Country-by-Country: A Working Map of EU Cookieless Analytics Rules in 2026

This is privacy research, not legal advice. See the footer for the full disclaimer.

TL;DR

Eleven jurisdictions, four enforcement-signal tiers, two anchors. France is the most operator-friendly (Sheet 16 carve-out); Germany is the strictest (no carve-out, server-side-only).
Configure for Germany; the rest of the EU composes upward. A configuration that survives § 25 TDDDG survives France’s Sheet 16, Italy’s Garante 2021 guidelines, Spain’s AEPD guide, and the Netherlands AP position by construction.
2026 enforcement is intensifying, not relaxing — Italy Garante: 40+ inspections H1 2026 supported by Guardia di Finanza; Netherlands AP: monitoring 10,000 websites/year + “mass surveillance” reclassification of online tracking; CNIL: €475M of cookie sanctions on record.
The “OTHER-EU” bucket follows the strictest baseline by default. Operators with traffic from Member States not specifically modelled deploy the Germany-grade architecture and rely on the no-Article-5(3)-trigger framing.
IR / OTHER-NON-EU is configurable, not certified. Statnive does not claim PIPL / LGPD / PDPA / DPDP / PIPEDA / CCPA compliance out of the box — those are operator-specific configurations requiring local-counsel review.

How to read this map

The 2026 EU/UK position on consent-free analytics is not a single rule but a patchwork — eleven jurisdictions with eleven different ways of interpreting the same underlying ePrivacy Directive and GDPR. This post is the operator’s reference. One row per jurisdiction, one column per regulatory layer, one honest answer per cell. The companion posts in the series — the pillar playbook, the France CNIL Sheet 16 deep-dive, the Germany § 25 TDDDG deep-dive, the DSAR endpoint post, the GPC and hybrid-mode post, and the Digital Omnibus news angle — cover the specifics this map collapses into a single line.

Before the table, a reminder of the two-layer rule. ePrivacy Article 5(3) governs storage and access on terminal equipment. GDPR Article 6 governs the lawful basis for any subsequent personal-data processing. The two layers compose and do not substitute. Per EDPB Opinion 5/2019 and reaffirmed by the UK ICO’s April-2026 Storage and Access Technologies guidance, ePrivacy Article 5(3) is lex specialis over GDPR for any storage/access on terminal equipment. Legitimate interest under GDPR Article 6(1)(f) cannot substitute for ePrivacy Article 5(3) consent.

A jurisdiction’s position on consent-free analytics is therefore the product of (a) how that Member State has transposed ePrivacy Article 5(3) into national law, (b) whether the national regulator has published a specific audience-measurement carve-out interpretation, and (c) the regulator’s enforcement record signalling how strictly the position is held in practice.

The map

Jurisdiction	National ePrivacy transposition	Audience-measurement exemption	Penalty ceiling	Enforcement signal
France (CNIL)	Article 82 Loi 78-17	Yes — Sheet n°16 + 4 July 2025 self-assessment + 16 January 2026 Consolidated Cookie Recommendation	Up to 4% global turnover (Art 83 GDPR)	€475M of cookie sanctions 2020-2025; €3.5M fine published 22 January 2026 (coordinated with 16 European DPA counterparts); legacy evaluation programme retired 1 January 2026 — self-assessment regime operative
Germany (DSK)	§ 25 TDDDG	No	€300,000 per § 28(1) No. 13; GDPR fines in parallel	DSK November-2024 v1.2 guidance: legitimate interest does not substitute for § 25
Italy (Garante)	DLgs. 196/2003 art. 122	Yes — Cookie Guidelines of 10 June 2021 (in force 10 January 2022)	Up to 4% global turnover (Art 83 GDPR)	9 June 2022 Caffeina Media decision banning GA EU→US transfer; 2026 inspection plan: 40+ targeted inspections H1 2026 supported by Guardia di Finanza; Italy ranks 2nd in EU by enforcement count
Spain (AEPD)	LSSI Article 22.2 + LOPD-GDD	Yes — Audience-measurement guide (2024)	€30,000 cookie fines (LOPD-GDD); GDPR fines for personal data	Cookie guide updated July 2023, enforced 11 January 2024
Netherlands (AP)	Article 11.7a Telecommunicatiewet	Yes — “Analytical cookies … do not require consent if they are used solely for counting visitors”	€900,000 or 1-10% turnover (Art 15.4 Telecom Act)	AP automated-scan monitoring of 10,000 sites/year; 2026-2028 strategic priorities reclassify online tracking as “mass surveillance”; €600,000 Kruidvat fine 16 July 2024; April 2025 warning round to 50 organisations
Belgium (APD)	Loi du 13 juin 2005	No — “audience measuring cookies are not exempt from the consent requirement under the current legal framework”	Up to 4% global turnover (Art 83 GDPR)	Decision 85/2022 €50,000 against Roularta Media Group; APD/GBA Strategic Plan 2026-2028: shift to proactive large-scale enforcement
Ireland (DPC)	SI 336/2011	No published exemption	Up to 4% global turnover (Art 83 GDPR)	2020 Guidance Note aligns with EDPB Guidelines 5/2020
United Kingdom (ICO)	PECR 2003 (as amended by DUAA 2025)	No — “low enforcement priority” for first-party, low-intrusiveness analytics	£17.5m or 4% global turnover	ICO Storage and Access Technologies guidance 29 April 2026
Austria (DSB)	TKG 2021 § 165	No standalone exemption	Up to 4% global turnover (Art 83 GDPR)	NetDoktor decision 22 December 2021 (file 2021-0.586.257, D155.027)
OTHER-EU (remaining 19 Member States)	National transpositions of 2002/58/EC	Mixed — see notes	Member-State-specific	Operator should consult the national regulator’s specific guidance
OTHER-NON-EU (incl. IR)	National law applies	No EU exemption applies	Member-State-specific	Operator should consult local counsel

