Cookie Consent in 2026: What's Changed, What's Still Wrong, and How to Get It Right
Most websites' cookie consent implementations are still non-compliant, despite years of enforcement. The current state of cookie consent law across the EU and UK, the five most common violations, and a practical implementation guide.
25 min
Topics Covered
cookie consent, PECR, ePrivacy, GDPR cookies, consent management
Transcript Excerpt
Elena: Cookie consent has been a legal requirement under the ePrivacy Directive — implemented as PECR in the UK — since 2003. GDPR added consent requirements from 2018. It is now 2026. Most websites are still non-compliant. Why?
Elena: Partly because enforcement has been inconsistent — major violators received warnings more often than fines for several years. That's changing. The IAB Europe received a major ruling on its Transparency and Consent Framework. CNIL fined several major platforms hundreds of millions of euros over dark patterns. The enforcement environment has tightened significantly.
Elena: The five most common violations I see. One: no reject option. You must offer an equally prominent "reject all" option alongside "accept all." A "manage preferences" button hidden in small grey text does not satisfy this.
Elena: Two: pre-ticked boxes. Consent cannot be inferred from silence or pre-ticked boxes. Every non-essential cookie must be off by default and switched on by active user choice.
Elena: Three: withdrawing consent is harder than giving it. GDPR requires withdrawal to be as easy as giving consent. If the user accepted in one click, they must be able to withdraw in one click.
Elena: Four: functional cookies miscategorised. Cookies required for a function the user explicitly requests are exempt. Analytics, advertising, and personalisation cookies are not. I see analytics routinely mislabelled as "functional."
Elena: Five: no record of consent. You must be able to demonstrate consent was given — who, when, what they consented to. Most cookie consent platforms handle this; rolling your own without logging it is a common gap.
Part of
Compliance Corner
EU AI Act and GDPR in plain English
31 episodes · Bi-weekly