04.06.2026

Cookie banners in 2026: what must they be capable of and is reform on the horizon?

Cookie banners are intended to safeguard data protection, yet many users now click “Accept” out of sheer frustration. At the same time, pressure for reform is growing at EU level. What does this mean for companies? And what requirements actually apply today? An overview of the legal framework, practical challenges, and available courses of action.

Your ISiCO-Expert:
Jacqueline Neiazy
Partner, Managing Director

Why cookie banners are becoming increasingly burdensome

Cookie banners have long become part of everyday digital life. Hardly any website can do without them. Yet what is supposed to strengthen transparency and self-determination is perceived by many users as an annoyance.

Data protection is an important issue for the vast majority of people. At the same time, there is a clear knowledge gap: many people cannot explain precisely what cookies do technically or what data is processed in the process.

The result:

  • a large proportion of users would prefer to reject cookies altogether;
  • settings are rarely adjusted consciously;
  • banners are often clicked away quickly;
  • consent is given routinely rather than in an informed manner.

This phenomenon is referred to as consent fatigue. Constant exposure to consent requests leads to decisions no longer being made reflectively.

This raises a central question: do cookie banners still fulfill their original purpose?


What are cookies and why are they legally relevant?

Cookies are small data packets that a website stores on a user’s device via the browser and later reads again.

Typical purposes include:

  • storing login information;
  • shopping cart functionality;
  • language settings;
  • analysis of user behavior;
  • marketing and personalized advertising.

Cookies are legally relevant because they:

  1. access information stored on the user’s device or store information there, and
  2. often concern or generate personal data.

Even if only a technical identifier is stored, it may become relatable to a person when combined with other data: for example, through recognition or profiling.

What types of cookies exist?

For legal assessment, classification is decisive. Cookies can be distinguished in particular according to the following criteria:

1. Duration

  • Session cookies: deleted when the browser is closed.
  • Persistent cookies: remain stored until a defined expiration date.

2. Origin

  • First-party cookies: set by the website being visited itself.
  • Third-party cookies: set through integrated third-party providers.

3. Purpose

  • Strictly necessary cookies: indispensable for functionality (e.g. shopping cart, login).
  • Functional cookies: convenience and preference settings.
  • Analytics cookies: audience measurement and usage statistics.
  • Marketing and tracking cookies: profiling, retargeting, and personalized advertising.

Tracking and marketing cookies in particular are legally sensitive, as they often enable extensive user profiling and transfer data to third parties.

The legal basis: two levels, two assessments

In Germany, the use of cookies is typically assessed on two levels.

1. Access to the user’s device (Section 25 TDDDG)

As a general rule, storing information on a user’s device or reading information from it requires consent.

Exceptions apply only where the access:

  • serves exclusively to transmit a message, or
  • is strictly necessary in order to provide a service expressly requested by the user.

Typical examples of what is considered “strictly necessary” include:

  • shopping cart functionality;
  • login sessions;
  • security functions.

2. Processing of personal data (GDPR)

As soon as cookies are used to process personal data (for example online identifiers, tracking information, or profiling data), the GDPR also applies.

In practice, the following legal bases are particularly relevant:

  • Consent (Article 6(1)(a) GDPR): the standard basis for tracking and marketing.
  • Performance of a contract (Article 6(1)(b) GDPR): for functionally necessary processing.
  • Legitimate interests (Article 6(1)(f) GDPR): only in limited scenarios and following a balancing of interests.

In addition, the GDPR principles apply, including transparency, purpose limitation, data minimization, and storage limitation.

Is the consent banner only about cookies?

No. It is not only about cookies. Section 25 TDDDG is formulated in a technology-neutral manner and covers any storage of information on the user’s device or any access to information already stored there.

In this article, cookies are referred to primarily because they are the best-known technology. What is meant, however, is all methods covered by the provision.

Where they are used, the following technologies in particular must generally also be taken into account and controlled via the consent banner:

Local storage / session storage

  • HTML5 storage
  • browser IndexedDB

Tracking pixels

  • Facebook Pixel
  • LinkedIn Insight Tag
  • Google Ads Conversion Pixel

Device fingerprinting

  • browser fingerprinting
  • canvas fingerprinting

SDKs in apps

  • mobile tracking SDKs
  • advertising identifiers (IDFA, GAID)

When is consent valid?

Consent must be given through a clear affirmative act.

In particular, the following are not permitted:

  • pre-ticked boxes;
  • mere continued browsing;
  • inactivity.

In order to be valid, consent must:

  • be given in advance (tracking only after opt-in);
  • be informed (purposes, providers, storage duration, third-country transfers);
  • be freely given (no pressure, no deception);
  • be specific (for example by category);
  • be revocable (as easily as it was given).

Important in practice: the option to reject must be equivalent and easily noticeable. Hiding the rejection option is legally problematic.

Cookie walls, PUR models and alternatives

A particularly sensitive area concerns so-called cookie walls. In such cases, access to the website is granted only if users accept tracking.

The problem is that consent given under these conditions often cannot be regarded as freely given.

As an alternative, so-called PUR models are being discussed. Under these models, users can choose between:

  • consenting to tracking, or
  • paying for tracking-free access.

Such models may be legally permissible, but they are organizationally and technically demanding.

Third parties and third-country transfers: often underestimated

Anyone using third-party cookies must assess more than just the banner.

In particular, the following must be clarified:

  • Is the third party a processor or an independent controller?
  • Is joint controllership a possibility?
  • Are data transferred to third countries?
  • Are appropriate safeguards in place (e.g. standard contractual clauses)?

The allocation of roles directly affects:

  • contractual arrangements;
  • liability risks;
  • information obligations;
  • internal compliance structures.

What companies should review now in concrete terms

Data protection-compliant cookie implementation requires structure.

A practical checklist:

  • create a complete cookie inventory;
  • classify cookies properly (necessary, functional, statistics, marketing);
  • design the banner in a legally compliant manner;
  • document consent;
  • make withdrawal technically easy;
  • review third-party and third-country scenarios.

Documentation and ongoing review in particular are often underestimated in practice.
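The consent requirements above (no pre-ticked boxes, tracking only after opt-in, rejection as easy as acceptance, withdrawal as easy as consent) and the checklist items on classification, documentation and withdrawal, as an added example that is not code from this article or from ISiCO: a minimal browser-side consent gate in JavaScript. The names (ConsentGate, the four category labels, the loader calls) are assumptions, and the page-load simulation in demo() is constructed input.

```javascript
const CATEGORIES = ["necessary", "functional", "statistics", "marketing"];

class ConsentGate {
  constructor(clock = () => new Date().toISOString()) {
    this.clock = clock;
    this.record = null;  // no consent until a clear affirmative act
    this.deferred = [];  // tags, pixels, SDKs, storage writes waiting for opt-in
  }
  // Explicit per-category decision. "necessary" needs no consent (Sec. 25(2) TDDDG);
  // anything not exactly `true` counts as rejected, so pre-ticked defaults, undefined
  // or "" never become consent, and decide({}, meta) is a one-action reject-all.
  decide(choices, meta) {
    const granted = { necessary: true };
    for (const c of CATEGORIES.slice(1)) granted[c] = choices[c] === true;
    this.record = { granted, at: this.clock(), bannerVersion: meta.bannerVersion, withdrawnAt: null };
    const still = [];  // run loaders whose category was just consented, keep the rest waiting
    for (const d of this.deferred) { if (this.isAllowed(d.category)) d.loader(); else still.push(d); }
    this.deferred = still;
    return this.record;
  }
  // Withdrawal takes one call and keeps the original record for documentation.
  withdraw() {
    if (!this.record) return null;
    for (const c of CATEGORIES.slice(1)) this.record.granted[c] = false;
    this.record.withdrawnAt = this.clock();
    return this.record;
  }
  isAllowed(category) {
    return category === "necessary" || Boolean(this.record && this.record.granted[category]);
  }
  // Every storage access or third-party loader goes through here: it runs now only
  // if its category is already consented, otherwise it waits for a decision.
  whenAllowed(category, loader) {
    if (this.isAllowed(category)) { loader(); return true; }
    this.deferred.push({ category, loader });
    return false;
  }
}

// Constructed page-load simulation: nothing non-essential runs before the decision.
function demo() {
  const loaded = [];
  const gate = new ConsentGate(() => "2026-06-04T10:00:00Z");
  gate.whenAllowed("necessary", () => loaded.push("session-cookie"));
  gate.whenAllowed("statistics", () => loaded.push("analytics-tag"));
  gate.whenAllowed("marketing", () => loaded.push("ad-pixel"));
  const beforeDecision = loaded.slice();
  gate.decide({ statistics: true, marketing: "on" }, { bannerVersion: "v3" });  // "on" is not consent
  const afterDecision = loaded.slice();
  gate.withdraw();
  return { beforeDecision, afterDecision, statisticsAfterWithdraw: gate.isAllowed("statistics") };
}
```

Withdrawal here only blocks future access; cookies or storage entries already written by a loaded tag must be deleted separately, and the stored record is what you would export when documenting consent.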

Looking ahead: is reform of the cookie regime coming?

Reforms are being discussed at European level. As part of the so-called Digital Omnibus, the following are among the ideas currently being considered:

  • browser-based or device-wide consent solutions;
  • standardized privacy signals;
  • privacy-friendly default settings.

The aim is to reduce the burden caused by constant individual requests while at the same time improving technical compliance.

Whether and when concrete changes will come remains to be seen. For the time being, the current German provision in Section 25 TDDDG continues to apply, and the requirements for cookie banners have not changed materially.

Conclusion

Cookie banners sit at the intersection of legal necessity and practical overload. The main problem is the gap between high sensitivity to data protection and low levels of informed decision-making, compounded by consent fatigue.

The key takeaway is this: valid consent is demanding and requires more than a formally compliant banner.

Companies should review their cookie implementation holistically, from a technical, legal, and design perspective. Those that are well positioned in this regard not only reduce the risk of fines but also strengthen user trust.