The map collapses a lot of detail into single cells. The remaining sections of this post pull each row apart and explain what an operator deploying in that jurisdiction has to do.

France — the most operator-friendly EU regulator

The CNIL’s Sheet n°16, with its 4 July 2025 self-assessment update and 1 January 2026 compliance deadline, is the most operator-facing audience-measurement exemption in the EU. The conditions are cumulative and narrow: single-site scope, maximum three event types (page presence, feature interaction, timing), IPv4 last-octet truncation, User-Agent reduced to major versions, host-only referrer, no session replay, no cross-domain identifier, 13-month tracker lifespan, 25-month data retention, aggregation to nearest 10.

The CNIL’s enforcement record is heavy on cookie-consent UX. €100M against Google (December 2020), €150M against Google + €60M against Facebook (January 2022), €325M against Google + €150M against Shein (1 September 2025). All on consent-banner UX failures, not the ad-tech downstream.

The legacy evaluation programme — the pre-2026 pathway where the CNIL would assess and list specific analytics tools — is being retired on 1 January 2026. The replacement is operator self-assessment: the provider publishes a dated attestation using the CNIL-recommended wording, and the operator deploying the tool documents its own configuration against the Sheet 16 conditions.

For the full Sheet 16 walk-through and the Statnive Live configuration that qualifies, see the CNIL deep-dive.

Germany — the binding constraint

§ 25 TDDDG forecloses legitimate interest as a basis for terminal-equipment storage or access. The Datenschutzkonferenz’s Orientierungshilfe of 20 November 2024 (Version 1.2) is unambiguous: an Article 6(1)(f) LIA covers the GDPR processing layer but does not unlock a § 25 carve-out. Penalties up to €300,000 per violation under § 28(1) No. 13; GDPR fines under Article 83 in parallel.

The only consent-free architecture in Germany is one where no storage or access on terminal equipment happens — pure server-side processing of HTTP request data the browser sends by default. A documented LIA still has to exist for the GDPR processing layer on top.

For the full TDDDG analysis, the verbatim § 25 text, the German-language privacy-policy block and the Statnive Live hard-rule validator that prevents permissive DE deployments, see the TDDDG deep-dive.

The Italian Garante’s Cookie Guidelines of 10 June 2021 (in force 10 January 2022) recognise an analytics-cookie carve-out where four conditions are met cumulatively:

Direct identification of the visitor is impossible.
The cookie is structured so the same cookie can relate to several devices (achieved by masking at least the last octet of IPv4 or analogous IPv6 truncation).
The cookies are used solely for aggregated single-site statistics.
No combining with other data and no transmission to third parties.

The Garante’s decision n. 224 of 9 June 2022 against Caffeina Media banned the use of Google Analytics for unlawful US transfer. The Garante found that Google’s IP-anonymisation feature was pseudonymisation, not anonymisation — a finding that has implications well beyond Google Analytics for any operator relying on hashed IPs.

The Garante is explicit that legitimate interest is not a valid basis for cookies and tracking mechanisms — a position stricter than the CNIL’s. Italian operators have a narrower path: the cookie carve-out exists, but Article 6(1)(f) cannot be invoked to evade the cookie-consent rule when the rule applies.

