Data protection authorities are no longer waiting for complaints before checking how websites handle cookies. In 2025, the French CNIL sanctioned 21 organisations for cookie violations and issued fines totalling over 486 million euros. The UK ICO reviewed the top 1,000 UK websites and found that 564 needed changes after initially failing. The Dutch DPA now scans around 10,000 websites every year using automated tools. Cookie consent is a frontline enforcement priority.
Pre-Consent Cookie Behaviour: The First Thing Regulators Check
Every enforcement action starts with the same question: does the website set non-essential cookies before the visitor makes a choice? This is the single most common violation found in regulatory reviews across every jurisdiction that requires opt-in consent.
The CNIL's 2025 investigation into SHEIN discovered that advertising cookies were deposited on visitors' devices the moment they arrived on shein.com, before anyone had a chance to interact with the consent banner. That finding alone contributed to a 150 million euro fine. The same issue appeared in the CNIL's action against Vanity Fair France in November 2025, where cookies subject to consent were placed as soon as users landed on the site. Article 82 of the French Data Protection Act, which implements Article 5(3) of the ePrivacy Directive, requires that no non-essential cookie is read or written until the user has given affirmative consent.
Regulators test this technically. They examine HTTP requests, script execution order, and cookie storage to see what fires before the banner appears. A banner that looks compliant means nothing if _fbp, _ga, or advertising pixels load on page render.
Banner Design and Equal Choice
The second major area of scrutiny is how the consent choice is presented. Regulators across Europe have converged on a clear standard: refusing cookies must be as easy and as visible as accepting them.
The ICO's 2025 review focused on four areas: deceptive or missing choice, uninformed choice, undermined choice, and irrevocable choice. Of the first 200 websites assessed, 134 failed - many used pre-ticked boxes, vague language, or designs where the reject option was visually subordinate to the accept button.
The CNIL has been equally specific about what fails. In a December 2024 enforcement round, the authority issued formal notices to websites where the refusal option appeared as a small clickable link rather than a button, where colour and font choices made acceptance far more prominent, or where the refusal option was placed so close to informational text that users could not easily distinguish it from surrounding content.
| Design Practice | Regulator View | Enforcement Example |
|---|---|---|
| No "Reject All" on the first layer | Non-compliant in most EU jurisdictions | CNIL formal notices (Dec 2024) |
| Pre-ticked consent boxes | Invalid consent under GDPR and UK GDPR | ICO warnings to 134 websites (Jan 2025) |
| "Accept" as large button, "Reject" as text link | Asymmetric design - considered misleading | CNIL fined Google 90 million euros (prior action) |
| Cookie wall with no free alternative | Consent not freely given | Dutch DPA warnings (Apr 2025) |
| Multiple clicks needed to refuse | Refusal must be equally simple | Dutch DPA, CNIL, ICO - consistent position |
Consent Withdrawal and Post-Refusal Tracking
Giving consent is only half of the equation. Regulators also check whether websites respect a user's decision to withdraw consent or refuse cookies altogether.
The CNIL's 2024 action against Orange found that the company continued to read cookies after users withdrew consent. The regulator held this violated Article 82 regardless of whether the data was subsequently used - reading the cookie at all was the infringement.
The Vanity Fair France case went further. When visitors clicked "Refuse all", new consent-dependent cookies were still being placed and existing ones continued to be read - a technical gap where the CMP sends the right signal but third-party scripts ignore it.
The ICO's compliance framework includes "irrevocable choice" as one of its four pillars. Websites must offer a persistent mechanism - such as a floating icon or accessible preferences link - through which visitors can change their mind at any time. Under Article 7 of the GDPR, withdrawing consent must be as easy as giving it.
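The gating and withdrawal behaviour described in this section and in the pre-consent section above, as an added example in JavaScript that is not Kukie.io's code or any CMP's API: a small consent manager that loads tags only for accepted categories, expires their cookies on refusal or withdrawal, answers a tag's "may I fire?" question from the current state, and keeps one consent record per decision. The tag registry, cookie names, banner version and session identifier are constructed for the example, and the in-memory jar stands in for document.cookie so it runs in Node.

```javascript
// Added example, not the page's or any CMP vendor's code. The registry, cookie names
// and identifiers below are constructed for illustration.

const CATEGORIES = ['necessary', 'functional', 'analytics', 'marketing'];

// In-memory stand-in for document.cookie so the example runs outside a browser.
function createCookieJar() {
  const jar = new Map();
  return {
    set: (name, value) => jar.set(name, value),
    // In a browser this is a Set-Cookie with Max-Age=0 for the same domain and path.
    expire: (name) => jar.delete(name),
    names: () => [...jar.keys()].sort(),
  };
}

// Every tag declares the category it depends on and the cookies it writes.
// "Loading" a tag here stands in for inserting its <script> element.
const TAG_REGISTRY = [
  { id: 'session', category: 'necessary', cookies: ['PHPSESSID'] },
  { id: 'ga4', category: 'analytics', cookies: ['_ga', '_gid'] },
  { id: 'meta-pixel', category: 'marketing', cookies: ['_fbp'] },
];

function createConsentManager({ jar, registry = TAG_REGISTRY, bannerVersion, sessionId,
                                now = () => new Date().toISOString() }) {
  const granted = new Set(['necessary']); // before any choice, only strictly necessary
  const loaded = new Set();
  const consentLog = [];
  let decided = false;

  // One record per decision: the evidence an operator is asked to produce later.
  function record(action) {
    consentLog.push({
      timestamp: now(), action, bannerVersion, sessionId,
      accepted: [...granted].sort(),
      rejected: CATEGORIES.filter((c) => !granted.has(c)),
    });
  }

  // Reconcile loaded tags and stored cookies with the current consent state.
  function applyState() {
    for (const tag of registry) {
      if (granted.has(tag.category)) {
        if (!loaded.has(tag.id)) {
          loaded.add(tag.id);
          tag.cookies.forEach((c) => jar.set(c, 'set'));
        }
      } else {
        // Refused or withdrawn: stop the tag and expire everything it wrote.
        loaded.delete(tag.id);
        tag.cookies.forEach((c) => jar.expire(c));
      }
    }
  }

  function accept(categories) {
    decided = true;
    categories.forEach((c) => { if (CATEGORIES.includes(c)) granted.add(c); });
    record('accept');
    applyState();
  }
  function rejectAll() {
    decided = true;
    CATEGORIES.forEach((c) => { if (c !== 'necessary') granted.delete(c); });
    record('reject-all');
    applyState();
  }
  function withdraw(category) {
    if (category === 'necessary' || !granted.has(category)) return;
    granted.delete(category);
    record('withdraw:' + category);
    applyState();
  }

  applyState(); // page render: only the session tag runs, nothing else is written

  return {
    accept, acceptAll: () => accept(CATEGORIES), rejectAll, withdraw,
    // A tag must ask before each event rather than assume consent still holds.
    mayFire: (tagId) => {
      const tag = registry.find((t) => t.id === tagId);
      return Boolean(tag) && granted.has(tag.category);
    },
    hasDecided: () => decided,
    loadedTags: () => [...loaded].sort(),
    consentLog: () => consentLog.map((r) => ({ ...r })),
  };
}
```

The two properties worth copying into a real integration are that `applyState` runs on page render with only `necessary` granted, so nothing consent-dependent can be written before a choice, and that withdrawal is the same code path as refusal: the tag is unloaded and its cookies expired, not merely hidden behind a flag that third-party scripts may ignore.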
Transparency and Cookie Information
Regulators expect the first layer of a consent banner to contain meaningful information, not just buttons. The minimum standard across EU DPAs includes a clear statement of what cookie categories are in use and what purposes they serve.
The SHEIN decision highlighted two separate information failures. The first banner had three buttons but contained no information about the advertising purpose of cookies. A second pop-up offered only an accept button with no purpose information at all. At the second level - accessible through a "Cookie settings" button - no information was provided about which third parties might place cookies on the user's device.
The Dutch DPA's updated guidance from late 2025 reinforced this point: if a website uses cookies that collect personal information, the banner's first layer must state what data is collected and whether it is shared with third parties.
Consent must be specific. A single "Accept all tracking" toggle does not meet the standard. Regulators expect separate controls for distinct purposes - typically necessary, functional, analytics, and marketing cookies. Each category should explain what it does in plain language and state how long the cookies last.
Cookie Classification Accuracy
Regulatory reviews do not just check that categories exist - they verify that cookies are classified correctly. Misclassifying an analytics or marketing cookie as "strictly necessary" to avoid the consent requirement is a specific violation that DPAs actively look for.
A cookie qualifies as strictly necessary only if it is used solely to carry out the transmission of a communication over a network, or is strictly necessary to provide a service the user explicitly requested. Session identifiers like PHPSESSID meet this test. Google Analytics cookies like _ga do not, regardless of how useful they are to the site operator.
The Dutch DPA's investigation found incorrect classification was among the most common issues. Some sites labelled analytics cookies as necessary, others bundled functional and marketing cookies into a single toggle, and a few had no categorisation at all.
Consent Logging and Audit Trails
Consent records are what turn a visual banner into legally defensible compliance. If a regulator asks for proof that a specific user consented, the website operator needs to produce it.
A compliant consent log records the timestamp, the categories accepted or rejected, the banner version displayed, and a session identifier. The Dutch DPA's 2025 enforcement actions noted that absent or incomplete logging made it impossible for some organisations to demonstrate compliance.
The ICO's compliance letters explicitly required operators to demonstrate that consent mechanisms actually controlled cookie behaviour - not just that a banner appeared. This means regular testing to confirm that rejecting consent prevents scripts from firing.
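The classification check from the previous section and the logging and testing requirements here, as an added example in JavaScript that is not Kukie.io's scanner or any DPA's tooling: a self-audit run over a cookie scan. It flags consent-requiring cookies that the site has declared "necessary" or not categorised at all, flags any non-necessary cookie observed in the pre-consent or rejected state, and checks consent records for the fields a defensible log needs. The tracker table, the declared classification, the scan snapshots and the consent records are all constructed for the example; a real audit would take the snapshots from a browser driven through the pre-consent, rejected and accepted states.

```javascript
// Added example, not the page's or any regulator's tool. All data below is constructed.

// Cookies known to require consent, with the category they actually belong to.
const KNOWN_TRACKERS = [
  { pattern: /^_ga(_|$)/, category: 'analytics', vendor: 'Google Analytics' },
  { pattern: /^_gid$/, category: 'analytics', vendor: 'Google Analytics' },
  { pattern: /^_fbp$/, category: 'marketing', vendor: 'Meta Pixel' },
  { pattern: /^_gcl_au$/, category: 'marketing', vendor: 'Google Ads' },
];

// A known tracker keeps its real category whatever the site declared; anything else
// takes the declared category, or null when the site has not categorised it.
function effectiveCategory(name, declared) {
  const known = KNOWN_TRACKERS.find((t) => t.pattern.test(name));
  return known ? known.category : (declared[name] || null);
}

// Check 1: declared classification versus what the cookie is known to be.
function auditClassification(declared, observedNames) {
  const findings = [];
  for (const name of observedNames) {
    const known = KNOWN_TRACKERS.find((t) => t.pattern.test(name));
    if (!(name in declared)) {
      findings.push({ check: 'uncategorised', cookie: name });
    } else if (known && declared[name] !== known.category) {
      findings.push({ check: 'misclassified', cookie: name, declared: declared[name],
                      actual: known.category, vendor: known.vendor });
    }
  }
  return findings;
}

// Check 2: in the pre-consent and rejected states only strictly necessary cookies may exist.
function auditConsentStates(declared, snapshots) {
  const findings = [];
  for (const snap of snapshots) {
    if (snap.state !== 'pre-consent' && snap.state !== 'rejected') continue;
    for (const name of snap.cookies) {
      const category = effectiveCategory(name, declared);
      if (category !== 'necessary') {
        findings.push({ check: 'set-without-consent', state: snap.state, cookie: name, category });
      }
    }
  }
  return findings;
}

// Check 3: each consent record carries the fields needed to prove a specific choice.
const REQUIRED_RECORD_FIELDS = ['timestamp', 'bannerVersion', 'sessionId', 'accepted', 'rejected'];
function validateConsentRecord(record) {
  const missing = REQUIRED_RECORD_FIELDS.filter((f) => !(f in record));
  if (!missing.includes('timestamp') && Number.isNaN(Date.parse(record.timestamp))) {
    missing.push('timestamp (not parseable)');
  }
  return missing;
}

function runAudit({ declared, snapshots, consentRecords }) {
  const observed = [...new Set(snapshots.flatMap((s) => s.cookies))].sort();
  return {
    classification: auditClassification(declared, observed),
    consentStates: auditConsentStates(declared, snapshots),
    consentLog: consentRecords
      .map((r, index) => ({ index, missing: validateConsentRecord(r) }))
      .filter((r) => r.missing.length > 0),
  };
}

// Constructed scan: the site wrongly declares _ga as necessary, never categorised _gid,
// sets both before any choice, and still drops _fbp after "Reject all".
const SAMPLE_SCAN = {
  declared: { PHPSESSID: 'necessary', cookie_consent: 'necessary', _ga: 'necessary', _fbp: 'marketing' },
  snapshots: [
    { state: 'pre-consent', cookies: ['PHPSESSID', '_ga', '_gid', 'cookie_consent'] },
    { state: 'rejected', cookies: ['PHPSESSID', 'cookie_consent', '_fbp'] },
    { state: 'accepted', cookies: ['PHPSESSID', 'cookie_consent', '_ga', '_gid', '_fbp'] },
  ],
  consentRecords: [
    { timestamp: '2025-11-03T10:15:00Z', bannerVersion: 'v3', sessionId: 'constructed-1',
      accepted: ['necessary', 'analytics', 'marketing'], rejected: ['functional'] },
    { timestamp: '2025-11-03T10:16:00Z', sessionId: 'constructed-2',
      accepted: ['necessary'], rejected: ['functional', 'analytics', 'marketing'] },
  ],
};
```

Running `runAudit(SAMPLE_SCAN)` reports `_ga` as misclassified and `_gid` as uncategorised, three cookies set without consent (two pre-consent, one after refusal), and one consent record with no banner version. The second check is the one the ICO letters ask for: it is a test of behaviour in the rejected state, not of whether a banner was shown.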
US Opt-Out Enforcement: A Different Model, Same Scrutiny
While EU and UK regulators focus on opt-in consent, the CCPA and CPRA in California require an effective opt-out mechanism for the sale or sharing of personal information. The California Privacy Protection Agency demonstrated in May 2025 that this requirement has real teeth.
The CPPA took enforcement action against Todd Snyder, Inc. after finding that misconfigured cookie preference tools prevented users from opting out of third-party tracking. The site also failed to honour the Global Privacy Control (GPC) signal, which Colorado has required since July 2024.
The practical takeaway: regulators check whether opt-out mechanisms actually work at the technical level, not just whether a "Do Not Sell" link exists on the page.
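The technical test this case describes, as an added example in JavaScript that is not the page's code or the CPPA's: resolving the sale/share opt-out state for a request from the Sec-GPC request header, the navigator.globalPrivacyControl property and a stored preference from the "Do Not Sell or Share" link, then deriving which tags may load. Giving a live GPC signal precedence over an earlier stored opt-in is a conservative design choice made here, not a rule taken from the page, and the tag registry is constructed.

```javascript
// Added example, not the page's or any regulator's code. The precedence rule and the
// registry below are assumptions made for illustration.

// Sec-GPC is the request header a browser sends when Global Privacy Control is enabled;
// "1" is its only defined value. Header names compare case-insensitively.
function hasGpcHeader(headers) {
  const entry = Object.entries(headers).find(([name]) => name.toLowerCase() === 'sec-gpc');
  return Boolean(entry) && String(entry[1]).trim() === '1';
}

// navigatorGpc mirrors navigator.globalPrivacyControl on the client;
// storedPreference is 'opt-out', 'opt-in' or null, from the site's own preference link.
function resolveOptOut({ headers = {}, navigatorGpc = false, storedPreference = null }) {
  if (hasGpcHeader(headers) || navigatorGpc === true) {
    // Conservative choice: a live GPC signal wins even over an earlier stored opt-in.
    return { optedOut: true, source: 'gpc' };
  }
  if (storedPreference === 'opt-out') return { optedOut: true, source: 'preference' };
  return { optedOut: false, source: storedPreference === 'opt-in' ? 'preference' : 'default' };
}

// Constructed registry: tags that sell or share data must not load once the user has opted out.
const SALE_SHARE_REGISTRY = [
  { id: 'session', sharesData: false },
  { id: 'site-search', sharesData: false },
  { id: 'retargeting-pixel', sharesData: true },
  { id: 'ad-exchange', sharesData: true },
];

function tagsToLoad(decision, registry = SALE_SHARE_REGISTRY) {
  return registry.filter((t) => !(t.sharesData && decision.optedOut)).map((t) => t.id);
}
```

The decision is made once per request and the tag list is derived from it, so the "Do Not Sell or Share" link and the GPC signal feed the same switch rather than two separate mechanisms that can drift apart, which is the misconfiguration the CPPA action describes.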
Automated Scanning and Proactive Enforcement
Multiple regulators now run automated scanning programmes that check cookie behaviour at scale.
The Dutch DPA monitors approximately 10,000 websites annually and plans to warn around 500 organisations per year. The UK ICO completed its review of 1,000 websites by December 2025, with 979 ultimately passing - but 564 only after direct regulatory engagement, including 17 preliminary enforcement notices.
The CNIL sanctioned 21 entities for cookie violations in 2025 alone. Five years after publishing its cookie guidelines, the restricted committee noted that organisations could not plausibly claim ignorance of the rules.
For website operators, the implication is straightforward. Periodic self-auditing is no longer a nice-to-have. Run a cookie scan, verify that scripts respect consent states, and check that your banner meets the design standards outlined above - before a regulator does it for you.
Frequently Asked Questions
What is the most common cookie consent violation found by regulators?
Setting non-essential cookies before the user interacts with the consent banner. The CNIL, ICO, and Dutch DPA have all identified pre-consent cookie placement as the single most frequent infringement in their 2025 enforcement rounds.
Can my website use a cookie wall that blocks content until the user accepts cookies?
In most EU jurisdictions, cookie walls are considered non-compliant because they do not allow consent to be freely given. The Dutch DPA flagged cookie walls in its April 2025 warnings. The ICO has stated that cookie walls are rarely lawful unless a genuine, cost-free alternative route to the content exists.
How does the ICO decide which websites to review for cookie compliance?
The ICO started with the top 200 most-visited UK websites in 2024, then expanded to the top 1,000 in 2025. By December 2025, 979 of those sites met compliance checks, with 564 having improved after ICO engagement. The ICO has indicated it will continue monitoring and expand to apps and connected TVs.
Do US websites need cookie consent banners?
Federal US law does not require opt-in cookie consent. The CCPA and CPRA require businesses to offer an opt-out for the sale or sharing of personal information, including through third-party cookies used for cross-site tracking. A visible "Do Not Sell or Share" link and recognition of the Global Privacy Control signal are the key requirements.
What fine can a website receive for non-compliant cookie consent?
Under the GDPR, fines for cookie violations can reach 20 million euros or 4 percent of global annual turnover. The CNIL's 2025 fines against Google (325 million euros) and SHEIN (150 million euros) show that regulators are prepared to impose penalties at the higher end for large-scale non-compliance.
Is it enough to have a cookie banner if my scripts still load before consent?
No. Regulators specifically test whether non-essential scripts execute before consent is given. A banner that appears but does not actually block tracking scripts is considered non-compliant. The CNIL calls this gap between appearance and technical reality a key enforcement target.
How often should I audit my website's cookie compliance?
At minimum, run a cookie scan after every significant site update, plugin change, or third-party script addition. The Dutch DPA recommends treating cookie compliance as ongoing monitoring rather than a one-off check. Weekly scans are advisable for e-commerce sites or those running frequent marketing campaigns.
Audit Your Consent Setup Before a Regulator Does
Regulatory cookie reviews are no longer rare or random. If your site serves visitors in the EU, UK, or California, assume that your consent mechanism will be tested - by automated tools, by complaint-driven investigations, or by both. Kukie.io's free scanner checks which cookies your site sets and whether they fire before consent, giving you the same view a regulator would get.