
GDPR Cookie Compliance Checklist for 2026

A practical, up-to-date GDPR cookie compliance checklist for website owners. Covers prior consent, banner design, record-keeping, and the steps regulators actually look for in 2026.

Why a Cookie Compliance Checklist Still Matters in 2026

Cookie compliance is no longer a box-ticking exercise. European data protection authorities have spent the last several years moving from guidance to enforcement, and the bar for what counts as valid consent keeps rising. A banner that looked fine in 2021 may now be non-compliant on three or four separate points — from pre-ticked boxes to a missing “reject all” button.

This checklist breaks GDPR cookie compliance into the concrete steps that regulators actually examine. It assumes you run a website that serves visitors in the European Economic Area (EEA) or the UK and that you use at least some non-essential cookies (analytics, advertising, embedded media, or personalisation). If you are still unclear on the underlying law, start with our explainer on what GDPR is and the broader GDPR requirements for websites, then return here to operationalise them.

The Two Laws You Are Actually Complying With

Cookie consent in Europe sits at the intersection of two instruments, and conflating them is the most common source of confusion:

  • The ePrivacy Directive (2002/58/EC, as amended) is the law that specifically requires prior informed consent before storing or accessing information on a user’s device — i.e. before setting non-essential cookies. This is the rule that makes the banner necessary in the first place.
  • The GDPR defines what valid consent must look like: freely given, specific, informed, and unambiguous, given by a clear affirmative action (Article 4(11) and Article 7).

In practice you satisfy ePrivacy’s “when” using GDPR’s “how.” Our guide to the ePrivacy Directive and cookie law covers this relationship in depth. The checklist below is organised so that each item maps to a specific legal expectation.

Step 1: Audit Every Cookie and Tracker

You cannot obtain valid consent for trackers you have not catalogued. The foundation of compliance is an accurate, current inventory of every cookie, pixel, SDK, and local-storage key your site sets — including those loaded by third-party scripts you may have forgotten about (chat widgets, embedded video, ad tags, A/B testing tools).

For each item, record: the name, the provider, its purpose, whether it is first- or third-party, its retention period, and the category it belongs to. A point-in-time manual check is rarely enough because marketing teams add tags continuously and third parties change their own behaviour. This is why ongoing scanning matters — see how cookie scanners work for the difference between a one-off snapshot and continuous monitoring. Map each cookie to one of the standard cookie categories (strictly necessary, functional/preferences, analytics, marketing) so your banner can offer granular choices.

Step 2: Block Non-Essential Cookies Until Consent

This is the single most-cited failure in enforcement actions. Under the ePrivacy Directive, non-essential cookies must not be set before the user consents. “We’ll set the cookies and stop if they reject” is not compliant — the storage must not happen in the first place.

Technically this means your tags must be gated: analytics and marketing scripts should only execute after the relevant consent signal is granted. A compliant CMP enforces this at the script level rather than merely hiding a banner. For the implementation patterns, see how to block scripts until consent and the comparison of how CMPs block scripts. If you use Google tags, pair this with Google Consent Mode v2 so tags respect the consent state rather than firing unconditionally.

Step 3: Make Rejection as Easy as Acceptance

Regulators have repeatedly held that consent is not “freely given” if refusing is harder than accepting. The French regulator CNIL fined several large operators specifically because their interfaces let users accept all cookies in one click but required multiple steps to refuse them.

On your first layer (the initial banner), you should provide clearly visible options of equal prominence: typically “Accept all,” “Reject all,” and “Manage preferences.” Avoid dark patterns — a greyed-out reject button, a reject link buried in a second screen, or colour contrast that nudges users toward acceptance all undermine validity. Our cookie banner design best practices guide covers compliant layouts that still perform well.

Step 4: No Pre-Ticked Boxes, No Implied Consent

The Court of Justice of the European Union settled this in the Planet49 ruling: a pre-ticked checkbox does not constitute valid consent, because consent requires a clear affirmative action. The same logic rules out “consent by continuing to browse,” “consent by scrolling,” and any design where inaction is treated as agreement.

Practical implications for your banner:

  • All non-essential categories must default to off.
  • Closing the banner with an “X” or clicking away must not be interpreted as consent.
  • Strictly necessary cookies may be on by default and do not require consent — but you must not mislabel analytics or marketing cookies as “necessary.”

Step 5: Give Clear, Specific Information Before Consent

Informed consent means users understand what they are agreeing to before they agree. Your banner’s first layer should name the purposes (e.g. analytics, advertising), and a second layer or linked cookie policy should provide the granular detail: the specific cookies, the third parties involved, retention periods, and whether data is transferred outside the EEA.

Keep the language plain. A wall of legalese can itself undermine the “informed” requirement. Link prominently to your privacy policy and a dedicated cookie policy that you keep in sync with the inventory from Step 1.

Step 6: Enable Granular, Purpose-Level Choice

Bundling all tracking into a single accept/reject toggle is increasingly viewed as non-compliant where purposes are genuinely distinct. Users should be able to consent to analytics while refusing advertising, for example. Offer category-level toggles at minimum, and align your categories with the purposes you documented during the audit.

This granularity is also what makes downstream signals such as Consent Mode meaningful: a per-purpose choice maps cleanly onto the individual consent signals that analytics and ad platforms expect.

Step 7: Make Withdrawal Easy and Ongoing

GDPR Article 7(3) requires that withdrawing consent be as easy as giving it. In practice, this means a persistent, always-available way to reopen the preferences — commonly a small floating button or a footer link — so a visitor can change their mind at any time without hunting for it. A consent that cannot be easily withdrawn is not valid consent.

Equally important: when a user withdraws consent, your tags must actually stop. Re-check that revoking analytics consent prevents further analytics storage on the next page load.

Step 8: Keep Proof of Consent

Under GDPR’s accountability principle (Article 5(2)) and Article 7(1), you must be able to demonstrate that a user consented. If a regulator or a user asks, “prove it,” you need a record. A defensible consent log typically captures: a pseudonymous identifier, a timestamp, the consent state per category, the banner/policy version shown, and the method of collection.

Store these records securely and retain them for as long as you rely on the consent (and a reasonable period after, to handle disputes). Consent records are also what let you honour withdrawal and respond to data subject requests accurately.

Step 9: Re-Prompt Periodically and on Material Change

Consent is not forever. Most EEA regulators expect you to refresh consent at a sensible interval — CNIL, for example, has pointed to a period in the region of six months as reasonable for re-asking, though there is no single hard-coded number in the law. You should also re-prompt when something material changes: a new advertising vendor, a new purpose, or a significant change to your cookie policy.

Set an expiry on stored consent and trigger a fresh banner when it lapses or when your tracker inventory changes in a way that affects what the user originally agreed to.

Step 10: Handle Regional Differences Deliberately

Not every visitor is governed by GDPR. US state laws such as the CCPA/CPRA generally follow an opt-out model rather than prior opt-in, and other regions have their own rules. Serving an aggressive GDPR opt-in banner worldwide is not illegal, but it can needlessly depress engagement where it is not required — while serving a US-style opt-out banner to EEA visitors is a compliance failure.

A regional consent strategy adapts the banner’s behaviour to the visitor’s location. For the legal landscape, compare GDPR vs CCPA vs PECR. The principle: apply opt-in where the law requires prior consent, and opt-out where that is the local standard.
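The following is an added example, not CookieBeam's code or a specific consent platform's API: a small consent-state model that applies the rules from Steps 2, 4, 7, 8 and 9 in plain JavaScript. The category names, the policy version string and the six-month expiry are assumptions chosen for illustration.

```javascript
// Added example (not CookieBeam's code): consent state that gates tag execution.
// Assumed values: category names, POLICY_VERSION and a ~6-month CONSENT_TTL_MS.
const CATEGORIES = ["necessary", "functional", "analytics", "marketing"];
const POLICY_VERSION = "2026-01";                  // bump on any material change (Step 9)
const CONSENT_TTL_MS = 182 * 24 * 60 * 60 * 1000;  // assumed re-prompt interval (Step 9)

// Step 4: with no valid record, only strictly necessary storage is allowed.
// Closing the banner or scrolling never produces a record, so this is what applies.
function defaultConsent(now = Date.now()) {
  return { id: null, version: POLICY_VERSION, ts: now, method: "none",
           granted: { necessary: true, functional: false, analytics: false, marketing: false } };
}

// Step 9: a stored record is usable only if it matches the current policy version
// and has not expired; otherwise the banner must be shown again.
function isValid(record, now = Date.now()) {
  return Boolean(record) && record.version === POLICY_VERSION && now - record.ts < CONSENT_TTL_MS;
}

// Step 8: build a proof-of-consent record from an explicit user action.
// Only an explicit `true` counts as opt-in; missing or other values stay off.
function recordChoice(id, choices, method, now = Date.now()) {
  const granted = { necessary: true };
  for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;
  return { id, version: POLICY_VERSION, ts: now, method, granted };
}

// Step 7: withdrawal is a new explicit record with the category switched off,
// so the log keeps both the original grant and the later revocation.
function withdraw(record, category, now = Date.now()) {
  const base = isValid(record, now) ? record : defaultConsent(now);
  return recordChoice(base.id, { ...base.granted, [category]: false }, "withdraw", now);
}

// Step 2: decide which tags may execute at all. A tag whose category is not
// granted under a valid record is withheld, never loaded and then "stopped".
function allowedTags(tags, record, now = Date.now()) {
  const state = isValid(record, now) ? record : defaultConsent(now);
  return tags.filter(t => state.granted[t.category] === true).map(t => t.name);
}
```

In a browser, the same decision drives loading: tags are shipped inert (for example `<script type="text/plain" data-category="analytics">`) and only the names returned by `allowedTags` are switched to an executable type on each page load; that wiring is an assumption about a common CMP pattern and is not shown here.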

GDPR Cookie Compliance Checklist (2026)

  • Maintain a current inventory of every cookie and tracker

    Name, provider, purpose, party (first/third), retention, and category for each. Refresh continuously, not once.

  • Block non-essential cookies until consent is granted

    Tags must not execute before consent. Gate scripts at the source rather than only hiding the banner.

  • Offer Reject All with equal prominence to Accept All

    Rejecting must be no harder than accepting. Avoid hidden or de-emphasised reject options.

  • Default all non-essential categories to off

    No pre-ticked boxes. No consent by scrolling, continuing, or closing the banner.

  • Provide clear purpose information before consent

    Name the purposes on the first layer; link a detailed, current cookie policy.

  • Allow granular, per-category consent

    Let users accept analytics while refusing marketing, for example.

  • Provide an always-available way to withdraw consent

    A persistent button or footer link that reopens preferences. Withdrawing must be as easy as consenting.

  • Verify tags actually stop when consent is withdrawn

    Re-check that revoking a category prevents further storage on the next page load.

  • Log proof of consent

    Timestamp, per-category state, banner/policy version, and method — stored securely and retrievable.

  • Set a consent expiry and re-prompt on material change

    Refresh at a sensible interval and whenever vendors, purposes, or the policy change materially.

  • Apply the right model per region

    Opt-in where prior consent is required (EEA/UK); opt-out where that is the local standard (e.g. US states).

  • Keep your cookie policy in sync with the live inventory

    The policy should reflect what the scanner actually finds, not a stale list.

What Non-Compliance Actually Costs

GDPR fines can reach up to €20 million or 4% of total worldwide annual turnover, whichever is higher (Article 83). In practice, most cookie-specific enforcement has produced smaller but still significant penalties, often issued under national ePrivacy implementations rather than the GDPR’s headline tier. The reputational cost — and the engineering cost of retrofitting compliance under deadline pressure — usually exceeds the fine itself.

The reassuring news is that cookie compliance is highly tractable. Almost every item on this checklist is a configuration decision rather than a legal grey area, and a well-configured consent platform handles most of them automatically.

Turn the Checklist Into a Configuration

Most of these requirements — blocking until consent, equal-prominence reject, granular toggles, consent logging, expiry, and regional behaviour — are settings, not custom code, when you use a proper consent platform. Start from an accurate cookie scan, then enforce the rules at the script level with consent-gated loading.

GDPR Cookie Compliance Checklist 2026 | CookieBeam