Security & Regulation
GDPR and Cookie Compliance 2026: The Regulator Is Checking, and Fines Are No Longer Theory

A badly built cookie banner is not a cosmetic detail. In 2026 it is the first thing an inspector looks at, and the easiest to penalise. If your site drops a tracker before consent, or if the "reject" button is less visible than "accept", you are already non-compliant. No complaint is needed: the check can arrive at random.
In recent years the Italian Data Protection Authority (Garante per la protezione dei dati personali, GPDP), the independent authority that enforces data protection law in Italy, has stepped up checks on how Italian websites handle users' privacy and personal data, entrusting on-site inspections to the Guardia di Finanza's Special Privacy and Technological Fraud Unit. The result is a landscape in which "carelessness" on the privacy front, cookies above all, is increasingly paid for in fines, reputational damage and litigation.
Why GDPR Compliance Can No Longer Be Ignored
The GDPR has been in force since 2018, but many companies continue to neglect privacy obligations, treating them as a bureaucratic, low-priority exercise. Lately this attitude has proven increasingly risky, for several reasons.
Inspections are no longer occasional and rare: for some years now the GPDP and similar bodies across Europe have carried out specific checks on cookie usage within their periodic inspection plans on publicly accessible sites. Any company with an online presence can be subject to a check, at random or following a user report.
Fines vary widely with the severity of the violation. In the most recent period alone several significant measures have been recorded: Enel Energia was fined 563,000 euros for the improper use of managerial contacts for telemarketing purposes; MLU, the Netherlands-based company that operates the Yango ride-hailing app in Europe, was fined 100 million euros by the Dutch Data Protection Authority for transferring user and driver data to affiliated companies based in Russia without adequate safeguards; Autostrade per l'Italia S.p.A. was fined 420,000 euros for unlawful processing of personal data linked to employee monitoring.
Managing data today is far from simple, also because the regulatory framework has been enriched with new pieces alongside the GDPR: since 12 September 2025 the Data Act has been fully applicable, governing data accessibility and sharing with a governance-focused approach rather than privacy in the strict sense, while the AI Act and the so-called "Chat Control" remain open fronts.
The Consequences and Risks of Poor Compliance
Beyond fines, which under the GDPR can reach 20 million euros or 4% of worldwide annual turnover, whichever is higher, a non-compliant company exposes itself to several other risks:
Binding corrective measures, such as the obligation to modify banners, disclosures or consent-collection methods within tight deadlines, with the resulting cost of urgent intervention on systems.
Compensation claims from users: courts have recently clarified that compensation for a privacy violation is not automatic, since the user must prove real, concrete and documentable harm. That does not make claims harmless: each one has to be defended, and the legal management of the disputes alone carries a cost.
Reputational damage, often more costly than the fine itself, given that the regulator's measures are published and picked up by both specialist and general press.
What's New on Cookies in 2026
The regulatory basis for online privacy management remains firmly anchored to the Guidelines on cookies and other tracking tools published by the regulator in 2021. In recent years, however, the practical application of these rules has become decidedly stricter, enriched with precise clarifications that define a very high standard of compliance.
No Tracking Before Consent
The fundamental pillar of the discipline is that there can be no tracking before consent. On first access to a site, no cookie other than strictly technical ones (the session identifier, the record of the consent choice itself, load balancing) may be installed. The block must be preventive: the tracking script is not loaded at all until consent is given, rather than loaded and asked to hold back. This applies both to active tracking techniques (such as third-party cookies) and to passive ones (such as fingerprinting).
Banners Without Tricks
To collect that consent, sites must use banners free of tricks. The regulator has repeatedly reaffirmed the illegitimacy of so-called dark patterns, the design tricks used on sites and apps to deceive and manipulate the user, pushing them to make purchases or hand over personal data they would not want to share. Also prohibited are reject buttons less visible than accept buttons, as well as the use of colours or sizes designed to steer the user's choice. All banner controls must have equal visual prominence.
Clear Language, Not Just Formally Correct
Transparency is not a cosmetic detail but a genuine criterion of legal compliance. The most recent measures stress that the banner must adopt clear language and not merely formally correct wording. Vague or ambiguous descriptions, such as the generic label "experience cookies", are considered insufficient and punishable, even if the company acted in complete good faith.
No Cookie Walls
Another firm point concerns cookie walls, meaning the total blocking of a website that forces the user to accept tracking cookies in order to read the content, denying access if they refuse: this practice remains prohibited. Blocking access to the site for anyone who does not accept tracking is unlawful, unless the user is offered an equivalent alternative structured without profiling purposes.
Preferences Must Be Remembered
Once the user has expressed their choice, preferences must be respected and not requested repeatedly. The banner must not reappear on every visit: the user's decision must be stored for at least six months, unless substantial changes to the processing occur or it is technically impossible to remember the choice, as when the user manually deletes cookies from their browser.
Even Pixels in Emails
Finally, the regulator's oversight has gone beyond the classic website, with guidance on connected tools as well. Attention has extended to less visible but equally relevant tracking technologies, such as tracking pixels embedded in emails: tiny invisible images that, when the message is rendered, record that it was opened, when, from which IP address and mail client and, combined with rewritten links, what the user clicked, and report all of this to the sender or its advertising partners.
"But Weren't They Supposed to Abolish Cookie Banners?"
This point needs clearing up, because it is where the most confusion circulates. In November 2025 the European Commission proposed, as part of the Digital Omnibus package, to simplify consent management and reduce the proliferation of banners. Many headlines translated this into "goodbye cookie banners". The reality is more cautious.
At the moment it is only a proposal, not a law in force: until the regulation is formally adopted, the current framework, including the GDPR, continues to apply. What's more, the mechanism that would actually have eliminated banners, an automatic consent signal managed at browser level, was shelved in the text discussed by the Council in June 2026, following opposition from several member states including Germany and France.
And even in the most optimistic version of the reform, consent would remain mandatory for advertising, profiling and third-party tracking. The only thing that would change is an exemption for low-risk cookies, such as simple visit counting, which would no longer trigger the pop-up.
Translated for business owners: today, and for the foreseeable future, a site that uses third-party advertising or analytics tracking still needs a compliant banner and a working consent-management system. Anyone who stopped worrying about it, trusting the slogan "they're getting abolished anyway", is exposed right now under a rule that is fully in force.
The Impact of New Tracking Technologies
The progressive abandonment of third-party cookies by the major browsers has pushed many companies to adopt alternative solutions in order not to lose visibility over their advertising campaigns, and these solutions bring new compliance obligations.
Google Consent Mode v2 is the mechanism by which a site's tags tell Google whether the user has granted or denied consent, through four signals (ad_storage, analytics_storage, ad_user_data and ad_personalization). When consent is denied, Google fills the measurement gap with conversion modelling, a statistical estimate of campaign results built on the data of users who did consent. Since March 2024 Google has required it from advertisers who want to keep using audience and measurement features on users in the European Economic Area. One caveat matters for the "no tracking before consent" rule: in the so-called advanced implementation the Google tags load before consent and send cookieless pings, whereas in the basic implementation they are not loaded at all until consent is granted. Only the basic implementation sits comfortably with the preventive-block principle.
Server-side tracking moves data collection from the user's browser to a server controlled by the company, which can filter or enrich the data before forwarding it to third-party platforms. It does not change the legal analysis: the first-party cookie the server-side container sets to identify the visitor is still a tracker, the forwarding to the advertising platform is still a disclosure to a third party, and both still require consent managed in line with the regulator's guidelines. Moving the third-party calls out of the browser also hides them from browser-level blockers and from the user's own inspection, which is a reason for more care, not less.
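As an added example (not code from the page, from M's Works or from Google), the following plain JavaScript implements the consent logic the rules above describe: nothing non-technical runs before consent, the stored choice is honoured for about six months unless the processing changes, and the same record drives the Consent Mode v2 signals. The three categories, the 183-day window, the policy-version string and the script registry are assumptions; the four Consent Mode parameter names are Google's own.

```javascript
// Added example, not code from the page: a minimal consent store and script gate.
// Assumptions: three categories, a 183-day validity window, and a policy version
// string that the site bumps whenever the declared processing changes.

const CONSENT_TTL_MS = 183 * 24 * 60 * 60 * 1000; // about six months
const CATEGORIES = ["necessary", "analytics", "marketing"];

// The record that would be serialised into a first-party cookie or localStorage.
// "necessary" is always true: it cannot be refused and needs no consent.
function createConsent(choices, policyVersion, now = Date.now()) {
  const granted = {};
  for (const c of CATEGORIES) {
    granted[c] = c === "necessary" ? true : Boolean(choices[c]);
  }
  return { granted, policyVersion, timestamp: now };
}

// A stored choice is honoured only while it is younger than six months and was
// given against the current policy; otherwise the banner must be shown again.
function isConsentValid(record, currentPolicyVersion, now = Date.now()) {
  if (!record || typeof record.timestamp !== "number") return false;
  if (record.policyVersion !== currentPolicyVersion) return false;
  return now - record.timestamp < CONSENT_TTL_MS;
}

// Every tag on the site is classified. A tag with no category is treated as
// non-essential, so a forgotten classification can never leak a tracker early.
const SCRIPT_REGISTRY = [ // constructed sample
  { id: "session-manager", category: "necessary" },
  { id: "gtag", category: "analytics" },
  { id: "ads-pixel", category: "marketing" },
  { id: "chat-widget" }, // unclassified on purpose
];

// Returns the ids that may be injected into the page for this consent state.
// Preventive blocking means the <script> element is never created otherwise.
function allowedScripts(registry, record, currentPolicyVersion, now = Date.now()) {
  const valid = isConsentValid(record, currentPolicyVersion, now);
  return registry
    .filter((s) => s.category === "necessary" || (valid && record.granted[s.category] === true))
    .map((s) => s.id);
}

// Google Consent Mode v2 parameters derived from the same record. With no valid
// consent every signal is "denied", which is the state gtag('consent','default',...)
// must be given before any Google tag loads (basic implementation: no tag at all).
function consentModeState(record, currentPolicyVersion, now = Date.now()) {
  const valid = isConsentValid(record, currentPolicyVersion, now);
  const signal = (cat) => (valid && record.granted[cat] ? "granted" : "denied");
  return {
    analytics_storage: signal("analytics"),
    ad_storage: signal("marketing"),
    ad_user_data: signal("marketing"),
    ad_personalization: signal("marketing"),
  };
}
```

In the page itself the flow is: read the stored record, call `gtag('consent', 'default', consentModeState(record, POLICY_VERSION))` in the head before any tag, inject only `allowedScripts(...)`, and when the user makes a choice store `createConsent(...)`, call `gtag('consent', 'update', ...)` with the new state and inject the newly allowed scripts. Bumping the policy version is how "substantial changes to the processing" force the banner back, without touching every stored cookie.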
How to Get (and Stay) Compliant
Bringing cookie and privacy management back in line with the rules is neither impossible nor particularly difficult: it just takes periodic measures and a minimum of constant attention.
Carrying out a periodic audit of your site, checking which cookies and trackers are actually installed before and after consent, is the first step to spotting discrepancies against what is declared in the cookie policy.
Reviewing the banner's text and design, with specific attention to the clarity of cookie category labels and the visual parity of accept and reject buttons, reduces the risk of challenges related to dark patterns.
Checking how long user preferences are stored and making sure the banner does not reappear redundantly is a technical control often underestimated, yet easily verifiable during an inspection.
Keeping accountability documentation up to date, including impact assessments where required, and involving the Data Protection Officer in decisions concerning new tracking technologies, helps demonstrate a proactive attitude that, as confirmed in some recent measures, can lead the regulator to opt for a warning rather than a financial penalty.
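The audit step above, checking what is actually installed before and after consent against what the cookie policy declares, can be scripted. The block below is an added example (not code from the page or from M's Works): the declared inventory, the host-to-category map, the first-party host and the three captures are constructed samples standing in for a DevTools or HAR export of the site taken in each consent state.

```javascript
// Added example, not code from the page: compares what the browser actually set
// and contacted with what the cookie policy declares, for several consent states.

// Inventory as published in the cookie policy (constructed sample).
const DECLARED_COOKIES = [
  { name: "PHPSESSID", category: "necessary" },
  { name: "cookie_consent", category: "necessary" },
  { name: "_ga", category: "analytics" },
  { name: "_gcl_au", category: "marketing" },
];

// Third-party hosts the policy accounts for, mapped to their category (assumption).
const KNOWN_THIRD_PARTIES = {
  "www.google-analytics.com": "analytics",
  "googleads.g.doubleclick.net": "marketing",
};
const FIRST_PARTY_HOSTS = new Set(["www.example.com"]); // assumption

// One capture: cookies present and hosts contacted after a page load in a given
// consent state. `granted` mirrors the banner choice; nothing is granted before it.
function auditCapture(capture) {
  const { label, granted, cookies, hosts } = capture;
  const findings = [];
  for (const name of cookies) {
    const declared = DECLARED_COOKIES.find((c) => c.name === name);
    if (!declared) {
      findings.push({ label, kind: "undeclared-cookie", item: name });
    } else if (declared.category !== "necessary" && !granted[declared.category]) {
      findings.push({ label, kind: "cookie-without-consent", item: name, category: declared.category });
    }
  }
  for (const host of hosts) {
    if (FIRST_PARTY_HOSTS.has(host)) continue;
    const category = KNOWN_THIRD_PARTIES[host];
    if (!category) {
      findings.push({ label, kind: "unclassified-third-party", item: host });
    } else if (!granted[category]) {
      findings.push({ label, kind: "request-without-consent", item: host, category });
    }
  }
  return findings;
}

const NONE = { analytics: false, marketing: false };

// Constructed captures of a site that leaks on first load and ignores "reject all".
const CAPTURES = [
  { label: "first visit, banner open", granted: NONE,
    cookies: ["PHPSESSID", "_ga", "_gcl_au"],
    hosts: ["www.example.com", "www.google-analytics.com", "cdn.heatmap-vendor.example"] },
  { label: "after reject all", granted: NONE,
    cookies: ["PHPSESSID", "cookie_consent", "_gcl_au"],
    hosts: ["www.example.com", "googleads.g.doubleclick.net"] },
  { label: "after analytics only", granted: { analytics: true, marketing: false },
    cookies: ["PHPSESSID", "cookie_consent", "_ga"],
    hosts: ["www.example.com", "www.google-analytics.com"] },
];

// Every finding is something an inspector would also see; the goal is zero.
function runAudit(captures = CAPTURES) {
  return captures.flatMap((c) => auditCapture(c));
}

// Drift in the other direction: a declared cookie never observed in any capture
// usually means the policy text is stale.
function declaredButNeverSeen(captures = CAPTURES) {
  const seen = new Set(captures.flatMap((c) => c.cookies));
  return DECLARED_COOKIES.filter((c) => !seen.has(c.name)).map((c) => c.name);
}
```

Run this against real captures taken in a fresh browser profile (first visit, after "reject all", after each partial choice, and again after the stored choice should have expired) and keep the output with the accountability documentation: a dated audit showing zero findings is exactly the evidence that turns a potential fine into a warning.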
Not Just a Legal Obligation, a Business Safeguard
Checks on cookies and GDPR compliance are no longer a remote possibility, but a structured, recurring inspection activity covering all websites active online. Companies that do not invest in proper consent management and data protection expose themselves to significant financial penalties, corrective measures, disputes with users and reputational damage often harder to repair than the fine itself.
Periodically updating banners, disclosures and internal processes is no longer just a legal obligation, but a form of business protection. And here is the real point: compliance is not applied at the end of a project, it is built into the site's architecture. A site born with privacy by design, with preventive blocking of trackers and clean consent management, reaches an inspection without surprises. A site assembled on a template full of plugins, with a randomly downloaded banner, is an exposure just waiting to be found.
Would Your Site Survive a Regulator's Inspection?
Non-compliant banners, trackers firing before consent, unintentional dark patterns: these are the three reasons most Italian sites would not pass a check. At M's Works we build sites that are compliant by design, with preventive tracker blocking, clean consent management and data security built into the architecture, not stuck on afterwards.