GDPR Cookie Consent Requirements 2026: What US Companies Must Implement

Last updated: 2026-05-04 — ComplianceStack Editorial Team

Cookie consent is the front door of GDPR compliance for most websites. If your site serves EU residents and you use analytics, advertising, or personalization cookies, you need a valid consent mechanism — not a banner that nudges visitors toward acceptance, not pre-ticked boxes, not a consent wall that denies access to users who decline. Regulators in France, Spain, Germany, and the Netherlands have issued hundreds of cookie enforcement actions since 2022. The standard for valid cookie consent under GDPR Article 7 is specific, and most consent management platforms ship with configurations that fail it. This guide covers what valid consent requires, how to classify your cookies, and what enforcement trends look like heading into 2026.

Cookie Categories and When Consent Is Required

Not all cookies require consent under GDPR. The legal basis for cookie processing depends on cookie purpose:

Strictly Necessary Cookies: Cookies without which the service the user asked for cannot work: session management, shopping cart contents, authentication, load balancing, CSRF and other security tokens. These are exempt from the consent requirement because ePrivacy Article 5(3) excludes storage that is "strictly necessary in order to provide an information society service explicitly requested by the subscriber or user". Any personal data they process still needs a GDPR lawful basis (typically contract or legitimate interest), but not consent. The exemption is read narrowly: analytics cookies are not strictly necessary, and regulators have rejected broad definitions.

Functional/Preference Cookies: Cookies that remember user preferences: language settings, region selections, layout preferences. A preference the user actively chose (a language picked from a selector, for example) can fall within the Article 5(3) exemption; CNIL lists such interface-personalization cookies among its exempt categories. Preference cookies set without the user asking, or reused for tracking or profiling, do not qualify. The safer approach for GDPR compliance is to include them in the consent request.

Analytics and Performance Cookies: Third-party analytics (Google Analytics, Mixpanel, Hotjar) and session-recording tools require consent under ePrivacy Article 5(3), and the subsequent processing of the collected data needs a GDPR lawful basis on top of that. Legitimate interest is not an alternative to Article 5(3) consent. What some national authorities offer instead is a narrow exemption for first-party audience measurement; CNIL's version requires, among other conditions, that the tool serve only the site operator, produce aggregate statistics only, perform no cross-site tracking and truncate IP addresses. If you rely on such an exemption, document it (including a Legitimate Interest Assessment for the GDPR side) and check it against each jurisdiction you serve.

Marketing and Advertising Cookies: All remarketing, behavioral advertising, and cross-site tracking cookies require explicit consent. No alternative legal basis is accepted by most EU data protection authorities for advertising trackers. This includes Google Ads remarketing pixels, Meta Pixel, and LinkedIn Insight Tag.

For the full GDPR legal basis framework including consent alternatives, see the GDPR Compliance for US Companies 2026.

Valid Consent Under GDPR Article 7 and Recital 32

GDPR Article 7 sets the conditions for valid consent. Article 4(11) defines consent as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

Freely Given: Consent must not be the price of access. EDPB Guidelines 05/2020 on consent state that a cookie wall, where access is conditional on accepting trackers, does not offer the genuine choice that freely given consent requires, and the Dutch DPA (AP) has taken the same position since 2019. The EDPB's Opinion 08/2024 on "consent or pay" models of large online platforms accepts a paid alternative only where users have a real, equivalent choice, and states that in most cases a bare binary choice between paying and consenting will not satisfy that test. Consent cannot be bundled with terms-of-service acceptance.

Specific: Consent must be obtained for each specific purpose separately. A single checkbox for "all cookies" does not satisfy specificity if it covers both analytics and advertising. Users must be able to accept analytics while declining advertising.

Informed: Users must understand who is processing their data, for what purposes, and for how long before consenting. Every controller that will rely on the consent, including third parties receiving data through the cookie, must be named, not just described by category.

Unambiguous Indication: Pre-ticked boxes are prohibited (Recital 32). Consent by scrolling or browsing the page is insufficient. A clear affirmative action is required — clicking an "Accept" button or checking an unchecked box.

Withdrawal must be as easy as giving consent: Under Article 7(3), users must be able to withdraw consent at any time, and withdrawal must be as easy as giving it. If acceptance is one click, withdrawal must also be one click — not a buried settings menu after three navigation steps.

See the GDPR Framework Overview for the complete legal basis framework.

Cookie Banner Requirements: What Compliant Looks Like

Based on enforcement decisions from CNIL (France), AP (Netherlands), Garante (Italy), AEPD (Spain), and the ICO (UK), a GDPR-compliant cookie banner must:

Present Accept and Reject options at equal prominence: CNIL's 2022 enforcement against Google and Facebook specifically cited the absence of an easy-to-find "Refuse All" option at the same level as "Accept All." Reject must not require navigating to a second level. If "Accept All" is a prominent button, "Reject All" must be equally prominent.

Not use dark patterns: Greying out the Reject button, using a smaller font for decline options, or misleading labels ("Allow" next to "Learn More" where "Reject" belongs) are deceptive design patterns. EDPB Guidelines 03/2022 on deceptive design patterns in social media platform interfaces treat them as invalidating consent, and national authorities apply the same reasoning to cookie banners.

Name third-party controllers: The banner must disclose the identities of third parties who will process data — not just categories. Listing "advertising partners" without naming Google Ads, Meta, The Trade Desk, etc. does not meet the specificity requirement.

Store consent evidence: GDPR Article 7(1) places the burden of proof on the controller to demonstrate that consent was obtained. Consent records must include: timestamp, user identifier (session or cookie ID), the version of the consent notice shown, and which purposes were accepted or declined.

Reconsent when purposes change: If you add new analytics tools or advertising partners, you must obtain fresh consent for those new processors. Banner version management is critical for compliance documentation.

For US-based companies whose sites receive EU traffic, these requirements apply regardless of where the company is incorporated. See the GDPR for US Companies guide for the full extraterritorial scope analysis.

The ePrivacy Directive and Its Relationship to GDPR

Cookie consent in the EU actually derives from two overlapping legal instruments: GDPR governs the personal data processing aspects, while the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) specifically governs cookies and similar tracking technologies.

Article 5(3) of the ePrivacy Directive requires "prior informed consent" before storing or accessing information on a user's terminal equipment — including cookies, device fingerprinting, pixel trackers, and localStorage. This applies to all stored information, not just personal data under GDPR.

Relationship between ePrivacy and GDPR: For cookies that process personal data, both ePrivacy Article 5(3) and GDPR apply. Where both apply, the stricter standard governs. ePrivacy consent aligns with GDPR consent — freely given, specific, informed, and unambiguous.

ePrivacy Regulation (withdrawn): The Commission proposed a replacement ePrivacy Regulation in 2017 that would have harmonized cookie consent rules across member states and applied directly, without national transposition. After years of stalled negotiations, the Commission listed the proposal for withdrawal in its 2025 work programme. The 2002 Directive therefore remains in force, transposed differently in each member state, which is why enforcement standards vary across EU jurisdictions.

UK PECR: Following Brexit, the UK's Privacy and Electronic Communications Regulations (PECR) implement the ePrivacy Directive requirements for UK visitors. The ICO enforces PECR separately from UK GDPR. US companies with UK traffic must satisfy both UK GDPR and PECR requirements.

Major Cookie Consent Enforcement Actions (2022-2026)

Regulators have issued significant fines for cookie consent failures:

Google (CNIL, France, January 2022): €150 million (€90 million for Google LLC and €60 million for Google Ireland) for making refusal harder than acceptance and for explaining cookie purposes unclearly; "Refuse All" took several clicks where "Accept All" took one. CNIL acted under Article 82 of the French Data Protection Act, its transposition of ePrivacy Article 5(3), rather than under GDPR Article 7, which is also why the case did not go through the GDPR one-stop-shop mechanism.

Facebook/Meta (CNIL, France, 2022): €60 million for the same deficiency — no equivalent "Refuse All" button at the first level of the cookie consent interface.

TikTok (ICO, UK, 2023): £12.7 million under UK GDPR for processing the personal data of children under 13 without parental consent. It is primarily a children's-data case rather than a cookie-banner case, but the decision shows that when age verification fails, any consent gathered through the same flow, including consent for trackers, fails with it.

Microsoft (German State DPAs, 2022-2023): Multiple investigations into Microsoft Clarity behavioral analytics tool deployed without adequate consent on German government websites.

Google Analytics (Austrian DSB, January 2022; CNIL, February 2022): Both regulators found that Universal Analytics transferred personal data to Google LLC in the US without adequate safeguards after Schrems II, a Chapter V transfer failure rather than a consent failure. Google's retirement of Universal Analytics in 2023 forced the move to GA4 independently of these decisions; what changed the transfer analysis was the EU-US Data Privacy Framework adequacy decision of July 2023, under which Google LLC is certified, with Standard Contractual Clauses as the fallback mechanism.

For a complete view of GDPR enforcement trends and penalty ranges, see the GDPR for US Companies guide and the Real Cost of Non-Compliance 2026.

What US Companies Must Do for EU Cookie Compliance

If your website serves EU or UK residents — whether you intend to or not — GDPR applies to the personal data collected through cookies. Required steps for US-based companies:

Cookie Audit: Inventory every cookie and tracker your site drops. Use browser developer tools or cookie scanning tools (OneTrust, Cookiebot, CookieYes) to identify all first-party and third-party cookies. Classify each by purpose: strictly necessary, functional, analytics, advertising.

Consent Management Platform (CMP): Deploy a CMP that generates a GDPR-compliant banner. Leading CMPs include OneTrust, Cookiebot (Cybot), TrustArc, and Didomi. Configure with equal-prominence Accept/Reject buttons, granular purpose categories, and named third-party processors.

Block cookies until consent: The CMP must actually stop non-essential scripts from executing before the user decides. Many implementations show the banner while the analytics and advertising tags load in parallel, so cookies are already set before any choice is made; that is invalid consent and the pattern most cookie enforcement actions begin from. Verify it yourself: open the site in a fresh browser profile, leave the banner untouched, and inspect the storage tab and the network log. No non-essential cookie and no request to an analytics or advertising host should appear until after an affirmative choice.

Data Processing Agreement with CMP vendor: Your CMP vendor stores and processes consent records on your behalf, which makes it a processor under GDPR Article 28 ("business associate" is HIPAA vocabulary and has no GDPR meaning). Ensure an Article 28-compliant Data Processing Agreement (DPA) is in place. For the full DPA requirements, see the GDPR DPA Template Guide.

Google Analytics configuration: GA4 has no IP-anonymization switch because, unlike Universal Analytics, it does not log or store IP addresses. What you configure instead is Google Consent Mode: push default "denied" signals (analytics_storage, ad_storage, ad_user_data, ad_personalization) to the data layer before the tag loads, and send an update only after the user's choice. Leave Google Signals (cross-device and ads-personalization features) off unless advertising consent is given, set event data retention to the shortest option, and cover the transfer to Google LLC under the EU-US Data Privacy Framework, with Standard Contractual Clauses as the fallback. Use the Compliance Gap Analyzer to assess your current GDPR data transfer compliance posture.
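The steps above (store consent evidence, re-consent when the notice changes, block tags until a choice is made, and set Consent Mode defaults before the GA4 tag loads) fit together in one small piece of browser code. The following is an added example written for this guide; it is not ComplianceStack's code and not any CMP vendor's SDK. The purpose names, the tag inventory, the placeholder measurement ID, the notice version string and the session-id scheme are illustrative assumptions; the Consent Mode signal names and the data-layer bootstrap are Google's documented ones.

```javascript
// Added example (not ComplianceStack's or any CMP vendor's code): a minimal consent gate
// for a site running GA4 and an advertising pixel. Purposes, tags and IDs are assumed.
"use strict";

const NOTICE_VERSION = "banner-v2.3"; // bump whenever purposes or named vendors change

// Non-essential tags keyed by consent purpose. Vendor names are the ones the banner
// must show; loader URLs are the vendors' documented ones; G-XXXXXXX is a placeholder.
const TAGS = {
  analytics: [{ vendor: "Google Analytics 4", src: "https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX" }],
  advertising: [{ vendor: "Meta Pixel", src: "https://connect.facebook.net/en_US/fbevents.js" }],
};

// Map a per-purpose decision onto Google Consent Mode v2 signals.
function consentModeSignals(choices) {
  const a = choices.analytics ? "granted" : "denied";
  const m = choices.advertising ? "granted" : "denied";
  return { analytics_storage: a, ad_storage: m, ad_user_data: m, ad_personalization: m };
}

// deps.loadScript(src) injects a <script> element; deps.now() returns ms since epoch;
// deps.subjectId is the first-party session/cookie id the consent record is keyed on.
// Injecting these keeps the gate testable outside a browser.
function createConsentGate(deps) {
  const dataLayer = [];
  // Google's bootstrap pushes the `arguments` object itself, not an array;
  // gtag.js ignores plain arrays, so keep this exact shape.
  function gtag() { dataLayer.push(arguments); }
  const loaded = [];
  let record = null;

  // Defaults go on the data layer before any tag script exists, so GA4 and Ads
  // start in denied mode and set no cookies until an update arrives.
  gtag("consent", "default", consentModeSignals({ analytics: false, advertising: false }));

  function applyChoices(choices, method) {
    // Every purpose needs an explicit boolean: no pre-ticked defaults (Recital 32),
    // and analytics and advertising are decided separately (Article 7 specificity).
    for (const purpose of Object.keys(TAGS)) {
      if (typeof choices[purpose] !== "boolean") {
        throw new Error(`no explicit decision for purpose "${purpose}"`);
      }
    }
    // The Article 7(1) evidence: who, when, which notice, what was chosen, how.
    record = {
      subjectId: deps.subjectId,
      timestamp: new Date(deps.now()).toISOString(),
      noticeVersion: NOTICE_VERSION,
      method,
      purposes: Object.fromEntries(Object.keys(TAGS).map((p) => [p, choices[p]])),
      vendorsDisclosed: Object.fromEntries(Object.keys(TAGS).map((p) => [p, TAGS[p].map((t) => t.vendor)])),
    };
    gtag("consent", "update", consentModeSignals(choices));
    // Only now are the accepted purposes' scripts injected; declined ones never load.
    for (const purpose of Object.keys(TAGS)) {
      if (!choices[purpose]) continue;
      for (const tag of TAGS[purpose]) {
        if (loaded.includes(tag.src)) continue;
        deps.loadScript(tag.src);
        loaded.push(tag.src);
      }
    }
    return record;
  }

  // On a return visit, reuse a stored decision only if it was given against the
  // current notice; a changed notice (new vendor, new purpose) means re-consent.
  function restore(stored) {
    if (!stored || stored.noticeVersion !== NOTICE_VERSION) return { reconsentRequired: true };
    applyChoices(stored.purposes, "restored:" + stored.method);
    return { reconsentRequired: false };
  }

  // One-click withdrawal (Article 7(3)): every purpose flips to denied. Scripts already
  // running cannot be unloaded from JavaScript, which is why blocking before consent matters.
  function withdrawAll() {
    return applyChoices(Object.fromEntries(Object.keys(TAGS).map((p) => [p, false])), "withdraw-all");
  }

  return { applyChoices, restore, withdrawAll, dataLayer, loadedScripts: () => loaded.slice(), consentRecord: () => record };
}

// Stand-alone walk-through with an in-memory loader and a fixed clock (constructed values).
// In a page, loadScript would create a <script> element and now would be Date.now.
function demo() {
  const injected = [];
  const gate = createConsentGate({
    loadScript: (src) => injected.push(src),
    now: () => 1777766400000, // constructed: 2026-05-03T00:00:00Z
    subjectId: "sess-0f3a9c",  // constructed first-party session id
  });
  const first = gate.restore(null);                                          // first visit: nothing stored
  const rec = gate.applyChoices({ analytics: true, advertising: false }, "preferences-panel");
  const stale = gate.restore({ ...rec, noticeVersion: "banner-v2.2" });      // decision given against an older notice
  const withdrawn = gate.withdrawAll();
  return { first, rec, stale, withdrawn, injected, gate };
}

console.log(JSON.stringify(demo().rec, null, 2));
```

The record that `applyChoices` returns is what you ship to the consent store behind the Article 28 DPA; the `dataLayer` array is what the real gtag.js bootstrap reads, so the default signals must be pushed by inline script before the `gtag/js` tag is injected, not after. The deliberate failure mode is the missing-decision check: a banner that passes only the purposes the user ticked, leaving the rest undefined, would otherwise silently record them as declined without ever having asked.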

Frequently Asked Questions: GDPR Cookie Consent

Can we use legitimate interest instead of consent for analytics cookies?
Mostly no. The consent requirement for analytics cookies comes from ePrivacy Article 5(3), which has no legitimate-interest alternative; GDPR's lawful bases apply to the later processing of the collected data, in addition to that consent, not instead of it. EDPB Guidelines 2/2023 on the technical scope of Article 5(3) confirm that the rule covers not only cookies but pixels, fingerprinting and other storage or access on the user's device. Third-party analytics that involve cross-site tracking, advertising profiling, or sharing with advertising networks always need consent. Some national authorities, CNIL among them, exempt strictly limited first-party audience measurement (aggregate statistics only, no cross-site tracking, truncated IP addresses, short retention). After the CNIL actions in 2022 and the Austrian DSB's Google Analytics decision, most practitioners treat all analytics as requiring consent to avoid jurisdiction-by-jurisdiction risk. If you rely on an exemption, document the conditions you meet and keep a Legitimate Interest Assessment for the GDPR side.

Does GDPR apply to our website if we are a US company?
Yes, if you process personal data of individuals located in the EU in connection with offering goods or services to them (GDPR Article 3(2)(a)) or monitoring their behavior within the EU (Article 3(2)(b)). A US-based SaaS company with EU customers offering its service is subject to GDPR for that processing. A US-based e-commerce company shipping to EU customers is subject to GDPR. A US-based blog that uses Google Analytics and advertising cookies is subject to GDPR if EU residents visit the site — even without any direct commercial relationship. The full extraterritorial scope analysis is in the GDPR for US Companies 2026 guide.

How long must we keep consent records?
GDPR does not set a retention period for consent records. Keep them for as long as you rely on the consent, plus long enough to demonstrate compliance if a complaint or investigation arrives later; the applicable limitation periods are set by member state law and vary. Each record should document: the date and time consent was obtained, the version of the notice shown, the user identifier, the specific purposes accepted and declined, and the method of collection (for example, cookie banner v2.3, "Accept all" button).

Assess Your GDPR Cookie Compliance Gaps

The free ComplianceStack Compliance Gap Analyzer includes GDPR consent requirements for websites and SaaS products serving EU residents. Identify your current exposure in under 5 minutes. No signup required.

Run the Free GDPR Gap Analysis →
