BG Beter Geregeld ICT
AVG & privacy · 2 min leestijd · 25 October 2025

Cookie Consent in 2026: What's Changed, What's Allowed, What Has to Go?

Cookie legislation has been actively enforced since 2023. Many legacy cookie banners no longer comply. Here are the current rules and the three-column model.

The rules around cookies have tightened significantly since the enforcement wave of 2023–2024. The old "set everything to accept" banners simply don't cut it anymore.

The Three-Column Model

  1. Necessary cookies: no consent required. Session cookies, shopping cart, login.
  2. Functional cookies: essential for user experience (language preference, dark mode). Consent is often not required, as long as they genuinely don't track.
  3. Analytics / marketing: consent is MANDATORY. Opt-in, not opt-out. "Reject all" must be just as prominent as "Accept all".

What Cookie Banners Can No Longer Do

  • Show only an "Accept" button.
  • Treat scrolling as consent.
  • Pre-tick marketing categories.
  • Apply unlimited "legitimate interest" to tracking cookies.
  • Place cookies BEFORE consent has been given.

What Must Be in the Cookie Banner

  • Categories clearly explained.
  • Choice per category (minimum: necessary always on, marketing/analytics separate).
  • "Accept All", "Reject All", and "Manage" with equal visual prominence.
  • Link to the full cookie statement.
  • Option to change consent later (e.g. via a footer link).

Tools

Google Analytics 4, Meta Pixel, LinkedIn Insight — all require consent. Use Google Consent Mode V2 if you're running GA4.

Risk of Fines

The Dutch Data Protection Authority (AP) issued multiple fines for non-compliant cookie banners in 2023–2024. Typical amounts: €25,000–€100,000 for SMBs that came to their attention. This is no longer something you can afford to ignore.

See also: GDPR pillar, privacy statement.

Onderwerpen

#avg #website #cookies #consent

Volledige gids: Cumplimiento GDPR para pymes: el mínimo práctico

Dit artikel is onderdeel van onze uitgebreide AVG & privacy-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →

Verwant leesmateriaal

AVG & privacy

GDPR Compliance for SMBs: The Practical Minimum

GDPR doesn't require a €10,000 project or a DPO for most small businesses. Here's what every SMB actually needs — based on what the Dutch DPA really checks for.

2 min
AVG & privacy

Logging IP addresses under GDPR: pseudonymous, personal data, and what's allowed?

An IP address is personal data under GDPR. Security logs often need to retain them for weeks or months. How do you reconcile that with data minimisation principles?

2 min
AVG & privacy

Data Retention Periods by Category for SMBs

How long should you keep customer data, job applicants, invoices, or CCTV footage? Here are the key categories in a clear overview table, with the source for each retention period.

2 min
AVG & privacy

Marketing consent: email, WhatsApp, retargeting — what are you still allowed to do?

Your newsletter, promotional emails, retargeting pixels — they all need a valid consent basis. Here are the concrete rules per channel.

2 min
AVG & privacy

Data subject rights: access, rectification, erasure — a workable procedure

A customer wants to see their data — or have it deleted. You have 30 days. Here's the procedure that gets it done without each request eating up half a week.

2 min
AVG & privacy

Sub-processors outside the EU: what Schrems II still requires

Using AWS, Google, or Microsoft? Then some of your data flows through the US. Since Schrems II, that's no longer a given. Here's what actually works today.

2 min
← Alle artikelen in "AVG & privacy"