European rulemakers in 2009 revised a law called the e-Privacy Directive to require websites to get consent from users before loading cookies on their devices, unless the cookies are “strictly necessary” to provide a service. Fast forward to 2025 and the internet is full of consent banners that users have long learned to click away without thinking twice.
“Too much consent basically kills consent. People are used to giving consent for everything, so they might stop reading things in as much detail, and if consent is the default for everything, it’s no longer perceived in the same way by users,” said Peter Craddock, data lawyer with Keller and Heckman.
Cookie technology is now a focal point of the EU executive’s plans to simplify technology regulation. Officials want to present an “omnibus” text in December, scrapping burdensome requirements on digital companies. On Monday, it held a meeting with the tech industry to discuss the handling of cookies and consent banners.
A note sent to industry and civil society attending a focus group on Sept. 15, seen by POLITICO, showed the Commission is pondering how to tweak the rules to include more exceptions or make sure users can set their preferences on cookies once (for example, in their browser settings) instead of every time they visit a website.
EU countries have floated similar ideas. Denmark (currently presiding over meetings in the Council of the European Union) suggested in May to drop consent banners for cookies collecting data “for technically necessary functions” or “simple statistics.”
They said these kinds of cookies are “harmless,” unlike ones used for marketing, advertising or sharing data with third parties.