GDPRPrivacy NewsEnforcementCookie ConsentBy Gregor Emm· 4 min read

GDPR News Today — Cookie Consent Enforcement Updates (2026)

The latest GDPR enforcement actions, cookie consent rulings, and privacy regulation updates. This page is updated regularly — bookmark it for the most current privacy enforcement news.

April 2026

Enforcement Trends

The European Data Protection Board (EDPB) continues to coordinate enforcement across member states, with a particular focus on cookie consent and legitimate interest claims. Key themes in early 2026:

  • Cookie consent enforcement expanding — National DPAs are moving beyond large tech companies to audit mid-market websites and e-commerce platforms
  • Google Consent Mode v2 compliance — DPAs have signaled that improperly implemented GCM v2 does not satisfy consent requirements
  • Cross-border enforcement streamlining — The EDPB's new dispute resolution procedures are reducing case backlogs

What This Means for Your Website

If you operate a website with EU visitors, these enforcement trends have practical implications:

  1. Your CMP configuration matters. Having a consent banner installed isn't enough — it must actually block tracking before consent. Scan your site to verify.
  2. Google Consent Mode must be properly implemented. Simply adding the GCM snippet doesn't guarantee compliance if the default consent state allows tracking.
  3. Mid-market sites are now targets. The era of "only big companies get fined" is over.

Understanding how DPAs enforce cookie rules helps you anticipate and avoid violations:

Who Enforces

Each EU member state has its own Data Protection Authority (DPA):

  • France: CNIL — historically the most active on cookie enforcement
  • Ireland: DPC — handles cases for companies headquartered in Ireland (Meta, Google, etc.)
  • Italy: Garante — active on cookie consent and marketing rules
  • Spain: AEPD — active enforcement, especially on consent banners
  • Germany: State-level DPAs plus the BfDI at federal level

The EDPB coordinates cross-border cases and issues binding guidance.

What Triggers an Investigation

  • Complaints from individuals — anyone can file a complaint with a DPA
  • Coordinated sweep actions — DPAs periodically audit websites in specific sectors
  • NGO complaints — organizations like noyb file systematic complaints across borders
  • Media attention — high-profile data breaches or privacy scandals prompt investigations

Fine Calculation

GDPR fines can reach up to 4% of global annual revenue or 20 million euros, whichever is higher. Factors that influence the amount:

  • Severity and duration of the violation
  • Number of affected individuals
  • Whether the violation was intentional or negligent
  • What the company did to mitigate the damage
  • History of previous violations

For cookie consent violations specifically, fines have ranged from a few thousand euros for small sites to hundreds of millions for major platforms.

CNIL Cookie Enforcement (France)

France's CNIL has been the most aggressive enforcer on cookies. Notable cases include:

  • Fined Google 150 million euros and Facebook 60 million euros (2022) for making cookie rejection harder than acceptance
  • Fined Microsoft 60 million euros (2022) for setting advertising cookies without consent on bing.com
  • Issued hundreds of smaller fines to French websites for pre-consent tracking

CNIL's enforcement principle: rejecting cookies must be as easy as accepting them. Dark patterns in cookie banners — like hiding the reject button in settings — trigger enforcement.

ICO Cookie Guidance (UK)

The UK's ICO has taken a softer approach, preferring guidance over fines for cookie issues. However, their November 2024 guidance update made clear:

  • Analytics cookies are not strictly necessary and require consent
  • Cookie walls (blocking content until consent) are not compliant
  • Consent must be freely given — pre-selected checkboxes don't count

noyb Cookie Complaints

The privacy NGO noyb (led by Max Schrems) has filed over 800 cookie-related complaints across Europe since 2021. Their targets include:

  • Websites with "Accept All" but no equally prominent reject option
  • Cookie banners that default to all categories selected
  • Sites that ignore reject signals and continue tracking

Staying Compliant: Practical Steps

Based on current enforcement trends:

  1. Audit your website regularly — new scripts get added, CMP configurations change, and compliance can break silently
  2. Ensure reject is as easy as accept — CNIL's enforcement makes this clear
  3. Implement Google Consent Mode v2 correctlycheck your GCM implementation with a free scan
  4. Document your consent mechanism — if audited, you'll need to demonstrate how consent works
  5. Monitor enforcement in your key markets — a fine in France signals what other DPAs will follow

Resources

This page is updated regularly with the latest GDPR enforcement actions and cookie consent news. Last updated: April 2026.

Share

Frequently Asked Questions

Where can I find the latest GDPR news?

This page is updated regularly with the latest GDPR enforcement actions, cookie consent rulings, and data protection guidance. You can also follow the European Data Protection Board (EDPB) at edpb.europa.eu and individual national DPAs like France's CNIL, the UK's ICO, and Ireland's DPC.

How much have GDPR fines totaled?

Since GDPR took effect in May 2018, data protection authorities across Europe have issued over 5 billion euros in fines. The largest single fine was Meta's 1.2 billion euro penalty from Ireland's DPC in 2023 for unlawful data transfers.

What is the most common GDPR violation?

The most common violations involve insufficient legal basis for data processing, non-compliant cookie consent (firing tracking before consent), inadequate transparency in privacy notices, and failure to honor data subject access requests.

Does GDPR enforcement apply to non-EU companies?

Yes. GDPR applies to any organization that processes personal data of EU residents, regardless of where the company is based. US, UK, and other non-EU companies have been fined for GDPR violations, particularly around cookies and consent.

Related articles

Privacy Enforcement News — Latest Fines & Rulings (2026)

Track the latest privacy enforcement actions worldwide: GDPR fines, CCPA penalties, and global privacy rulings that affect your website's compliance obligations.

EU Data Privacy News — Latest GDPR Enforcement & Fines

Latest EU data privacy enforcement actions, GDPR fines, and regulatory updates from CNIL, ICO, DPC, and national DPAs. Updated regularly.

Ad Privacy Regulation News — What Marketers Need to Know

Latest advertising privacy regulation updates: Google Consent Mode v2, third-party cookie changes, Meta CAPI, and how privacy laws affect your ad campaigns.

Tag Leak · Free Tool

Is your site leaking data before consent?

Paste your URL and get a full compliance report in 60 seconds — no signup required. Detects pre-consent tag firing, GCM v2 score, and security headers.

Scan your site free