
PolicifyAI

Published January 2026 · 7 min read


Cookie Consent in 2026: What's Changed and What You Need to Do

The ICO and CNIL have both issued new guidance on cookie consent banners. Here is what it means for your website and how to stay compliant.

The state of cookie consent in 2026

Cookie consent has become one of the most litigated areas of EU and UK privacy law. The French data protection authority (CNIL) has fined Google, Facebook, and numerous publishers hundreds of millions of euros for non-compliant consent banners. The ICO has issued formal reprimands to UK organisations and signalled enforcement is increasing.

What the new guidance says

The key principle remains unchanged: non-essential cookies require freely given, specific, informed, and unambiguous opt-in consent. What has changed is the enforcement emphasis on dark patterns — consent banners that make "accept all" easy and "reject all" hard.

The ICO's 2025 updated guidance specifically calls out: pre-ticked boxes, consent bundled with terms of service, no obvious "reject" option, and using confusing language like "I agree to personalised experiences" instead of plain "Accept cookies."

What counts as a non-essential cookie?

Essential cookies (authentication, session management, security) do not require consent. Non-essential cookies do. This includes: Google Analytics (yes, even GA4), advertising pixels, social media embeds, A/B testing tools, and heatmap tools like Hotjar.

The compliant consent banner in 2026

A compliant banner must: appear before non-essential cookies are set, offer "Accept" and "Reject" options equally prominently, allow granular control by cookie category, make it easy to withdraw consent later, and not use dark patterns (pre-selected toggles, confusing wording, etc.).

What you need to do

First, audit which cookies your website sets and classify them. Tools like Cookiebot's scanner can help. Second, implement a compliant consent management platform (CMP) — Cookiebot, Axeptio, and Usercentrics are popular options. Third, update your cookie policy to list every cookie accurately. Fourth, test your implementation: try rejecting all cookies and verify that GA and other tools do not load.
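The fourth step can be automated. The following is an added example, not code from this article or from any CMP vendor: it takes the cookie names and request URLs recorded from a test page after clicking "Reject" and flags anything belonging to the non-essential tools named above. The cookie and host patterns are an illustrative, non-exhaustive assumption, and the essential cookie names are hypothetical.

```javascript
// Added example. Patterns below are illustrative assumptions, not a complete list.
const NON_ESSENTIAL_COOKIES = [
  { re: /^_ga($|_|t)|^_gid$/, tool: "Google Analytics" },
  { re: /^_fbp$|^_gcl_au$/, tool: "advertising pixel" },
  { re: /^_hj/, tool: "Hotjar" },
];
const NON_ESSENTIAL_HOSTS = [
  { re: /(^|\.)google-analytics\.com$/, tool: "Google Analytics" },
  { re: /(^|\.)googletagmanager\.com$/, tool: "Google tag" },
  { re: /(^|\.)facebook\.net$/, tool: "advertising pixel" },
  { re: /(^|\.)hotjar\.com$/, tool: "Hotjar" },
];
// Cookies the site owner has already classified as essential (hypothetical names).
const ESSENTIAL = new Set(["session_id", "csrf_token", "consent_state"]);

function auditAfterReject(cookieNames, requestUrls) {
  const violations = [];
  const unclassified = []; // not known either way: needs manual classification
  for (const name of cookieNames) {
    const hit = NON_ESSENTIAL_COOKIES.find((p) => p.re.test(name));
    if (hit) violations.push({ kind: "cookie", item: name, tool: hit.tool });
    else if (!ESSENTIAL.has(name)) unclassified.push(name);
  }
  for (const raw of requestUrls) {
    let host;
    try {
      host = new URL(raw).hostname.toLowerCase();
    } catch {
      continue; // skip malformed entries in the capture
    }
    const hit = NON_ESSENTIAL_HOSTS.find((p) => p.re.test(host));
    if (hit) violations.push({ kind: "request", item: host, tool: hit.tool });
  }
  return { pass: violations.length === 0, violations, unclassified };
}

// Constructed sample: state captured from a test page after clicking "Reject".
const sample = auditAfterReject(
  ["session_id", "consent_state", "_ga_AB12CD34", "_hjSessionUser_1", "promo_seen"],
  ["https://example.test/app.js", "https://www.google-analytics.com/g/collect?v=2", "not a url"]
);
console.log(JSON.stringify(sample, null, 2));
```

Cookies reported as `unclassified` are neither known-essential nor matched by a pattern, so they go back to the audit in step one.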

The cost of getting it wrong

Individual fines from the ICO for cookie consent violations have ranged from formal reprimands (free) to significant monetary penalties for larger organisations. For small businesses, the primary risk is reputational and the cost of remediation. Start with a compliant CMP — it costs far less than a fine.
