Skins4You
GDPR · Law · May 2026

GDPR Cookie Banner 2026: What is Mandatory?

What a legally compliant cookie banner must do in 2026, common mistakes, and how to avoid cease-and-desist letters.

9 min read · by Edgar Oganisjan
Disclaimer: Practical experience, not legal advice. Have your specific case reviewed by a specialised IT law firm.

Cookie banners remain a daily annoyance in 2026 – for users who click through them constantly and for site owners juggling tightening rules. The confusing part: things allowed two years ago are now grounds for cease-and-desist letters.

Legal basis

  • GDPR – EU-wide. Regulates personal data processing.
  • TKG 2021 (AT) / TTDSG (DE) – implements ePrivacy directive. Regulates access to terminal devices (cookie setting/reading) – even without personal data.
  • DSG (AT) – Austrian companion law to GDPR.

For cookies, § 165 TKG (AT) / § 25 TTDSG (DE) is central: cookies not strictly required for site operation may only be set with active consent.

What is "active consent"?

Unambiguous affirmative action. Pre-ticked boxes are invalid (CJEU C-673/17 "Planet49"). Continued scrolling is invalid. "By using this site you agree" is invalid. Only a deliberate click on a clearly labelled button counts.

What the banner must do

  1. Appear before cookie setting – no statistics/marketing cookies before user decides.
  2. Reject as easy as Accept – mandatory since the CNIL and Austrian DPA decisions.
  3. Categorised choice – at minimum "Necessary / Statistics / Marketing".
  4. Inform about purposes and providers – which tools, who provides them, what is stored.
  5. Transparency about third-country transfer – say when data goes to the USA (GA4, Meta), with a reference to the EU-US Data Privacy Framework.
  6. Withdrawal anytime – persistently visible reset button (footer or floating icon).
  7. Document consent – timestamp, banner version, choice. You must prove consent in disputes.

Dark patterns – why they're risky in 2026

  • Big green "Accept" button vs. tiny grey "Reject" link
  • "Reject" hidden behind "Settings" → 2 clicks vs 1 click to accept
  • Pre-ticked boxes for non-necessary categories
  • Banner reappears after each reload despite rejection
  • Cookie wall ("can't read until you accept all") – unless a paid alternative exists

3 tiers or 1?

Not strictly three, but proven in practice. Most banners separate Necessary / Statistics / Marketing. With more tools, a finer division is possible (e.g. "Functional", "Personalisation"). More than 5 categories overwhelms users and is generally rejected.

Penalties

  • Complaints to data protection authority (proceedings, conditions, fines)
  • Cease-and-desist letters from consumer protection associations (DE) or competitors (AT/DE)
  • GDPR fines up to € 20M or 4 % of revenue – realistically four/five-figure for SMBs
  • Damages claims by individuals – since 2023 the CJEU allows these even without proven material damage

Which CMP?

  • Cookiebot, Usercentrics, Borlabs Cookie – established CMPs with IAB-TCF support, auto-scanner, multilingual. € 9–199/month.
  • Custom lightweight setup – if using only 2–3 tools (GA4, Meta, maybe chat). 100 lines of JavaScript suffice. We use this on this site.
  • CMP with IAB-TCF v2.2 – mandatory if using AdTech with Real-Time-Bidding.

Practical recommendation

For a typical SMB site or small shop: 3-tier banner with equal buttons ("Accept all" / "Necessary only" / "Settings"), detail list of tools used, persistent withdrawal in footer, documented localStorage with timestamp. Covers 95 % of cases compliantly.
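The recommended setup above (three-tier choice, consent record in localStorage with timestamp and banner version, gating of GA4/Meta on the chosen category, withdrawal) as an added JavaScript example. This is illustrative code, not the site's own banner; the 12-month re-prompt interval, the `cookie_consent` key, the `BANNER_VERSION` value and the tool-to-category mapping are assumptions.

```javascript
// Added example (not the site's own banner); store = anything with getItem/setItem/removeItem, e.g. window.localStorage.
const BANNER_VERSION = "2026-05";              // assumed; bump when tools or banner text change
const MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;  // assumed: re-ask after 12 months
const STORAGE_KEY = "cookie_consent";          // assumed key name
// Assumed mapping of tools to banner categories.
const TOOL_CATEGORY = { ga4: "statistics", meta_pixel: "marketing" };

// choice: "all" (Accept all), "necessary" (Necessary only), or the
// {statistics, marketing} booleans picked under Settings. Necessary is always on.
function buildConsent(choice, now = Date.now()) {
  const picked = choice === "all" ? { statistics: true, marketing: true }
    : choice === "necessary" ? { statistics: false, marketing: false }
    : { statistics: !!choice.statistics, marketing: !!choice.marketing };
  return { version: BANNER_VERSION, timestamp: now, categories: { necessary: true, ...picked } };
}

// Persist the documented consent: choice, timestamp and banner version.
function saveConsent(store, choice, now = Date.now()) {
  const record = buildConsent(choice, now);
  store.setItem(STORAGE_KEY, JSON.stringify(record));
  return record;
}

// null means "no valid consent": show the banner and load no optional tool.
function loadConsent(store, now = Date.now()) {
  const raw = store.getItem(STORAGE_KEY);
  if (!raw) return null;
  let rec;
  try { rec = JSON.parse(raw); } catch { return null; }
  if (!rec || rec.version !== BANNER_VERSION || !rec.categories) return null;  // banner changed: re-ask
  if (typeof rec.timestamp !== "number" || now - rec.timestamp > MAX_AGE_MS) return null;
  return rec;
}

// Gate each tool on its category; unknown tools and missing consent load nothing.
function mayLoad(tool, record) {
  const cat = TOOL_CATEGORY[tool];
  return cat !== undefined && record !== null && record.categories[cat] === true;
}

// Withdrawal (footer link): drop the record so the banner is shown again.
function withdrawConsent(store) { store.removeItem(STORAGE_KEY); }

// In-memory stand-in with the same interface, for tests or non-browser code.
function memoryStore() {
  const m = new Map();
  return { getItem: k => (m.has(k) ? m.get(k) : null), setItem: (k, v) => m.set(k, String(v)), removeItem: k => m.delete(k) };
}
```

Wire `mayLoad("ga4", loadConsent(window.localStorage))` in front of each tag loader so statistics and marketing scripts never run before a decision; the same `loadConsent` result decides whether the banner is rendered.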

Bottom line

A good cookie banner in 2026 is transparent, fair and rejectable. The dark patterns of the past don't work anymore and are increasingly sanctioned. Fair banners get 50–70 % acceptance, manipulative ones 80–90 % but with high legal risk.

About the author

Edgar Oganisjan is the founder of Skins4You – a web design and online marketing agency from Graz, Austria.