In 2026, cookies remain one of the most heavily scrutinised areas of data protection enforcement across the European Union. The CNIL (France’s data protection authority) has been at the forefront, issuing landmark fines and detailed guidelines since October 2020. But the issue extends far beyond France: under the GDPR and the ePrivacy Directive 2002/58/EC, every website accessible within the EU must comply with strict cookie consent rules. With fines reaching up to 20 million euros or 4% of global annual turnover, a compliant cookie policy is no longer optional — it is a legal necessity.
The Legal Framework for Cookies in the EU
Cookie regulation rests on two pillars: the ePrivacy Directive 2002/58/EC and the GDPR. The ePrivacy Directive establishes the principle that storing information or accessing information already stored on a user’s terminal equipment requires prior consent, with limited exceptions. Each EU member state has transposed this directive into national law — in France through Article 82 of the Informatique et Libertés Act.
The CNIL’s guidelines of 1 October 2020, supplemented by its recommendation of 17 September 2020, set out the detailed requirements for valid consent. These guidelines have become a de facto reference across the EU, with other data protection authorities adopting similar positions.
The GDPR (Articles 5, 6 and 7) governs the conditions for valid consent: it must be freely given, specific, informed and unambiguous. Article 13 requires that users receive comprehensive information about data processing linked to cookies. To check whether your website falls under these obligations, see our complete guide on who is actually affected by GDPR.
Types of Cookies and Their Rules
Not all cookies are subject to the same requirements. The CNIL and other EU data protection authorities distinguish clearly between two categories:
Cookies Exempt from Consent
Certain cookies are strictly necessary for the website to function and do not require consent. These include session cookies (shopping cart, authentication), language preference cookies, server load-balancing cookies, and audience measurement cookies when configured so as not to allow cross-site tracking (such as a restricted Matomo or AT Internet configuration).
Cookies Requiring Explicit Consent
Prior consent is mandatory for advertising and targeting cookies, social media cookies (share buttons, embedded widgets), navigation analysis cookies used for commercial purposes (Google Analytics in its standard configuration), content personalisation cookies based on user profiles, and third-party tracking pixels.
A fundamental point emphasised by the CNIL and confirmed by other EU authorities: simply continuing to browse a website does not constitute valid consent. The user must take a clear, positive action for each processing purpose.
The Compliant Cookie Banner: What Is Required
The cookie banner is the mechanism through which you collect user consent. EU data protection authorities impose precise requirements for it to be considered compliant:
Inform the user clearly: the banner must mention the purposes of cookies, the identity of the data controllers (or a link to the full list), and the ability to accept or refuse.
Offer a genuine choice: the “Refuse” (or “Continue without accepting”) button must be as visible and accessible as the “Accept” button. The CNIL has fined numerous companies for deceptive designs where refusal was deliberately made more difficult.
Enable granular consent: the user must be able to accept or refuse cookies purpose by purpose (advertising, analytics, social media, etc.), either directly from the first screen or via a second level accessible in one click.
Do not deploy cookies before consent: non-essential cookies must not be set until the user has given their agreement. The loading of third-party scripts (Google Analytics, Facebook Pixel, etc.) must be conditional on consent.
Retain proof of consent: you must be able to demonstrate that the user consented, when, and for which purposes. The validity period for consent is a maximum of 13 months according to the CNIL recommendation.
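As an added illustration (not code from the original article or from any product it mentions), the following JavaScript sketches the consent gate the requirements above describe: no non-essential tag loads until the user has chosen, choices are recorded per purpose with refusal as the default, the stored record doubles as proof of consent, withdrawal is one call, and consent is treated as absent after 13 months. The storage shape, purpose names and tag list are assumptions.

```javascript
// Added example, not from the original article: a per-purpose consent store that
// keeps non-essential tags from loading until the user has chosen, records proof
// of the choice, and re-asks after 13 months. Storage, purposes and tags are assumed.
const CONSENT_MAX_AGE_MS = 13 * 30 * 24 * 60 * 60 * 1000; // CNIL: validity capped at 13 months
const PURPOSES = ["analytics", "advertising", "social"];   // assumed purpose names
const CONSENT_KEY = "cookie_consent_v1";                   // assumed storage key

// Storage with localStorage's getItem/setItem/removeItem shape, usable outside a browser.
function createMemoryStorage() {
  const m = new Map();
  return { getItem: (k) => (m.has(k) ? m.get(k) : null),
           setItem: (k, v) => m.set(k, String(v)), removeItem: (k) => m.delete(k) };
}

// `now` is injectable so expiry can be checked deterministically.
function createConsentStore(storage, now = () => Date.now()) {
  function read() {                                  // proof record or null; never writes
    const raw = storage.getItem(CONSENT_KEY);
    if (raw === null) return null;
    const rec = JSON.parse(raw);
    if (now() - rec.timestamp > CONSENT_MAX_AGE_MS) { // stale consent counts as no consent
      storage.removeItem(CONSENT_KEY);
      return null;
    }
    return rec;
  }
  function save(choices) {                           // banner result: per-purpose booleans
    const rec = { timestamp: now(), choices: {} };
    for (const p of PURPOSES) rec.choices[p] = choices[p] === true; // unmentioned = refused
    storage.setItem(CONSENT_KEY, JSON.stringify(rec));
    return rec;
  }
  const isAllowed = (purpose) => { const r = read(); return r !== null && r.choices[purpose] === true; };
  const withdraw = () => storage.removeItem(CONSENT_KEY); // must be as easy as giving consent
  const acceptAll = () => save(Object.fromEntries(PURPOSES.map((p) => [p, true])));
  const refuseAll = () => save({});
  return { read, save, isAllowed, withdraw, acceptAll, refuseAll };
}

// Tags are declared by purpose; `loader` is injected (in a browser: append a <script src>).
// Returns the URLs actually loaded so the gate can be verified.
function loadConsentedTags(store, tags, loader) {
  const loaded = [];
  for (const tag of tags) {
    if (store.isAllowed(tag.purpose)) { loader(tag.src); loaded.push(tag.src); }
  }
  return loaded;
}
```

In a real page the banner's buttons call `acceptAll`, `refuseAll` or `save` with the per-purpose choices, and `loadConsentedTags` runs only afterwards, with a loader that appends the script tag.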
What Your Cookie Policy Must Contain
Beyond the banner, the cookie policy is a separate document that details your entire cookie practice. Under GDPR Articles 12 and 13, it must include:
- The identity and contact details of the data controller
- An exhaustive list of cookies used (name, purpose, lifespan, issuer)
- The purposes of each cookie, described clearly and comprehensibly
- The legal basis for processing (consent for non-essential cookies, legitimate interest for technical cookies)
- The recipients of collected data (advertising partners, analytics tools, etc.)
- Any transfers of data outside the EU
- Data retention periods
- User rights (access, rectification, erasure, objection) and how to exercise them
- How to manage cookies (how to modify or withdraw consent)
This policy must be permanently accessible, typically via a footer link, and must be separate from your privacy policy, even though the two documents complement each other.
The Most Common Mistakes
Many websites still make errors that expose them to enforcement action:
The “cookie wall” without an alternative. Blocking access to the website if the user refuses cookies is generally considered non-compliant, as it undermines the freely given nature of consent. Limited exceptions exist for press websites offering a paid subscription alternative.
Deceptive design (dark patterns). A brightly coloured “Accept all” button paired with a discreet grey “Settings” link constitutes a dark pattern. Data protection authorities require equivalent visibility for acceptance and refusal options.
No option to withdraw consent. The user must be able to withdraw consent at any time, as easily as it was given. A permanent link to cookie settings (often via a small widget at the bottom of the page) is essential.
Deploying cookies before consent. Many websites load Google Analytics, Facebook Pixel, or other trackers as soon as the page loads, before any interaction with the banner. This is a direct violation of ePrivacy rules.
Confusing the cookie policy with the legal notice. These are distinct documents serving different legal obligations. One does not replace the other.
Sanctions: What You Risk
Data protection authorities across the EU have a range of sanctions proportionate to the severity of the infringement:
Formal notices: the authority can order compliance within a set period, typically 1 to 3 months. This is often the first step, but it is made public and can damage your reputation.
Administrative fines: under the GDPR, fines can reach 20 million euros or 4% of global annual turnover. The CNIL has imposed significant fines for cookie-related infringements, affecting major corporations and SMEs alike. For a comprehensive overview of notable sanctions, see our ranking of the 15 largest CNIL fines.
Injunctions: the authority can order the immediate cessation of non-compliant processing, which may require disabling all your analytics and advertising tools.
Penalty payments: in case of non-compliance with an injunction, penalties of up to 100,000 euros per day of delay can be imposed.
In 2026, enforcement actions are more frequent than ever, with thematic campaigns specifically targeting cookie practices. Complaints filed by users through data protection authority websites also serve as a significant trigger for investigations.
How to Get Compliant: Your Options
Hire a specialised lawyer (300-800 euros): a digital law specialist will draft a bespoke cookie policy and can audit your consent banner. This is the most personalised solution, but the cost is high and the turnaround is several weeks. It is best suited for high-traffic websites or those with complex data processing.
Use free online templates (0 euros but risky): cookie policy templates exist, but they are rarely up to date with the latest regulatory requirements and need 3-5 hours of customisation. Without technical expertise, it is difficult to compile the exact list of cookies deployed by your site.
Use generic AI (ChatGPT, Claude) (0 euros + lawyer review 150-300 euros): these tools can produce a first draft, but a cookie policy requires precise technical information (cookie list, lifespans, third-party scripts) that AI cannot know without a prior audit. Legal review remains necessary.
Use specialised legal AI (14.90-19.90 euros): solutions like WebLegal.ai generate a compliant cookie policy in minutes by guiding you through the right questions. The document covers GDPR and ePrivacy requirements, includes a structured list of cookies by purpose, and is ready to publish. For complete protection, combine it with the 4 essential legal documents for your website.
Conclusion
A cookie policy and a compliant consent banner are no longer optional in 2026: they are legal obligations whose non-compliance exposes you to substantial fines and significant reputational risk. With increased enforcement across the EU, every website must have a compliant banner and a complete, up-to-date cookie policy. Do not wait for an investigation to catch you off guard — ensure your compliance today.