Published on Feb 24, 2026
The European Commission’s plan to relieve internet users of much-hated cookie consent banners is generating intense and, in some cases, conflicting opposition from a variety of interests, throwing its future – and at the very least its objective – into doubt.
As parliamentarians and member states hash out amendments, this element of the commission’s fast-track deregulation spree is teeing up a lobbying faceoff between privacy hawks and business groups, echoing disputes that stalled previous cookie banner cleanup efforts. Whether this measure succeeds or not, experts warn the proposal ultimately won’t achieve what it’s advertised to do: meaningfully combat “consent fatigue.”
“It’s a bit sad there was no broader impact assessment” – as is normally required for EU legislation, a step officials are skipping with these deregulation measures – said Tasos Stampelos, Mozilla’s head of EU policy. “The commission could’ve had a good opportunity to reduce the banners.”
The EU executive’s proposal targets the banners by moving rules governing websites’ ability to store or access cookies – text files that help sites remember users’ visits – on consumers’ devices into the EU’s landmark data protection regulation, giving websites more legal bases to avoid the consent requirement. It also includes a centralized system for users to indicate their cookie preferences internet-wide, mirroring a nearly decade-old plan to lessen consent fatigue that the commission discarded last year.
Depending on whom you ask, it either puts users’ fundamental rights at risk or doesn’t go far enough to right years-old regulatory wrongs – not unlike that earlier proposal.
“There are going to be a lot of different tensions between the different interests,” said Mathilde Fiquet, an advisor at the European Publishers Council, whose members depend in large part on targeted advertising for revenues, making the tracking technology highly valuable. Still, she said she doesn’t expect the proposal to impact consent banners as it preserves the article of the directive that first required cookie consent, “which is the root of the problem.”
The commission didn’t respond to a request for comment.
The banner situation is decades in the making. The ePrivacy Directive, adopted in 2002 as mobile phones and internet use proliferated, required member states to ensure websites only stored or accessed cookies on consumers’ devices if users were given clear information on what the files were for and their right to refuse. A 2009 update revised the directive so that users had to opt in rather than opt out. Existing exemptions for “strictly necessary” cookies became much more valuable.
The banners’ spread escalated following the 2018 rollout of the General Data Protection Regulation, which came with a broad definition of personal data that courts and regulators understood to cover cookies, and introduced a strict consent standard for processing such data. Fines from GDPR violations – up to 4% of the defendant’s global revenues – dwarfed member state-determined ePrivacy Directive penalties. That sent businesses scrambling to add or beef up cookie banners.
Officials have been trying for years to address “cookie fatigue.” The commission in 2017 proposed repealing and replacing the directive with a regulation, clarifying exceptions to the consent requirement and offering users a browser- or device-level consent option, like the latest proposal. But amid disagreements among industry, civil society and lawmakers, the commission in February 2025 put the proposal on the chopping block.
In 2023, as that proposal languished, the commission announced a voluntary “cookie pledge” encouraging businesses to simplify consent banners. It didn’t gain traction.
Now the commission is trying again. As during the debate around the 2017 proposed regulation, some warn the current proposed web-wide opt-out mechanism could be interpreted as steering users toward allowing cookies universally – a likely breach of the GDPR, which requires specific, informed consent to particular uses of personal data.
Members of European Digital Rights’ network of civil society groups have been debating whether this is the case, “so it’s not clear,” said Itxaso Dominguez de Olazábal, an EDRi policy advisor focused on data protection and privacy.
The advertising lobby makes this argument too. But they primarily oppose this system because it could limit ad-funded websites’ ability to request users’ data directly, rather than creating more ways for them to legally avoid having to ask.
Advertisers are among many interests that worry the mechanism would give browsers and operating systems too much power. In a Council of the EU document compiling member states’ reactions last month, seen by The Capitol Forum, Polish diplomats wrote that this system could “lead to a competitive advantage for the largest technology entities.”
Tech giants have their own complaints.
