What changed in 2025?
Cookie consent enforcement has accelerated. The French CNIL, German DSK, and Dutch AP have all issued record fines for consent violations in the past 12 months. The key areas regulators are focusing on:
1. Pre-ticked checkboxes are illegal
This has been the rule since 2018, but enforcement has sharpened. Any pre-selected "Accept" state โ including implied consent from banner dismissal โ is non-compliant.
2. Reject All must be as easy as Accept All
The Court of Justice of the EU (CJEU) confirmed in Case C-673/17 that a Reject All button must be as prominently displayed as Accept All. You cannot bury it behind a "Manage preferences" click.
3. Consent must be purpose-specific
Generic "I agree to cookies" checkboxes no longer pass. Each purpose (analytics, advertising, personalisation) must be individually selectable.
4. Legitimate interest is not a free pass
Many CMPs used "legitimate interest" to fire marketing trackers without consent. Post-2024 enforcement makes clear that LI cannot be used for advertising in most cases.
What you need to do
1. **Audit your current banner** โ does it have a visible Reject All? Are purposes separated?
2. **Review your vendor list** โ are any vendors firing on LI for advertising?
3. **Check your evidence layer** โ can you demonstrate consent per user if asked?
4. **Test with ConsentForge's scanner** โ our weekly crawl will flag undeclared trackers.
Conclusion
The era of "compliance theater" โ banners that look compliant but aren't โ is over. Supervisory authorities now have the budget and the tools to investigate systematically. Getting compliant isn't just a legal duty; it's a competitive advantage as cookieless tracking matures.