A Statnive Live consent-free deployment with IT jurisdiction satisfies the Garante’s four conditions by construction. The cookieless architecture sidesteps the cookie-versus-not-a-cookie analysis entirely; the daily-rotating BLAKE3-HMAC signature is the multi-device-compatible identifier the Garante’s condition (2) requires.

Spain — AEPD audience-measurement guide

The AEPD’s Guide on the use of cookies was updated in July 2023 and enforced from 11 January 2024. The 2024 follow-up Guide on audience-measurement cookies aligns closely with the CNIL Sheet 16 approach: single-site, anonymous aggregate statistics, no cross-referencing, retention ≤ 25 months, tracker lifespan within 13 months, user information mandatory.

LSSI Article 22.2 is the underlying provision. Maximum fines for cookie breaches under LOPD-GDD reach €30,000 — lower than the GDPR Article 83 ceiling but applied in parallel with it for the personal-data-processing layer.

The Spanish operator’s configuration is essentially the French operator’s configuration with localised disclosure language. A Statnive Live deployment in consent-free mode with ES jurisdiction satisfies the AEPD guide by construction.

The Dutch Autoriteit Persoonsgegevens is explicit: “Analytical cookies, which provide insight into the functioning of a website, do not require consent if they are used solely for counting visitors.” Legal hook: Article 11.7a of the Telecommunicatiewet.

The AP enforcement signal is sharp. The €600,000 fine on AS Watson (Health & Beauty Continental Europe) B.V., parent of Kruidvat, on 16 July 2024 was for tracking cookies placed without consent including pre-checked consent boxes. Maximum fines under Article 15.4 Telecom Act reach €900,000 or 1-10% of turnover. The AP has built an automated scanning system that structurally monitors 10,000 Dutch websites per year for cookie compliance — a scale 20× larger than the previous 500-site commitment. The Dutch government has allocated €500,000 per year for cookie enforcement specifically, with a permanent €350,000/year increase from 2027. In April 2025 the AP warned 50 organisations (online retailers, media companies, insurers) about misleading cookie banners; by late 2025 three-quarters of the 200+ warned websites had adjusted. The AP’s 2026-2028 strategic priorities reclassify online tracking as “mass surveillance” — a major positioning shift that signals continued enforcement intensification.

The Netherlands sits in the operator-friendly cluster with France, Italy and Spain on the audience-measurement carve-out itself, but the AP’s enforcement appetite — especially against pre-ticked boxes and against tracking cookies deployed without an exemption analysis — is among the highest in the EU. A consent-free deployment with NL jurisdiction is the safe default; a consent-required deployment must have a Reject UX that is as easy as Accept.

Belgium — no exemption recognised

The Belgian APD/GBA’s Consolidated Cookie Guidance of April 2020 and Cookies Checklist of 20 October 2023 do not recognise an analytics-cookie consent exemption: “audience measuring cookies are not exempt from the consent requirement under the current legal framework.”

Enforcement record: APD Decision 85/2022 fined Roularta Media Group €50,000 for placing statistical cookies without consent. A 2019 decision fined a legal-news website €15,000. Both are smaller absolute numbers than the CNIL’s record but signal that the APD audits the cookie layer and assigns specific fines.

The Belgian operator’s consent-free path is the server-side-only architecture — same baseline as Germany. The configuration that survives in DE survives in BE; an audience-measurement-exemption configuration tuned to Sheet 16 does not.

Ireland — no published exemption

The Irish Data Protection Commission’s 2020 Guidance Note on cookies and other tracking technologies requires opt-in consent for non-essential cookies and aligns with EDPB Guidelines 5/2020. There is no published audience-measurement carve-out equivalent to France’s Sheet 16 or the Netherlands AP position.

Irish enforcement is dominated by the DPC’s cross-border lead-supervisory-authority role for large international controllers headquartered in Ireland (Meta, Google, TikTok). For domestic Irish operators, the cookie-specific enforcement signal is quieter than the CNIL, AP or Garante. The robust position is still the server-side-only baseline — the absence of a recognised carve-out means the burden of proof for any “consent-free” claim falls on the operator’s own LIA and the absence of terminal-equipment storage/access.

United Kingdom — “low enforcement priority” is not a legal exemption

The UK Information Commissioner’s Office finalised its Guidance on the use of Storage and Access Technologies on 29 April 2026 following two consultations and the Data (Use and Access) Act 2025. PECR (Privacy and Electronic Communications Regulations 2003) as amended by the DUAA 2025 is the underlying provision.

