GDPR and cookies in 2026: what changed and what is coming

31 March 2026 · FlowConsent

TL;DR

The regulatory framework for cookies and personal data protection continues to evolve in 2026. The European Commission proposed the Digital Omnibus (November 2025), which plans targeted modifications to the GDPR and ePrivacy Directive to reduce "consent fatigue" and simplify compliance. The CNIL continues its enforcement with record fines (90 million euros against Google in November 2025, 42 million against Free in January 2026). Consent Mode v2 became mandatory for advertisers in the EEA, and new CNIL recommendations on cross-device consent entered into force in January 2026. This guide covers what has changed and what is coming.

What is currently in force: GDPR and ePrivacy rules

Cookie regulation relies on two complementary texts: the GDPR (European regulation) and the ePrivacy Directive (2002/58/EC), transposed into French law through Article 82 of the French Data Protection Act. These two texts coexist, sometimes creating overlaps.

The GDPR defines the general rules for personal data protection: legal basis for processing, individual rights, security obligations, and penalties. The ePrivacy Directive specifically covers the confidentiality of electronic communications, including rules for placing and reading cookies on the user's terminal.

In France, the CNIL published its guidelines and recommendation on cookies in 2020, with mandatory compliance by March 31, 2021. These rules have not fundamentally changed in 2026, but their enforcement is tightening.

What are the current cookie consent rules?

Any cookie not strictly necessary for the site's operation requires explicit user consent before being placed. This covers advertising cookies, analytics cookies, social media cookies, and any other non-essential tracker.

Consent must be free, specific, informed, and unambiguous. In practice: the Reject button must be as visible and accessible as the Accept button (same level, same format, same size). The CNIL has confirmed that merely having a "Customize" button alongside "Accept all" is not sufficient: a first-level rejection mechanism is mandatory.

No non-essential cookie may be placed before the user has made their choice. Scripts must be blocked by default and only fire after consent. The user must be able to withdraw consent as easily as they gave it.

Strictly necessary cookies (authentication, shopping cart, language preferences, security) are exempt from consent. Certain audience measurement cookies can also benefit from an exemption under strict conditions, as in the case of Matomo configured in CNIL exempt mode.

What changed between 2024 and 2026

Consent Mode v2 mandatory (March 2024)

Google made implementing Consent Mode v2 mandatory for advertisers targeting users in the EEA. Without Consent Mode, remarketing, conversion measurement, and audience creation features are limited or disabled in Google Ads. This requirement forced many sites to revisit their technical consent implementation.

Record CNIL fines (2025-2026)

The CNIL intensified its enforcement and issued significant fines. In September 2025, Google was fined 325 million euros (ads inserted without consent in Gmail, cookies placed without agreement during account creation) and Shein 150 million euros. In November 2025, Google received an additional 90 million euro fine for automatically placing the NID advertising cookie before the consent banner appeared.

In January 2026, Free and Free Mobile were fined a total of 42 million euros for data security failures. These fines serve as a reminder that GDPR compliance extends beyond cookies to the entire data processing chain.

CNIL recommendations on cross-device consent (January 2026)

The CNIL published its final recommendations on cross-device consent on January 16, 2026. These recommendations specify the conditions under which consent given on one device (e.g., a computer) can be extended to other devices belonging to the same user (smartphone, tablet). This is subject to strict identification and transparency conditions.

CNIL consultation on session replay (February 2026)

In February 2026, the CNIL launched a public consultation on a draft recommendation regarding session replay technology. This technology, which records and replays user interactions on a site (clicks, scrolls, inputs), raises specific consent and data minimization questions.

Automated CNIL enforcement

The CNIL now uses bots to automatically detect non-compliant sites. These automated checks verify at scale whether cookies are placed before consent, whether the Reject button is present, and whether dark patterns are used. SMEs are increasingly targeted by these checks, not just large corporations.

What is coming: the Digital Omnibus and the future of cookies

On November 19, 2025, the European Commission published the "Digital Omnibus Package," a set of proposals to simplify the European digital regulatory framework. This text proposes modifications to the GDPR, the ePrivacy Directive, the Data Act, and the NIS2 Directive.

Consent exemption for audience measurement

The Digital Omnibus proposes that consent would no longer be required for cookies used for aggregated audience measurement and security purposes. This measure aims to reduce the number of cookie banners by exempting first-party analytics from the consent requirement, subject to strict conditions (aggregated data, no third-party sharing). The EDPB and EDPS support this objective in their Joint Opinion 2/2026 of February 11, 2026.

Ban on re-requesting consent for 6 months

The Digital Omnibus provides that after a consent refusal, the site cannot re-request consent for the same purpose for at least 6 months. This measure aims to combat "consent fatigue" that drives many users to accept cookies out of weariness.

Browser-level consent preferences

The proposal provides for users to set their consent preferences directly in their browser, with sites respecting these preferences through automated, machine-readable mechanisms. The EDPB and EDPS strongly support this approach, which could eventually reduce dependence on cookie banners.

Integration of cookie rules into the GDPR

The Digital Omnibus proposes integrating certain cookie rules directly into the GDPR (proposed Article 88a), rather than leaving them in the ePrivacy Directive. The EDPB and EDPS expressed reservations about this approach, as the GDPR only covers personal data, while the ePrivacy Directive protects all information stored on the user's terminal, including non-personal data. This split could create legal uncertainty.

Where does the legislative process stand?

The Digital Omnibus is in consultation phase (closed March 15, 2026 for the main component). The text must still be negotiated by the European Parliament and the Council of the EU. Final adoption is not expected before late 2026 at the earliest, and effective implementation will likely take several more years. Current rules therefore remain fully applicable.

What to do concretely in 2026

Current rules remain in force. The Digital Omnibus will not take effect in the short term. Here are the priority actions for compliance in 2026.

Verify that your cookie banner complies with current CNIL requirements: first-level Reject button, same size and color as Accept, no cookies placed before consent, clear information about purposes.

Implement Consent Mode v2 if you use Google tags (GA4, Google Ads). Basic mode is recommended for EEA users.

Regularly audit your site's cookies and trackers. Third-party scripts can place cookies without your knowledge. Use a cookie scanner to identify present trackers.

Verify that proof of consent is properly stored: who consented, when, to what, with which banner version. Recommended retention is 13 months for cookies and 25 months for proof.

Document your configuration in your processing register. In case of a CNIL audit, you must be able to demonstrate your implementation's compliance.
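As an added illustration, not FlowConsent's code nor any CMP's, the following minimal JavaScript consent gate ties together the steps above and the "blocked by default" rule from the current-rules section: non-essential scripts stay inert until a choice is made, the choice is mapped onto Consent Mode v2 signals, and a proof-of-consent record carries who, when, what and the banner version with the 13- and 25-month durations. The `data-purpose` attribute, the `type="text/plain"` placeholder convention, the banner version string and all function names are assumptions for the example, not a standard.

```javascript
// Added example (not FlowConsent's or any CMP's code). Assumed convention: non-essential tags ship as
// <script type="text/plain" data-purpose="analytics|advertising" src=...> and stay inert until granted.
const BANNER_VERSION = "2026-03-v1";           // assumed: change whenever banner text or layout changes
const CONSENT_VALIDITY_MS = 13 * 30 * 86400e3; // ~13 months, the maximum lifespan cited above
const PROOF_RETENTION_MS = 25 * 30 * 86400e3;  // ~25 months for the proof record

// Consent Mode v2 signals for a purpose-level choice. null (no choice yet) denies everything,
// which is what gtag('consent', 'default', ...) must send before gtag.js loads.
function consentSignalsFor(choices) {
  const ads = choices && choices.advertising ? "granted" : "denied";
  const analytics = choices && choices.analytics ? "granted" : "denied";
  return { ad_storage: ads, ad_user_data: ads, ad_personalization: ads, analytics_storage: analytics };
}

// Proof of consent: who (an opaque consent id), when, to what, with which banner version.
function buildConsentRecord(consentId, choices, now = Date.now()) {
  return { consentId, timestamp: now, bannerVersion: BANNER_VERSION, choices: { ...choices },
           validUntil: now + CONSENT_VALIDITY_MS, retainProofUntil: now + PROOF_RETENTION_MS };
}

// Purposes allowed to fire. No record, an expired record or a record from an older banner
// all mean "blocked by default": nothing fires until the user chooses again.
function allowedPurposes(record, now = Date.now()) {
  if (!record || now > record.validUntil || record.bannerVersion !== BANNER_VERSION) return new Set();
  return new Set(Object.keys(record.choices).filter((p) => record.choices[p]));
}

// Turn inert placeholders into live scripts, but only for granted purposes. Third-party tags
// (social and ad pixels) are gated here directly, not through Consent Mode alone.
function activateBlockedScripts(doc, allowed) {
  let activated = 0;
  for (const s of doc.querySelectorAll('script[type="text/plain"][data-purpose]')) {
    if (!allowed.has(s.dataset.purpose)) continue;
    const live = doc.createElement("script");
    if (s.src) live.src = s.src; else live.textContent = s.textContent;
    s.replaceWith(live);
    activated += 1;
  }
  return activated;
}

// Banner callback (browser only): store the proof, update Consent Mode v2, release granted scripts.
function onUserChoice(consentId, choices) {
  const record = buildConsentRecord(consentId, choices);
  if (typeof window !== "undefined" && window.gtag) window.gtag("consent", "update", consentSignalsFor(choices));
  if (typeof document !== "undefined") activateBlockedScripts(document, allowedPurposes(record));
  return record;
}
```

The returned record is what you would persist server-side as proof; the withdrawal path is simply `onUserChoice` called again with every purpose set to false, which re-blocks everything on the next load.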

Common mistakes (and how to avoid them)

Believing the Digital Omnibus changes the rules now. The text is in consultation and negotiation. Current rules (GDPR + ePrivacy + CNIL guidelines) remain fully applicable. Fix: do not relax your compliance in anticipation of simplifications that have not yet been voted on.

Ignoring automated CNIL enforcement. The CNIL now uses bots to scan sites at scale. SMEs are targeted as much as large corporations. Fix: regularly verify your compliance with a cookie audit.

Not updating the banner after adding new scripts. Every new tracker added to the site must be integrated into the consent banner and blocked by default. Fix: audit cookies with every site modification and update your CMP configuration.

Confusing cookie compliance with overall GDPR compliance. Cookies are only one part of the GDPR. Data security (Article 32), individual rights (access, rectification, deletion), processor management, and impact assessments are also obligations. Fix: adopt a comprehensive compliance approach, not one focused solely on cookies.

Relying on a default CMP without configuring it. Installing a CMP is not enough. Default configurations do not always meet CNIL requirements (missing Reject button, scripts not blocked before consent). Fix: choose an appropriate CMP and configure it according to CNIL recommendations.

Underestimating fine amounts. CNIL fines do not only target tech giants. In 2025, over 60% of fines targeted SMEs. Amounts are proportional to revenue but can reach tens of thousands of euros even for small businesses.

Checklist: cookie and GDPR compliance in 2026

  1. The cookie banner is CNIL-compliant: first-level Reject button, same size and format as Accept.
  2. No non-essential cookies are placed before user consent.
  3. Third-party scripts (analytics, advertising, social media) are blocked by default.
  4. Consent Mode v2 is implemented for Google tags (basic mode recommended for EEA).
  5. The user can withdraw consent as easily as they gave it.
  6. Proof of consent is stored (who, when, what, banner version).
  7. Cookie lifespan is limited to 13 months maximum.
  8. A cookie audit is performed regularly (at minimum with every site modification).
  9. The cookie policy is up to date and accessible from the banner.
  10. CMP configuration is documented in the processing register.
  11. Third-party tags (Facebook, LinkedIn, TikTok) are blocked separately, not only through Consent Mode.
  12. CNIL cross-device consent recommendations are considered if applicable.

Conclusion

The cookie and GDPR regulatory framework in 2026 is characterized by two simultaneous movements. On one side, existing rules are enforced with greater rigor: automated checks, record fines, focus on dark patterns and effective script blocking before consent. On the other, the Digital Omnibus proposes simplifications that could reduce consent fatigue, particularly the audience measurement exemption and browser-level consent preferences.

These simplifications are not yet in force. In the meantime, compliance with current rules remains the priority. The fundamentals do not change: free, informed and unambiguous consent, script blocking before consent, first-level Reject button, proof of consent, regular auditing.

To check your site's compliance status and identify trackers that load before consent, run a free scan with FlowConsent.

Frequently asked questions

Does the Digital Omnibus change cookie rules in 2026?

Not yet. The Digital Omnibus is a European Commission proposal published in November 2025. The text is in consultation and negotiation. Current rules (GDPR + ePrivacy Directive + CNIL guidelines) remain fully applicable. Final adoption is not expected before late 2026 at the earliest.

What are the most recent CNIL fines related to cookies?

In September 2025, Google was fined 325 million euros and Shein 150 million euros for cookie and consent violations. In November 2025, Google received an additional 90 million euro fine for placing the NID cookie before consent. In January 2026, Free and Free Mobile were fined 42 million euros for data security failures.

Is Consent Mode v2 mandatory in 2026?

Yes. Since March 2024, Google requires Consent Mode v2 implementation for advertisers targeting users in the European Economic Area. Without Consent Mode, remarketing and conversion measurement features are limited or disabled in Google Ads.

Will the Digital Omnibus eliminate cookie banners?

No, but it could reduce them. The proposal includes consent exemptions for aggregated audience measurement, browser-level consent preferences, and a ban on re-requesting consent for 6 months after refusal. These measures could reduce the number of banners but not eliminate them entirely.

Does the CNIL also enforce cookie rules on SMEs?

Yes. The CNIL now uses bots to scan sites at scale. In 2025, over 60% of fines targeted SMEs. Automated checks verify cookie placement before consent, the presence of a Reject button, and the use of dark patterns.

What is CNIL cross-device consent?

The CNIL cross-device consent recommendations, published in January 2026, specify the conditions under which consent given on one device can be extended to other devices belonging to the same user. This is subject to strict identification and transparency conditions.