GDPR · 9 min read · 17 May 2026

GDPR Consent Management for SaaS: CMPs, Cookie Banners, and Legitimate Interest in 2026

Getting cookie consent right is one of the most-enforced areas of GDPR. This guide covers consent management platforms, when you actually need consent vs legitimate interest, Consent Mode v2, and what DPA enforcement looks like in 2026.

Why consent management is still a mess in 2026

Despite being in force since 2018, GDPR and the ePrivacy Directive's consent requirements remain among the most widely violated and most actively enforced areas of data protection law. In 2025 and into 2026, supervisory authorities across Europe ramped up enforcement on cookie banners, tracking technologies, and consent management practices — with fines ranging from symbolic €5,000 penalties to multi-million euro decisions against large platforms.

For SaaS founders, the stakes are lower than for consumer platforms but the obligations are identical. This guide explains what you actually need to do.

The legal framework: GDPR + ePrivacy Directive

Cookie consent sits at the intersection of two laws:

  • GDPR (Regulation 2016/679): governs the processing of personal data. Consent under GDPR must be freely given, specific, informed, and unambiguous (Art. 7). Pre-ticked boxes, bundled consent, and consent buried in privacy policies are all invalid.
  • ePrivacy Directive (2002/58/EC): governs the placing of cookies and similar technologies on a user's device. Article 5(3) requires prior informed consent for any non-strictly-necessary cookies. This applies regardless of whether the cookie processes personal data.

The two instruments are complementary: ePrivacy covers the act of setting the cookie; GDPR covers any personal data processing that follows. Both require consent in most cases, but the triggers are slightly different.

The ePrivacy Regulation was supposed to replace the Directive and clarify the rules — it's still stuck in the EU legislative process as of 2026. The Directive continues to apply in its nationally transposed forms (PECR in the UK, TTDSG in Germany, etc.).

Strictly necessary vs non-necessary cookies

The one exception to the consent requirement: cookies that are strictly necessary for a service explicitly requested by the user. These can be set without consent. Everything else requires prior consent.

| Cookie type | Examples | Requires consent? |
| --- | --- | --- |
| Strictly necessary | Session authentication, load balancing, CSRF protection, consent record storage | No |
| Functionality / preferences | Language preference, theme setting, remembered form fields | Usually no (but borderline — document your reasoning) |
| Analytics / measurement | Google Analytics, Mixpanel, PostHog, Plausible (if using cookies) | Yes (unless anonymous/cookieless) |
| Marketing / advertising | Meta Pixel, Google Ads, LinkedIn Insight Tag, HubSpot | Yes — always |
| Third-party embeds | YouTube embeds, Intercom, Hotjar, Crisp | Yes — if they set tracking cookies |

Important note on analytics: Cookieless analytics tools (Plausible, Fathom, Umami when configured without user-level cookies) may not require consent because they don't set cookies or create persistent identifiers. Check your tool's documentation. Server-side analytics are generally safer.

What valid consent looks like

Under GDPR Art. 4(11) and Art. 7, valid consent must be:

  • Freely given: the user must not be penalised for refusing. Access to a service cannot be conditional on accepting non-necessary cookies ("cookie walls" are illegal in most EU member states).
  • Specific: consent must be given for each purpose separately. Blanket "accept all" without category breakdown is insufficient.
  • Informed: users must know what they're consenting to — which cookies, which companies, for what purpose.
  • Unambiguous: a clear affirmative action is required. Pre-ticked checkboxes and "continued use implies consent" are both invalid.
  • Withdrawable: users must be able to withdraw consent as easily as they gave it. A withdrawal button that is hard to find violates this requirement.

Dark patterns in cookie banners — making the "reject" button smaller, greying it out, using confusing language, or requiring multiple clicks to reject while accept is a single click — are increasingly the focus of enforcement. The French CNIL has issued significant fines specifically for this. In 2026, the Digital Services Act (DSA) also applies to platforms and prohibits deceptive design patterns.

Consent Mode v2 and Google's requirements

If you use Google Analytics, Google Ads, or any Google measurement product, you must implement Google Consent Mode v2 (released February 2024, mandatory for existing integrations). Consent Mode v2 requires two additional consent signals: ad_user_data and ad_personalization, in addition to the existing analytics_storage and ad_storage signals.

Without Consent Mode v2, Google's measurement products may not work correctly for EU users and your integration is non-compliant. Most modern CMPs support Consent Mode v2 natively — check your CMP documentation and verify the implementation with Google's Tag Assistant.

Choosing a Consent Management Platform (CMP)

A CMP handles the cookie banner UI, consent storage, and signal passing to your analytics/advertising tools. For most SaaS, you don't need to build this yourself — a third-party CMP is faster, cheaper, and reduces legal risk.

What to look for in a CMP:

  • IAB TCF 2.2 certification: required if you work with any IAB-member ad networks or DSPs. Optional but useful for general consent management.
  • Consent Mode v2 support: mandatory for Google integrations.
  • Geo-targeted behaviour: show the consent banner in the EU, a different banner in California (CCPA opt-out), and no banner where none is required.
  • Consent record storage: store proof that each user consented, with timestamp and IP. This is your burden-of-proof record under GDPR Art. 7(1).
  • Cookie scanner: auto-detect new cookies added by third-party scripts to keep your cookie policy accurate.
  • Server-side consent logging: preferred over client-side for compliance purposes.

Popular options for SaaS: Cookiebot (Usercentrics), CookieYes, Osano, OneTrust (enterprise), Axeptio (French market). Prices range from free (limited) to $100+/month for enterprise features.

Legitimate interest vs consent: when to use which

Not all cookie-related tracking requires consent. Some processing can rely on legitimate interest (GDPR Art. 6(1)(f)) — but there are important limits:

  • Legitimate interest can cover: security logging (access logs, fraud detection), server-side analytics that don't create persistent user profiles, B2B marketing to existing contacts (soft opt-in under ePrivacy Art. 13(2)).
  • Legitimate interest cannot cover: placing tracking cookies (ePrivacy requires consent for the cookie itself, regardless of GDPR basis), behavioural advertising, cross-site tracking, or processing that creates user profiles without their expectation.
  • Children's data: consent is the only valid basis for processing children's data under Art. 8. Legitimate interest cannot be used.

If you're relying on legitimate interests, document your Legitimate Interests Assessment (LIA) — a three-part test: purpose test (is the interest legitimate?), necessity test (is the processing necessary for that purpose?), balancing test (are your interests overridden by the data subjects' interests, rights and freedoms?).

What you actually need to implement

Practical checklist for a compliant consent implementation:

  1. Audit your cookies: know exactly what cookies you and your third-party scripts set. Use a tool like Cookiebot's scanner or manually inspect with Chrome DevTools.
  2. Classify each cookie: strictly necessary / functional / analytics / marketing.
  3. Choose and implement a CMP: with category-based consent, a reject button as prominent as the accept button, and Consent Mode v2 if using Google.
  4. Block non-necessary cookies by default: scripts should not fire until consent is given. Implement conditional script loading.
  5. Update your Cookie Policy: list every cookie, its purpose, provider, and whether it requires consent. Keep it in sync with your actual cookie inventory.
  6. Add a "Manage preferences" link in your footer: users must be able to change their consent at any time.
  7. Test in a fresh incognito session: verify that no analytics or marketing events fire before consent is given, and that they do fire once it is.
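The Consent Mode v2 signals described above and the "block by default, load on consent" behaviour of steps 3 and 4, as an added example that is not code from this guide or from any CMP vendor. It uses Google's documented gtag consent API (`gtag('consent', 'default' | 'update', …)`); the category names, the category-to-signal mapping, the script URLs and the injectable `loader` callback are assumptions.

```javascript
// Consent gate for a SaaS front end: all four Consent Mode v2 signals start
// "denied", category scripts are only injected after the user's choice, and
// every choice yields a record the server can log (Art. 7(1) burden of proof).
const GATED_CATEGORIES = ["analytics", "marketing"]; // "necessary" is never gated

// gtag shim as in Google's own snippet; gtag.js reads dataLayer when it loads.
globalThis.dataLayer = globalThis.dataLayer || [];
function gtag() { globalThis.dataLayer.push(arguments); }

// Map CMP categories onto the Consent Mode v2 signals (assumed mapping:
// analytics -> analytics_storage, marketing -> the three ad_* signals).
function consentSignals(grantedCategories) {
  const state = (cat) => (grantedCategories.has(cat) ? "granted" : "denied");
  return {
    analytics_storage: state("analytics"),
    ad_storage: state("marketing"),
    ad_user_data: state("marketing"),
    ad_personalization: state("marketing"),
  };
}

// Must run before gtag.js / GTM is loaded: everything denied until the user acts.
function setDefaultConsent() {
  const defaults = { ...consentSignals(new Set()), wait_for_update: 500 };
  gtag("consent", "default", defaults);
  return defaults;
}

// Called by the banner with the accepted categories ([] for "reject all").
// Returns the consent record; the server adds the client IP when logging it.
function applyConsent(acceptedCategories, now = new Date()) {
  const granted = new Set(acceptedCategories.filter((c) => GATED_CATEGORIES.includes(c)));
  const signals = consentSignals(granted);
  gtag("consent", "update", signals);
  return { categories: [...granted].sort(), signals, timestamp: now.toISOString() };
}

// Conditional script loading: scripts in a category the record does not grant
// are never injected. `loader` is injected so this also runs outside a browser;
// in the page pass e.g. (src) => { const s = document.createElement("script");
// s.src = src; document.head.appendChild(s); }.
function loadPermittedScripts(record, scriptsByCategory, loader) {
  const loaded = [];
  for (const [category, urls] of Object.entries(scriptsByCategory)) {
    if (category !== "necessary" && !record.categories.includes(category)) continue;
    for (const url of urls) { loader(url); loaded.push(url); }
  }
  return loaded;
}
```

Step 7's incognito test then reduces to checking that `dataLayer` holds only the `default` entry and that no gated script tag exists in the DOM until the banner has called `applyConsent`.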

Enforcement trend in 2026

The enforcement pattern is clear: regulators are moving beyond the biggest platforms and starting to catch mid-size SaaS and digital publishers. The most common findings:

  • Analytics cookies firing before consent is given (often a CMP misconfiguration)
  • No way to reject non-necessary cookies without significant extra steps
  • Cookie policies out of sync with actual cookie inventory
  • Consent not properly renewed after technology changes
  • Missing consent records (no proof of consent when challenged)

Fines for cookie consent violations have ranged from symbolic penalties for first offences to €50,000–€100,000+ for systematic or deliberate violations. For consumer-facing products with large EU user bases, the risk is meaningfully higher.

Generate your Cookie Policy

A valid consent implementation requires a cookie policy that accurately describes every cookie you use. ComplyKit's Cookie Policy Generator lets you input your actual analytics and advertising stack and generates a cookie category table with provider disclosures, opt-out links, and ePrivacy Directive notes.

Key takeaways

  • The ePrivacy Directive requires prior consent for all non-strictly-necessary cookies — before any analytics or marketing scripts fire.
  • Valid consent must be freely given, specific, informed, unambiguous, and withdrawable. Pre-ticked boxes and dark patterns are invalid.
  • If you use Google Analytics/Ads, Consent Mode v2 is mandatory for EU users.
  • Legitimate interest cannot replace consent for tracking cookies — ePrivacy requires consent for the cookie itself regardless of the GDPR basis for subsequent data processing.
  • Keep your cookie inventory up to date and your Cookie Policy in sync with it.