
ePrivacy and Cookies: What's Still Required in 2026


The ePrivacy Directive still governs cookies and electronic communications in the EU — and enforcement has intensified. This guide covers what consent is required, what's exempt, and how to build a compliant cookie implementation.

Source: EuroComply Editorial (2026-04-14). Reviewed by the EuroComply Team (EU regulatory specialists); content reviewed against official EUR-Lex texts.

Cookie consent remains one of the most commonly misunderstood and frequently violated areas of EU data protection law. Despite years of enforcement, many organisations still run non-compliant implementations — pre-ticked boxes, no reject option, consent bundled with terms of service.

This guide covers the legal framework, what requires consent, what is exempt, and what a compliant implementation actually looks like in 2026.

The Legal Framework: ePrivacy Directive Still Applies

The ePrivacy Directive (2002/58/EC, as amended by Directive 2009/136/EC) continues to govern cookies and similar tracking technologies across the EU. The proposed ePrivacy Regulation that was meant to replace it never reached agreement in the legislative process, and the Commission withdrew the proposal in 2025. As of April 2026 the Directive remains in force, transposed into national law in every member state, which is also why the precise wording and enforcement practice vary from country to country.

The Directive's cookie rule is Article 5(3): storing information in, or gaining access to information already stored in, a user's terminal equipment is permitted only if the user has given consent after being provided with clear and comprehensive information. The rule is about the device, not about personal data, so it applies whether or not the stored information identifies anyone. It covers cookies, localStorage, IndexedDB, tracking pixels, browser fingerprinting (which reads device properties) and any other technique that reads from or writes to a user's device.

GDPR supplies the consent standard: the ePrivacy Directive borrows the data-protection definition of consent, so it must be freely given, specific, informed and unambiguous (GDPR Article 4(11)), signalled by a clear affirmative action, demonstrable by the controller (Article 7(1)) and withdrawable at any time, as easily as it was given (Article 7(3)), without detriment to the user.

What Is Exempt

Article 5(3) has two exemptions — technologies that are strictly necessary and therefore do not require consent:

1. Storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, e.g. session routing or load-balancing (server affinity) cookies. These are infrastructure-level and should not persist beyond the communication they serve.

2. Strictly necessary for a service explicitly requested by the user — e.g., shopping cart cookies, session authentication cookies, user preference cookies (language, accessibility settings) that the user set. The key word is "strictly" — the service would not function without them.

These exemptions are narrow; "useful" or "nice to have" is not the test. A cookie is strictly necessary only if removing it would break a feature the user has explicitly requested. Convenience, analytics and optimisation are not sufficient grounds, and neither is the fact that a cookie is first-party.

What Requires Consent

The following categories require prior informed consent — meaning consent must be obtained before the cookie is set, not after:

| Category | Examples | Exempt? |
|----------|----------|---------|
| Analytics | Google Analytics 4, Matomo cloud, Mixpanel | No |
| Marketing / advertising | Meta Pixel, Google Ads conversion, retargeting | No |
| Social media | Facebook Like button scripts, Twitter widgets | No |
| A/B testing | Optimizely, VWO, Google Optimize | No |
| Chat widgets | Intercom, Drift, Zendesk (where they set persistent cookies) | No |
| Personalisation | Recommendation engines that set user profiles | No |
| Session authentication | Login cookies, CSRF tokens | Yes |
| Load balancing | Server affinity cookies | Yes |
| User preferences | Language, accessibility settings set by the user | Yes |

The most common mistake is treating first-party analytics as exempt. It is not. The exemption turns on technical necessity, not on first-party versus third-party: GA4 with IP anonymisation still requires consent under the ePrivacy Directive. The only carve-out is national: a few DPAs (the CNIL in France is the best-known example) accept a consent-free audience-measurement configuration, but only for tools restricted to aggregated, site-local statistics with no cross-site tracking, and only in that member state.

Valid Consent: The GDPR Standard

Because the ePrivacy Directive borrows GDPR's definition of consent, consent must satisfy Article 4(11), Article 7 and Recital 32:

Freely given — the user cannot be penalised for refusing consent. This means the reject option must be as accessible as the accept option. Hiding the reject button behind a "manage settings" flow while displaying "Accept all" prominently is not freely given consent.

Specific — consent must be given separately for each distinct purpose. A single "I accept cookies" button that covers analytics, marketing, and social media is not specific consent.

Informed — users must know what they are consenting to: which cookies, which purposes, which third parties, how long the data is retained.

Unambiguous — consent must be signalled by a clear affirmative action. Pre-ticked checkboxes are invalid. Scrolling a page is not consent. Continuing to browse is not consent.

Withdrawable — users must be able to withdraw consent as easily as they gave it. A preferences centre accessible from a persistent link (typically in the footer) is required.

"Consent or pay" models, where users either consent to advertising cookies or pay a fee, are under active scrutiny from DPAs across the EU. The EDPB's Opinion 08/2024 (April 2024), addressed to large online platforms, concluded that in most cases offering only a binary choice between behavioural advertising and a paid subscription will not produce freely given consent. Proceed with caution.

Cookie Banner Requirements

A compliant cookie banner must include:

  • Clear description of each purpose — not "improve your experience" but "measure advertising campaign performance" or "create a profile of your interests for targeted advertising."
  • Retention period for each category of cookie.
  • Third parties — identify which third-party companies receive data via cookies.
  • Granular controls — users must be able to accept or reject individual categories, not just all or nothing.
  • Reject option as prominent as accept — the reject button must be at the same visual level as the accept button, not buried in a "manage preferences" link.
  • No dark patterns — consent buttons styled to appear inactive, pre-ticked boxes, confusing toggle logic (where "on" means consent rejected), and repeated consent requests after rejection are all unlawful.

Legitimate Interest: Cannot Be Used for Cookies

Legitimate interest (GDPR Article 6(1)(f)) cannot serve as the legal basis for setting or reading non-essential cookies. Article 5(3) of the ePrivacy Directive requires consent specifically, and as the more specific rule it takes precedence over the general GDPR legal bases for the act of storing or accessing information on the device. Legitimate interest may still be a basis for what you do with the data afterwards, but it never replaces consent for the storage or access itself.

The CJEU confirmed in Planet49 (Case C-673/17, 2019) that Article 5(3) requires active consent from the user and applies whether or not the stored information is personal data, which leaves no room for a legitimate-interest route around it; DPAs across the EU have applied this consistently since. If you see a CMP pre-selecting "legitimate interest" for analytics or advertising purposes, that is a non-compliant implementation.

Enforcement: What Has Actually Happened

Enforcement has intensified since 2023. Notable actions:

  • CNIL (France) fined Google €150M and Facebook €60M (decisions of December 2021, announced January 2022) for making it harder to refuse cookies than to accept them. The CNIL found that one click to accept versus several clicks to refuse violated the freely-given standard.
  • APD (Belgium) and Datatilsynet (Norway) have both issued decisions against major publishers for cookie banner dark patterns.
  • IAB Europe's Transparency and Consent Framework was found by the APD to violate GDPR and required to be rebuilt — showing that even industry-standard CMPs can be non-compliant.
  • Multiple DPAs across the EU have issued cookie sweep enforcement actions targeting specific sectors (news media, e-commerce, public sector websites).

Technical Implementation Checklist

Consent Management Platform (CMP) requirements:

  • Blocks all non-essential cookies and storage before consent: on page load, the only cookies set are strictly necessary ones. The cookie or storage entry that holds the consent record is itself strictly necessary and is the one thing a CMP may write without consent.
  • Records each consent decision with timestamp, policy version and a per-visitor identifier, so that consent can be demonstrated (GDPR Article 7(1)) and invalidated when purposes or vendors change.
  • Provides granular per-category controls, with "reject all" as prominent as "accept all".
  • Surfaces the withdraw mechanism on every page.
  • Passes the consent signal correctly to every third-party script (tag-manager triggers, vendor consent APIs, TCF string), and keeps scripts unloaded, not merely configured, until consent exists.

Cookie audit:

  • Maintain an inventory of all cookies set by your site and their purposes
  • Classify each cookie as strictly necessary, functional, analytics, or marketing
  • Verify that classification against the technical reality (what does the cookie actually do?)
  • Review after any new third-party tool is added

Quarterly review:

  • Re-audit cookies after platform updates
  • Check CMP is blocking non-essential cookies before consent
  • Test the reject flow: verify no analytics or marketing cookies are set after clicking reject
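As an added illustration of the CMP requirements, the cookie audit and the reject-flow test above (this is not EuroComply's code and not any CMP vendor's), the gating and audit decisions written as pure JavaScript functions. The cookie inventory, category names, script URLs, policy version and visitor identifier are all constructed for the example:

```javascript
// Added example, not EuroComply's or any CMP vendor's code. The cookie names,
// categories, script URLs and policy version are constructed for illustration.

const POLICY_VERSION = "2026-04"; // bump whenever purposes, vendors or retention change

// Constructed cookie inventory: name -> category. Anything not listed is
// "unclassified", which the audit treats as non-essential: a cookie you
// cannot classify cannot be justified as strictly necessary.
const COOKIE_INVENTORY = {
  sessionid: "necessary",       // login session
  csrftoken: "necessary",       // CSRF defence
  cookie_consent: "necessary",  // the consent record itself
  _ga: "analytics",
  _ga_ABC123: "analytics",
  _fbp: "marketing",
  intercom_session: "functional",
};

const CONSENT_CATEGORIES = ["functional", "analytics", "marketing"];

// Build the consent record. `granted` holds the user's explicit per-category
// choices; only a literal `true` counts, so a missing or malformed value is a
// rejection (no implied consent). `id` is an opaque per-visitor identifier the
// CMP would generate (crypto.randomUUID() in the browser); it is a parameter
// here so records are reproducible in tests.
function recordConsent(granted, now, id) {
  const categories = {};
  for (const c of CONSENT_CATEGORIES) categories[c] = granted[c] === true;
  return { version: POLICY_VERSION, timestamp: now.toISOString(), id, categories };
}

// Strictly necessary storage needs no consent. Everything else needs a
// current, explicit grant: no record, or a record from an older policy
// version, means no consent, and the banner must be shown again.
function isPermitted(category, record) {
  if (category === "necessary") return true;
  if (!record || record.version !== POLICY_VERSION) return false;
  return record.categories[category] === true;
}

// Decide which tag-managed scripts may run. In the page these would sit as
// <script type="text/plain" data-category="analytics" data-src="..."> and only
// be turned into executable script elements when permitted; here they are
// plain objects so the decision can be checked without a DOM.
function scriptsToActivate(scripts, record) {
  return scripts.filter((s) => isPermitted(s.category, record)).map((s) => s.src);
}

// Audit: given the cookie names observed in the browser, report every cookie
// that should not exist under the given consent record.
function cookieViolations(observedNames, record, inventory = COOKIE_INVENTORY) {
  return observedNames
    .map((name) => ({ name, category: inventory[name] ?? "unclassified" }))
    .filter((c) => !isPermitted(c.category, record));
}

// Reject-flow check from the checklist: after "Reject all", the only cookies
// present may be necessary ones. Returns true when the flow is clean.
function rejectFlowClean(observedAfterReject, now = new Date(), id = "reject-check") {
  const rejectAll = recordConsent({}, now, id);
  return cookieViolations(observedAfterReject, rejectAll).length === 0;
}

// Constructed scenario: the visitor grants analytics only.
const TAG_SCRIPTS = [
  { category: "analytics", src: "https://analytics.example/collect.js" },
  { category: "marketing", src: "https://ads.example/pixel.js" },
  { category: "necessary", src: "/static/app.js" },
];
const analyticsOnly = recordConsent({ analytics: true }, new Date("2026-04-14T09:30:00Z"), "7f3c-example");
console.log(scriptsToActivate(TAG_SCRIPTS, analyticsOnly));
// -> ["https://analytics.example/collect.js", "/static/app.js"]
console.log(cookieViolations(["sessionid", "cookie_consent", "_ga", "_fbp", "mystery"], analyticsOnly));
// -> [{ name: "_fbp", category: "marketing" }, { name: "mystery", category: "unclassified" }]
```

In a real page the same decision drives the blocking: non-essential tags ship in an inert form (the `type="text/plain"` convention above is one common CMP approach, assumed here) and only the scripts `scriptsToActivate` returns are re-inserted as executable elements after the user chooses, so nothing non-essential runs on page load. The version check is what makes a consent record expire when you add a vendor or purpose, and treating unknown cookies as violations is what turns the quarterly audit into a test that fails when someone adds a tool without updating the inventory.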

Last updated: April 2026. For informational purposes only — not legal advice.

EuroComply Editorial Team

EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.

