Why cookie compliance is more complex than it looks
Cookie compliance sits at the intersection of two EU laws — GDPR and the ePrivacy Directive — with different scopes, consent standards, and enforcement bodies. Get it wrong and you're exposed to GDPR fines (up to 4% of global annual turnover), cookie-specific enforcement from national regulators, and reputational damage from privacy-focused users.
Here's what you actually need to know in 2026.
The two laws governing cookies in the EU
ePrivacy Directive ("Cookie Law")
The ePrivacy Directive (2002/58/EC, amended by 2009/136/EC) is the primary law governing cookies and similar tracking technologies. It requires:
- Consent before setting non-essential cookies
- Clear information about what the cookie does and how long it persists
- Easy withdrawal of consent at any time
"Essential" cookies — those strictly necessary for the service to function — are exempt. Everything else requires opt-in consent.
GDPR
GDPR applies because cookies (especially persistent ones with unique identifiers) are personal data when they can identify or single out a user. This means:
- Cookie data must be covered in your Privacy Policy
- Your cookie consent must meet GDPR's standard for valid consent (freely given, specific, informed, unambiguous)
- You must document your consent records
- Users have the right to withdraw consent as easily as they gave it
What counts as "essential" vs non-essential?
Essential cookies (no consent needed)
- Session cookies for authentication (logging in)
- Shopping cart cookies for e-commerce
- Load balancing cookies
- Security cookies (CSRF tokens, fraud prevention)
- User preference cookies (language, dark mode) — if they're strictly for site function
Non-essential cookies (consent required)
- Analytics cookies — Google Analytics, Mixpanel, Amplitude, Heap, even self-hosted Plausible in some interpretations
- Marketing cookies — Facebook Pixel, Google Ads, LinkedIn Insight Tag, any retargeting pixel
- A/B testing cookies — Optimizely, VWO, Google Optimize
- Chat widgets — Intercom, Drift, Crisp (they set persistent tracking cookies)
- Social media widgets — Twitter/X embeds, LinkedIn Follow buttons
- Heatmap tools — Hotjar, FullStory, Microsoft Clarity
The difference between a cookie policy and a consent banner
These are two separate things that work together:
| Document | What it is | Where it goes |
|---|---|---|
| Cookie Policy | A written disclosure listing all cookies, their purpose, duration, and provider | Standalone page, linked from footer and consent banner |
| Cookie Consent Banner | The interactive UI that collects and records user consent choices | Shown to new visitors before non-essential cookies fire |
You need both. A cookie policy without a consent banner isn't compliant. A consent banner that links to a vague or outdated cookie policy isn't compliant either.
👉 Read: Cookie Policy vs Cookie Consent — what's the difference?
What changed in 2026
ePrivacy Regulation: still pending, still relevant
The ePrivacy Regulation — intended to replace the ePrivacy Directive and align it with GDPR — has been in draft since 2017 and remains stalled in EU legislative negotiations as of 2026. The current Directive still applies. Don't wait for the Regulation to get compliant.
DPA enforcement intensified
National data protection authorities stepped up cookie enforcement significantly in 2024-2026:
- The French CNIL fined multiple companies for dark patterns in cookie consent (pre-ticked boxes, buried reject options)
- The Irish DPC issued guidance requiring reject buttons to be as prominent as accept buttons
- The Italian Garante specifically targeted Google Analytics configurations that transferred data to US servers without adequate safeguards
Google Analytics 4 and Consent Mode v2
Google's Consent Mode v2 (required from March 2024) changes how GA4 handles users who decline cookies. You must implement Consent Mode v2 correctly, or your Google Ads remarketing will stop working for EU users who opt out. This is a technical change, not just a policy one.
What your cookie policy must include
A compliant cookie policy for SaaS in 2026 should cover:
- What cookies you use — name, provider, type, purpose, duration
- Category breakdown — essential, functional, analytics, marketing
- Third-party cookies — for each third-party tool that sets cookies (Google, Meta, Hotjar, etc.)
- How to opt out — via your consent banner, browser settings, and specific opt-out links for major providers
- Link to your privacy policy — for GDPR compliance
- Last updated date — your policy should be updated whenever you add new cookies
👉 Generate your Cookie Policy free — covers all categories, third-party tool disclosure, and GDPR/ePrivacy/UK PECR requirements.
Quick compliance checklist
- ✅ Cookie consent banner loads before any non-essential cookies fire
- ✅ Reject button is as easy to find as Accept button
- ✅ Consent is granular (analytics vs. marketing separate)
- ✅ Cookie policy lists every cookie with name, purpose, duration
- ✅ Cookie policy is updated when you add new tools
- ✅ Consent records are logged (timestamp, choice, version)
- ✅ Google Consent Mode v2 implemented if you use GA4/Google Ads
- ✅ Privacy policy references cookies and links to cookie policy
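The Consent Mode v2 paragraph above and the technical items of this checklist (banner before any non-essential cookie fires, granular consent, logged consent records) describe one mechanism, so here is a single worked example of it. This is an added example, not code from the original post: `COOKIE_POLICY_VERSION`, `STORAGE_KEY`, `TAGS` and `createConsentGate` are assumed names and the tag catalogue is constructed; the `gtag('consent', 'default' | 'update', {...})` call shape and the four consent-type keys are Google's documented Consent Mode API.

```javascript
// Added example, not code from the original post. It wires together the checklist's
// technical items: Consent Mode v2 signals default to "denied" before any tag loads,
// non-essential tags load only for categories the user granted, every choice is stored
// as a record with timestamp, per-category choice and policy version, and withdrawal
// flips the signals back to denied. COOKIE_POLICY_VERSION, STORAGE_KEY, TAGS and
// createConsentGate are assumed names; the gtag('consent', ...) call shape and the four
// consent-type keys are Google's documented Consent Mode API.

const COOKIE_POLICY_VERSION = '2026-01'; // assumed: bump whenever the cookie policy changes
const STORAGE_KEY = 'cookie_consent';    // assumed key for the stored consent record

// Granular categories from the post; "essential" needs no consent and is never gated.
const CATEGORIES = ['analytics', 'marketing'];

// Consent Mode signals controlled by each category. ad_user_data and ad_personalization
// are the two signals Consent Mode v2 added on top of ad_storage and analytics_storage.
const CONSENT_MODE_SIGNALS = {
  analytics: ['analytics_storage'],
  marketing: ['ad_storage', 'ad_user_data', 'ad_personalization'],
};

// Constructed catalogue of non-essential tags; the measurement ID is a placeholder.
const TAGS = [
  { id: 'ga4', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' },
  { id: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' },
];

// Consent Mode payload for a set of granted categories; anything not granted is 'denied'.
function consentModePayload(granted) {
  const payload = {};
  for (const category of CATEGORIES) {
    const state = granted.includes(category) ? 'granted' : 'denied';
    for (const signal of CONSENT_MODE_SIGNALS[category]) payload[signal] = state;
  }
  return payload;
}

// The auditable record the checklist asks for: timestamp, choice per category, version.
function buildConsentRecord(granted, now = new Date()) {
  const choices = {};
  for (const category of CATEGORIES) choices[category] = granted.includes(category);
  return { timestamp: now.toISOString(), policyVersion: COOKIE_POLICY_VERSION, choices };
}

// Tags that may load under a stored record. No record, a malformed one, or one written
// under an older policy version means "ask again": nothing non-essential loads.
function tagsAllowedToLoad(record) {
  if (!record || !record.choices || record.policyVersion !== COOKIE_POLICY_VERSION) return [];
  return TAGS.filter((t) => record.choices[t.category] === true).map((t) => t.id);
}

// Bind the pure functions to a storage, a script loader and gtag. All three are injected
// so the same code runs in a browser or under in-memory fakes.
function createConsentGate({ storage, loadScript, gtag }) {
  const loaded = new Set();

  function applyRecord(record) {
    const granted = CATEGORIES.filter((c) => record.choices[c] === true);
    gtag('consent', 'update', consentModePayload(granted));
    for (const id of tagsAllowedToLoad(record)) {
      if (loaded.has(id)) continue; // never inject the same tag twice
      loadScript(TAGS.find((t) => t.id === id).src);
      loaded.add(id);
    }
  }

  // Banner buttons call this with the granted categories ([] for "Reject all").
  function save(granted, now = new Date()) {
    const record = buildConsentRecord(granted, now);
    storage.setItem(STORAGE_KEY, JSON.stringify(record));
    applyRecord(record);
    return record;
  }

  return {
    // Run before gtag.js loads: every signal starts denied, then a current record is replayed.
    init() {
      gtag('consent', 'default', consentModePayload([]));
      let record = null;
      try { record = JSON.parse(storage.getItem(STORAGE_KEY)); } catch (e) { record = null; }
      const current = !!record && !!record.choices && record.policyVersion === COOKIE_POLICY_VERSION;
      if (current) applyRecord(record);
      return { needsBanner: !current, record: current ? record : null };
    },
    save,
    // Withdrawal is "save with nothing granted": an already-loaded script cannot be unloaded,
    // but its consent signals are re-denied and the withdrawal itself is recorded.
    withdraw(now = new Date()) { return save([], now); },
    loadedTags() { return [...loaded]; },
  };
}

// Browser bootstrap; skipped where there is no DOM (e.g. under Node).
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  window.dataLayer = window.dataLayer || [];
  const gtag = function () { window.dataLayer.push(arguments); }; // Google's standard gtag shim
  const loadScript = (src) => {
    const s = document.createElement('script');
    s.async = true;
    s.src = src;
    document.head.appendChild(s);
  };
  window.consentGate = createConsentGate({ storage: window.localStorage, loadScript, gtag });
  window.consentGate.init(); // banner code then calls window.consentGate.save([...]) on click
}
```

Two design points are worth noting. The policy version is part of the stored record, so adding a new tool and bumping `COOKIE_POLICY_VERSION` automatically invalidates old consent and re-shows the banner, which covers the "policy updated when you add new tools" item. And the script loader is the only path by which a non-essential tag reaches the page, so the "banner loads before any non-essential cookies fire" item holds by construction rather than by convention: the hard-coded `<script>` tags for analytics and pixels are gone.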