Cookie Consent in 2026: What Changed and Which Tools Actually Comply

Cookie consent has been a moving target since the GDPR took effect in 2018. Every year brings updated guidance, new enforcement actions, and shifting expectations from DPAs. In 2026, the landscape looks materially different from even two years ago.

Here's what changed, what regulators are actually enforcing, and which European consent management tools meet the current requirements.

What Changed in Cookie Consent

CNIL's Updated Guidelines (2024–2025)

France's CNIL has been the most active DPA on cookie enforcement. Key updates:

Cookie walls are conditionally allowed, but only if a genuine free alternative exists (e.g., an ad-supported version vs. a subscription)
Consent withdrawal must be as easy as giving consent. A "reject all" button must be equally prominent as "accept all" on the first layer
Analytics cookies are not exempt. Even privacy-focused tools that set cookies require consent unless they meet strict conditions for audience measurement exemption

CNIL fined several companies in 2024 for dark patterns in cookie banners, including burying the reject option or using misleading color contrast to steer users toward acceptance.

Germany's TDDDG (Telekommunikation-Digitale-Dienste-Datenschutz-Gesetz)

Germany replaced the old TTDSG with the TDDDG in 2024, consolidating rules on cookies and similar technologies. The practical impact:

Consent requirements remain strict for non-essential cookies
The law explicitly covers fingerprinting and similar tracking techniques, not just cookies
Single Consent Services (PIMS) are recognized as a valid consent mechanism, though adoption remains limited

The ePrivacy Regulation: Still Pending

The ePrivacy Regulation was supposed to replace the 2002 ePrivacy Directive and harmonize cookie rules across the EU. As of March 2026, it remains stalled in trilogue negotiations. This means cookie consent is still governed by a patchwork of national implementations of the ePrivacy Directive, layered on top of GDPR.

The practical consequence: consent requirements vary by country, and businesses operating across Europe need tools that can handle these differences.

Google Consent Mode v2

Since March 2024, Google requires Consent Mode v2 for any website using Google services (Analytics, Ads) in the EEA. This means your consent management platform must:

Send consent signals to Google in the required format
Support ad_storage, analytics_storage, ad_user_data, and ad_personalization parameters
Default to denied state for EEA users

If you're still running Google services, your CMP must support Consent Mode v2. Most European CMPs now do.

What Regulators Are Actually Enforcing

DPA enforcement patterns in 2024–2026 reveal clear priorities:

Dark patterns: Misleading consent interfaces are the #1 enforcement target. Pre-ticked boxes, confusing "legitimate interest" toggles, and reject buttons hidden behind multiple clicks all trigger fines.
Missing reject option on the first layer: Multiple DPAs (CNIL, CJEU, Italian Garante) have ruled that "reject all" must be available on the first screen, not buried in settings.
Cookie scanning accuracy: DPAs are checking whether the cookies actually set on a page match what's declared in the consent banner. Miscategorized cookies (e.g., marketing cookies labeled as "functional") result in enforcement.
Consent storage and proof: GDPR requires you to demonstrate valid consent. DPAs are increasingly asking for proof that consent was freely given, specific, and recorded with a timestamp.
Third-party cookie syncing: Even with consent, some DPAs are scrutinizing the practice of sharing consent signals with dozens of ad-tech vendors through frameworks like TCF.

The Compliance Checklist

Before evaluating tools, verify your consent setup meets these baseline requirements:

European Consent Management Tools That Actually Comply

Cookiebot (Usercentrics)

Danish-origin, now part of the German Usercentrics group. Cookiebot was one of the first consent management platforms built specifically for GDPR. It remains one of the most widely deployed CMPs in Europe.

Automatic cookie scanning and categorization
Consent Mode v2 support
IAB TCF 2.2 certified
Geo-targeting for country-specific rules
Consent storage with full audit trail
EU-hosted data processing

Cookiebot was acquired by Usercentrics in 2021, creating one of the largest European CMP providers. The combined platform covers both the self-service segment (Cookiebot) and enterprise (Usercentrics).

Pricing starts free for websites under 50 subpages, with paid plans from €12/month.

View Cookiebot on EuropeanMartech →

Usercentrics

German company, headquartered in Munich. Usercentrics focuses on enterprise-grade consent management with strong compliance features.

App SDK for mobile consent management
Google-certified CMP partner
Consent Mode v2 and IAB TCF 2.2 support
Smart Data Protector for automatic script blocking
DPS (Data Processing Services) scanner
Full audit log and consent analytics

Usercentrics is the go-to choice for larger organizations that need consent management across web, app, and connected TV. It's one of Google's recommended CMPs for the EEA.

View Usercentrics on EuropeanMartech →

Borlabs Cookie

German company, built specifically for WordPress. If your site runs on WordPress, Borlabs Cookie is the most comprehensive European consent plugin available.

Content blocker for iframes, scripts, and embedded content
Automatic script management
Consent Mode v2 support
Multi-language support with WPML/Polylang integration
Cookie scan with categorization
One-time license fee (no monthly subscription)

Borlabs stands out with its one-time pricing model, starting from €49 for a single site. For WordPress-based businesses, it's significantly cheaper than SaaS alternatives over time.

View Borlabs Cookie on EuropeanMartech →

How They Compare

Feature	Cookiebot	Usercentrics	Borlabs Cookie
HQ	Denmark/Germany	Germany	Germany
Platform	Any website	Any website + apps	WordPress only
Auto cookie scan	Yes	Yes	Yes
Consent Mode v2	Yes	Yes	Yes
IAB TCF 2.2	Yes	Yes	No
Geo-targeting	Yes	Yes	Limited
Pricing	Free / from €12/mo	Custom pricing	From €49 one-time
Best for	SMBs, any platform	Enterprise, multi-platform	WordPress sites

Which Tool Should You Choose?

Running WordPress? Borlabs Cookie is the most cost-effective option. One-time payment, tight WordPress integration, and solid compliance features.

Running a SaaS, custom site, or multi-domain setup? Cookiebot offers the best balance of features, price, and ease of implementation. The free tier covers small sites.

Enterprise with apps, multiple properties, or complex requirements? Usercentrics provides the most comprehensive consent management across platforms, with enterprise support and Google CMP partner status.

All three are European companies with EU data processing. None require you to trust a non-European vendor with your consent data, which itself is personal data under GDPR.

What's Next for Cookie Consent

The ePrivacy Regulation will eventually replace the current directive, likely in 2027 or 2028 based on current legislative progress. When it does, expect:

Harmonized cookie rules across all EU member states (no more country-specific variations)
Possible browser-level consent mechanisms reducing the need for per-site banners
Stricter rules on tracking walls and cookie walls
Clearer exemptions for privacy-preserving analytics

Until then, the current approach holds: implement a compliant CMP, keep your cookie declarations accurate, and make consent as transparent and easy as possible.

Browse all European consent management tools in our directory, with verified GDPR compliance data and EU hosting information.