
GDPR Cookie Consent in 2026: ePrivacy, Legitimate Interest, and What Actually Compliant Looks Like

The ePrivacy Regulation was withdrawn in February 2025. The CNIL fined Google €325M and Shein €150M in September 2025. The EDPB expanded the scope of Article 5(3) to pixels and fingerprinting. A practitioner's guide to GDPR cookie consent in 2026, grounded in the regulation text, the CJEU case law, and the enforcement actions that define the line.


On February 11, 2025, the European Commission formally withdrew the proposed ePrivacy Regulation after eight years of stalled negotiations. That matters more than the news coverage suggested. The practical consequence is that cookies in the EU continue to be governed by the ePrivacy Directive 2002/58/EC as amended, transposed differently by each Member State. Harmonization is not coming. The divergence and the enforcement intensity are both going to grow.

In 2025, the French CNIL fined Google €325M and Shein €150M in a single day for cookie violations. The EDPB expanded the scope of Article 5(3) to pixels, URL tracking, and fingerprinting. The Brussels Market Court of Appeal partially overturned the Belgian DPA's ruling on the IAB's Transparency and Consent Framework. The Commission fined Meta €200M under the Digital Markets Act for its consent-or-pay model. For teams running EU cookie compliance, 2026 is a substantially different regulatory environment than 2023 was.

This post is the working guide for that environment. It is written for privacy engineers, DPOs, and in-house counsel who need to defend an EU cookie implementation against the current case law, the current EDPB guidance, and the current DPA enforcement pattern. If you want the companion piece for California, see the CCPA Cookie Banner Requirements pillar. This post is Europe.

TL;DR. Seven things. (1) The ePrivacy Regulation is dead. Cookies are governed by the Directive plus national law. (2) ePrivacy Art. 5(3) requires prior consent for storage or access on terminal equipment, and legitimate interest under GDPR Art. 6 does not substitute. (3) EDPB Guidelines 2/2023 (final October 2024) expanded Art. 5(3) beyond cookies to pixels, URL tracking, IP-only tracking, and fingerprinting. (4) CJEU Planet49, Orange România, and Meta v. Bundeskartellamt set the valid-consent bar: affirmative action, burden of proof on the controller, dominant position is a relevant factor. (5) Reject must be as easy as accept per the EDPB Cookie Banner Task Force, now enforced through €100M+ CNIL fines. (6) Consent-or-pay on a large platform will in most cases not produce valid consent unless a free equivalent alternative is offered, per EDPB Opinion 08/2024. (7) TCF is legally operational after the May 2025 Brussels Market Court ruling, but compliance with TCF signals is not a safe harbor under GDPR.

The ePrivacy Regulation withdrawal and what it means

The European Commission's 2025 Work Programme, published February 11, 2025, formally withdrew the proposed ePrivacy Regulation, citing "no foreseeable agreement" and that "the proposal is outdated in view of some recent legislation in both the technological and the legislative landscape." Coverage in Hunton and TechCrunch captures the policy context.

The practical effect: cookies in the EU remain governed by the ePrivacy Directive 2002/58/EC as amended by Directive 2009/136/EC, which is transposed into each Member State's national law. France transposes it via Article 82 of the Data Protection Act. Italy via the Codice della Privacy. Germany via TDDDG. Enforcement, exemptions, and interpretive nuance all vary at the Member State level.

For compliance teams, this changes two things:

  • Harmonization is not coming. The Regulation would have created a single set of rules with direct effect across all Member States. Its withdrawal means national DPAs retain interpretive authority and will continue to diverge on specifics like analytics exemptions.
  • National enforcement gets more important. The CNIL, Garante, AEPD, the German state DPAs (with the BfDI for federal bodies and telecoms), and their analogs are the operative regulators. Their published opinions and fines are the real guidance.

The statutory architecture: GDPR vs. ePrivacy

This is the first-principles confusion that trips practitioners most often, and it matters because getting the lawful basis wrong is what gets sites fined.

GDPR Article 6 lists six lawful bases for processing personal data: consent, contract, legal obligation, vital interests, public task, and legitimate interests. For most data processing, you pick one.

ePrivacy Article 5(3) requires prior consent before storing or accessing information on a user's terminal equipment, with two narrow exemptions: strictly necessary for the transmission of a communication, or strictly necessary to provide a service the user has explicitly requested.

The relationship: ePrivacy is the lex specialis for terminal-device storage and access. When you drop a cookie, set a localStorage entry, or read a device fingerprint, Article 5(3) is the governing provision. Consent is the only lawful basis for that step (outside the exemptions). The other five GDPR Art. 6 bases, including legitimate interest, cannot substitute.

Once you have consent under Article 5(3) and have stored or accessed the data, any subsequent processing of that data is governed by GDPR Art. 6. You need a separate lawful basis for the processing step. In practice, that basis is usually consent again, because any other basis creates a conflict where the user revokes ePrivacy consent but the GDPR processing continues under legitimate interest. Most mature implementations align the two on consent.

The EDPB Guidelines 05/2020 on consent confirm this reading at § 3.1.1.

The "legitimate interest for analytics" myth

This is the single most common error I see in EU cookie implementations, and it is worth addressing explicitly.

The argument you will sometimes hear: "We don't need consent for analytics cookies because we can rely on legitimate interest under GDPR Art. 6(1)(f)."

The problem: ePrivacy Art. 5(3) applies to the storage/access step, regardless of the GDPR lawful basis for the downstream processing. Storing an analytics cookie is storage on terminal equipment. Reading it on subsequent pageviews is access. Both trigger Art. 5(3), which requires consent. Legitimate interest cannot cure the ePrivacy requirement.

This has been the EDPB's position since Guidelines 05/2020 and has been reaffirmed in the EDPB Guidelines 2/2023 on the Technical Scope of Article 5(3), finalized October 7, 2024. The 2/2023 Guidelines went further and expanded the scope of Art. 5(3) beyond traditional cookies to:

  • Pixel tracking (including cookie-less tracking pixels)
  • URL parameter tracking that persists identifiers
  • Local processing on the device that accesses terminal information
  • IP-only tracking (access to the IP address as device information)
  • Intermittent IoT reporting
  • Persistent unique identifiers in any form, including fingerprinting

The implication is significant: the "cookie-less" analytics tools that market themselves as exempt from cookie rules are probably not exempt under Art. 5(3) either, because Art. 5(3) applies to any storage or access on terminal equipment. The specific wording in the Directive is "storing of information, or the gaining of access to information already stored."

The narrow strictly-necessary exemption. Art. 5(3) exempts two cases:

  • Storage or access "for the sole purpose of carrying out the transmission of a communication." This covers what the connection itself needs, for example routing and load-balancing cookies.
  • Storage or access "strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service." This covers session and authentication cookies, shopping-cart state, and UI preferences the user actively set (the criteria in WP29 Opinion 04/2012 on the cookie consent exemption).

In practice, the exemption does not cover analytics, advertising, or personalization in most Member States.

The Member State exceptions that do exist. The CNIL (France), AEPD (Spain), and Garante (Italy) have carved out narrow exemptions for first-party, aggregate analytics under specific conditions. Matomo has been explicitly approved by the CNIL for consent-less deployment when configured to these specs. The Matomo CNIL FAQ has the details. These are jurisdiction-specific and not a pan-EU exemption. If you operate across multiple Member States, consent is the safe default.

What valid consent requires

The baseline is GDPR Article 4(11): "'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

And Article 7, on the conditions:

  • 7(1): The controller must be able to demonstrate that the data subject consented. This is the accountability obligation.
  • 7(3): The data subject has the right to withdraw consent at any time, and it must be as easy to withdraw consent as to give it.
  • 7(4): When assessing whether consent was freely given, "utmost account" is taken of whether performance of a contract is conditional on consent.

Recital 32: "Consent should be given by a clear affirmative act... This could include ticking a box when visiting an internet website... Silence, pre-ticked boxes or inactivity should not therefore constitute consent."

Recital 42: "Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment."

The CJEU cases that matter

Planet49 (Case C-673/17, October 1, 2019) established that pre-ticked boxes cannot constitute valid consent. The Court held that "consent which a website user must give to the storage of and access to cookies on his or her equipment by way of a pre-checked checkbox which that user must deselect to refuse his or her consent is not validly constituted." The same reasoning is why the EDPB treats continued browsing and scrolling as invalid: they are inaction, not a statement or a clear affirmative act.

Orange România (Case C-61/19, November 11, 2020) placed the burden of proof on the controller. The Court held that "it is for the data controller to demonstrate that the data subject has, by active behaviour, given his or her consent to the processing of his or her personal data." A pre-ticked consent clause in a signed contract was insufficient.

Meta v. Bundeskartellamt (Case C-252/21, July 4, 2023) held that dominant market position is a relevant factor in assessing whether consent is freely given, even though dominance does not automatically invalidate consent. Competition authorities can investigate GDPR breaches in dominance cases.

IAB Europe (Case C-604/22, March 7, 2024) confirmed that the TC String used in the IAB Transparency and Consent Framework is personal data under GDPR, and that IAB Europe is a joint controller only in relation to creation and use of TC Strings, not for downstream ad processing by TCF participants.

The EDPB Cookie Banner Task Force

The EDPB Cookie Banner Task Force Report, adopted January 17, 2023, is the coordinated DPA position on banner design. It is the primary operational reference for what passes and what does not. Key findings:

  • No "continued browsing = consent" (§ 3.3). Affirmed by Planet49.
  • No scrolling as consent (§ 7.11).
  • Asymmetric Accept vs. Reject is a dark pattern (§ 2.2). "Reject All" must be as prominent and as few clicks as "Accept All" on the first layer.
  • Pre-ticked legitimate-interest toggles invalid (§ 2.7).
  • Cookie walls generally not freely given (referenced in Guidelines 05/2020 § 3.1.2).
  • Immediate re-prompting after reject is a dark pattern (§ 2.4). Practical guidance converging across DPAs: no re-prompt for at least six months, or on material change.
  • Withdrawal as easy as giving (Art. 7(3)). The preference link must be as accessible as the banner.

The Task Force was set up in September 2021 to coordinate the DPAs' handling of the hundreds of cookie-banner complaints filed by noyb, and it produced the wave of coordinated banner investigations across Member States. Many of the 2024 and 2025 DPA fines trace back to its findings.

The EDPB Guidelines 03/2022 on Deceptive Design Patterns, finalized in February 2023, extended the dark-patterns analysis to other consent interactions. These guidelines use structured categories (Overloading, Skipping, Stirring, Obstructing, Fickle, Left in the Dark) that map directly onto common banner antipatterns.

The 2024-2025 enforcement record

The French CNIL is the most active cookie regulator in Europe. The September 2025 Google and Shein decisions were the turning point.

Google: €325M (September 1, 2025). Split €200M against Google LLC and €125M against Google Ireland. Violations: advertising inserted between Gmail messages without consent; cookies placed during Google account creation without valid consent; "it was more difficult to refuse cookies linked to personalised advertising than to accept them." Penalty of €100,000 per day for non-compliance within six months. CNIL press release.

Shein: €150M (September 1, 2025). Based on an August 2023 inspection. Violations: advertising cookies deposited before any user interaction; incomplete information on both banner layers; no third-party identities disclosed; clicking "Refuse all" still resulted in new cookies being placed; withdrawal did not stop existing cookie reads. CNIL press release.

Les Publications Condé Nast (vanityfair.fr): €750,000 (November 20, 2025). Cookies placed without consent. CNIL press release.

CNIL 2025 total: €486,839,500. Roughly nine times the €55M total for 2024. CNIL 2025 sanctions review. In 2024 specifically, eleven organizations were sanctioned for making refusal harder than acceptance.

Google historical fine trajectory: €100M (December 2020) → €150M (January 2022) → €325M (September 2025). The trend is upward.

AEPD (Spain) SEAT SA: €20,000 reduced to €12,000 (November 2024). Cookies placed automatically at session start without prior consent. Spain's underlying LSSI statute caps cookie fines, which explains the smaller number. Captain Compliance report.

Garante (Italy) continues to treat cookie compliance as a priority inspection area. Ediscom (€300,000, February 2023) was the first EU DPA decision formally sanctioning dark patterns in cookie banners as a standalone GDPR violation.

Consent or pay

The "consent or pay" model (accept tracking or pay a subscription) has been the most contested cookie-banner development of the last two years. The key document is EDPB Opinion 08/2024, issued April 17, 2024.

The Opinion addresses "large online platforms" specifically (Meta was the trigger). The central finding: "in most cases, it will not be possible for large online platforms to comply with the requirements for valid consent, if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee."

For consent to be valid under the consent-or-pay model, the Opinion lays out conditions:

  1. Controllers should consider providing a free equivalent alternative without behavioural advertising (e.g., with contextual ads).
  2. Fees must not be so high that they compel consent. Assessed on conditionality, detriment, imbalance of power, and granularity.
  3. Consent (even if valid on freely-given grounds) does not cure other compliance gaps: purpose limitation, minimization, lawful basis for any further processing.
  4. The fundamental right to data protection should not be transformed into "a feature that individuals have to pay to enjoy."

Meta's challenge. On June 14, 2024, Meta filed T-319/24 challenging the Opinion. The General Court dismissed the challenge in 2025, finding the Opinion was preparatory and non-binding under Art. 263 TFEU.

The DMA fine. Separately, on April 23, 2025, the European Commission fined Meta €200M under the Digital Markets Act (not GDPR) for non-compliance with DMA Art. 5(2). The binary consent/pay model failed to offer a "less personal data" alternative that was otherwise equivalent. It was one of the first two DMA non-compliance fines, announced alongside Apple's €500M fine the same day. Taylor Wessing analysis.

Meta's adjustment. In November 2024, Meta introduced a third "less personalised ads" free option and cut subscription prices 40% (€5.99/month web, €7.99 mobile).

National DPA divergence. The CNIL has taken a case-by-case position, supporting proportionate subscription fees with informed consent. The UK ICO, in its January 23, 2025 guidance, is more permissive: consent or pay is possible in principle under UK GDPR and PECR, but requires a documented case-specific assessment.

The practical guidance: if you are considering a consent-or-pay model, the risk is concentrated if you are a very large platform (likely a gatekeeper under DMA) and diminished if you are a small publisher. Even then, offering a third "reduced personalization" option materially improves defensibility.

TCF v2.2, v2.3, and the IAB case

The IAB Europe Transparency and Consent Framework (TCF) is the most common industry framework for communicating consent signals to downstream ad-tech. Its legal status has been unsettled for several years and is now partially resolved.

Timeline: TCF v2.2 launched May 16, 2023, with a compliance deadline extended to November 20, 2023. TCF v2.3 launched April 2025 to resolve legitimate-interest ambiguity; TCF participants have until February 28, 2026 to adopt v2.3.

Belgian APD decision (February 2022): The Belgian DPA fined IAB Europe €250,000 and declared the TCF unlawful, holding the TC String was personal data and IAB Europe a joint controller for all TCF-based processing.

CJEU C-604/22 (March 7, 2024): The Court confirmed the TC String is personal data, but limited IAB Europe's joint-controller status to the creation and use of TC Strings, not to downstream processing by TCF participants.

Brussels Market Court of Appeal (May 14, 2025): Partially annulled the APD's February 2022 decision. The Court found the APD's analysis insufficient to treat the TC String as personal data without more specific reasoning on identifiability. It upheld joint-controller status only for TC String creation and use. Belgian DPA statement.

Practical effect in 2026: TCF is legally operational. CMPs implementing it can continue to do so. But TCF compliance is not a GDPR safe harbor. The underlying obligations (valid consent, symmetrical choice, reject-as-easy-as-accept, pixel-level respect for the signal) still apply. The TC String is a technical artifact for communicating consent state; it does not discharge the controller's substantive obligations.

Google Consent Mode v2

Consent Mode v2 has been mandatory for advertisers using Google Ads, Google Analytics 4, Floodlight, or Google Tag for EEA and UK traffic since March 6, 2024. Without it, remarketing audiences and conversion tracking for EEA users stop working. Google Tag Manager Help 13695607.

The four consent signals:

  • ad_storage
  • analytics_storage
  • ad_user_data
  • ad_personalization

Basic vs. Advanced mode. Basic blocks all Google tags until consent is granted. Advanced fires "cookie-less pings" with consent signals pre-consent to feed Google's conversion modeling.

The GDPR concern with Advanced mode. The cookie-less pings still constitute processing of personal data (IP address, timestamp, URL are transmitted) and arguably involve access to terminal equipment (reading page state). Under ePrivacy Art. 5(3), access to terminal information triggers the consent requirement. The question of whether Advanced mode pings are compliant pre-consent has not been formally decided by any major DPA, but the conservative privacy-counsel position is that they are not, and Basic mode is safer for EEA traffic. Google's public position treats Advanced mode as lawful without prior consent.

Consent Mode v2 is a technical enabler, not a compliance substitute. Implementing it correctly helps you respect your users' consent; it does not discharge your obligation to obtain consent validly.

A full technical walkthrough, including race conditions, region-specific defaults, and the interaction with GPP, lives in the Google Consent Mode v2 + GPC + GPP unified implementation guide.
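What the Basic-mode pattern looks like in practice, as an added example that is not Google's snippet, not any CMP's code, and not part of the unified guide linked above. It simulates the dataLayer and the script injection so it runs under Node without a browser; the CMP decision shape ({analytics, marketing}), the placeholder tag ID 'G-XXXXXXX', the 500 ms wait_for_update, and the region list (EU-27, EEA, UK) are assumptions, not values from this page.

```javascript
// Added example (not Google's snippet, not a CMP's code): Basic-mode Consent
// Mode v2 wiring, simulated so it runs under Node without a browser.
// Assumptions not taken from the page: the CMP reports a decision as two
// booleans {analytics, marketing}; 'G-XXXXXXX' is a placeholder tag ID; the
// region list is EU-27 + EEA + UK.

const EEA_UK_REGIONS = [
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU',
  'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES',
  'SE',             // EU-27
  'IS', 'LI', 'NO', // EEA non-EU
  'GB',             // UK GDPR / PECR
];

// Stand-ins for window.dataLayer and <script> injection. Google's real
// bootstrap works the same way: gtag() pushes its arguments onto the
// dataLayer and gtag.js drains the queue once it loads.
let dataLayer = [];
let loadedScripts = [];
function gtag() { dataLayer.push(Array.from(arguments)); }
function reset() { dataLayer = []; loadedScripts = []; }

// Step 1: consent defaults MUST be the first thing on the dataLayer. Denied
// for EEA/UK (prior consent under ePrivacy Art. 5(3)); wait_for_update holds
// tags for 500 ms so a stored choice from the CMP can arrive first. The
// region-specific default takes precedence over the catch-all default.
function setConsentDefaults() {
  gtag('consent', 'default', {
    ad_storage: 'denied',
    analytics_storage: 'denied',
    ad_user_data: 'denied',
    ad_personalization: 'denied',
    region: EEA_UK_REGIONS,
    wait_for_update: 500,
  });
  gtag('consent', 'default', {
    ad_storage: 'granted',
    analytics_storage: 'granted',
    ad_user_data: 'granted',
    ad_personalization: 'granted',
  });
}

// Map the CMP category decision onto the four Consent Mode v2 signals.
// Assumption: the "marketing" category covers ad storage, user-data sharing
// and personalization; a site that shows those separately on layer two maps
// each toggle on its own. Anything but an explicit true is denied.
function signalsFromCategories({ analytics, marketing }) {
  const v = (b) => (b === true ? 'granted' : 'denied');
  return {
    analytics_storage: v(analytics),
    ad_storage: v(marketing),
    ad_user_data: v(marketing),
    ad_personalization: v(marketing),
  };
}

// In the browser this is document.createElement('script') + append; here it
// just records the URL. Returns true only the first time.
function loadGtagOnce(tagId) {
  const src = `https://www.googletagmanager.com/gtag/js?id=${tagId}`;
  if (loadedScripts.includes(src)) return false;
  loadedScripts.push(src);
  return true;
}

// Step 2: apply the user's choice. The 'update' goes on the dataLayer first,
// then (Basic mode) gtag.js is injected only if some storage was granted, so
// a "Reject all" leaves no Google code running and no pre-consent pings. On
// later pageviews, replay the stored decision through this same function.
function applyDecision(decision, tagId = 'G-XXXXXXX') {
  const signals = signalsFromCategories(decision);
  gtag('consent', 'update', signals);
  const anyStorage =
    signals.analytics_storage === 'granted' || signals.ad_storage === 'granted';
  if (anyStorage) loadGtagOnce(tagId);
  return signals;
}

// Walk-through: page load, then the user accepts analytics but rejects marketing.
setConsentDefaults();
applyDecision({ analytics: true, marketing: false });
```

The order is the whole point: defaults before any tag, the update before the script, and no script at all on a rejection. Advanced mode would inject gtag.js unconditionally after the defaults and rely on the cookieless pings, which is the configuration the conservative position above avoids for EEA traffic.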

The banner design checklist

Applying all of the above to the banner itself, the compliant pattern is:

First layer:

  • Clear, concise description of processing purposes (not just "we use cookies")
  • Link to the full privacy and cookie policy
  • Two equally-prominent buttons: "Accept All" and "Reject All", same visual weight, same click distance, same color prominence
  • No pre-ticked boxes for any non-essential category
  • No scroll or continued-browsing as consent

Second layer (granular preferences):

  • Categories listed with clear descriptions (strictly necessary, functional, analytics, marketing, personalization)
  • Toggles default to off for all non-essential categories
  • Per-vendor detail available (especially for TCF-participating ad-tech)
  • Legitimate interest columns, where shown, are not pre-ticked and are clearly distinguished from consent columns
  • Save button applies the preferences exactly as selected

Persistent access:

  • A persistent preferences link (typically a small floating button or footer link) that allows the user to reopen the banner at any time to modify consent
  • Withdrawal of consent must be as easy as giving it per Art. 7(3)

No re-prompting:

  • After a user rejects, no re-prompt for at least six months (industry-converged interpretation of the Cookie Banner Task Force's dark-pattern analysis)
  • Re-prompt on material change to processing purposes or vendor list is acceptable

Accessibility:

  • WCAG 2.1 AA compliance. Screen-reader labels, keyboard navigation, color contrast, ARIA roles. This is an underappreciated requirement that regulators are starting to cite.

Consent logging:

  • Timestamp (ISO 8601 with timezone)
  • Pseudonymous user or session identifier
  • Per-purpose consent state (JSON or TCF TC String)
  • Notice version (hash of the displayed text)
  • CMP vendor and policy version
  • Language locale
  • Retention: as long as consent is active plus the statutory limitation period (three to six years typical)

FAQ

Does GDPR still apply to cookies now that the ePrivacy Regulation is dead?

Yes. GDPR applies to any processing of personal data. ePrivacy Directive 2002/58/EC (as amended) applies to storage and access on terminal equipment. The Directive is fully in force, transposed into national law across all Member States. The Regulation that would have replaced the Directive is what was withdrawn; the Directive remains.

Can I rely on legitimate interest for analytics cookies?

Not as a substitute for ePrivacy consent. Storing or reading an analytics cookie requires consent under Article 5(3) regardless of the GDPR lawful basis for subsequent processing. Some Member States (notably France, Italy, Spain) have narrow exemptions for first-party, aggregate analytics tools configured to specific specs. These are not pan-EU.

EDPB Guidelines 2/2023 (October 2024) expanded the scope of Article 5(3) to any storage or access on terminal equipment, not just cookies. Tools that don't set cookies but do access terminal information (IP address, page state, user agent) are arguably in scope. The conservative position is that consent is required unless a specific Member State has explicitly carved out the tool.

Is "Accept All / More Options" compliant if "Reject All" is in the second layer?

No. The EDPB Cookie Banner Task Force found this pattern violates the symmetry requirement. Reject All must be on the same layer and of equal prominence as Accept All. A second-layer reject is asymmetrical and a dark pattern.

What if my site is US-based and I only have some EU traffic?

GDPR applies if you target the EU market, monitor EU users' behavior, or offer goods and services to EU residents. If you run a global site with EEA visitors and you use any analytics, advertising, or cross-site tracking, GDPR and ePrivacy will generally apply to those visitors. The pragmatic pattern for mixed-region traffic is region-aware consent: GDPR-style prior consent for EEA/UK, CCPA-style symmetrical opt-out for California, baseline notice elsewhere.

Are cookie walls allowed?

Per EDPB Guidelines 05/2020 § 3.1.2, a cookie wall that conditions access on consent is generally not freely given and therefore not valid. National variation exists; some Member States permit cookie walls on news media sites under strict conditions. The default assumption should be that a cookie wall is invalid.

How long before I can re-prompt after a user rejects?

The regulation doesn't prescribe a period, but the EDPB Cookie Banner Task Force found that immediate re-prompting is a dark pattern. Industry convergence is at least six months, or on material change to processing. Re-prompting on every session or every week is the pattern that draws DPA attention.

Does the IAB TCF make my site GDPR-compliant?

No. The TC String is a way to communicate consent signals to downstream ad-tech. TCF implementation does not discharge the substantive obligations of obtaining valid consent in the first place. The CJEU's IAB Europe decision and the May 2025 Brussels Market Court ruling both distinguish between the TCF signaling mechanism and the underlying consent validity.

What do I actually log to satisfy Article 7(1)?

At minimum: timestamp with timezone; pseudonymous user/session identifier; per-purpose consent state; the version of the notice shown to the user; CMP vendor and policy version; language locale. Retain as long as consent is active plus the applicable statutory limitation period (typically three to six years).

Can GDPR and CCPA obligations conflict on the same site?

They can, if you run a single consent banner globally. If your US traffic triggers CCPA or similar obligations and you also have EEA traffic under GDPR, your banner logic needs to handle both regimes. The cleanest pattern is region-aware behavior: GDPR-style prior consent for EEA/UK, symmetrical opt-out with GPC for California, and whatever applies elsewhere. The US state privacy law tracker covers the state-by-state picture.

Where to go from here

If your EU cookie implementation hasn't been re-audited since before October 2024 (when EDPB Guidelines 2/2023 were finalized) or before September 2025 (when the CNIL's Google and Shein fines reshaped enforcement expectations), the single most valuable action is a fresh audit. Start with the reject-as-easy-as-accept test on the first layer, then the no-cookies-before-consent test on the initial pageview, then the withdrawal-as-easy-as-giving test on the preferences link.

For the orchestration of Consent Mode v2, GPC, and GPP, see the unified implementation guide. For the California counterpart, see the CCPA Cookie Banner Requirements pillar. For the multi-state US picture, see the US state privacy law tracker.

If you want a practitioner's read on where your current EU implementation sits against the 2024-2025 CNIL enforcement pattern and the EDPB 2/2023 expanded scope, Consenteo's engineering team has built this exact layer for 200+ corporate sites across major European jurisdictions. Get in touch for a fast review.
