Cookie consent may be a familiar compliance topic, but regulatory expectations continue to evolve across Europe and the UK. For life sciences and health care companies, meeting those expectations increasingly means going beyond the banner to ensure meaningful user choice.

In the EU, the Dutch and French Data Protection Authorities (DPA) have been particularly active, scrutinizing non-compliant cookie banners and inadequate consent mechanisms. The French DPA has issued multiple fines, including two for more than €100 million. It is expected that cookie compliance will continue to be a focus topic for the CNIL. Since April 2025, the Dutch DPA has issued over 200 warnings, with roughly 25% of non-compliant companies facing enforcement if they continue to fail to update their practices. The DPA will continue its monitoring activities in 2026.

The message is clear: intrusive cookies cannot be placed before consent is given, and users must have a genuine choice. "Accept" and "reject" options must be equally accessible, and consent cannot be bundled or implied. This aligns with broader EU trends, where authorities are increasingly intolerant of dark patterns and pre-ticked boxes.

Across the Channel, the UK Information Commissioner's Office (ICO) has also ramped up scrutiny. Following its call to action for the UK's top 100 websites, the ICO contacted 1,000 sites to assess whether they are giving users meaningful choices about advertising cookies. The new Data (Use and Access) Act raises the stakes further, aligning cookie fines with UK GDPR levels (up to £17.5 million or 4% of global turnover). Helpfully, the Act will ease the compliance burden in the UK somewhat by classifying a broader range of cookies as outside of the requirements to obtain consent, including those used for fraud, security, and certain analytics purposes.

For health apps and medical websites, compliance is more than a regulatory box to tick. Regulators expect life sciences and health care organizations to embed meaningful consent into the design of their websites, apps, and digital services, rather than treating it as a cosmetic exercise. Getting cookie consent right is not only about avoiding enforcement, but about meeting user expectations and reinforcing trust in digital health services.