Your Cookie Banner Is Still Illegal and You Know It
It has been eight years since the General Data Protection Regulation entered into force. Eight years of guidance documents, enforcement actions, and consultancy engagements. Eight years for the technology industry to figure out how to ask permission before storing files on a user's computer.
The result is a cookie banner that is deliberately designed to be incomprehensible, with a "Reject All" button that requires three additional clicks and the visual prominence of a disclaimer on a pharmaceutical advertisement.
This is not a compliance failure. It is compliance theater. And the regulators have finally noticed.
The State of Play in 2026
The ePrivacy Regulation, which was supposed to replace the cookie directive and harmonize enforcement across the EU, remains in legislative purgatory. But the absence of new legislation has not prevented aggressive enforcement of existing rules.
The Irish Data Protection Commission, historically criticized for its reluctance to sanction the American technology companies headquartered in Dublin, has levied fines exceeding two billion euros in the past eighteen months. The French CNIL has automated its enforcement process, using crawlers to scan websites for non-compliant consent mechanisms and issuing fines algorithmically.
Your cookie banner is almost certainly non-compliant. Here is why.
Violation 1: Implied Consent
Your banner says, "By continuing to browse this site, you accept the use of cookies." This is the digital equivalent of "by entering this building, you agree to be photographed and your image sold to advertisers."
Consent under GDPR must be unambiguous and involve a clear affirmative act. Continuing to scroll is not an affirmative act. It is the default behavior of a web browser. You cannot infer consent from inaction.
The Fix: Remove implied consent mechanisms entirely. Require an explicit button click before setting non-essential cookies. This is not negotiable. The European Court of Justice has ruled on this repeatedly.
Violation 2: The Deceptive Reject Button
Your banner presents "Accept All" as a prominent, styled button. The "Reject All" option is a text link in gray font located in the top corner of the banner, styled to resemble legal boilerplate.
This is a dark pattern. It is also a clear violation of the transparency requirement. Recital 32 requires that consent be given by a clear affirmative act. Making rejection difficult is functionally equivalent to making rejection impossible.
The Fix: Present "Accept" and "Reject" options with equal visual prominence. Both should be buttons. Both should be the same size. Both should be immediately visible without scrolling.
Violation 3: Legitimate Interest Abuse
Your cookie banner claims that certain tracking cookies are "necessary for the functioning of the website" or are based on "legitimate interest" rather than consent.
A cookie that remembers a user's shopping cart is necessary. A cookie that tracks a user's behavior across thousands of websites for advertising profiling is not necessary. Recital 47 explicitly states that legitimate interest cannot serve as the legal basis for processing where the data subject's interests override the controller's interests.
The Fix: Audit every cookie your domain sets. Categorize them honestly. Marketing cookies, analytics cookies, and personalization cookies require consent. There is no exception for "we really want the data."
Violation 4: Consent Without Granularity
Your banner offers a binary choice: accept all or reject all. There is no mechanism to select specific categories of cookies, nor to withdraw consent after it has been granted.
Article 7(3) requires that consent be as easy to withdraw as to give. If you provide a "Reject All" button on the initial banner, you must also provide a mechanism on subsequent pages to reopen that choice.
The Fix: Implement a preference center that allows users to toggle individual cookie categories on and off. Ensure this preference center is accessible from every page, typically via a link in the footer labeled "Cookie Settings" or equivalent.
The Technical Implementation
1. Consent Management Platforms
There are dozens of consent management platforms available, ranging from open-source libraries to enterprise SaaS solutions. The market has consolidated significantly, and the remaining players generally produce compliant implementations if configured correctly.
The critical factor is configuration. A CMP is not a set-it-and-forget-it solution. You must configure the banner presentation, the consent categories, and the blocking scripts. Most compliance failures with commercial CMPs are configuration errors, not platform deficiencies.
2. Tag Blocking
Consent is meaningless if tags fire before consent is obtained. Many websites load Google Analytics, Facebook Pixel, and other tracking scripts synchronously on page load, then ask for consent in a banner that appears three seconds later.
Tags that require consent must be blocked from executing until after consent is received. This typically requires a tag management solution with consent-aware loading capabilities. Google Tag Manager offers consent mode. Most other tag managers offer similar functionality. You must use it.
3. The Consent Audit Trail
Article 7(1) requires that you be able to demonstrate that consent was given. This is not a suggestion. If the CNIL audits your organization and asks for proof of consent for the 500,000 users who visited your site in the past month, what will you produce?
Store consent records. Include timestamp, IP address, user agent, and the specific choices made. Retain these records for the duration of the processing activity. This is your evidence in the event of an investigation.
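The tag-blocking, granularity and audit-trail points above, as one added example that is not code from this article or from any CMP: scripts needing consent are declared as inert data blocks in the HTML, the decision logic is pure so it can be tested outside a browser, and the client-side part of the consent record is built at the moment of the affirmative click. The category names are the article's own; the "bannerVersion" field and the data-consent attribute name are assumptions.

```javascript
// Added example (not from the article): consent-gated tag loading with per-category
// granularity. Scripts that need consent are declared inert in the HTML, e.g.
//   <script type="text/plain" data-consent="analytics" src="https://example.invalid/ga.js"></script>
// A "text/plain" script is a data block: the browser neither fetches nor executes it.
const CONSENT_CATEGORIES = ["necessary", "analytics", "marketing", "personalization"];

// Until the user performs an affirmative act, only strictly necessary cookies are allowed.
function defaultConsent() {
  return { necessary: true, analytics: false, marketing: false, personalization: false };
}

// Explicit button click -> consent state. Scrolling or closing the banner never calls this.
// Unknown categories are ignored and "necessary" cannot be toggled off.
function consentFromChoice(choices) {
  const consent = defaultConsent();
  for (const cat of CONSENT_CATEGORIES) {
    if (cat !== "necessary" && choices[cat] === true) consent[cat] = true;
  }
  return consent;
}

// Pure filter: which declared tags may run under this consent. Fails closed on
// tags with a missing or unknown category.
function allowedTags(tags, consent) {
  return tags.filter((t) => CONSENT_CATEGORIES.includes(t.category) && consent[t.category] === true);
}

// Client-side part of the Article 7(1) audit record; the server adds the IP address when
// it stores this, since the browser cannot know it. bannerVersion (assumed field) pins
// which banner text the user actually saw.
function buildConsentRecord(consent, userAgent, bannerVersion, now = new Date()) {
  return { timestamp: now.toISOString(), userAgent, bannerVersion, choices: { ...consent } };
}

// DOM glue: re-create each permitted inert script as a real one so it loads. Takes the
// document as a parameter so the decision logic above stays testable without a browser.
// Withdrawal cannot unload a running script: delete its cookies and reload the page instead.
function activateConsentedScripts(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent]'));
  const tags = inert.map((el) => ({ el, category: el.getAttribute("data-consent") }));
  const activated = [];
  for (const { el } of allowedTags(tags, consent)) {
    const live = doc.createElement("script");
    if (el.getAttribute("src")) live.src = el.getAttribute("src");
    else live.textContent = el.textContent;
    el.parentNode.replaceChild(live, el);
    activated.push(live.src || "(inline)");
  }
  return activated;
}
```

Wire `consentFromChoice` to the Accept/Reject/preference-center buttons only, then call `activateConsentedScripts(document, consent)` and post the record from `buildConsentRecord` to your server.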
The Honest Assessment
Your current cookie banner is not compliant. You know this because you have read the guidance, compared your implementation to the requirements, and identified the gaps. You have not fixed them because fixing them would reduce the volume of tracking data available to your marketing team, and the marketing team has convinced the executive team that reduced tracking data equals reduced revenue.
This is a business decision, not a compliance decision. But it is a decision with consequences. The fines are real. The enforcement is accelerating. And the excuse of "we didn't understand the requirements" expired approximately seven years ago.
Fix your banner. Then fix your data processing practices. The banner is just the interface. The underlying problem is that you are collecting data you do not need and storing it indefinitely. But that is a topic for another article.