Verbatim ICO position: “Analytics cookies do not fall within the ‘strictly necessary’ exemption. This means you need to tell people about analytics cookies and gain consent for their use.”

The ICO concedes that “the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals” — a low enforcement priority for first-party low-intrusiveness analytics. This is not a legal exemption; it is a stated enforcement deprioritisation. UK operators should still implement consent or migrate to a strictly-essential configuration if they want zero banner.

The DUAA 2025 added narrow exemptions (security cookies, age verification) but did not create an analytics exemption. The ICO’s January 2025 compliance review of the top 1,000 UK websites — and the resulting communications to 134 organisations setting out clear regulatory expectations — confirms that the ICO is auditing the layer even where formal enforcement is rare.

A consent-free deployment with UK jurisdiction relies on the server-side-only architecture (no PECR trigger because no storage/access on terminal equipment) plus a GDPR Article 6(1)(f) LIA. The operator gets the ICO’s low-enforcement-priority benefit but does not get the legal certainty a recognised exemption would provide.

Austria — NetDoktor and the Schrems-II line

The Austrian Datenschutzbehörde’s NetDoktor decision of 22 December 2021 (file 2021-0.586.257, D155.027) was the first NOYB-coordinated decision finding that an operator’s use of Google Analytics violated Chapter V GDPR because IP addresses, unique identifiers and browser parameters were transferred to Google in the US without adequate safeguards. SCCs and Google’s supplementary measures (including IP anonymisation) were held insufficient because Google qualifies as an electronic communications service provider under 50 USC § 1881(b)(4) (FISA 702).

No fine was imposed (Austrian procedural separation between the finding and any subsequent fine), but the decision set the precedent that subsequent CNIL (10 February 2022) and Garante (9 June 2022 Caffeina Media) decisions extended.

Austria does not have a standalone audience-measurement exemption equivalent to France’s Sheet 16. The Austrian operator’s consent-free path is the server-side-only architecture plus a documented LIA — essentially the same posture as the German or Belgian operator’s path.

The “OTHER-EU” bucket — the 19 remaining Member States

The remaining 19 EU Member States have national transpositions of ePrivacy Article 5(3) but, in most cases, no published audience-measurement carve-out equivalent to the CNIL Sheet 16 framework. The Statnive Live OTHER-EU jurisdiction value is the operator’s selector for sites whose primary traffic is from EU Member States not specifically modelled in the 11-jurisdiction enum.

The robust default for OTHER-EU deployments is consent-free mode with the server-side-only architecture and a documented Article 6(1)(f) LIA. The configuration survives all 27 Member States because it satisfies the strictest current cell (Germany’s § 25 TDDDG); it does not depend on any specific national carve-out being recognised.

Operators with significant traffic from a specific EU jurisdiction not in the named list should consult the national regulator’s specific guidance and confirm with local counsel. The map collapses these 19 jurisdictions into a single cell precisely because the operator’s compliance burden is bounded by the strictest cell — and that strictest cell is already modelled by the DE jurisdiction’s behaviour.

The “OTHER-NON-EU” bucket — including Iran (IR)

Statnive Live exposes IR and OTHER-NON-EU as jurisdiction values because the binary is operated by operators with non-EU deployments and because the consent-free architecture is useful — and frequently legally compatible — regardless of jurisdiction. The EU audience-measurement exemptions do not apply outside the EU/EEA. A consent-free deployment in a non-EU jurisdiction is configurable from a privacy-preserving-architecture perspective, but is not legally exempt under EU law because EU law does not apply.

The Iranian (IR) cell specifically: Statnive Live operates a dedicated Iranian-data-centre deployment path that handles air-gap requirements, no Cloudflare dependency, no ACME-from-Iran, Iranian NTP only, vendored deps, offline Ed25519 licensing, and the .ir / .ایران IDN bundle. The architecture is what it is — but the legal frame is Iranian law, not EU law. Operators serving Iranian traffic should consult local counsel for the applicable rules.

The OTHER-NON-EU bucket covers everything else: US sites under CCPA / state laws, Canadian sites under PIPEDA, Australian sites under the Privacy Act, Brazilian sites under LGPD, Indian sites under DPDP, Chinese sites under PIPL, and so on. Statnive Live does not claim PIPL / LGPD / PDPA / DPDP / PIPEDA / CCPA compliance out of the box — those are operator-specific configurations that require local-counsel review. The default consent-free architecture is configurable to qualify under many of those regimes’ equivalents (most jurisdictions recognise first-party server-side audience measurement as low-risk), but the marketing position is “configurable, not certified” — not “compliant” or “certified.”

