Elgarde
cookie-consent eu-regulation enforcement

Cookie consent fines in the EU: what businesses need to know in 2026

Elgarde Team · · 3 min read

The enforcement landscape has changed

Cookie consent enforcement in the EU is no longer theoretical. In the past twelve months, data protection authorities across Europe have shifted from warnings to fines — and they’re targeting businesses of all sizes.

The Dutch DPA (Autoriteit Persoonsgegevens) announced a program to scan 10,000 websites for cookie consent violations. France’s CNIL issued 69 fast-track fines in 2024 alone. Italy’s Garante fined Ediscom €300,000 for dark patterns in their consent interface.

This isn’t about mega-corporations anymore. Small and mid-sized businesses are squarely in the crosshairs.

What regulators are looking for

The ePrivacy Directive, Article 5(3), requires that websites obtain informed, specific, and freely given consent before storing or accessing information on a user’s device. In practice, regulators check for:

  1. Pre-consent tracking — Are analytics scripts, advertising pixels, or social media trackers firing before the user makes a consent choice?

  2. “Reject all” effectiveness — When a user clicks “Reject all” (or equivalent), do all non-essential trackers actually stop? Many CMP (Consent Management Platform) implementations fail here.

  3. Dark patterns — Is the “Accept” button visually prominent while “Reject” is hidden, smaller, or requires extra clicks? Regulators consider this a violation of the “freely given” requirement.

  4. Pre-ticked checkboxes — Consent categories that are pre-selected violate the GDPR’s requirement for affirmative action.

The cost of non-compliance

Recent enforcement actions show the range of penalties:

  • €600,000 — Kruidvat (Netherlands, 2024) for pre-ticked cookie checkboxes
  • €300,000 — Ediscom (Italy, 2023) for dark patterns in consent UI
  • €40,000 — Multiple small businesses in France (CNIL fast-track procedure, 2024)

Beyond fines, there’s the competitive complaint risk. In several EU countries, competitors can file complaints about cookie violations with the DPA, triggering an investigation. This is increasingly used as a business tactic.

What you can do today

  1. Scan your website — Use a tool like Elgarde that loads your site in a real browser, rejects cookies, and checks what happens. This is exactly what a regulator would do.

  2. Check your CMP configuration — The most common issue is a CMP that’s installed but misconfigured. Trackers load before consent, or they don’t stop after rejection.

  3. Audit your tag manager — Google Tag Manager, Adobe Launch, and similar tools often have scripts set to fire on “All Pages” regardless of consent state. Each of these is a potential violation.

  4. Document your compliance — If you’re ever investigated, having documented evidence that you regularly audit your consent implementation is a strong defense. Proof-grade reports with timestamps and network captures are invaluable.

The regulatory trajectory

The trend is clear: enforcement is accelerating, fines are increasing, and the scope is expanding. The proposed ePrivacy Regulation (which would replace the current Directive) is still in negotiation, but national DPAs aren’t waiting. They’re enforcing the existing Directive with increasing vigor.

The best time to check your compliance was yesterday. The second best time is now.

Check your website’s compliance — free, no registration required.

Check your website's compliance

Free scan — no registration required. See your compliance grade in 30 seconds.

Scan now
← Back to all posts