The General Data Protection Regulation turned seven years old in 2025, and regulators across Europe have made it clear that the grace period is over. Enforcement actions are no longer limited to the largest tech companies: SMEs, SaaS platforms, and e-commerce sites are increasingly finding themselves in the crosshairs of Data Protection Authorities (DPAs).
Key Enforcement Trends
In 2024 and early 2025, several patterns emerged in how DPAs are prioritising their investigations:
- Consent as a legal basis. Regulators are scrutinising whether consent was truly freely given, specific, informed, and unambiguous. Pre-ticked boxes, bundled consent, and "consent walls" (forcing users to consent to access content) have all been targeted.
- Cookie banners under the microscope. The French CNIL and Belgian APD in particular have issued substantial fines for banners that made it harder to reject cookies than to accept them, e.g. "Accept All" in one click but "Reject All" buried three screens deep.
- Third-party data transfers. Using US-based analytics tools (Google Analytics, Meta Pixel) without a valid transfer mechanism continues to attract enforcement across multiple EU member states.
Notable Fines in 2024–2025
While the headline Meta and Google fines of previous years still stand as records, mid-tier enforcement has accelerated:
- Several European retailers fined €50K–€200K for dark patterns in consent UIs
- A major European airline fined for using analytics without consent after the user rejected marketing cookies
- SaaS companies operating in B2B contexts warned that end-user consent requirements apply regardless of their customer type
What Your Consent Flow Must Do in 2025
Based on updated guidance from the EDPB (European Data Protection Board), your cookie consent implementation must:
- Present Accept and Reject options with equal prominence
- Not use pre-ticked boxes for any non-necessary category
- Allow granular category-level choices (not just all-or-nothing)
- Record and store the consent decision with a timestamp and version
- Allow users to withdraw consent as easily as they gave it
- Re-present the banner if the consent version changes significantly
What to Do Right Now
If you haven't reviewed your cookie banner recently, now is the time. Check that:
- Your "Reject All" option is as prominent as "Accept All"
- Category toggles are genuinely off by default for non-necessary cookies
- You're logging consent IDs with timestamps for audit purposes
- Your consent version is bumped whenever your cookie use changes materially
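
The consent-state rules from the two checklists above (categories off by default, a versioned and timestamped record, re-prompting on a version change, one-step withdrawal), as an added JavaScript example. It is not CookieConsent's code; the category names, the `POLICY_VERSION` value, the sequential record ids and all function names are assumptions made for illustration.

```javascript
"use strict";
// Added example: consent state logic only, independent of any banner UI or vendor.
const POLICY_VERSION = 3; // constructed value; bump when cookie use changes materially
const CATEGORIES = ["necessary", "analytics", "marketing"]; // assumed category names

// Defaults: only strictly necessary cookies are on, nothing else is pre-ticked.
function defaultChoices() {
  return Object.fromEntries(CATEGORIES.map((c) => [c, c === "necessary"]));
}

// Build an auditable record and append it to the log.
// Only an explicit boolean true enables a category; anything else stays off.
function recordConsent(choices, auditLog, now = new Date()) {
  const clean = defaultChoices();
  for (const c of CATEGORIES) {
    if (c !== "necessary") clean[c] = choices[c] === true;
  }
  const record = Object.freeze({
    id: `consent-${auditLog.length + 1}`, // placeholder id scheme (assumption)
    version: POLICY_VERSION,
    timestamp: now.toISOString(),
    choices: Object.freeze(clean),
  });
  auditLog.push(record); // append-only: a withdrawal is a new record, old ones stay
  return record;
}

// The banner is shown when no decision exists or it was given for another version.
function needsPrompt(record, currentVersion = POLICY_VERSION) {
  return !record || record.version !== currentVersion;
}

// Gate to call before loading any tag: missing or stale consent means "no".
function mayLoad(category, record, currentVersion = POLICY_VERSION) {
  if (category === "necessary") return true;
  if (needsPrompt(record, currentVersion)) return false;
  return record.choices[category] === true;
}

// Withdrawal is a single call, the same effort as accepting.
function withdrawAll(auditLog, now = new Date()) {
  return recordConsent({}, auditLog, now);
}
```

Calling `mayLoad` before every analytics or marketing tag is what prevents the failure described for the airline above, where analytics kept running after the user had rejected cookies.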
CookieConsent handles all of this automatically: version-based re-consent, per-category toggles, and full audit logs are built into every plan.