Cookie banners are not a fad, a bad design choice, or a mistake the internet will eventually correct. They are the visible result of a specific legal obligation that has existed in EU law since 2009 and shows no sign of weakening. If anything, enforcement is intensifying.

The Legal Foundation: Article 5(3) of the ePrivacy Directive

The obligation to show a cookie banner traces back to a single provision: Article 5(3) of the ePrivacy Directive (Directive 2002/58/EC, as amended in 2009). It states that storing information on, or accessing information already stored in, a user's device requires prior consent - unless the storage is strictly necessary to deliver a service the user has requested.

That rule is technology-neutral. It covers HTTP cookies, local storage, session storage, tracking pixels, browser fingerprinting, and any other mechanism that reads from or writes to a visitor's device. The EDPB confirmed this broad scope in its Guidelines 2/2023, explicitly bringing tracking links, IoT reporting, and certain forms of IP tracking within scope.

Each EU member state transposed Article 5(3) into national law, which is why the specific rules differ slightly between France, Germany, and Spain. But the core principle is identical everywhere: no non-essential cookie without informed, prior consent.

How the GDPR Reinforces the Consent Requirement

The ePrivacy Directive tells you that consent is needed. The GDPR tells you what valid consent looks like.

Under Article 4(11) of the GDPR, consent must be freely given, specific, informed, and unambiguous. Article 7 adds further conditions: you must be able to prove consent was given, and withdrawing it must be as easy as giving it. Pre-ticked boxes, scrolling, and continuing to browse a site do not count - the EDPB's Guidelines 05/2020 on Consent state this explicitly.

Recital 30 classifies cookie identifiers as personal data where they can identify a natural person. Since almost every analytics or marketing cookie carries a unique identifier, the GDPR applies to the data collected. You need a lawful basis under the GDPR (typically consent) and compliance with the ePrivacy Directive's device-access rules. A cookie banner satisfies both.

Enforcement Is Getting Stricter, Not Softer

Regulators across Europe are not winding down cookie enforcement. They are scaling it up.

The French CNIL fined Google EUR 325 million in 2025 for cookie consent violations related to Gmail, and SHEIN received a EUR 150 million fine in September 2025 for a reject button that appeared functional but did not actually stop tracking cookies from loading. The Belgian DPA took action against Mediahuis in September 2024 for deceptive button colours and a missing first-layer reject option across four news websites.

The UK's ICO announced in January 2025 that it would expand its cookie compliance reviews to the top 1,000 UK websites as part of its strategy document "Taking control: online tracking strategy." The ICO had already issued formal warnings to 53 sites in a previous round of reviews, and it sent compliance warnings to 134 UK websites in 2025 for consent walls and transparency failures.

| Regulator     | Action                   | Year | Key Issue                                       |
|---------------|--------------------------|------|-------------------------------------------------|
| CNIL (France) | EUR 325M fine - Google   | 2025 | Cookie consent violations in Gmail              |
| CNIL (France) | EUR 150M fine - SHEIN    | 2025 | Non-functional reject button                    |
| CNIL (France) | EUR 150M fine - Google   | 2022 | Dark pattern cookie banners                     |
| Belgian DPA   | Enforcement - Mediahuis  | 2024 | Deceptive button colours, no first-layer reject |
| ICO (UK)      | 134 compliance warnings  | 2025 | Consent walls, transparency failures            |

These are not fringe actions. They represent a coordinated trend across multiple jurisdictions, with the EDPB driving consistent interpretation of what constitutes valid consent and what counts as a dark pattern.

Why Browsers Cannot Replace Cookie Banners

Google abandoned its plan to deprecate third-party cookies in Chrome in July 2024 after years of delays, opting instead for a user-choice model. Safari and Firefox already block third-party cookies by default. None of this removes the need for a banner.

Browser-level blocking addresses third-party cookies only. First-party analytics cookies, persistent functional cookies, and server-side tracking that writes to the device still require consent under Article 5(3). A browser cannot present the specific, informed disclosure about each cookie's purpose, duration, and third-party involvement that the GDPR demands - nor can it record timestamped proof of consent for regulators.

The EU's Digital Omnibus proposals from late 2025 discuss centralised, browser-based preference management. Even those proposals acknowledge that the underlying legal requirement stays. The banner might change form, but a consent interface must exist.

The UK's Data Use and Access Act 2025: Proof That Banners Survive Reform

The UK's Data Use and Access Act 2025 (DUAA) received Royal Assent on 19 June 2025, with key provisions taking effect on 5 February 2026. It amends the Privacy and Electronic Communications Regulations (PECR) - the UK's implementation of the ePrivacy Directive - and introduces five new exemptions to the consent requirement for cookies.

Under the new rules, consent is no longer required for cookies whose sole purpose is collecting aggregate statistics to improve a service, adapting how a site looks based on user preferences, ensuring security of the user's device, preventing or detecting fraud, or automatically authenticating the user. These exemptions are narrow and purpose-limited: drift beyond the stated purpose, and you are back in consent territory.

Critically, advertising, marketing, behavioural targeting, and ad measurement cookies still require consent under UK GDPR and PECR. The DUAA also raised the maximum fine for PECR breaches from GBP 500,000 to GBP 17.5 million or 4% of global annual turnover - aligning penalties with UK GDPR levels. So while the Act relaxes requirements for a handful of low-risk cookie categories, it simultaneously increases the consequences of getting it wrong.

The ICO's own summary is direct: cookie banners are not going away. The regulator has committed to publishing further guidance on storage and access technologies in spring 2026, and it is exploring a risk-based approach to advertising cookies - but no outright exemption is on the table.

The ePrivacy Regulation: Still Stalled After Nine Years

The EU has been attempting to replace the ePrivacy Directive with a directly applicable ePrivacy Regulation since 2017. As of early 2026, it remains stuck in trilogue negotiations between the European Parliament, the Council, and the Commission. Fundamental disagreements persist over browser-based consent mechanisms, the scope of the strictly necessary exemption, and metadata processing rules.

Early drafts do not eliminate the consent requirement for non-essential cookies - they aim to harmonise it. The ePrivacy Directive, and with it the cookie banner, stays in force until a replacement is finalised and implemented.

What About Regions Without Banners?

Not every jurisdiction mandates a European-style opt-in banner. The CCPA and CPRA in California use an opt-out model, requiring a "Do Not Sell or Share My Personal Information" link rather than a pre-access consent prompt. Over 20 US states now have comprehensive privacy laws, most following a similar opt-out pattern.

Brazil's LGPD lists consent as one of ten legal bases for processing, and its enforcement authority, the ANPD, has been issuing guidance that increasingly aligns with European expectations. PIPEDA in Canada requires meaningful consent for the collection and use of personal information, though its approach to cookies is less prescriptive than the EU's.

For any website with a global audience, the strictest applicable standard tends to set the floor. If even a fraction of your traffic comes from the EU or UK, you need a consent mechanism that meets GDPR and ePrivacy requirements. Running separate banners per jurisdiction adds complexity, which is exactly why consent management platforms with geo-detection exist.

Consent Fatigue Is Real - But It Does Not Remove the Obligation

Europeans collectively spend an estimated 575 million hours per year clicking through consent prompts. Consent fatigue is a genuine UX problem, and regulators acknowledge it.

The response is not to remove the consent requirement but to make it less repetitive. The Global Privacy Control (GPC) header provides a machine-readable opt-out signal already recognised under California law. The EU's Digital Omnibus proposals explore browser-level preference settings honoured across websites. These developments may reduce how often a banner appears, but they will not eliminate the obligation to obtain, record, and enforce consent. A website running WordPress, Shopify, or a custom stack still needs a mechanism to satisfy Article 5(3).
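As an added illustration (not Kukie.io's code or any real consent platform's), here is a small consent gate that applies the two regimes discussed above: opt-in for EU and UK visitors under Article 5(3), opt-out elsewhere with the GPC signal honoured, plus the timestamped record and one-call withdrawal that Article 7 of the GDPR demands. The region codes, purpose names and record shape are assumptions of this example.

```javascript
// Added example, not Kukie.io's code or any real consent platform's. A small
// consent gate for the two regimes the article describes: opt-in for EU/UK
// visitors (ePrivacy Art. 5(3)) and opt-out elsewhere, with the Global Privacy
// Control signal honoured. Region codes, purpose names and the record shape are
// this example's own assumptions.

const OPT_IN_REGIONS = new Set(["EU", "UK"]);    // prior consent required
const NEEDS_CHOICE = ["analytics", "marketing"]; // non-essential purposes

// Constructed sample tag manifest: which script serves which purpose.
const SAMPLE_TAGS = [
  { src: "/app.js", purpose: "strictly-necessary" },
  { src: "/analytics.js", purpose: "analytics" },
  { src: "/ads.js", purpose: "marketing" },
];

// GPC arrives as the "Sec-GPC: 1" request header or navigator.globalPrivacyControl.
function gpcSignalled(ctx = {}) {
  const headers = ctx.headers || {};
  const nav = ctx.navigator || {};
  return headers["sec-gpc"] === "1" || nav.globalPrivacyControl === true;
}

// GDPR Art. 7: you must be able to prove consent, so keep what, when and how.
// Any purpose the visitor did not explicitly accept is stored as refused.
function recordChoice(choices, source, now = new Date()) {
  const purposes = {};
  for (const p of NEEDS_CHOICE) purposes[p] = choices[p] === true;
  return { version: 1, timestamp: now.toISOString(), source, purposes };
}

// Withdrawal must be as easy as giving consent: one call refuses everything.
function withdrawAll(now = new Date()) {
  return recordChoice({}, "withdrawn", now);
}

// May a tag with this purpose fire for this visitor?
function mayRun(purpose, record, ctx) {
  if (purpose === "strictly-necessary") return true;      // exempt from consent
  if (record) return record.purposes[purpose] === true;    // an explicit choice wins
  if (OPT_IN_REGIONS.has(ctx.region)) return false;        // opt-in: nothing fires first
  return !gpcSignalled(ctx);                               // opt-out: GPC means "no"
}

// The list of scripts the page may load for this visitor and consent state.
function allowedScripts(tags, record, ctx) {
  return tags.filter((t) => mayRun(t.purpose, record, ctx)).map((t) => t.src);
}
```

The stored record, not the banner's visual state, is what the gate consults, which is also what you would hand to a regulator who asks for proof of consent.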

Frequently Asked Questions

Are cookie banners legally required or just best practice?

They are legally required under EU and UK law. Article 5(3) of the ePrivacy Directive mandates prior consent before setting non-essential cookies, and the GDPR defines what valid consent must look like. Failing to show a consent mechanism exposes your site to fines of up to EUR 20 million or 4% of global turnover.

Will browsers eventually replace cookie banners?

Browser-level controls handle third-party cookie blocking but cannot present the specific, informed disclosure required by the GDPR. Regulators expect proof of consent tied to individual users and purposes, which browsers alone cannot provide.

Does the UK still require cookie consent after the Data Use and Access Act 2025?

Yes. The DUAA introduced narrow exemptions for analytics and functionality cookies, but advertising, marketing, and behavioural targeting cookies still require consent. PECR fines have also increased to GBP 17.5 million or 4% of global turnover.

Can I use legitimate interest instead of consent for cookies?

The ePrivacy Directive requires consent specifically for storing or accessing information on a user's device. Multiple DPAs - including the CNIL, Austrian DSB, and the EDPB - have ruled that legitimate interest cannot replace consent for analytics or marketing cookies.

What happened to the ePrivacy Regulation that was supposed to replace the Directive?

It has been in negotiation since 2017 and remains in trilogue as of early 2026. Disagreements over browser-based consent, the strictly necessary exemption, and metadata rules have stalled progress. The current ePrivacy Directive remains in force until a replacement is adopted.

Do US websites need cookie banners?

US privacy laws like the CCPA and CPRA use opt-out rather than opt-in models, so a European-style consent banner is not required for US-only traffic. If your site receives visitors from the EU or UK, you need a banner that meets those regions' consent requirements.

Take Control of Your Cookie Compliance

If your website sets any non-essential cookies - analytics, marketing, social media embeds - you need a consent mechanism that holds up under regulatory scrutiny. Kukie.io scans your site, categorises every cookie it finds, and gives your visitors a clear, compliant choice before anything fires.
