Cookie Consent Management: GDPR Guide 2026
Cookie consent management is not a secondary technical concern. It’s the point of contact between your website, European law, and your users’ trust. In 2025, CNIL (French data protection authority) issued 83 sanctions totaling nearly 487 million euros. The vast majority of violations involved consent: cookies deployed before agreement, nonexistent proof, poorly implemented refusal.
This guide covers everything a website publisher needs to know to implement GDPR-compliant consent management in 2026.
Why Consent Management Is Critical
A Real Financial Risk
CNIL sanction amounts are no longer symbolic. In September 2025, Google was fined 325 million euros and Shein 150 million for cookie-related violations. In November 2025, Conde Nast (Vanity Fair) was sanctioned for 750,000 euros, American Express for 1.5 million euros. SMBs are not spared: CNIL has explicitly invited all private and public organizations to audit their sites.
The math is simple: the cost of a serious compliance effort is measured in hundreds or thousands of euros. The cost of a CNIL sanction can reach 4% of annual global revenue. Not to mention legal fees, team time diverted, and the negative publicity associated with a decision published on CNIL’s website.
A Reputational Risk
A non-compliant cookie banner is visible to every visitor. It’s often the first point of contact with your brand. A dark pattern — hidden refusal button, manipulative design, pre-checked boxes — sends a clear signal: you don’t respect your users’ choices. In a context where privacy awareness keeps growing, this first impression can be decisive.
CNIL sanctions are public. They’re picked up by specialized and mainstream press. A conviction for violating cookie rules signals poor data governance that can affect trust from customers, partners, and investors.
An Unambiguous Legal Obligation
Article 82 of the French Data Protection Act (loi Informatique et Libertés), Article 7 of the GDPR, and CNIL’s September 17, 2020 recommendation leave no room for interpretation. Consent must be freely given, specific, informed, and unambiguous. Proof must be retained. Withdrawal must be as easy as giving consent. These requirements are not optional recommendations — they are enforceable obligations.
How CNIL Audits
CNIL no longer just handles complaints. It conducts proactive, increasingly sophisticated technical audits that go well beyond simple visual inspection of a banner.
Automated Online Audits
CNIL analyzes network traffic generated by websites. It uses automated tools that replicate user behavior: page loading, inspection of cookies deployed before any interaction, verification of outbound network requests. It checks whether non-essential cookies are deployed before the user interacts with the banner.
This is how Shein was caught: advertising cookies were active as soon as the page loaded, before any user action. CNIL can perform these checks on any site, without notice and without physical inspection. The volume of auditable sites is therefore considerably higher than with traditional on-site audits.
Verifying Effectiveness of Choices
CNIL doesn’t stop at checking whether a banner exists. It tests whether refusal is actually respected in the technical implementation. In the Conde Nast / Vanity Fair case (November 2025), CNIL found that cookies were still being deployed and read after the user clicked “Refuse All.” The 750,000 euro fine specifically sanctioned this gap between the appearance of compliance and the technical reality.
This type of audit is particularly powerful: it exposes situations where the publisher installed a visually compliant banner but where the technical implementation is flawed. A misconfigured CMP, a forgotten third-party script, an update that reintroduces an unconsented cookie — all flaws that CNIL detects through network inspection.
Strengthened Technical Approach
The 2025 sanctions against Orange, Shein, Conde Nast, and American Express mark a fundamental shift: systematic network traffic monitoring, strict verification of the effectiveness of user choices, and increased publisher accountability for their technical architecture. The message is clear: a decorative banner is no longer enough. Compliance must be verifiable at the code and network level.
CNIL has also invested in internal technical expertise. Audit agents are trained in network traffic analysis, cookie inspection via browser developer tools, and JavaScript behavior verification. The technical sophistication of audits has significantly increased.
Formal Notices for Dark Patterns
In December 2024, CNIL issued formal notices to several publishers for dark patterns in their banners. Identified violations: oversized accept button compared to refuse, ambiguous language for refusal (“Customize My Choices” instead of “Refuse All”), refusal requiring multiple clicks while acceptance requires just one. Compliance deadline: one month, under threat of financial sanctions.
These formal notices serve as a warning to the entire market: CNIL no longer tolerates manipulative designs, even subtle ones. Asymmetry between acceptance and refusal has become a priority audit criterion.
TCF 2.2 vs CNIL Requirements
The Transparency and Consent Framework (TCF) from IAB Europe is a technical standard widely used by the advertising industry. Version 2.2 is the current standard. But being TCF-compliant does not mean being CNIL-compliant — and this distinction is crucial.
What TCF Provides
TCF standardizes how consent is collected, stored, and transmitted between publishers, CMPs, and ad tech vendors. It defines processing purposes, legal bases, and a technical format (TC String) to encode user choices.
TCF 2.2 improved transparency over previous versions: mandatory display of total partner count on the first screen, more accessible purpose descriptions, ability for users to modify choices at any time, and removal of certain contested legal bases.
Limitations Against CNIL Requirements
Legitimate interest. TCF allows ad tech vendors to invoke legitimate interest as a legal basis for certain purposes. CNIL does not accept this for cookies: only consent is valid. This is a fundamental divergence between the industry standard and French regulatory requirements.
Granularity. TCF lists dozens, even hundreds of partners. CNIL requires information to be clear and understandable. A list of 500 partners doesn’t necessarily meet this criterion — it may even mean the consent is not “informed” under the GDPR, since the user cannot reasonably evaluate the implications of each partner.
Proof. TCF encodes choices in a technical string (TC String) stored client-side in a cookie. CNIL requires demonstrable server-side proof. A local cookie, modifiable and deletable, does not constitute proof under Article 7 of the GDPR.
Effective blocking. TCF signals user choices to advertising partners but does not technically block script execution. It’s up to partners to respect the transmitted preferences. CNIL expects real technical blocking, verified at the network traffic level, not mere signaling.
The Pragmatic Position
TCF is a useful tool if you work with the programmatic advertising ecosystem. But it does not replace CNIL obligations. A compliant CMP must go beyond TCF: real script blocking, server-side proof, respect for acceptance/refusal symmetry in design. Consider TCF as a complement to CNIL compliance, not a substitute.
Choosing a CMP: The Criteria That Matter
A CMP (Consent Management Platform) is the tool that concretely implements your consent management. The choice is structural: it determines your actual compliance level, not just your apparent compliance. Here are the criteria to evaluate, in order of priority.
1. Effective Script Blocking
The CMP must technically block third-party script execution until the user has consented. Not symbolic blocking — real blocking, verifiable by network traffic inspection. This is CNIL’s number one checkpoint.
How to verify: open your browser’s developer tools (Network tab), clear all cookies, reload the page, and observe network requests before interacting with the banner. If you see calls to third-party domains (Google Analytics, Facebook, ad services), your CMP is not effectively blocking scripts.
2. Server-Side Consent Proof
Consent proof (Article 7 GDPR) must be stored server-side, with a unique identifier and timestamp. A local cookie containing “consent=true” does not constitute proof. During an audit, you must be able to provide proof that a specific user consented to specific purposes on a specific date, with the banner version they were shown.
3. Data Location
Where is consent data stored? With a US provider subject to the Cloud Act? On European servers? On your own servers? The question is not theoretical: consent data is itself personal data (it’s linked to a user identifier). Hosting it with a non-European third party raises GDPR Chapter V compliance questions regarding international data transfers.
4. Performance
The consent widget loads on every page, for every visitor. A heavy script degrades Core Web Vitals (LCP, FID, CLS), penalizes your SEO, and damages the user experience. Widget weight and its impact on initial rendering are non-negligible technical criteria. A CMP that adds 200 KB of JavaScript and delays page rendering by 500ms has a real cost in terms of organic traffic and conversion rates.
5. Actual Regulatory Compliance
A CMP can be IAB TCF certified and still non-compliant with CNIL requirements. Check: is the “Refuse All” button present by default on the first screen? Does the design respect symmetry? Are cookies actually blocked before consent, or merely flagged as needing to be? The distinction between apparent and actual compliance is exactly what CNIL tests during audits.
6. Autonomy and Maintainability
Is the CMP configurable without provider dependency? Are regulatory updates integrated quickly? Can you adapt the design to your brand guidelines without violating legal requirements? A CMP that requires consultant intervention for every modification is a recurring cost and a compliance delay risk.
Market Solution Comparison
Tarteaucitron
French open source solution, free. Strengths: free, active community, script blocking by tags, total code control. Weaknesses: no native server-side consent proof, default design requires integration work, technical configuration needed (no admin interface), maintenance entirely your responsibility, no support during a CNIL audit. Suited for autonomous technical teams with limited budgets.
Axeptio
French solution, polished interface. Strengths: refined and original UX (conversational format), good integration with major CMS (WordPress, Shopify). Weaknesses: data hosted on Axeptio’s servers (no self-hosting option), pricing that scales with traffic (per-visitor model), no server-side proof with correlation IDs. Suited for mid-sized sites seeking a turnkey solution with good design.
Didomi
Enterprise-oriented solution. Strengths: TCF 2.2 compatible, advanced reporting interface, multi-country and multi-language support, centralized management for multi-site groups. Weaknesses: complex configuration often requiring support, high cost (several thousand euros/year), data hosted on Didomi’s servers, approach centered on the advertising ecosystem rather than strict CNIL compliance. Suited for large enterprises with complex advertising needs.
CookieBot (Usercentrics)
Danish solution, widely used in Europe. Strengths: automatic cookie scan, large database of known scripts, intuitive admin interface. Weaknesses: data hosted outside France (Microsoft Azure servers), sometimes heavy widget impacting performance, limited design customization, per-page pricing. Suited for sites seeking a standardized solution with automatic scanning.
Cookilio (DPLIANCE)
French solution, specifically designed for CNIL compliance. Strengths:
- Zero scripts before consent: real technical blocking, verified by network inspection
- Server-side proof: each choice recorded server-side with a unique correlation ID, timestamp, and purpose details
- Self-hosted: consent data stays on your own servers. Total sovereignty — no transit through third-party services
- Ultra-lightweight widget: built with Preact, minimal impact on performance and Core Web Vitals
- Multi-step banner: wizard that guides the user without dark patterns, with perfect symmetry between acceptance and refusal
- Simple pricing: EUR 9 excl. tax/month + EUR 250 excl. tax setup. No traffic-based cost, no surprises
The Proof Obligation: What CNIL Concretely Expects
Article 7 of the GDPR states that “where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented.” This is not a recommendation — it’s a legal obligation whose non-compliance results in sanctions.
What Proof Must Contain
- An identifier: who consented? Not necessarily a name, but a technical identifier allowing retrieval of a given user’s choice (cookie ID, pseudonymized session ID).
- A timestamp: when was consent collected? Precision must be sufficient (date, hour, minute, second).
- Detailed choices: which purposes were accepted, which were refused? Detail by category is necessary.
- Banner version: what information was presented to the user at the time of choice? The texts, proposed categories, partner list.
- Technical context: which page was the user on? What device were they using? (Particularly relevant since the December 2025 cross-device update.)
What Proof Must Not Be
A local cookie containing “consent=accepted” is not proof. The user can delete it, a script can modify it, and, crucially, the publisher cannot present it to CNIL as proof of anything. Similarly, a server log that simply records “user clicked Accept” without a unique identifier or purpose detail is insufficient.
Concrete Implementation
At DPLIANCE, Cookilio generates a unique correlation ID for each consent interaction. This correlation ID is recorded server-side with the timestamp, detailed choices per purpose, and banner version. During an audit, you can provide CNIL with the complete history of collected consents, with certainty that the data has not been altered.
Consent is not an obstacle to work around. It’s a commitment to uphold.
Discover Cookilio — starting at EUR 9 excl. tax/month.
FAQ
Is a CMP mandatory?
Technically, no. The GDPR and CNIL don’t mandate using a CMP as such. They mandate collecting compliant consent, blocking scripts before consent, and retaining proof. In practice, these obligations are nearly impossible to fulfill without a dedicated tool. Manual implementation is risky, expensive to maintain, and difficult to audit.
Is TCF 2.2 mandatory?
No. TCF is an advertising industry standard (IAB Europe), not a legal obligation. It’s relevant if you work with programmatic advertising partners. But being TCF-compliant doesn’t mean being CNIL-compliant. CNIL requirements go further, particularly on effective script blocking and server-side proof.
How frequently does CNIL audit sites?
CNIL has intensified its online audits since 2021. It uses automated tools to analyze website network traffic. In 2024, it issued formal notices to several publishers for dark patterns. In 2025, it pronounced major sanctions (Google, Shein, Conde Nast, American Express). There’s no fixed frequency, but audit risk is increasing, especially for high-traffic sites and those subject to user complaints.
Can legitimate interest be used for analytics cookies?
CNIL does not recognize legitimate interest as a legal basis for cookies. For analytics cookies, a consent exemption exists, but under strict conditions: strictly anonymous data, exclusive use by the publisher, no transfer to third parties, lifespan limited to 13 months. If all conditions aren’t met, consent is mandatory.
How to verify that my CMP actually blocks scripts?
Open your browser’s developer tools (Network tab), clear all cookies, reload the page, and observe network requests before interacting with the banner. If you see calls to third-party domains (Google Analytics, Facebook, ad services), your CMP is not effectively blocking scripts. This is exactly what CNIL does during audits. You can also use specialized tools like browser extensions or dedicated online scanners.
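The check described in this answer and in criterion 1 of the CMP section can be scripted against a HAR export or any list of captured requests. As an added example (not code from the original page or from Cookilio), the Node.js function below takes constructed request records with a timestamp relative to navigation, flags third-party calls made before the banner was touched, and, when the tester clicked “Refuse All”, also flags third-party calls that continued afterwards, the gap CNIL sanctioned in the Conde Nast case. The registrable-domain helper is a two-label approximation, an assumption noted in the code.

```javascript
// Constructed capture from a fresh profile (cookies cleared), in the shape a
// HAR export or the DevTools Network tab gives: URL, ms since navigation start,
// and whether the response carried Set-Cookie.
const CLICKED_AT = 4200; // ms: when the tester clicked a banner button (assumption)
const CAPTURED = [
  { url: "https://www.example-shop.fr/", t: 0, setCookie: true },
  { url: "https://static.example-shop.fr/app.js", t: 120, setCookie: false },
  { url: "https://cmp.example-shop.fr/banner.js", t: 150, setCookie: false },
  { url: "https://www.google-analytics.com/g/collect?v=2", t: 310, setCookie: false },
  { url: "https://connect.facebook.net/en_US/fbevents.js", t: 340, setCookie: true },
  { url: "https://ads.example-adnetwork.com/pixel", t: 4800, setCookie: true },
];

// Registrable domain approximated as the last two labels. A real audit tool
// should use the public suffix list (co.uk-style suffixes break this).
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// choice is "accept" or "refuse". Returns the two findings a network audit
// reports: third-party traffic before any choice, and, after a refusal,
// third-party traffic that kept flowing anyway.
function auditThirdPartyTraffic(requests, firstPartyDomain, clickedAt, choice) {
  const thirdParty = requests.filter(
    (r) => registrableDomain(new URL(r.url).hostname) !== firstPartyDomain
  );
  const brief = (r) => ({ host: new URL(r.url).hostname, t: r.t, setCookie: r.setCookie });
  return {
    beforeChoice: thirdParty.filter((r) => r.t < clickedAt).map(brief),
    afterRefusal: choice === "refuse"
      ? thirdParty.filter((r) => r.t >= clickedAt).map(brief)
      : [],
  };
}

const result = auditThirdPartyTraffic(CAPTURED, "example-shop.fr", CLICKED_AT, "refuse");
for (const f of result.beforeChoice) console.log(`before choice: ${f.t}ms ${f.host}`);
for (const f of result.afterRefusal) console.log(`after refusal: ${f.t}ms ${f.host}`);
```

An empty `beforeChoice` on a clean profile, and an empty `afterRefusal` after clicking “Refuse All”, is the outcome a compliant CMP must produce.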
What’s the difference between a CMP and a cookie banner?
A cookie banner is the visual interface presented to the user to collect consent. A CMP (Consent Management Platform) is the complete tool managing the consent lifecycle: banner display, script blocking, choice recording, consent proof, consent withdrawal. A simple cookie banner without a CMP doesn’t meet legal obligations — it displays a message but doesn’t technically block cookies and doesn’t retain proof.
Sources:
- CNIL, Cookie recommendations of September 17, 2020
- CNIL, Dark patterns in cookie banners
- CNIL, Google EUR 325M sanction
- CNIL, Shein EUR 150M sanction
- CNIL, Vanity Fair EUR 750K sanction
- CNIL, American Express EUR 1.5M sanction
- CNIL, 2025 actions