“The omnibus repeats the approach already tried in the failed ePrivacy Regulation,” wroteDigitalEurope, whose members include Microsoft (MSFT), Meta (META) and Google (GOOG). The limited exemptions, the group wrote, “cannot accommodate the full spectrum of legitimate uses of device data that companies must pursue.”
The commission offered publishers an exemption. This would allow them to ignore a “reject cookies” signal from a browser and prompt users again on their own sites.
But the consumer group BEUC, which recommended a ban on surveillance-based tracking altogether, said the proposal doesn’t justify the exemption.
“Access to quality information should not require more invasive tracking mechanisms,” the group wrote in a paper out today and shared exclusively beforehand with The Capitol Forum.
The bloc’s data protection authorities likewise said EU officials should reconsider, as advertising-related use of personal data on media sites is often carried out not by the publishers alone but together with third party advertising technology vendors.
Publishers don’t like the exemption either, but for different reasons, and they’re pushing for a change that risks alarming privacy advocates.
Media groups fear consumers, once accustomed to refusing cookies at a high level, will be primed to say no to tracking by publications. Instead of a free pass to override “reject cookies” signals, publishers argue they should have to ask for consent less often in the first place by relying on a GDPR justification known as “legitimate interest.” This way around requesting consent is available in cases when data use is needed for a legitimate aim that isn’t overridden by user rights and there’s no less-intrusive option. The deregulation package already proposes codifying ways for AI model developers to use it.
In a January paper submitted to the commission, one media company noted this paradox, calling the allowance for AI developers “puzzling, as this differential treatment appears poised to disproportionately benefit potentially large, often non-European, technology companies.”
“It is difficult to reconcile why this more lenient approach is not extended to European editorial media, despite our crucial role in safeguarding EU democracies,” said the paper from the publisher, which requested anonymity. Under the current proposal, the paper added, publishers can only prompt users to consent to tracking every six months, and when they ask, “we risk negative reactions from our users that generally dislike consent pop-ups.”
The data protection authorities suggested allowing advertising based on content a user is viewing on the website – as opposed to user behavior – without requiring consent, and BEUC supported the idea too. But publishers say this would be worthless compared to more personalized ads.
“This is a model that is very limited,” said Fiquet of EPC. “You could place a contextual ad, but you might not be able to measure it, which we know is something advertisers will not invest money in.”
The timeframes for companies to come up with these centralized tools have also raised eyebrows. Browsers and operating systems would have four years to develop the mechanisms for transmitting users’ cookie preferences, but the websites would have two years to let users allow or reject cookies via these signals. The system will also depend heavily on standard-setting organizations.
“We are a little bit afraid that this might be the end of privacy signals,” said EDRi’s Dominguez de Olazábal. She pointed to delayed technical standards meant to help high-risk AI developers’comply with the AI Act. “The commission keeps justifying the delay. Why wouldn’t we have the same with this?”
The proposal is marketed as simplification, but critics say it’s anything but. BEUC argues the proposed cookies provision in the GDPR may not even apply to cookies. Because the digital omnibus package would narrow the GDPR’s definition of personal data in a way that could leave out cookies, and the new cookies provision in the GDPR applies only to personal data, “then its application to cookies would be limited or largely excluded,” the group wrote, adding that this would likely result in legal fights between consumers and websites seeking their data.
The Council dropped the commission’s proposed new definition of personal data under the GDPR, however, according to a February 20 text seen by The Capitol Forum that was prepared for a meeting of diplomats this Friday. That could effectively limit how much tracking no longer needs consent, if the Council ultimately gets its way. Some member states are still undecided on the cookies proposal, and “have raised serious concerns,” though countries broadly supported new proposed exemptions from the consent requirement, according to a February 20 paper from the Council setting out discussions for this Friday’s meeting.
As for non-personal data, the omnibus would leave protections in the ePrivacy Directive, which critics say creates more complications. Data protection authorities noted that it isn’t always easy to determine whether data stored on devices is personal, so those accessing the data “may be uncertain (or disagree) as to which legal framework applies.” French diplomats echoed this concern in the January Council document, as did representatives of Croatia.
“In our view,” the Croatian diplomats wrote, “such an approach would not deliver the intended simplification.”