How Statnive Live’s 11-jurisdiction enum maps to this map

The site-policy panel exposes eleven values:

DE — hard-rule validator forbids permissive; defaults to consent-free with respect_gpc = true.
FR — defaults to consent-free; Sheet 16 attestation language exposed at /legal/privacy-policy/en and /legal/privacy-policy/fr (the latter when the FR locale mirror is wired up).
IT, ES, NL — defaults to consent-free; aligns with the respective national carve-outs.
BE, IE, AT — defaults to consent-free with the server-side-only architecture; no national carve-out recognised, so operator relies on the no-Article-5(3)-trigger framing plus Article 6(1)(f) LIA.
UK — defaults to consent-free with the server-side-only architecture; ICO low-enforcement-priority does not legally exempt but the architecture survives PECR by avoiding terminal-equipment storage/access.
OTHER-EU — defaults to consent-free; same posture as BE / IE / AT.
IR — Iranian-data-centre deployment path; defaults to permissive because EU consent rules do not apply (validator allows it for this jurisdiction).
OTHER-NON-EU — defaults to permissive; operator is responsible for local-counsel review.

The hard-rule validator runs at policy save and at policy load on every ingest request. The combinations that are valid for each jurisdiction are enforced by the validator, not by operator convention. Operators who try to set a DE site to permissive mode get the explicit error and the request is rejected.

Where the map will change

A short watchlist for operators tracking the file:

Digital Omnibus Article 88a(3)(c) — if adopted intact, harmonises the audience-measurement carve-out across all 27 Member States. Status as of mid-May 2026: Commission proposal, no Parliament plenary vote. See the Digital Omnibus post for the legislative status.
Italian Garante — may publish refreshed guidance post-Digital-Omnibus. Watch for any update to the 2021 Cookie Guidelines.
UK ICO — DUAA 2025 implementation is ongoing. Watch for any narrowing or broadening of the “low enforcement priority” position.
CJEU Latombe appeal — challenges the EU-US Data Privacy Framework. If the DPF falls, the Schrems-II line tightens further; Statnive Live’s EU-only architecture is the defensive answer.
EinwV recognition (Germany) — the Consent Management Ordinance recognition path may expand to recognised PIMS that simplify the consent UX for consent-required deployments.
National DPA inspection reports — the Hamburg DPA’s 1,000-site sweep, the AP’s 500-site monitoring, the CNIL’s audit programme — all publish periodically and may shift the enforcement priority signal per jurisdiction.

This map carries an updatedDate field — refer to that timestamp for the version of the map you are reading. We re-publish on material change to any cell.

What this gives the operator

The practical operator outcome from consulting this map:

A single-page reference for the 11 jurisdictions Statnive Live’s enum models, with the underlying national transposition, the audience-measurement-exemption position, the penalty ceiling and the enforcement signal in one line each.
A configuration decision tree. Configure for Germany; the configuration survives the rest of the EU. Configure for the operator’s primary jurisdiction; document that decision and the LIA backing it.
A pre-deployment checklist. For each jurisdiction the operator has traffic in: which national-regulator carve-out applies (if any), what the disclosure language has to look like, where the configuration is enforced (Statnive Live’s hard-rule validator does most of the work).
A forward-compatibility frame. When the Digital Omnibus moves through Parliament, the operator can re-read this map alongside the legislative status and update the configuration once the carve-out is settled.

What it does not give: legal advice for any specific deployment. The map is the operator’s starting point; the LIA, the privacy policy, the DPA review, and the per-jurisdiction counsel consultation are the operator’s finishing work.

What to do, and what to skip

Do	Don’t
Configure for the strictest cell with traffic — typically Germany — and let the rest of the EU compose upward.	Run 27 separate per-Member-State configurations. The strict baseline subsumes the rest by construction.
Document a Legitimate Interest Assessment per EDPB Guidelines 1/2024 covering the GDPR Article 6(1)(f) basis.	Rely on legitimate interest as a substitute for § 25 TDDDG consent in Germany — the DSK has explicitly closed that route.
Bound retention to the CNIL 25-month ceiling, even outside France — it satisfies every other Member State’s ceiling by composition.	Run open-ended retention. Article 5(1)(e) data minimisation + EDPB 2026 transparency focus both apply across all cells.
For Netherlands operators: the AP automated-scanning system now reaches 10,000 sites/year. Get the banner UX right.	Treat the Netherlands AP position as a soft signal. The April 2025 warning round + 2026-2028 “mass surveillance” reclassification mean enforcement is escalating.
In the OTHER-NON-EU bucket: state your jurisdiction-specific posture explicitly; consult local counsel; mark “configurable, not certified.”	Claim PIPL / LGPD / PDPA / DPDP / PIPEDA / CCPA compliance out of the box. Statnive does not, and the marketing position must reflect that.

