GDPR and Cookie Consent in 2026: What Has Changed and What You Must Do

Cookie consent has been one of the most discussed — and most misunderstood — aspects of GDPR compliance since the regulation became applicable in May 2018. Yet despite years of enforcement actions, millions of websites still get it wrong. In 2026, the regulatory landscape has tightened further, and both supervisory authorities and users are less tolerant of dark patterns and ambiguous consent banners than ever before.

This article breaks down exactly what GDPR requires for cookie consent, what has changed in recent years, and what practical steps you need to take on your WordPress website to stay compliant.

Under the ePrivacy Directive (commonly called the “Cookie Law”), storing or accessing information on a user’s device — cookies, but also local storage and similar mechanisms — requires the user’s consent, and that consent must meet the standard set by the General Data Protection Regulation (GDPR): informed, freely given, specific, and unambiguous. The only exemptions are storage used solely to carry a communication and storage that is strictly necessary to provide a service the user has explicitly requested; every other cookie needs consent.

Non-necessary cookies include analytics cookies (e.g., Google Analytics), advertising and tracking cookies, social media embed cookies, and personalisation cookies. If your WordPress site uses any of these, you need a compliant consent mechanism in place before they fire.

GDPR Article 4(11) defines consent, and Article 7 and Recital 32 set out the conditions for it. Valid consent must be:

  • Freely given: The user must not be penalised for refusing consent. Access to the website cannot be made conditional on accepting non-necessary cookies.
  • Specific: Users must be able to consent to different purposes separately — analytics, marketing, and personalisation should each have their own toggle.
  • Informed: The consent banner must clearly explain what cookies are used, for what purpose, and by which third parties.
  • Unambiguous: A pre-ticked checkbox or a statement like “By continuing to browse you agree to our cookie policy” does not constitute valid consent. The user must take a clear, affirmative action.

What Has Changed in 2025–2026

The rules themselves have not changed dramatically — GDPR has applied since May 2018 and the ePrivacy Directive since 2002 (its cookie-consent requirement dates from the 2009 amendment). What has changed is enforcement intensity and the emergence of clearer regulatory guidance targeting specific dark patterns.

1. Dark Patterns Are Now an Enforcement Priority

In 2023, the European Data Protection Board (EDPB) published the final version of its Guidelines 03/2022 on deceptive design patterns (written for social media interfaces, but applied far more widely) and the report of its Cookie Banner Taskforce, which addresses consent banners directly. Supervisory authorities across the EU have since used both as the basis for enforcement actions. Common dark patterns that are now actively targeted include:

  • Making the “Accept All” button visually prominent while hiding “Reject All” in a second-layer menu
  • Presenting pre-enabled “legitimate interest” toggles next to the consent toggles, so that declining consent does not actually stop the processing
  • Requiring several clicks to opt out when accepting takes only one
  • Treating scrolling or continued browsing as if it were consent

2. “Reject All” Must Be as Easy as “Accept All”

This is now firmly established across EU member states following decisions by the French CNIL, the Belgian APD, and the Italian Garante. Your consent banner must offer a clearly visible “Reject All” or “Decline” button at the first layer — not hidden behind a “Manage Preferences” link. If accepting takes one click, rejecting must also take one click.

3. Consent Expires

Consent is not permanent. Supervisory authorities differ on how long a consent decision may be relied on; 12 months is a widely used upper bound, and some, such as the French CNIL, recommend a shorter interval. If a user’s stored decision is older than your chosen limit, or was given for an earlier version of the banner, your consent management platform (CMP) should display the banner again and ask for a fresh decision. A refusal should be remembered for the same period, so that users who declined are not asked again on every visit.

4. Google Consent Mode v2 for Google’s Advertising and Analytics Tags

Since March 2024, Google has required websites that use Google Ads, Google Analytics 4, or its other advertising products for users in the European Economic Area to implement Google Consent Mode v2. Consent Mode is not a consent mechanism in itself: it is a signalling layer. The site sends a default state (normally everything denied) before any Google tag loads, then an update reflecting the user’s choices once they act on the banner, and Google’s tags adjust what they collect accordingly. Version 2 added two signals, ad_user_data and ad_personalization, alongside the existing ad_storage and analytics_storage. If your WordPress site uses Google’s advertising ecosystem, your CMP must support this integration.
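The default-then-update sequence described above, as an added example in JavaScript. It is not Google’s snippet and not taken from any CMP: a gtag shim records calls in a local dataLayer so the logic can be exercised outside a browser, an assumed set of banner categories (analytics, marketing, functional) is mapped onto the Consent Mode v2 signals, and the two calls are issued in the required order. The signal names are Google’s; the category names and the 500 ms wait_for_update value are assumptions for the example.

```javascript
// Added example: Google Consent Mode v2 signalling from a cookie banner.
// Not Google's snippet or any CMP's code. The gtag shim mirrors the official
// one-liner (push the arguments object into dataLayer) so the calls can be
// inspected offline; in a real page the Google tag script defines gtag.
const dataLayer = [];
function gtag() { dataLayer.push(arguments); }

// Consent Mode signal names (Google's). ad_user_data and ad_personalization
// are the two added in v2.
const CONSENT_SIGNALS = [
  'ad_storage', 'ad_user_data', 'ad_personalization', 'analytics_storage',
  'functionality_storage', 'personalization_storage', 'security_storage',
];

// Which banner category controls which signals. Category names are assumed.
const CATEGORY_TO_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  functional: ['functionality_storage', 'personalization_storage'],
};

// Default state, sent before any Google tag loads: everything denied except
// security_storage, which covers consent-exempt storage such as CSRF tokens.
// wait_for_update asks tags to hold for that many ms for an 'update' call.
function defaultConsentState(waitForUpdateMs = 500) {
  const state = {};
  for (const signal of CONSENT_SIGNALS) state[signal] = 'denied';
  state.security_storage = 'granted';
  state.wait_for_update = waitForUpdateMs;
  return state;
}

// Translate per-category choices into an 'update' payload. A category that
// was not explicitly granted stays denied, so a missing key cannot grant.
function consentUpdateFromChoices(choices) {
  const update = {};
  for (const [category, signals] of Object.entries(CATEGORY_TO_SIGNALS)) {
    const value = choices[category] === true ? 'granted' : 'denied';
    for (const signal of signals) update[signal] = value;
  }
  return update;
}

// Order matters: the default must be pushed before the Google tag script is
// inserted; the update is pushed when the user clicks Accept/Reject/Save.
function initConsentMode() {
  gtag('consent', 'default', defaultConsentState());
}
function applyUserChoices(choices) {
  const update = consentUpdateFromChoices(choices);
  gtag('consent', 'update', update);
  return update;
}

initConsentMode();
// Constructed sample decision: analytics and functional on, marketing off.
applyUserChoices({ analytics: true, marketing: false, functional: true });
```

The point to verify on a live site is the order: if the Google tag is inserted by a plugin before the CMP has pushed the default state, the tag starts in its granted state and the update arrives too late.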

Implementing Cookie Consent on WordPress

WordPress does not include a built-in cookie consent solution. You will need a dedicated plugin. Here is how to approach it correctly.

Step 1: Audit Your Existing Cookies

Before you can build a consent banner, you need to know exactly which cookies your site sets and why. Open the site in a fresh private window and use the browser’s developer tools (the Application panel in Chrome and Edge, the Storage panel in Firefox) or a cookie scanner to list every cookie with its domain, expiry and provider, and work out the purpose of each. Check Local Storage and IndexedDB at the same time, since the ePrivacy rule covers any information stored on the device, not only cookies. Pay particular attention to third-party cookies introduced by plugins, embedded videos, fonts, or analytics scripts, and repeat the exercise while logged in, because the cookies seen by an administrator differ from those seen by an anonymous visitor.

Step 2: Categorise Your Cookies

Group cookies into standard categories:

  • Strictly Necessary: Session cookies, login authentication, security tokens. No consent required.
  • Analytics / Performance: Cookies that measure how users interact with the site (e.g., Google Analytics, Matomo). Consent required.
  • Functional / Preferences: Cookies that remember user settings like language or font size. Exempt only when the setting is one the user explicitly chose and the cookie does nothing else; otherwise consent is required.
  • Marketing / Advertising: Third-party tracking and retargeting cookies. Consent required, and this category typically needs the most scrutiny.

Step 3: Choose a Consent Management Plugin

Several plugins can help you implement compliant cookie consent on WordPress. The key requirements are: granular category controls, a visible “Reject All” option at the first layer, a consent log for record-keeping, automatic cookie blocking before consent is given, and support for Google Consent Mode v2 if applicable. Widely used options include CookieYes, Complianz, and Cookie Script.

Step 4: Block Non-Necessary Cookies Until Consent Is Given

A consent banner alone is not enough. You must ensure that non-necessary cookies are not set until the user has consented. Most modern CMP plugins handle this through script blocking — they rewrite third-party script tags so the browser does not execute them, and only activate them after the relevant consent category has been accepted. Verify this is working by loading the site in a private window with no stored cookies and, before touching the banner, inspecting which cookies are present in developer tools. Check the Network tab as well: a request to an analytics or advertising domain is a problem even if no cookie was set, because the request alone carries identifying information. Then reject everything and repeat the check, and finally accept one category and confirm only that category’s cookies appear.
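An added example, illustrative and not any plugin’s code, of the two halves of this step together with the audit from Step 1: gating tag scripts on the consent state, and checking a cookie list captured before any consent action against the cookie inventory. The inventory entries, the category names, the data-consent-category attribute used to mark blocked scripts, and the captured cookie string are all constructed for the example; the WordPress cookie names are the ones core sets, matched by prefix because they carry a hash.

```javascript
// Added example (not from any WordPress plugin): gate blocked tag scripts on
// the consent state, and audit a cookie list captured before any consent
// action against the inventory built in the audit step.

// Inventory from Step 1. A trailing '*' marks a prefix, which is how the
// hashed WordPress names (wordpress_logged_in_<hash>) are matched.
// Entries and category names are assumed for the example.
const COOKIE_INVENTORY = [
  { name: 'wordpress_test_cookie', category: 'necessary' },
  { name: 'wordpress_logged_in_*', category: 'necessary' },
  { name: 'wordpress_sec_*',       category: 'necessary' },
  { name: 'wp-settings-*',         category: 'necessary' },
  { name: '_ga',                   category: 'analytics' },
  { name: '_ga_*',                 category: 'analytics' },
  { name: '_gid',                  category: 'analytics' },
  { name: '_fbp',                  category: 'marketing' },
];

function categoryOf(cookieName) {
  for (const entry of COOKIE_INVENTORY) {
    if (entry.name.endsWith('*')) {
      if (cookieName.startsWith(entry.name.slice(0, -1))) return entry.category;
    } else if (cookieName === entry.name) {
      return entry.category;
    }
  }
  return 'unknown'; // not in the inventory: the audit is out of date
}

// Parse a "name=value; name=value" list (the devtools cookie panel copied
// into one line, or document.cookie) into cookie names.
function cookieNames(cookieString) {
  return cookieString.split(';')
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => part.split('=')[0]);
}

// Cookies observed before consent that should not be there: anything that
// is not strictly necessary, plus anything unknown, since an unclassified
// cookie cannot be shown to be exempt.
function cookiesSetBeforeConsent(observedCookieString) {
  return cookieNames(observedCookieString)
    .map(name => ({ name, category: categoryOf(name) }))
    .filter(cookie => cookie.category !== 'necessary');
}

// Constructed capture from a fresh private window, before any click.
const PRE_CONSENT_CAPTURE =
  'wordpress_test_cookie=WP%20Cookie%20check; _ga=GA1.1.1111; _gid=GA1.1.2222; _hjSessionUser_1=x';

// Script gating. Scripts are described the way a CMP marks them up, e.g.
// <script type="text/plain" data-consent-category="analytics" src="...">
// (attribute name assumed). Only 'necessary' or granted categories may run.
function scriptsToActivate(scripts, consent) {
  return scripts.filter(s => s.category === 'necessary' || consent[s.category] === true);
}

// Browser half: swap each permitted blocked tag for a live one. Returns the
// number activated; inert (returns 0) where there is no document, as in Node.
function activateBlockedScripts(consent, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const el of doc.querySelectorAll('script[type="text/plain"][data-consent-category]')) {
    const category = el.getAttribute('data-consent-category');
    if (category !== 'necessary' && consent[category] !== true) continue;
    const live = doc.createElement('script');
    const src = el.getAttribute('src');
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
    activated++;
  }
  return activated;
}
```

Running cookiesSetBeforeConsent on the constructed capture flags _ga and _gid as analytics cookies that fired early and _hjSessionUser_1 as unknown, which is the signal that a plugin added a tracker the inventory never recorded. Note that document.cookie only shows first-party cookies that are not HttpOnly; for a full picture, copy the list from the devtools cookie panel, which also shows third-party and HttpOnly cookies.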

Step 5: Keep a Record of Consent

GDPR Article 7(1) requires you to be able to demonstrate that a user consented. Your CMP should log each consent event with the timestamp, the user’s choices, and the version of the consent banner shown, and log withdrawals the same way. Identify the browser in the log by a pseudonymous identifier rather than an IP address, so that the evidence of consent does not itself become a tracking dataset. Store these records securely, protect them against after-the-fact modification, and retain them for as long as is necessary to demonstrate compliance.

Common Mistakes to Avoid

  • Pre-ticked boxes: Never pre-select consent categories on behalf of the user.
  • Bundled consent: Do not ask for all-or-nothing consent. Each purpose must be separate.
  • Ignoring mobile: Test your consent banner on mobile devices — many layouts break on smaller screens, hiding important options.
  • No withdrawal mechanism: Users must be able to withdraw consent as easily as they gave it. Include a persistent link (e.g., in the footer) that reopens the consent manager.
  • Outdated cookie lists: Cookie inventories change as you add and remove plugins. Re-audit your cookies whenever you make significant changes to your WordPress setup.

Conclusion

Cookie consent compliance is not a one-time task — it is an ongoing responsibility. The good news is that the requirements are well-defined, and a properly configured consent management plugin on WordPress can handle most of the technical complexity for you. The key is to configure it correctly from the outset: block cookies before consent, offer a clear rejection option, categorise your cookies accurately, and keep a record of consent. In 2026, there is little patience from regulators — or users — for sites that still rely on ambiguous banners and dark patterns.
