Europe’s cookie law messed up the internet. Brussels wants to fix it.

BRUSSELS — In a bid to slash red tape, the European Commission wants to eliminate one of its peskiest laws: a 2009 tech rule that plastered the online world with pop-ups requesting consent to cookies. 

It’s the kind of simplification ordinary Europeans can get behind.

Cookies are a foundation of the internet that allow website holders to collect information about visitors — everything from whether they’ve logged in with a password to what items they’re looking to buy and therefore, might want to see advertising about.

European rulemakers in 2009 revised a law called the e-Privacy Directive to require websites to get consent from users before loading cookies on their devices, unless the cookies are “strictly necessary” to provide a service. Fast forward to 2025 and the internet is full of consent banners that users have long learned to click away without thinking twice.

“Too much consent basically kills consent. People are used to giving consent for everything, so they might stop reading things in as much detail, and if consent is the default for everything, it’s no longer perceived in the same way by users,” said Peter Craddock, data lawyer with Keller and Heckman.    

Cookie technology is now a focal point of the EU executive’s plans to simplify technology regulation. Officials want to present an “omnibus” text in December, scrapping burdensome requirements on digital companies. On Monday, it held a meeting with the tech industry to discuss the handling of cookies and consent banners.

A note sent to industry and civil society attending a focus group on Sept. 15, seen by POLITICO, showed the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website. 

EU countries have floated similar ideas. Denmark (currently presiding over meetings in the Council of the European Union) suggested in May to drop consent banners for cookies collecting data “for technically necessary functions” or “simple statistics.” 

They said these kinds of cookies are “harmless,” unlike ones used for marketing, advertising or sharing data with third parties.

Meanwhile, the industry suggested that cookie rules could be incorporated into the EU’s General Data Protection Regulation. The e-Privacy Directive has strict consent requirements, whereas the GDPR adopts a “risk-based approach,” allowing companies to adjust their privacy safeguards according to the level of risk associated with data processing.

Privacy, the third rail of EU politics

The Commission’s opening gambit to reform cookie rules sets up Brussels for a fierce lobbying showdown: industry versus the privacy community.

From the General Data Protection Regulation to more recent tech laws, Brussels lobbyists have fiercely debated privacy issues, leaving previous attempts to reform the cookie law half-baked.

Some of these ideas to streamline consent banners were included in a proposal for an e-Privacy Regulation presented in 2017. But it was withdrawn in February of this year — a prized scalp of Commission President Ursula von der Leyen’s deregulation agenda — as EU institutions struggled to find compromise on the unwieldy proposal covering everything from online advertising to national security.

Franck Thomas, policy director at advertisers’ lobby IAB Europe, said the e-Privacy Directive takes a “very rigid” view on consent and that rules could be simplified by moving cookie regulation to the GDPR, which takes a more flexible, risk-based approach. This would allow businesses to rely on more appropriate legal bases, such as legitimate interest, he said.

However, “our call for simplification should not be confused with a light touch approach on data protection, but everyone agrees we need to maintain this balance between safeguarding privacy rights and preserving the competitiveness of the European tech industry,” Thomas added.

Any new moves to tamper with cookie consent will face stiff opposition from Brussels’ fierce privacy lobby, which is wary of cookies being used for targeted advertising.  

“Focusing on cookies is like rearranging deckchairs on the Titanic, the ship being surveillance advertising,” said Itxaso Domínguez de Olazábal⁩, policy adviser at European Digital Rights.

She said the law already makes an exception for cookies that are necessary to deliver a service people explicitly expect, such as remembering items in a shopping cart. “Expanding that category to include [other kinds of] ‘essential’ tracking is misleading, because it risks smuggling in analytics or personalization for adtech,” she added.

Fighting is expected to flare up again next year, when the Commission wants to present an advertising-focused piece of legislation called the Digital Fairness Act. The executive has stated that the rulebook will help protect consumers online, including from manipulative design or unfair personalization.