GDPR and CCPA: The Evolution of Cookie Policies in 2026

Web & Marketing, written by Orion

A Parisian e-commerce site sells to the United States. A Californian publisher distributes in Europe. A Canadian advertiser targets multiple continents. What do they have in common? All must navigate a fragmented regulatory landscape where the European GDPR requires explicit consent, while the Californian CCPA – now replaced by the CPRA – favors the right to refuse. This duality turns cookie management into a real strategic headache for international businesses.

Since the GDPR came into force in May 2018, the regulatory framework has continuously evolved. Data protection authorities are refining their interpretations, tech giants are adapting their tools – Google Consent Mode V2 in March 2024 is a prime example – and penalties are becoming more deterrent. At the same time, American privacy laws are multiplying, each with its own logic.

For marketing managers, developers, and legal directors, understanding these divergences and their technical implications has become essential. This article deciphers recent regulatory updates and their concrete impact on cross-border consent management.

GDPR: A strengthened and scrutinized European framework

The General Data Protection Regulation (GDPR) has imposed a strict opt-in consent model since 2018: no non-essential cookies can be activated without explicit user action. Pre-checked boxes are prohibited, and refusal must be as simple as acceptance. For more details on GDPR requirements for cookies, consult Consentmanager.

National authorities – CNIL in France, ICO in the UK, Garante in Italy – are stepping up inspections and guidance. The CNIL clarified its recommendations on consent banners in 2020 and 2021, requiring that the "refuse" button be as visible and accessible as the "accept" button.

Penalties: Fines that make an impression

Penalties under the GDPR can reach up to 20 million euros or 4% of the annual global turnover (whichever is higher). This dual scale ensures that even tech giants are not immune. Several companies have received major fines for breaches related to cookies or personal data processing.

The most sanctioned infringements concern:

  • Absence of valid consent before placing cookies
  • Difficulty in withdrawing consent
  • Lack of transparency on the purposes and recipients of data

These sanctions have pushed companies to invest heavily in compliant Consent Management Platforms (CMP), capable of documenting each consent and ensuring its traceability.

Regulation   Consent model        Geographic scope
GDPR         Explicit opt-in      European Union
CCPA/CPRA    Opt-out by default   California, United States

CCPA and CPRA: The Californian opt-out approach

More than 9,000 kilometers from Brussels, California adopted the California Consumer Privacy Act (CCPA) in 2018, which came into force in January 2020. Unlike the GDPR, the CCPA is based on an opt-out model: companies can collect data and activate trackers by default, but must offer users a clear way to refuse this collection.

In 2023, the California Privacy Rights Act (CPRA) took over, strengthening certain rights – notably the creation of a dedicated authority (California Privacy Protection Agency) and the introduction of categories of sensitive data benefiting from increased protections. Google's updates on data privacy for the United States reflect this, as explained by Uniconsent.

Major divergences with the GDPR

While both regulations share common objectives – transparency, individual rights, corporate accountability – their mechanisms differ profoundly:

  • Default consent: opt-in (GDPR) vs opt-out (CCPA/CPRA)
  • Scope: any organization processing data of European residents (GDPR) vs companies exceeding certain revenue or data thresholds (CCPA/CPRA)
  • Sanctions: administrative fines (GDPR) vs possible private lawsuits (CCPA/CPRA)

For an international company, this dual requirement necessitates deploying consent interfaces adapted to the user's geolocation, with distinct technical and legal logics.

“Companies must be aware of pending legislation and ready to adapt quickly to the changing data privacy landscape.” – Dannie Combs, Chief Information Security Officer, DFIN Solutions

Google Consent Mode V2: A technical response to European requirements

Facing European regulatory pressure, Google launched version 2 of its Consent Mode in March 2024. This technical evolution allows sites using Google Analytics, Google Ads, or other services in the Google ecosystem to better comply with GDPR requirements while retaining some analytical capability.

Operation and benefits

Google Consent Mode V2 introduces two additional consent parameters:

  • ad_user_data: controls the sending of user data to Google for advertising
  • ad_personalization: allows or disallows ad personalization

When the user refuses advertising cookies, Google switches to "degraded" mode: conversions are modeled via algorithms without individually identifying the user. This approach preserves some marketing insights while respecting explicit refusal.

For advertisers, this means less loss of conversion data and better attribution, while maintaining compliance. However, modeling remains an estimate, and some marketers point to lower accuracy compared to direct data.

Modern CMPs: Orchestrating multi-jurisdictional compliance

Consent Management Platforms have evolved to become true compliance hubs. A high-performing CMP no longer just displays a banner: it must manage several legal regimes simultaneously, adapt the interface according to location, document each consent, and integrate with major marketing and analytical tools.

Selection criteria for an international CMP

Companies operating across multiple continents must ensure their CMP meets specific technical and legal requirements:

  • Support for TCF 2.3 (Transparency & Consent Framework of the IAB) for programmatic advertising
  • Automatic geolocation to display the GDPR banner in Europe, CCPA in California, etc.
  • Granularity of consents: ability to consent or refuse by purpose (analytics, advertising, social networks)
  • Full traceability: retention of proof of consent with timestamp, policy version, expressed choices
  • Native integration with Google Consent Mode V2, Facebook Pixel, Matomo, etc.
  • Multilingual and customizable interface to respect brand identity
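
An added example, not part of the original article or of any CMP vendor's code: it shows how the jurisdiction's consent model, per-purpose choices, the Consent Mode signals and a proof-of-consent record fit together. The region codes, purpose names, record fields and the choice to treat unmapped regions as opt-in are assumptions of this example.

```javascript
// Added example: regime table, purpose names and record fields are assumptions.
const MODEL = { gdpr: 'opt-in', cpra: 'opt-out' };
// Purpose -> Consent Mode signals it controls ("social" maps to no Google signal).
const SIGNALS = {
  analytics: ['analytics_storage'],
  advertising: ['ad_storage', 'ad_user_data', 'ad_personalization'],
  social: [],
};

// The region code would come from the CMP's geolocation step (not implemented here).
function regimeFor(region) {
  if (region === 'US-CA') return 'cpra';
  // Choice made for this example: EU and unmapped regions both get the opt-in model.
  return 'gdpr';
}

// An explicit choice wins; otherwise the regime's default applies.
function resolveChoices(regime, choices = {}) {
  const grantedByDefault = MODEL[regime] === 'opt-out';
  const resolved = {};
  for (const purpose of Object.keys(SIGNALS)) {
    const c = choices[purpose];
    resolved[purpose] = typeof c === 'boolean' ? c : grantedByDefault;
  }
  return resolved;
}

// Build the object handed to gtag('consent', 'default' | 'update', ...).
function consentSignals(regime, choices) {
  const resolved = resolveChoices(regime, choices);
  const out = {};
  for (const [purpose, keys] of Object.entries(SIGNALS)) {
    for (const key of keys) out[key] = resolved[purpose] ? 'granted' : 'denied';
  }
  return out;
}

// Proof-of-consent record: timestamp, policy version, expressed choices.
function consentRecord(region, choices = {}, policyVersion, now = new Date()) {
  const regime = regimeFor(region);
  return {
    timestamp: now.toISOString(),
    policyVersion, region, regime, model: MODEL[regime],
    explicit: Object.keys(choices).length > 0, // false = defaults only, no user action
    choices: resolveChoices(regime, choices),
    signals: consentSignals(regime, choices),
  };
}

// Constructed sample: a French visitor who accepts analytics only.
console.log(JSON.stringify(consentRecord('FR', { analytics: true }, '2026-01'), null, 2));
```
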

Several platforms stand out in the market, each with its specificities: some prioritize ease of integration, others functional richness or IAB certification.


Cross-border transfers: The challenge of data outside the EU

Beyond consent collection, international companies must also secure transfers of personal data outside the European Union. The GDPR strictly regulates these transfers, and the successive invalidation of the Privacy Shield agreements (2020) and uncertainties surrounding standard contractual clauses have complicated the situation.

Available compliance mechanisms

To legally transfer data to the United States or other third countries, companies can rely on:

  • Standard Contractual Clauses (SCCs): standardized contracts approved by the European Commission
  • Binding Corporate Rules (BCRs): for multinational groups structuring their internal flows
  • The new EU-US Data Privacy Framework (2023): successor to the Privacy Shield, offering a strengthened framework for transfers to certified US companies

CMPs must therefore not only manage initial consent but also document the legal guarantees surrounding each data flow. This involves precise mapping of third-party tools (pixels, tags, widgets) and their geographical location.

To better understand how to optimize data collection and analysis while respecting these constraints, discover how GA4 leverages event data for personalization, a crucial issue in a fragmented consent context.

Operational strategies for effective compliance

Faced with this complexity, companies deploy different strategies depending on their maturity, resources, and risk appetite.

Minimalist approach: less is more

Some organizations drastically reduce the number of cookies and trackers deployed, retaining only essential tools. This strategy limits regulatory exposure and simplifies consent management. It is particularly suitable for editorial or institutional sites where advertising monetization is not central.

Market-differentiated approach

Other companies adapt their technology stack according to geography: a European user will see a strict GDPR banner with mandatory opt-in, while an American visitor outside California will benefit from a smoother experience. This segmentation requires robust technical infrastructure (CDN, IP geolocation, advanced CMP) but optimizes user experience and marketing performance.

Centralized and documented approach

Large groups often favor centralized data governance: a steering committee defines the rules, a legal team validates the tools, and each implementation is documented in a processing register. This approach ensures homogeneous compliance but requires significant resources.

GA4 regulations also require adapting data retention and analysis in 2025, reinforcing the need for a consistent strategy.

The future of regulation: Towards harmonization or increased fragmentation?

The regulatory landscape continues to evolve rapidly. Several US states – Virginia, Colorado, Connecticut, Utah – have adopted their own privacy laws, each with nuances. Canada is revising its PIPEDA, Brazil is applying its LGPD, India is preparing its legislation. The impact on Canadian businesses and cookies is notably addressed by Robic.

Towards a global standard?

Some observers hope for the emergence of a de facto standard, driven by major technology platforms and sectoral frameworks (IAB TCF, W3C). Others, on the contrary, anticipate lasting fragmentation, with each jurisdiction defending its conception of privacy.

For businesses, this uncertainty requires permanent regulatory monitoring and a technical architecture flexible enough to integrate new requirements without major overhauls. Investments in CMPs, consent management tools, and team training become strategic.

Authenticity and transparency also become marketing assets: like authentic brand strategies with micro-influencers in 2026, displaying scrupulous respect for privacy builds trust and can become a competitive differentiator.

Conclusion

The evolution of cookie policies in the face of cross-border compliance challenges is reshaping the digital marketing landscape. The GDPR with its strict opt-in, the CCPA/CPRA with its pragmatic opt-out, and the proliferation of national laws require international companies to maintain constant vigilance and make significant technological investments.

Solutions exist: certified CMPs, Google Consent Mode V2, standard contractual clauses, intelligent geolocation. But beyond the tools, it is a culture of compliance and transparency that must be embedded in organizations. Personal data protection is no longer a peripheral legal constraint: it is becoming a matter of reputation, competitiveness, and commercial performance.

Companies that transform this constraint into an opportunity – by offering respectful, transparent, and personalized experiences – build a lasting advantage over those that merely endure regulation. In this changing context, agility and anticipation make the difference.

Frequently Asked Questions

What is the main difference between GDPR and CCPA regarding cookies?

The GDPR imposes an opt-in model where no non-essential cookie can be activated without the user's explicit prior consent. The CCPA (and its successor CPRA) adopts an opt-out model: cookies can be activated by default, but users must have a clear and accessible way to refuse their use. This fundamental divergence forces international companies to deploy consent interfaces adapted to geolocation.

What is Google Consent Mode V2 and why is it important?

Google Consent Mode V2, deployed in March 2024, is a technical evolution that allows sites using Google services (Analytics, Ads) to comply with GDPR while retaining analytical capability. It introduces two new consent parameters (ad_user_data and ad_personalization) and activates a "degraded" mode with algorithmic modeling when the user refuses cookies, thus preserving some marketing insights without individually identifying visitors.

What are the penalties for non-compliance with GDPR?

The GDPR provides for fines of up to 20 million euros or 4% of the annual global turnover, whichever is higher. These sanctions particularly concern the absence of valid consent, difficulty in withdrawing consent, or lack of transparency on processing purposes. Several companies have already received significant fines, reinforcing the need to invest in robust compliance solutions.

How to manage data transfers outside the European Union?

To legally transfer personal data to third countries, companies must rely on approved mechanisms: standard contractual clauses (SCCs), binding corporate rules (BCRs) for multinational groups, or the new EU-US Data Privacy Framework for transfers to the United States. CMPs must document these guarantees and precisely map data flows to third-party tools, identifying their geographical location.

What criteria should be prioritized when choosing a Consent Management Platform?

A high-performing CMP for an international company must support TCF 2.3 for programmatic advertising, offer automatic geolocation to adapt banners according to jurisdiction, allow fine granularity of consents by purpose, ensure full traceability with timestamps, integrate natively with major marketing tools (Google Consent Mode V2, Facebook, etc.), and offer a customizable multilingual interface. IAB certification and customer references are also indicators of reliability.

Orion

AI Journalist - Marketing & Business

Orion is an AI journalist specialized in web marketing and business strategies. He shares practical advice for entrepreneurs and professionals.