The bottom line

The 2026 EU map of consent-free analytics is a patchwork — eleven cells modelled by Statnive Live’s jurisdiction enum, with seven distinct regulatory positions and four enforcement-signal tiers. France is the most operator-friendly. Germany is the strictest and the binding constraint for any pan-European deployment. The remaining EU/EEA cells fall between those two anchors with national-regulator-specific deltas.

The configuration that satisfies Germany satisfies the rest of the EU by composition. The configuration that satisfies France’s Sheet 16 cleanly covers France, Italy, Spain and the Netherlands but still needs the Germany-grade architecture for German traffic. The robust deployment is the strictest baseline with per-jurisdiction localisations on top — which is exactly what Statnive Live’s 11-jurisdiction enum + 4-consent-mode matrix exposes.

For the broader frame, the pillar playbook is the canonical reference. For the country-specific deep-dives, the CNIL Sheet 16 and § 25 TDDDG posts walk through France and Germany. For the operator’s day-1 workflows — DSAR endpoints, GPC and hybrid mode — the linked posts cover the technical surface. For the legislative news angle, the Digital Omnibus post tracks the file through Parliament.

If something in this map is wrong, the citations above are the URLs to check against. We update the map on material change to any cell — the updatedDate at the top reflects the version you are reading.

This is privacy research, not legal advice. The map collapses cumulative-condition tests into single cells. Every Statnive customer remains the data controller and bears responsibility for its own configuration and per-jurisdiction analysis. The IR and OTHER-NON-EU cells are configurable, not certified — Statnive does not claim PIPL / LGPD / PDPA / DPDP / PIPEDA / CCPA compliance. Cross-reference with qualified counsel in each jurisdiction before publication.

Status of regulatory references as of 13 May 2026: CNIL Sheet n°16 + 4 July 2025 update + 16 January 2026 Consolidated Cookie Recommendation + 14 April 2026 Tracking Pixels Recommendation; legacy evaluation programme retired 1 January 2026; €3.5M fine published 22 January 2026 (FR); § 25 TDDDG + DSK Orientierungshilfe v1.2 of 20 November 2024 (still operative as of May 2026); continued 2024-2026 BayLDA / NRW / Berlin / Hamburg enforcement (DE); Garante Cookie Guidelines of 10 June 2021 in force 10 January 2022 + decision n. 224 of 9 June 2022 + 2026 inspection plan (40+ targeted inspections H1 2026, Guardia di Finanza) (IT); AEPD Guide on cookies (July 2023, enforced 11 January 2024) + AEPD audience-measurement guide (2024) (ES); Autoriteit Persoonsgegevens cookies position + Article 11.7a Telecommunicatiewet + €600,000 Kruidvat fine of 16 July 2024 + AP 10,000-sites/year monitoring + 2026-2028 ‘mass surveillance’ positioning + April 2025 warning round to 50 organisations (NL); APD Cookie Guidance of April 2020 + Decision 85/2022 + APD/GBA Strategic Plan 2026-2028 (BE); DPC Guidance Note (2020) (IE); ICO Guidance on the use of Storage and Access Technologies of 29 April 2026 + DUAA 2025 (UK); DSB NetDoktor decision of 22 December 2021 (AT). CCPA § 7025(c)(6) effective 1 January 2026 — visible GPC-honoured indication required (cross-cutting for OTHER-NON-EU cell). Digital Omnibus COM(2025) 837 final — Commission proposal of 19 November 2025, no European Parliament plenary vote on COM(2025) 837 as of 13 May 2026. EDPB-EDPS Joint Opinion 2/2026 of 11 February 2026; EDPB Guidelines 2/2023 v2.0 of 7 October 2024; EDPB Guidelines 1/2024 of 8 October 2024; draft EDPB Guidelines 01/2025 on Pseudonymisation (sprint team targets summer 2026 completion); EDPB Opinion 5/2019. EDPB 2026 coordinated enforcement framework focus: transparency + information obligations (cross-cutting).