's CNIL) so that a new norm, when it arrives, brings little operational friction. The technical difference between a strict and a lax implementation is minimal; the difference when facing a sanction is enormous.

Quick checklist to validate your current setup

  1. Does the banner appear before loading any non-strict cookie? □ Yes / □ No
  2. Do "Accept" and "Reject" have the same visual weight? □ Yes / □ No
  3. Is there a permanent link to change preferences? □ Yes / □ No
  4. Is each acceptance logged with timestamp + policy version? □ Yes / □ No
  5. Does your Cookie Policy list all cookies with purpose, duration, third-party? □ Yes / □ No
  6. Does it meet CNIL requirements (strictest EU standard)? □ Yes / □ No

Four "No" or more = real regulatory risk. Zero or one = reasonable setup.

"Maintaining current cookie policies requires continuous effort as regulations evolve" (synthesis from the official GDPR.eu guide on cookies). The phrase seems obvious until the audit arrives.

Conclusion

Cookies are the most visible and most sanctioned regulatory matter in the EU. The difference between a site that passes inspection and one that pays a fine isn't having a consent banner: it's having it well implemented, with symmetric honesty, probative traceability, and ongoing maintenance. Doing it right the first time costs an afternoon; fixing it during proceedings costs months.

If you want to centralize Cookie Policy management, Privacy Policy, and consent banner with an SDK that logs which version each user accepted at each moment, Termerly is free and includes the consent banner SDK that many competitors charge separately.