
GDPR Audit: what to check in 2026, from cookie consent to the EU AI Act

In 2026, the question has shifted from “do you have a cookie banner?” to “does your banner actually block tracking until consent, without dark patterns, and can you prove it?”. A 2026 technical checklist, from Consent Mode v2 to the new AI layer (EU AI Act).

Dan Cristian Alexandrescu · 9 min read

Note

This is informational material, not legal advice. Websem is not a law firm. For compliance with legal weight, work with a specialized lawyer / DPO. Our audit covers the technical and marketing side (tracking, consent, configuration), not legal opinions.

A GDPR audit checks whether the way your site collects, stores and processes personal data — especially through cookies, tracking and marketing tools — complies with the regulation: valid consent before collection, transparency, genuine user control and documentation.

In 2026, the central question has shifted from “do you have a cookie banner?” to “does your banner actually block tracking until consent, without dark patterns, and can you prove it?”.

TL;DR · what to remember
  • €1.2bn in GDPR fines in 2024 alone (€5.88bn cumulative). Cap: €20M or 4% of global turnover, whichever is higher.
  • A banner ≠ compliance. What matters is prior blocking, granularity, a "Reject" as easy as "Accept", and the proof (a consent log).
  • Consent Mode v2 has been required by Google for EEA traffic since March 2024: without it you lose Google Ads/GA4 features and data for EEA users. It is a Google policy requirement, not a substitute for actually blocking the tags.
  • New in 2026: the main EU AI Act obligations apply from 2 August 2026. If automated decisions or AI personalization touch users, that data layer has to be documented and explainable.
  • Compliance done right keeps more data, not less: Consent Mode v2 + server-side tagging + modeling.

Why it matters now (even more than in 2018)

Enforcement is aggressive: €1.2 billion in fines in 2024 alone, over €5.88 billion cumulatively since GDPR took effect. Violations of the conditions for consent fall in GDPR's upper fine tier, up to €20 million or 4% of global turnover, whichever is higher; the cookie banner itself is also an ePrivacy matter enforced under national law, so a bad banner can be fined on two bases. On top of that, 2026 adds two layers: Consent Mode v2 (required by Google for EEA traffic since March 2024) and the EU AI Act, whose main obligations apply from 2 August 2026 and which, depending on the risk class of the system, adds transparency and explanation duties for automated decisions that affect users on top of GDPR's existing Article 22 rules.

In Romania, the supervisory authority is ANSPDCP (the National Supervisory Authority for Personal Data Processing), which has issued local fines consistently.

— 2026 Checklist

What a GDPR audit checks

  • 01. Valid consent (cookie banner)

    Tracking (analytics, ads, pixels) is blocked until consent (prior blocking), not fired on page load; consent is granular (separate choices for analytics and marketing); "Reject" is as easy as "Accept", with no dark patterns; consent is renewed periodically and can be withdrawn at any time, as easily as it was given.

  • 02. Consent Mode v2 (Google)

    Required by Google for EEA traffic since March 2024 (a Google policy driven by the DMA, not a GDPR article). It passes granular signals to Google tags: analytics_storage and ad_storage, plus the two signals v2 added, ad_user_data and ad_personalization. We verify that the defaults are set to "denied" before any tag loads and that the update reflects the banner's actual choices. The signal reports consent, it does not create it: a site that loads pixels before consent is still non-compliant with Consent Mode present, and a site without it loses Google Ads/GA4 personalization features and data for EEA users.

  • 03. Consent logging

    Proof of who consented (a pseudonymous consent ID), when, to what (which categories), and which version of the banner text and policy they saw. Without a log, you can't demonstrate compliance when a complaint comes in.

  • 04. Data and tooling inventory (RoPA)

    Records of Processing Activities: what data you collect, through which tools (GA4, Meta Pixel, GTM, CRM, chat), on what legal basis, how long you keep it, who you share it with. The list should match what the audit actually sees on the wire.

  • 05. Policies and legal bases

    Privacy and cookie policies that are up to date, accurate and easy to find; a clear legal basis for each processing activity; processor contracts (DPA) and transfer safeguards (SCCs, or a DPF certification for US vendors) for non-EU tools.

  • 06. The AI layer (EU AI Act, obligations from 2 August 2026)

    If you use personalization, dynamic pricing, AI targeting or automated decisions that affect the user, the tracking layer has to be documentable and auditable, with explainability. What the AI Act itself requires depends on the risk class of the system; for ordinary personalization the binding rules are mostly GDPR's own (Article 22 on solely automated decisions, transparency, and a DPIA for systematic profiling). More and more 2026 audits include a legitimate interests assessment (LIA) for AI processing.
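What items 01 to 03 look like when they are actually wired up, as an added example that is not code from the original page and not Google's own library: Consent Mode v2 defaults sent as "denied" before any tag loads, a granular update from the banner's choice, a consent-log entry, and a gate that every tag has to pass. `dataLayer` and `gtag` are stubbed so the snippet runs offline; the tag-to-signal mapping and the banner version string are assumptions for illustration.

```javascript
// Added example (not from the original page and not Google's code): a minimal
// Consent Mode v2 flow in which every tag is gated on the granular signals.
// window.dataLayer / gtag are stubbed so it runs offline; the tag-to-signal
// mapping and the banner version string are assumptions for illustration.

const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// The four consent signals Consent Mode v2 uses for EEA traffic.
const CONSENT_KEYS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];

// Step 1: defaults go out as "denied" BEFORE any tag is loaded (prior blocking).
// wait_for_update gives the CMP a short window to push a stored choice.
function setDefaultConsent() {
  const defaults = Object.fromEntries(CONSENT_KEYS.map(k => [k, 'denied']));
  gtag('consent', 'default', { ...defaults, wait_for_update: 500 });
  return defaults;
}

// Effective consent state, replayed from the dataLayer so an auditor can
// reconstruct it from the page rather than trusting the banner's UI.
function currentConsent() {
  const state = {};
  for (const args of dataLayer) {
    if (args[0] !== 'consent' || typeof args[2] !== 'object') continue;
    for (const k of CONSENT_KEYS) if (k in args[2]) state[k] = args[2][k];
  }
  return state;
}

// Step 2: the banner's granular choice. Analytics and marketing are separate
// decisions, and withdrawal is just another call with both set to false.
function applyUserChoice(choice, consentLog, subjectId, now = Date.now()) {
  const marketing = choice.marketing ? 'granted' : 'denied';
  const update = {
    analytics_storage: choice.analytics ? 'granted' : 'denied',
    ad_storage: marketing,
    ad_user_data: marketing,
    ad_personalization: marketing,
  };
  gtag('consent', 'update', update);
  // Consent log entry: who (pseudonymous id), when, to what, and which banner
  // text they saw. This is the proof you produce when a complaint arrives.
  consentLog.push({
    subjectId,
    timestamp: new Date(now).toISOString(),
    bannerVersion: 'banner-2026-01', // assumed: version of the banner/policy text shown
    choice: { analytics: !!choice.analytics, marketing: !!choice.marketing },
  });
  return update;
}

// Step 3: each tag names the signal it depends on and fires only when that
// signal is 'granted'. Google tags honour the signal themselves; non-Google
// tags (Meta Pixel etc.) must be gated by the site's own code like this.
const TAG_REQUIREMENTS = { ga4: 'analytics_storage', google_ads: 'ad_storage', meta_pixel: 'ad_storage' };

function mayFire(tag, consent = currentConsent()) {
  const key = TAG_REQUIREMENTS[tag];
  return key !== undefined && consent[key] === 'granted';
}

// Walk-through: page load, then a user who accepts analytics but rejects marketing.
function demo() {
  const consentLog = [];
  setDefaultConsent();
  const beforeConsent = mayFire('ga4') || mayFire('google_ads') || mayFire('meta_pixel');
  applyUserChoice({ analytics: true, marketing: false }, consentLog, 'anon-7f3a');
  return { beforeConsent, ga4: mayFire('ga4'), meta: mayFire('meta_pixel'), logEntries: consentLog.length };
}
```

The point of `currentConsent()` replaying the dataLayer is that an auditor can paste it into the console of a live page and see the state the tags actually received, independent of what the banner claims. Unknown tags return `false` from `mayFire`, so a tag nobody mapped to a category is blocked rather than silently allowed.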

How it’s done (methodology)

The technical audit follows the user's real journey. Load the site in a fresh browser profile (no cookies, no stored consent) with the DevTools Network panel recording from before navigation → check what fires before any click on the banner (no tracking beacon should go out and no tracking cookie should be set; loading the tag-manager container itself is not the problem, the collect/pixel requests are) → test granular "Reject" and "Accept" separately and confirm each category fires only after its own consent → inspect the console/network to see which requests go out, to which domains, and with which consent parameters → verify Consent Mode v2 (defaults set to "denied" before tags load, updates matching the banner's choices) → cross-check the tools seen on the wire against the RoPA and the cookie policy. Then: a report with risks classified (critical / major / minor) and prioritized remediation.
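The "what fires before the click" step, turned into a check you can run over an exported request log, as an added example that is not part of the original page. The capture is constructed, not real traffic; the tracker patterns are a small illustrative set (a real audit maintains a longer list), and the reading of the `gcs` parameter positions is an assumption to re-verify against current Google documentation before relying on it.

```javascript
// Added example (not from the original page): classify a captured request log
// and flag tracker traffic that went out before the user touched the banner.
// The capture below is constructed, not real traffic; the tracker patterns are
// a small illustrative set, and the gcs position mapping is an assumption to
// re-check against current Google documentation before relying on it.

const TRACKERS = [
  { name: 'GA4 collect', host: /(^|\.)(google-analytics\.com|analytics\.google\.com)$/, path: /\/g\/collect$/ },
  { name: 'Google Ads', host: /(^|\.)(doubleclick\.net|googleadservices\.com)$/, path: /./ },
  { name: 'Meta Pixel', host: /(^|\.)facebook\.com$/, path: /^\/tr\/?$/ },
];

// Returns the tracker name for a request URL, or null if it is not one we track.
function classify(urlString) {
  const u = new URL(urlString);
  const hit = TRACKERS.find(t => t.host.test(u.hostname) && t.path.test(u.pathname));
  return hit ? hit.name : null;
}

// Consent Mode puts the state into Google requests as gcs=G1xy, x = ad_storage
// and y = analytics_storage, '1' granted / '0' denied (assumed mapping, see
// lead-in). A missing gcs means the tag fired with no Consent Mode signal at all.
function consentSignal(urlString) {
  const gcs = new URL(urlString).searchParams.get('gcs');
  if (!gcs || !/^G1[01][01]$/.test(gcs)) return null;
  return { ad_storage: gcs[2] === '1', analytics_storage: gcs[3] === '1' };
}

// requests: [{ t: ms since navigation start, url, hasCookies: bool }]
// consentAt: ms at which the user clicked Accept/Reject (Infinity = never clicked).
function auditRequests(requests, consentAt) {
  const findings = [];
  for (const r of requests) {
    const tracker = classify(r.url);
    if (!tracker || r.t >= consentAt) continue; // only pre-consent tracker traffic matters here
    const sig = consentSignal(r.url);
    const allDenied = sig !== null && !sig.ad_storage && !sig.analytics_storage;
    if (allDenied && !r.hasCookies) {
      // Consent Mode "advanced" cookieless ping: Google's design, but whether it is
      // acceptable on your site is a question for the DPO, so it is a review item.
      findings.push({ severity: 'review', tracker, t: r.t, reason: 'cookieless ping, all signals denied' });
    } else {
      findings.push({
        severity: 'critical', tracker, t: r.t,
        reason: sig ? 'granted signal or cookies before consent' : 'fired before consent with no consent signal',
      });
    }
  }
  return findings;
}

// Constructed capture of the first seconds of a page load; banner clicked at t=4000.
const SAMPLE_REQUESTS = [
  { t: 120,  url: 'https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXX', hasCookies: false },
  { t: 800,  url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXX&gcs=G100&en=page_view', hasCookies: false },
  { t: 950,  url: 'https://www.facebook.com/tr?id=1234567890&ev=PageView', hasCookies: true },
  { t: 1200, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXX&gcs=G111&en=page_view', hasCookies: true },
  { t: 4500, url: 'https://www.google-analytics.com/g/collect?v=2&tid=G-XXXXXX&gcs=G111&en=page_view', hasCookies: true },
];

function runSampleAudit() {
  return auditRequests(SAMPLE_REQUESTS, 4000);
}
```

On the sample, the container load at t=120 is ignored, the Meta Pixel at t=950 and the GA4 hit at t=1200 (cookies set, signals "granted" before anyone clicked) come out as critical, and the G100 cookieless ping at t=800 is reported for review rather than silently accepted. Feeding it a HAR export instead of the constructed array is a matter of mapping `startedDateTime` and the `Cookie` header onto `t` and `hasCookies`.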

Common findings (and the riskiest ones)

Tracking that fires before consent (the most common and most heavily fined); a banner with a prominent "Accept" and a hidden "Reject" (a dark pattern); Consent Mode v2 missing or badly configured (you lose both data and Google's features); GTM tags with no consent checks configured, so the container fires them regardless of the signal; copy-pasted, outdated privacy policies that do not list the tools actually on the site; non-EU tools without SCCs or a DPF certification; the lack of a RoPA and of consent logging.

The real tension: compliance vs. data

Many people think GDPR "kills" marketing data. The technical truth: a correct setup (Consent Mode v2 + server-side tagging + well-designed granular consent) keeps more useful data than a badly built banner that blocks everything, and far more than an illegal one that exposes you to fines. Compliance done right is both legal protection and data recovery: Google's modeling fills the gaps left by refused consent, with the caveat that modeling relies on Consent Mode's cookieless pings, which your DPO should sign off on. That's what we check.

What you get (deliverable)

A report with risks classified by severity (critical/major/minor) and references, a prioritized remediation checklist, verification of Consent Mode v2 and the consent flow, plus recommendations for the AI layer (AI Act). For the strictly legal part (policies, legal bases, DPA), we recommend validation with a lawyer/DPO.

— FAQ

Frequently asked questions

  • I have a cookie banner. Am I compliant?

    Not automatically. What matters is whether it blocks tracking before consent, whether “Reject” is as easy as “Accept”, whether it’s granular and whether you have the proof (a log). A cosmetic banner that lets the pixels fire from the start is exactly what gets fined.

  • What is Consent Mode v2 and why does it matter?

    It's Google's mechanism (required for EEA traffic since March 2024) that passes the user's consent state to Google tags as granular signals: ad_storage, analytics_storage and, new in v2, ad_user_data and ad_personalization. Without it, Google Ads and GA4 lose personalization and measurement features for EEA users and you lose data. With it, but without real prior blocking, you are still not compliant: the signal reports consent, it does not create it.

  • What changes with the EU AI Act in 2026?

    The AI Act's main obligations apply from 2 August 2026, with duties scaled to the risk class of the system. If you use AI personalization, dynamic pricing or targeting, you should be able to document which data feeds those decisions and explain them to a user or a supervisory authority; for solely automated decisions with significant effects, GDPR Article 22 already applies today.

  • Do you handle the legal side too?

    We cover the technical and marketing side (tracking, consent, configuration, documentation). For opinions and documents with legal weight, we work with / point you to a lawyer or DPO.

Your next step

Want a technical GDPR audit of your site and tracking?

We check the consent flow, Consent Mode v2 and which requests go out before “Accept” — with classified risks and prioritized remediation. The technical side, not the legal one.