Cookies and GDPR: Everything You Need to Know in 2026

22 October 2025 14 min read DPLIANCE

Cookies and GDPR: two terms every website publisher encounters daily, but few truly master. Between the European regulation, the ePrivacy Directive, CNIL (French data protection authority) recommendations and accumulating sanctions, the legal framework is dense. This guide covers everything you need to know in 2026 to be compliant.

A cookie is a small text file placed on the user’s terminal (computer, smartphone, tablet) by the visited site’s server or by a third party. It stores information: language preferences, session identifier, browsing history, advertising targeting data.

Not all cookies are equal. Some are essential for site operation. Others track user behavior for commercial purposes. This distinction underpins the entire legal framework.

Note that in the regulatory context the term “cookie” covers more than HTTP cookies alone. CNIL uses the term “trackers”, which also covers fingerprinting (browser fingerprint), tracking pixels, local storage (localStorage, sessionStorage), mobile advertising identifiers and any other technology that makes it possible to track user activity. The rules described in this guide apply to all of these technologies.

The three categories of cookies

Strictly necessary cookies

They enable basic site operation: authentication, shopping cart memorization, server load balancing, security preference retention, fraud protection (CSRF tokens). These cookies are exempt from consent under Article 82 of the French Data Protection Act.

The determining criterion is technical necessity: without these cookies, the service requested by the user could not function. For example, a session cookie maintaining user authentication is strictly necessary. However, a cookie storing content personalization preferences (dark theme, preferred language) is debated: CNIL tends to consider non-essential preference cookies as requiring consent, unless they are indispensable to the provision of the explicitly requested service.

Audience measurement cookies

They measure site traffic: visitor count, page views, time spent, bounce rate, navigation paths. CNIL provides a consent exemption under strict conditions:

  • Data must be anonymous (no cross-referencing with other processing allowing identification)
  • Data must be used exclusively by the site publisher (no transmission to third parties)
  • Data must not be cross-referenced with other processing (CRM, customer database, advertising)
  • Tracker lifespan must be limited to 13 months maximum
  • Tracker scope must be limited to a single site or single application

Only certain tools benefit from this exemption. CNIL maintains a list of compliant solutions on its site, including notably Matomo (in certain configurations) and some other privacy-respecting tools. Standard Google Analytics configurations, for example, generally do not meet these criteria, particularly because data passes through Google’s servers and can be cross-referenced with other Google services.

Marketing and advertising cookies

Behavioral targeting, retargeting, advertising campaign measurement, social share buttons that place trackers, marketing chatbot scripts, A/B testing tools that collect personal data: all these cookies require explicit prior consent. This is the most regulated and most sanctioned category.

These cookies are often the most numerous on a site. A technical audit frequently reveals that dozens of third-party cookies are placed by advertising scripts, social networks and marketing tools — often without the publisher’s knowledge, via opaque advertising subcontracting chains.

What does the GDPR say exactly?

The GDPR (General Data Protection Regulation), in force since May 2018, governs personal data processing. It does not mention cookies by name, but applies as soon as a cookie enables direct or indirect identification of a person — which is the case for virtually all marketing and audience measurement cookies.

Article 4(11): the definition of consent

Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Four cumulative conditions: free, specific, informed, unambiguous. If one is missing, consent is invalid.

  • Free: the user must not face any pressure or negative consequences for refusing. A cookie wall without alternatives potentially contravenes this requirement.
  • Specific: consent must relate to a precise purpose. Grouping advertising and audience measurement under one consent is not specific.
  • Informed: the user must have all necessary information to understand what they are consenting to. Incomprehensible technical jargon informs no one.
  • Unambiguous: consent must result from a positive action, not inaction. Silence, pre-checked boxes or inactivity do not constitute consent.

Article 7: conditions of consent

Article 7 imposes three additional obligations:

  1. Proof of consent: the data controller must be able to demonstrate that the individual consented. A local cookie is not enough — a verifiable, timestamped, server-side trace is needed.

  2. Purpose separation: if consent is requested as part of a written declaration that also concerns other matters, the consent request must be presented in a distinct, comprehensible and easily accessible manner, formulated in clear and simple terms.

  3. Right of withdrawal: the individual must be able to withdraw consent at any time, and it must be as easy to withdraw consent as to give it. An “Accept” button requiring one click but a withdrawal requiring an email to the DPO is not compliant.

Article 6: legal basis for processing

For non-essential cookies, the only applicable legal basis is consent (Article 6.1.a). Legitimate interest cannot be invoked to justify advertising or tracking cookies. CNIL has been very clear on this point, in contrast to certain interpretations of the IAB’s TCF (Transparency and Consent Framework) that allow invoking legitimate interest for certain purposes.

What does the ePrivacy Directive say?

Directive 2002/58/EC (the “privacy and electronic communications” directive), known as the ePrivacy Directive, is the text specific to cookies. Its Article 5(3) sets the principle: any action aimed at storing information or accessing information already stored on a user’s terminal requires prior consent, unless the storage is strictly necessary for service provision.

In France, this article is transposed by Article 82 of the French Data Protection Act.

The ePrivacy Directive is a 2002 text, updated in 2009. A proposed ePrivacy Regulation has been under discussion at the European level since 2017 to replace it, but it has still not been adopted in 2026. This delay creates a paradoxical situation: the rules applicable to cookies rest on a text over 20 years old, supplemented by the GDPR and interpretations from national authorities. Current rules therefore remain in force, and CNIL applies them with increasing rigor.

The relationship between the ePrivacy Directive and the GDPR is one of lex specialis: the ePrivacy Directive is the special text that applies first for anything concerning access to the user’s terminal (cookie placement and reading). The GDPR then applies for everything concerning the processing of data collected via these cookies.

What does CNIL say?

CNIL is the national authority responsible for enforcing these texts in France. Its guidelines and recommendation of September 17, 2020 (deliberations No. 2020-091 and No. 2020-092) constitute the reference framework for French publishers.

Key points of the CNIL recommendation

No placement before consent. No non-essential cookie may be placed or read before the user has expressed their choice. CNIL fined Shein 150 million euros in September 2025 precisely for this violation: advertising cookies were placed upon site arrival.

Symmetry of choices. The refusal mechanism must be present at the same level and with the same ease as acceptance. A “Refuse all” button must be as visible as “Accept all”. This requirement covers size, color, position and number of clicks required.

Prior information. The user must know the identity of data controllers, cookie purposes and how to withdraw consent, before making their choice. This information must be clear, concise and understandable.

Granular consent. The user must be able to consent purpose by purpose. An “Accept all” button is allowed, but category-level detail must remain accessible. The user must be able to accept audience cookies while refusing advertising cookies.

Consent withdrawal. A withdrawal mechanism must be accessible at all times, as easily as consent was given. A floating widget, a footer link or a permanent button are acceptable solutions.

Proof of consent. The publisher must be able to demonstrate at any time that valid consent was collected, with an identifier, timestamp and choice detail.
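The first and fourth points above (nothing runs before the choice; consent is per purpose) are the ones a banner implementation most often gets wrong. The following is an added example, not code from DPLIANCE, Cookilio or any CMP, of the gating logic: third-party tags are declared inert in the HTML and are only turned into real scripts for the purposes the user accepted. The purpose names, the `data-purpose` attribute, the `selectTags`/`activateInDocument` helpers and the placeholder hosts are assumptions made for this example.

```javascript
// Added example (not code from DPLIANCE, Cookilio or any CMP): consent-gated
// activation of third-party tags. Tags are declared inert in the HTML, e.g.
//   <script type="text/plain" data-purpose="marketing" src="https://ads.example/tag.js"></script>
// and are turned into real <script> elements only for purposes the user accepted.
// Purpose names, the data-purpose attribute and the hosts are assumptions.

const PURPOSES = ['audience', 'marketing', 'personalization'];

// Constructed sample of the tags a site might declare (hosts are placeholders).
const SAMPLE_TAGS = [
  { purpose: 'audience', src: 'https://stats.example/collect.js' },
  { purpose: 'marketing', src: 'https://ads.example/tag.js' },
  { purpose: 'marketing', src: 'https://social.example/share.js' },
  { purpose: 'personalization', src: 'https://reco.example/widget.js' },
];

// Builds a per-purpose decision. Unknown purpose names are rejected so that a
// typo in the banner configuration can never silently grant a purpose.
function decide(accepted) {
  for (const p of accepted) {
    if (!PURPOSES.includes(p)) throw new Error(`unknown purpose: ${p}`);
  }
  const decision = {};
  for (const p of PURPOSES) decision[p] = accepted.includes(p);
  return decision;
}

// "Accept all" and "Refuse all" go through the same code path (symmetry of choices).
const acceptAll = () => decide(PURPOSES);
const refuseAll = () => decide([]);

// Pure selection: which declared tags may run under a decision.
// decision === null means the user has not chosen yet, so nothing runs
// (the "no placement before consent" rule). A tag whose purpose is not
// declared in PURPOSES never runs either.
function selectTags(tags, decision) {
  if (decision === null) return [];
  return tags.filter((t) => PURPOSES.includes(t.purpose) && decision[t.purpose] === true);
}

// DOM adapter, only meaningful in a browser: swaps each selected inert tag for
// a live <script> carrying the same attributes (minus type="text/plain").
// Returns the number of tags activated; 0 outside a browser.
function activateInDocument(decision, doc = globalThis.document) {
  if (!doc) return 0;
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-purpose]'));
  const tags = inert.map((el) => ({ purpose: el.dataset.purpose, el }));
  let activated = 0;
  for (const { el } of selectTags(tags, decision)) {
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(el.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.textContent = el.textContent; // inline tags keep their body
    el.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

Because `selectTags` is pure, the banner's acceptance, refusal and per-purpose paths can be unit-tested without a browser; `activateInDocument` is the only part that touches the page, and it can never run a tag that `selectTags` did not return.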

The December 2025 update

Deliberation No. 2025-131, published in the Official Journal on January 18, 2026, adds a cross-device consent component. A publisher can now collect a single consent for all terminals connected to the same user account, under strict conditions:

  • Authenticated environments only: cross-device consent applies only to users logged into an account
  • Perfect symmetry between acceptance and refusal on all terminals
  • Prior information to the user about the cross-device nature of consent
  • Pseudonymization of technical identifiers used to link terminals
  • Possibility of withdrawal on each terminal individually

This update addresses a practical publisher need (avoiding re-asking consent on each device) while maintaining a high level of user protection.

Compliance checklist

Here are the points to verify to be in compliance. This checklist can serve as a basis for an internal audit.

  • No non-essential cookies are placed before consent collection
  • Third-party scripts (analytics, advertising, social) are technically blocked until consent
  • “Strictly necessary” cookies are genuinely essential to service operation
  • A complete inventory of site cookies is maintained up to date
  • Each cookie is classified in the correct category (necessary, audience, marketing, personalization)
  • An “Accept all” button and a “Refuse all” button are present at the same level
  • Both buttons have the same size, visibility and visual weight
  • Information about purposes and data controllers is accessible before the choice
  • Per-purpose (granular) consent is available
  • No dark pattern is used (no pre-checking, no ambiguous language, no hidden refusal button)
  • The banner is written in clear and understandable language
  • A consent withdrawal mechanism is accessible at all times (floating icon, footer link)
  • User choices are retained for a maximum of 6 months
  • The banner is re-displayed when this period expires
  • In case of refusal, no non-essential cookie is placed or read
  • Refusal is effectively enforced (verified by network traffic inspection)

Proof

  • Each choice is recorded with a timestamp and unique identifier
  • Proof is stored server-side (not only in a local cookie)
  • Proofs are retained and accessible in case of CNIL inspection
  • The banner version presented at the time of choice is archived

Documentation

  • The cookie policy is up to date and accessible from every page
  • The list of cookies used, their purposes and lifespan is documented
  • Third parties placing cookies are identified
  • The processing register includes cookie-related processing

Accumulating sanctions

2025 marks a turning point in enforcement. CNIL issued 83 sanctions totaling 486,839,500 euros. Among cookie-related cases:

  • Google: 325 million euros (September 2025) for cookies placed without consent during account creation and ads inserted in Gmail.
  • Shein: 150 million euros (September 2025) for advertising cookies placed before any banner interaction.
  • American Express: 1.5 million euros (November 2025) for non-compliance with cookie rules.
  • Conde Nast / Vanity Fair: 750,000 euros (November 2025) for cookies placed despite user refusal.

These sanctions no longer target only giants. CNIL has explicitly urged all private and public organizations to audit their websites and mobile applications. Automated online inspections allow CNIL to verify any site’s compliance, without travel or advance notice. The risk is real for companies of all sizes.

Choosing the right tool

A CMP (Consent Management Platform) is the technical tool that implements your consent banner. But not all CMPs are equal. Your CMP choice has a direct impact on your actual compliance — not just the appearance of compliance.

Essential criteria:

  • Real script blocking: the CMP must technically block third-party script execution, not just display a decorative banner. Verify by network traffic inspection.
  • Server-side proof: consent proof must be stored server-side, not only in a local cookie. A consent=true cookie is not proof.
  • Data hosting: where is consent data stored? With a US third party subject to the Cloud Act, or on your own servers? Consent data is itself personal data.
  • Performance: the widget must not degrade your site’s Core Web Vitals. A heavy script penalizes your SEO and user experience.
  • CNIL compliance: the CMP must comply with CNIL recommendations, not just the IAB TCF standard. Being TCF compliant does not mean being CNIL compliant.
  • Autonomy: can you configure and update the CMP without dependency on an external provider?

Cookilio was designed by DPLIANCE to meet exactly these criteria. Ultra-lightweight Preact widget, zero scripts executed before consent, server-side consent proof with correlation IDs, and self-hosting on your own servers for total sovereignty.

Consent is not an obstacle to circumvent. It is a commitment to honor.

Discover Cookilio — starting at EUR 9 excl. tax/month.

FAQ

Are cookies covered by the GDPR or the ePrivacy Directive?

Both texts apply complementarily. The ePrivacy Directive (transposed in France by Article 82 of the Data Protection Act) specifically governs cookie placement and reading on the user’s terminal. The GDPR applies as soon as data collected via cookies allows identifying a person, and it defines consent validity conditions. The ePrivacy Directive is the lex specialis (special law) that takes precedence over the GDPR for cookie-specific aspects.

Does Google Analytics require consent?

Yes, in the majority of configurations. CNIL provides a consent exemption for audience measurement tools, but under strict conditions: anonymous data, exclusive use by the publisher, no cross-referencing with other processing, tracker lifespan limited to 13 months. Standard Google Analytics configurations generally do not meet these criteria, particularly because data passes through Google’s servers and can be cross-referenced with other Google services.

What to do if a user refuses all cookies?

You must fully respect their choice. No non-essential cookie may be placed or read. The site must remain fully functional (excluding features that by nature require cookies, such as personalization). You cannot block content access due to refusal, except within the strict framework of a compliant cookie wall. In practice, this means your site must be designed to function correctly without any non-essential cookie.

How long must consent proofs be retained?

CNIL does not set a precise duration, but proof must be available as long as processing based on that consent is ongoing. In practice, retain proofs for the consent validity duration (6 months recommended) plus a reasonable period for inspections; an additional year is common practice. Beyond that, proofs can be deleted in accordance with the minimization principle.

Will the ePrivacy Regulation replace the Directive?

A proposed ePrivacy Regulation has been under discussion at the European level since 2017. As of March 2026, it has still not been adopted. Negotiations stall on several points, notably the scope of the consent exemption for audience measurement cookies and the treatment of communication metadata. Current ePrivacy Directive rules and CNIL recommendations therefore remain fully applicable for an indefinite period.

Is fingerprinting subject to the same rules as cookies?

Yes. CNIL uses the term “trackers” to encompass all tracking technologies, including fingerprinting (browser fingerprint). Article 82 of the French Data Protection Act applies to any operation of accessing or writing information on the user’s terminal. Fingerprinting, which consists of collecting browser technical characteristics to create a unique identifier, is subject to the same consent regime as cookies.


Sources:

  • CNIL, Cookies: what does the law say?
  • CNIL, Guidelines and recommendation of September 17, 2020
  • CNIL, Solutions for audience measurement tools
  • CNIL, 2025 actions
  • GDPR.eu, Cookies, the GDPR, and the ePrivacy Directive
  • CNIL, Cross-device consent recommendation