Cookie consent banners are supposed to protect privacy under the GDPR and ePrivacy rules. Instead, too many still push users toward “accept” and make “reject” hard, hidden or confusing. That isn’t just bad UX. Regulators across Europe now see it as a compliance failure with real financial consequences.
Regulators Are Getting Serious About Cookie Consent
In September 2025, the French data protection authority (CNIL) imposed a €150 million fine on Shein for placing cookies without valid consent and failing to respect users’ choices, despite repeated prior warnings and investigations. The violation wasn’t theoretical. Shein continued to set cookies even when users pressed “Refuse all.”
Only a month earlier, the CNIL fined Conde Nast €750,000 for placing cookies before users made a choice. Some of these practices had been flagged for years, but repeated non‑compliance finally triggered penalties.
Meanwhile, Belgian authorities ordered news publishers to fix deceptive banners that made rejecting cookies harder than accepting them, emphasising that opaque designs and misleading colours violated the GDPR’s requirement that consent must be “freely given.”
And in the Netherlands, the Autoriteit Persoonsgegevens formally warned 50 organisations about misleading cookie banners, finding they lacked clear reject options and sometimes deployed tracking before consent was obtained at all.
These moves aren’t isolated outliers. Across the EU, regulators are signalling that asymmetric consent flows (dark patterns) and consent walls aren’t acceptable. They are examining real‑world banner behaviour, not just legal language about consent, and they are on the ‘front foot’.
Why This Trend Matters for Compliance
Regulators in the EU are making it clear that cookie selectors and Consent Management Platforms (CMPs) have to produce interfaces that are neutral, symmetrical and transparent. The days of “accept all” front and centre with a small, dull reject link are coming to an end.
Under the combination of ePrivacy and GDPR, consent must be freely given, specific and informed (GDPR Article 4(11) & Article 7). Placing cookies or tracking scripts before consent is obtained, or making rejection significantly harder than acceptance, undermines those core principles. A consent banner that nudges users into acceptance — by hiding “reject,” using less visible design, or burdening users with extra clicks — isn’t consent at all.
PS: Next post up will be the intriguing Dutch ruling about the interplay (or not) between ePrivacy and GDPR lawful bases.
Myth‑Bust: “We Have a Cookie Banner, So We’re Compliant”
This is one of the most persistent misconceptions. Having a cookie banner does not automatically mean you meet GDPR consent requirements. Two good reasons why not.
Firstly, a banner that uses dark patterns or places cookies before choice violates both the GDPR and the ePrivacy regime, as recent fines demonstrate. Secondly, poor coding that allows tag managers to ‘forget’ how they are supposed to follow the lead of the CMP introduces real risk of non-compliance.
Regulators are looking at:
- Whether cookies are set before consent,
- Whether reject options are present and equally visible,
- Whether non‑essential cookies are blocked until consent,
- Whether consent choices are honoured on revisit.
Failing any of these can trigger warnings, corrective orders or fines.
Practical Takeaway: Cookie Compliance Is a Continuous Duty
To align with regulatory expectations, businesses have to treat cookie compliance as an ongoing process. Honestly, websites are like toddlers, take your eye off them for two minutes and …
- Regularly review the website ‘waterfall’ to visualise what happens with JS and other actions.
- Make sure the CMP is ‘in control’ and working with tag managers. Block non‑essential cookies before consent — they should not be dropped until users have made an explicit choice.
- Audit your consent mechanism for dark patterns — ensure the reject option is prominent and as simple to select as accept.
- Log consent decisions and honour them — if a user opts out, their choice must persist, not be circumvented by other scripts.
- Don’t just stick a link to Cookies.org in your policy; we all need to know what your website does and have it explained in a way we will actually understand.
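The first three checks above can be run against a HAR export of the page ‘waterfall’ from the browser's network panel. The script below is an added example, not code from this post or from any CMP vendor. The sample HAR, the domain names, the recorded consent timestamp and the essential-cookie allowlist are all constructed assumptions.

```python
from datetime import datetime

# Constructed sample in HAR 1.2 shape (log.entries[].response.headers); not a real capture.
SAMPLE_HAR = {"log": {"entries": [
    {"startedDateTime": "2025-01-01T10:00:00.100+00:00",
     "request": {"url": "https://shop.example/"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "session=abc; Path=/; HttpOnly"}]}},
    {"startedDateTime": "2025-01-01T10:00:00.900+00:00",
     "request": {"url": "https://ads.example/pixel"},
     "response": {"headers": [{"name": "set-cookie", "value": "uid=123; Max-Age=31536000"}]}},
    {"startedDateTime": "2025-01-01T10:00:06.000+00:00",
     "request": {"url": "https://shop.example/consent"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "consent=reject; Path=/"}]}},
    {"startedDateTime": "2025-01-01T10:00:07.500+00:00",
     "request": {"url": "https://analytics.example/collect"},
     "response": {"headers": [{"name": "Set-Cookie", "value": "_track=xyz; Path=/"}]}},
]}}

def parse_ts(value):
    # HAR timestamps are ISO 8601; older Pythons do not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit(har, consent_at, choice, essential):
    """Return findings for non-essential cookies set before the choice, or after a reject."""
    consent_time = parse_ts(consent_at)
    findings = []
    for entry in har["log"]["entries"]:
        when = parse_ts(entry["startedDateTime"])
        for header in entry["response"].get("headers", []):
            if header["name"].lower() != "set-cookie":
                continue
            # A HAR exporter may fold several Set-Cookie headers into one newline-joined value.
            for line in header["value"].split("\n"):
                name = line.split("=", 1)[0].strip()
                if not name or name in essential:
                    continue
                if when < consent_time:
                    findings.append((name, entry["request"]["url"], "set before consent"))
                elif choice == "reject":
                    findings.append((name, entry["request"]["url"], "set after reject"))
    return findings

if __name__ == "__main__":
    # Assumptions: the auditor recorded when "Refuse all" was clicked and supplies the allowlist.
    for finding in audit(SAMPLE_HAR, "2025-01-01T10:00:05+00:00", "reject", {"session", "consent"}):
        print(finding)
```

Cookies written by scripts through `document.cookie` never appear as `Set-Cookie` response headers, so pair this with a before-and-after comparison of the browser's cookie store.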
If you have ever been on a speed awareness (road safety) course – not me obviously – you will know it’s not about compliance, it’s the effect your compliance can have on others. We all have a right to privacy and protection of our personal data.
Set up a call today and get your sites independently audited, before ‘someone else’ audits them.
Or drop us an email at info@icompli.co.uk
