Europe is considering an update to one of the web’s most long-standing grievances: cookie consent banners. The European Commission is considering reforms to the EU’s so-called “cookie law” that could reduce the number of pop-ups that people are confronted with online — possibly through new exemptions or by allowing user consent preferences to be set once within a browser, per POLITICO reporting. Since international sites typically adopt a one-size-fits-all approach, a move by the EU would probably be felt far beyond Europe.
Why the EU is having second thoughts on consent banners
The deluge can be traced back to the ePrivacy Directive, last revised in 2009, which mandates prior consent before non-essential cookies are placed on a device. The rule was intended to rein in intrusive tracking, but it also gave us generic, interruptive banners. Although “strictly necessary” cookies, used to power core site functions, are exempt, several publishers latched on to pop-ups as a precautionary measure in order to avoid risk — creating what regulators now characterize as “consent fatigue”.
Studies indicate that design matters. A study from Cambridge and Aarhus University presented at CHI 2020 showed that most consent banners nudge people to “accept all” while only a minority provide balanced options. Regulators have pushed back: CNIL in France has fined major platforms for making “reject all” no easier than “accept all,” and national data protection authorities are still looking closely at consent frameworks like IAB Europe’s Transparency and Consent Framework.
What could change under proposed EU cookie rule reforms
Officials are considering two main avenues. The first of those would expand exemptions — security and service continuity, or basic audience measurement, for example — so that unchanging, low-risk uses don’t prompt the user every visit. The idea that consent would not be required for “simple statistics” or what are termed in EU GDPR lingo “technically necessary actions” has been floated by Denmark and is an opinion shared by some other member states.
The second approach would offer a way for people to express consent preferences just once, at the browser or device level, and have sites comply with those settings automatically. That idea has been on the table since early ePrivacy Regulation drafts and mirrors cues such as Global Privacy Control, which is already honored under some non-EU laws. If it were to be adopted in Europe, this could render pop-ups largely a thing of the past — although it does place more power into the hands of browser makers and raises questions about cross-device consistency.
A third, more structural option cooked up by industry groups would effectively bake cookie issues into the GDPR’s overall risk-based approach, offering organizations greater flexibility to align consent with actual harm. That thinking has run into heavy resistance from privacy advocates who fear “risk-based” can easily turn into “rights-reduced.”
Privacy advocates vs. publishers on cookie consent rules
Publishers and ad-tech companies say consent pop-ups depress user experience and revenue, and don’t offer meaningful consent. Benchmarking from consent management providers often shows that acceptance rates plummet when “reject all” is just as prominent as “accept all,” according to publishers who see actual effects on ad yield and analytics coverage. They prefer more explicit exemptions for first-party analytics and a swifter, standard signal to reduce friction.
Digital rights groups like NOYB and national consumer organizations argue that the banners are a symptom, not the disease: the underlying business model of pervasive tracking. They cite enforcement moves like rulings against manipulative banner designs and scrutiny of cross-site identifiers as proof that stronger, not weaker, rules are necessary. They believe that default browser signals are good only if they implement real user choice and do not silently get overridden on the site.
What users and sites can expect if EU reforms advance
Should the EU broaden exemptions for low-risk cookies, people are not expected to see as many pop-ups for basics such as load balancing or aggregated audience measurement. Sites would still require clear consent for targeted advertising and cross-site tracking, and regulators would continue to crack down on deceptive design — the lopsided buttons, the optional controls obscured behind extra clicks.
If browser-level consent takes off, expect onboarding to change: people may set preferences once — during browser installation or through a privacy dashboard — and encounter relatively few banners afterward. That would aid smaller publishers, who currently must navigate complex consent tools, and make for a more consistent experience among users. The downside is that choice shifts upstream: clarity and usability of browser settings will matter more than ever.
In any case, the resulting ripple effects will be felt around the world. Multinational sites seldom keep different consent architectures by region, and some followed EU-style banners globally after the GDPR went into effect. Local rules will still vary, however — state privacy laws in the United States, for example, focus on opt-outs of “sale” or “sharing,” which don’t neatly translate to cookie consent.
Timeline and signals to watch as EU considers cookie changes
Any formal change would take time. The Commission may go for an update of legislation, a return to ePrivacy Regulation wording or targeted advice from the European Data Protection Board. In the short term, watch for national regulators’ statements on analytics exemptions, pilot projects that test browser-based consent and additional enforcement against misleading banners.
For now, the way is clear: work for fewer prompts and smarter ones, as much meaningful control in one place as possible. If Brussels can thread the needle — preserving privacy while dialing back banner fatigue online — the web might finally feel just a little less like the world’s most endless consent form.