
Cookies without consent — what the law actually says in 2026

Published 25 April 2026

TL;DR

  • If your site sets any cookies beyond strictly necessary ones before the visitor clicks "accept", that's a breach of the ePrivacy Directive (in force across the EU).
  • This includes Google Analytics, Meta Pixel, Hotjar, and anything else commonly described as "analytics cookies".
  • You can check this yourself in five minutes with an incognito window — instructions further down.

What the law requires — in one sentence

Before your site sets a cookie or loads a third-party script that collects information about the visitor, the visitor must have given active consent.

This isn't a national specialty. It follows from Article 5(3) of the ePrivacy Directive, which applies across the EU and is implemented in each member state's national law. Continued browsing, scrolling, or "ongoing use of the site" is not consent. Pre-ticked checkboxes are not consent. A "we use cookies, click to dismiss" banner is not consent.

There are only two exemptions:

  1. Strictly necessary cookies — session cookies, shopping cart, login state, CSRF tokens, language preference. These can be set without consent because they're needed for the service to work.
  2. Cookies the visitor explicitly requested — e.g. a "remember my username" checkbox they actively ticked.

Everything else — tracking, analytics, retargeting, A/B testing, heatmaps — requires consent before the script runs.

What counts as "tracking cookies"?

In practice: nearly anything not on the exemption list above. Concretely, the following require consent before they load:

  • Google Analytics (including GA4 — the myth that GA4 is "consent-free" doesn't hold up)
  • Google Ads, Google Tag Manager when it loads anything else
  • Meta Pixel / Facebook tracking
  • LinkedIn Insight Tag
  • TikTok Pixel
  • Hotjar, Microsoft Clarity, FullStory, other session replays
  • HubSpot, Marketo, Pardot tracking scripts
  • Intercom, Drift and similar chat widgets when they load identifying information
  • A/B testing tools (Optimizely, VWO)

A typical company website has 5–15 such scripts wired in. An e-commerce site usually has more. Each one that loads before the visitor clicks "accept" sits outside what the law allows.

The most common gotcha: "but we have a cookie banner"

Most sites have a cookie banner. Plenty of them are still wrongly implemented. Three recurring failure modes:

1. Scripts load before the banner appears

This is the most common issue we see in scans. The cookie banner provider (Cookiebot, CookieScript, OneTrust, Cookie Information, etc.) is correctly installed, but somewhere — developer or agency — the GA snippet has been pasted directly into <head> as well. So Google Analytics fires whether the visitor consents or not.

Quick test: open the site in an incognito window, open devtools on the Network tab, reload. Before clicking anything in the banner, search for google-analytics, googletagmanager, facebook, clarity. If you get hits, they're loading without consent.
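The same check, done against a HAR export instead of by eye, as an added example that is not part of the original post (the same manual check is repeated as step 1 under "What to do next"). Save the Network tab as a HAR before clicking anything in the banner, or note the time of the consent click and pass it in; the HAR excerpt below is constructed, the `G-PLACEHOLDER` ids are placeholders, and the tracker host list is illustrative rather than exhaustive.

```javascript
// Added example (not from the original post): scan a HAR export from the
// browser's Network tab for tracker requests made before the consent click.
// The HAR excerpt below is constructed; the host list is illustrative and
// not exhaustive. A tracker request with no consent timestamp given, or one
// timestamped before the click, is a finding.

const TRACKER_HOSTS = [
  { host: /(^|\.)google-analytics\.com$/, tool: 'Google Analytics', category: 'analytics' },
  { host: /(^|\.)googletagmanager\.com$/, tool: 'Google Tag Manager', category: 'analytics' },
  { host: /(^|\.)facebook\.(com|net)$/, tool: 'Meta Pixel', category: 'marketing' },
  { host: /(^|\.)licdn\.com$/, tool: 'LinkedIn Insight Tag', category: 'marketing' },
  { host: /(^|\.)tiktok\.com$/, tool: 'TikTok Pixel', category: 'marketing' },
  { host: /(^|\.)clarity\.ms$/, tool: 'Microsoft Clarity', category: 'session replay' },
  { host: /(^|\.)hotjar\.com$/, tool: 'Hotjar', category: 'session replay' },
];

// Helper to build a minimal HAR 1.2 entry (only the fields the checker reads).
function entry(startedDateTime, method, url, responseHeaders = []) {
  return { startedDateTime, request: { method, url }, response: { status: 200, headers: responseHeaders } };
}

// Constructed HAR excerpt: first-party page load, four trackers fired from the
// <head> straight away, then one request after the assumed consent click at 09:00:05Z.
const SAMPLE_HAR = {
  log: {
    version: '1.2',
    entries: [
      entry('2026-04-25T09:00:00.000Z', 'GET', 'https://www.example.com/',
            [{ name: 'Set-Cookie', value: 'sessionid=abc123; Path=/; HttpOnly; Secure' }]),
      entry('2026-04-25T09:00:00.120Z', 'GET', 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'),
      entry('2026-04-25T09:00:00.300Z', 'POST', 'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER'),
      entry('2026-04-25T09:00:00.450Z', 'GET', 'https://connect.facebook.net/en_US/fbevents.js'),
      entry('2026-04-25T09:00:00.600Z', 'GET', 'https://static.hotjar.com/c/hotjar-PLACEHOLDER.js',
            [{ name: 'set-cookie', value: '_hjSessionUser_x=1; Path=/' }]),
      entry('2026-04-25T09:00:05.800Z', 'GET', 'https://www.clarity.ms/tag/PLACEHOLDER'),
    ],
  },
};

function classifyHost(hostname) {
  return TRACKER_HOSTS.find((t) => t.host.test(hostname)) || null;
}

// HAR header names keep the server's casing, so compare case-insensitively.
function setsCookie(response) {
  return (response.headers || []).some((h) => h.name.toLowerCase() === 'set-cookie');
}

// consentTime: ISO timestamp of the consent click, or null if the HAR was
// saved before clicking anything in the banner (then every entry is pre-consent).
function findPreConsentTrackers(har, consentTime = null) {
  const cutoff = consentTime === null ? Infinity : Date.parse(consentTime);
  const findings = [];
  for (const e of har.log.entries) {
    if (Date.parse(e.startedDateTime) >= cutoff) continue; // after consent: out of scope
    let hostname;
    try { hostname = new URL(e.request.url).hostname; } catch { continue; }
    const match = classifyHost(hostname);
    if (match) {
      findings.push({ tool: match.tool, category: match.category, method: e.request.method,
                      url: e.request.url, setsCookie: setsCookie(e.response), at: e.startedDateTime });
    }
  }
  return findings;
}

// Count findings per tool, which is the list to hand to whoever maintains the site.
function summarize(findings) {
  const byTool = {};
  for (const f of findings) byTool[f.tool] = (byTool[f.tool] || 0) + 1;
  return byTool;
}

if (typeof require !== 'undefined' && require.main === module) {
  const findings = findPreConsentTrackers(SAMPLE_HAR, '2026-04-25T09:00:05.000Z');
  for (const f of findings) {
    console.log(`${f.at} ${f.tool} (${f.category}) ${f.method} ${f.url}${f.setsCookie ? ' [sets cookie]' : ''}`);
  }
  console.log('per tool:', summarize(findings));
}
```

The `setsCookie` flag separates a script that merely loaded from one that already wrote a cookie before the click; both need fixing, but the second is the clearer breach of Article 5(3). Replace `SAMPLE_HAR` with `JSON.parse(fs.readFileSync('site.har'))` to run it on a real export.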

2. "Continued use = consent" framing

The infamous "by continuing to use this site you accept our cookies" text. It was never valid under GDPR and still isn't. Consent must be active.

The combination "X to dismiss" + tracking scripts that fire anyway is the same — the banner is decorative, the consent is fictional.

3. Pre-ticked checkboxes

Some banners show checkboxes for cookie categories (analytics, marketing, etc.) that are pre-ticked. That doesn't qualify as consent under the EDPB's 2020 guidelines. Consent must be an active action — the user must tick the box themselves, not un-tick something already filled in.
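What a correct integration looks like in code, covering all three failure modes above, as an added example that is not part of the original post and is not the API of Cookiebot, OneTrust or any other consent product. It assumes a page registers its tags with the gate instead of pasting them into `<head>`; the script names and `G-PLACEHOLDER` id are constructed.

```javascript
// Added example (not from the original post, not any vendor's API): a minimal
// consent gate. Non-necessary scripts are held back until the visitor actively
// grants their category. The wrong pattern the post describes is the GA snippet
// pasted straight into <head>; this is the shape a correct integration takes.

const CATEGORIES = ['necessary', 'analytics', 'marketing'];

// loadScript is injected so the gate can run outside a browser (see
// recordingLoader); browserLoader is what a real page would pass in.
function createConsentGate(loadScript) {
  // Default state: nothing granted except strictly necessary. There is no
  // pre-ticked state and no path to granted=true other than grant().
  const granted = { necessary: true, analytics: false, marketing: false };
  const pending = [];
  const loaded = [];

  function activate(script) { loadScript(script); loaded.push(script.name); }

  function flush() {
    const held = pending.filter((s) => !granted[s.category]);
    pending.filter((s) => granted[s.category]).forEach(activate);
    pending.length = 0;
    pending.push(...held);
  }

  return {
    // Register a tag instead of writing it into the HTML. Unknown categories are
    // rejected so a mislabelled script cannot slip through as "necessary".
    register(script) {
      if (!CATEGORIES.includes(script.category)) throw new Error(`unknown category: ${script.category}`);
      if (granted[script.category]) activate(script); else pending.push(script);
    },
    // Called only from the banner's explicit accept/save buttons. 'necessary'
    // cannot be toggled; anything not explicitly set to true stays denied.
    grant(choice) {
      for (const cat of CATEGORIES) {
        if (cat === 'necessary') continue;
        if (cat in choice) granted[cat] = choice[cat] === true;
      }
      flush();
    },
    // Closing the banner, scrolling, "continued use": no state change at all.
    dismiss() {},
    state() { return { ...granted }; },
    loadedScripts() { return [...loaded]; },
    pendingScripts() { return pending.map((s) => s.name); },
  };
}

// Browser loader: the <script> element is created only now, never in the static HTML.
function browserLoader(script) {
  const el = document.createElement('script');
  el.src = script.src;
  el.async = true;
  document.head.appendChild(el);
}

// Test loader: records what would have been loaded, so the demo runs under Node.
function recordingLoader(log) { return (script) => log.push(script.name); }

// Demo: a CSRF helper (necessary), gtag (analytics) and Meta Pixel (marketing);
// the visitor closes the banner, then ticks only analytics and saves.
function demo() {
  const log = [];
  const gate = createConsentGate(recordingLoader(log));
  gate.register({ name: 'csrf-helper', category: 'necessary', src: '/static/csrf.js' });
  gate.register({ name: 'gtag', category: 'analytics', src: 'https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER' });
  gate.register({ name: 'meta-pixel', category: 'marketing', src: 'https://connect.facebook.net/en_US/fbevents.js' });
  gate.dismiss();                   // banner closed without a choice: gtag and pixel still held
  gate.grant({ analytics: true });  // visitor ticked analytics, left marketing unticked
  return { loaded: gate.loadedScripts(), pending: gate.pendingScripts(), state: gate.state() };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The gate only controls what it loads; a tag that also exists as a literal `<script>` in the page template bypasses it entirely, which is exactly failure mode 1. Withdrawing consent later cannot unload a script that has already run, so a "reject" after "accept" still needs a reload or a tool-specific disable call.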

Enforcement

In each EU member state two regulators are typically relevant:

  • The telecom / ePrivacy regulator (in Sweden: PTS) supervises whether consent was actually obtained before cookies were set.
  • The data-protection authority (in Sweden: IMY) supervises how the resulting personal data is processed under GDPR.

Both can be relevant for the same case — one for setting the cookie, the other for what's done with the resulting data.

Cookie-consent enforcement is most active in France, where CNIL has issued substantial fines against Google, Amazon and others for pre-consent tracking specifically. Sweden's PTS has been less active on cookie cases to date.

On the GDPR side Sweden's IMY issued well-known orders in 2023 against four companies (Coop, Dagens Industri, CDON, Tele2) to stop using Google Analytics without additional safeguards. Those rulings were not about cookie consent though — they concerned international data transfers to the US under GDPR Chapter V (the Schrems II doctrine). Tele2 also received a 12 million SEK penalty for its handling, CDON 300 000 SEK.

The largest cost when enforcement does happen is often not the fine itself — it's the cleanup work afterwards: switching tools, reworking integrations, handling customer questions.

Updated 2026-04-25: an earlier version conflated cookie-consent enforcement with GDPR data-transfer enforcement, and incorrectly identified IMY (rather than PTS) as the cookie supervisor in Sweden. Corrected via fact-check by Cowork.

What to do next

Three concrete steps, in order of priority:

  1. Check your own site. Open an incognito window, devtools, the Network tab, load the site. Before clicking in the banner: search for google, facebook, linkedin, clarity — any hits? Then you have the problem. This takes five minutes and costs nothing.

  2. Ask whoever builds or maintains the site for a cookie audit. That might be a web agency, an in-house developer, a consultant, or your IT team — whoever actually has hands on the tech. Not "how many cookies do we set" — ask specifically: which scripts load before consent, and why. Most have this on their cleanup list but don't pick it up until someone asks.

  3. Decide how you want to monitor it ongoing. A cookie audit is a snapshot. Developers add new scripts, marketing integrates new tools, removed integrations come back — the site drifts away from compliance continuously if no one's watching. You can:

    • Re-run the manual check (step 1) monthly
    • Ask your agency to monitor it as part of their contract
    • Use a tool that runs scans automatically

For the last option we built CompliantHQ — we list every script loading before consent, categorised by what it does and where it comes from, and track the site over time. You can run the first scan without registering payment details, if it's an option you want to try.

Run a free scan of your site →