Cookie Consent Guide 2026
Complete requirements for GDPR, CCPA, and cookie consent compliance
Cookie consent requirements continue to evolve as privacy regulations tighten and browser technologies change. This guide covers what you need to know to ensure your website complies with GDPR, ePrivacy Directive, CCPA, and emerging privacy laws in 2026.
GDPR Cookie Requirements
1. Prior Consent Required
Under GDPR and the ePrivacy Directive, you must obtain explicit consent before setting non-essential cookies. This means:
- Cookies cannot be set when a user first lands on your site
- Consent must be obtained before any non-essential cookies are placed
- Users must be able to reject cookies as easily as accept them
- The default must not have pre-checked checkboxes
2. Granular Consent Options
GDPR requires consent to be granular. Users must be able to:
- Accept all cookies
- Reject non-essential cookies
- Select specific cookie categories (analytics, marketing, functional)
- Change their preferences at any time
3. Clear Cookie Information
Your cookie banner and policy must include:
- Purpose of each cookie category
- Types of data collected by cookies
- Third parties who receive cookie data
- Retention period for cookie data
- How to withdraw consent
4. Consent Records
You must maintain records of consent:
- What the user consented to
- When consent was given
- How consent was obtained
- User's preferences at that time
- Ability to demonstrate consent if challenged
CCPA/CPRA Cookie Requirements
Opt-Out Rights
California's CCPA and CPRA focus on the right to opt out of "sale" or "sharing" of personal information, which includes cookies used for advertising:
- Must provide a clear "Do Not Sell My Personal Information" link
- Must honor opt-out requests within 15 days
- Cannot require account creation to opt out
- Must stop selling/sharing upon opt-out request
- Must disclose cookie use in privacy policy
Important
CCPA applies to for-profit businesses meeting revenue thresholds ($25M+), data thresholds (100k+ consumers), or deriving 50%+ revenue from selling data. CPRA applies to businesses meeting modified thresholds including 100k+ household data.
Consent Best Practices
Cookie Banner Design
- Keep it non-intrusive but noticeable
- Use clear, jargon-free language
- Provide easy access to full policy
- Include clear Accept/Reject buttons
- Offer preference center link
Cookie Categories
- Essential/Strictly Necessary
- Analytics/Performance
- Functional/Preferences
- Advertising/Targeting
- Social Media
Consent Management
- Store consent with timestamp
- Respect consent across sessions
- Allow easy preference changes
- Re-prompt after 12 months
- Document all consent changes
Third-Party Cookies
- Disclose all third-party vendors
- Require consent for each category
- Review vendor privacy policies
- Monitor for policy updates
- Maintain vendor agreements
Cookie Compliance Checklist
Implementation
- Cookie banner implemented
- Consent management in place
- Cookie policy created/updated
- Cookie categories defined
- Preference center built
- Third-party vendors documented
Legal
- GDPR requirements met
- CCPA opt-out in place
- Consent records maintained
- Policy linked in banner
- 12-month re-consent cycle
- Right to delete honored
Technical
- Cookies blocked until consent
- Consent stored properly
- Preference changes working
- Opt-out signals honored
- Cookie audit completed
- Server-side consent option
Pro Tip
Consider implementing a consent management platform (CMP) that supports multiple regulations and provides automatic updates as laws change. Many CMPs also handle Google's evolving third-party cookie phase-out requirements.
Frequently Asked Questions
Are analytics cookies GDPR compliant?
Analytics cookies can be considered essential or non-essential depending on how they're implemented. If they collect IP addresses or create pseudonymous profiles, they typically require consent. Anonymized analytics without consent may be permissible in some jurisdictions.
Can I use a cookie wall that blocks content?
Cookie walls that block all access until consent are generally not GDPR compliant because consent must be freely given. Users must be able to access your site without accepting non-essential cookies. Consider a warning rather than a hard block.
How often do I need to re-request consent?
GDPR guidance suggests refreshing consent at least every 12 months or when your data processing changes significantly. CCPA doesn't require re-consent but does require disclosure if purposes change.
What about cookie banners on mobile apps?
Mobile apps require consent for the same reasons as websites. In-app tracking consent (iOS App Tracking Transparency) is required for apps distributed through the App Store meeting certain thresholds.
Check Your Cookie Compliance
PolicyLens can audit your website for cookie consent compliance and identify issues with your banner, policy, and tracking implementations.
Run Free Cookie Audit