The European Commission wants to eliminate the need for cookie consent banners across the web, seeking to replace them with browser-level consent signals.
The proposal aims to streamline how privacy choices are expressed and respected, tackling one of the most widely criticized aspects of digital privacy regulation in the EU.
The details come from an analysis by privacy researcher Dr. Lukasz Olejnik, who has closely followed and advised on European privacy legislation, including the previously unsuccessful ePrivacy Regulation overhaul. His insights are based on a leaked draft proposal, which remains subject to change, but offers a significant glimpse into what the Commission may be planning.
Under the proposed changes, a new Article 88a of the GDPR would define a closed list of four narrowly scoped purposes for which personal data processing on or from terminal equipment, such as web browsers or mobile devices, would not require explicit consent. These purposes include:
- Purely transmitting data
- Delivering a service explicitly requested by the user
- Aggregated audience measurement carried out by the controller for internal use only
- Maintaining or restoring the security of the service or user device
If a processing activity falls strictly within one of these categories, cookie banners and consent dialogs would no longer be required, as the operation would be considered lawful without further user interaction. However, the data collected for these purposes cannot be repurposed for anything else, drawing a clear line to prevent misuse.
This update would effectively replace the notorious “cookie law” (Article 5 of the ePrivacy Directive) with more practical and user-friendly rules. Crucially, the proposal introduces legally binding support for automated, machine-readable consent and refusal signals. That means browsers, operating systems, or platforms like the EU Digital Identity Wallet would be able to act as privacy agents for the user, transmitting their preferences directly to websites in a standardized format.
Websites would be legally obligated to interpret and respect these signals, enabling users to configure their privacy preferences once, in their browser or device, and have those respected across all compliant websites. If consent is required, the proposed regulation mandates a one-click interface to either grant or refuse consent. Furthermore, websites will be barred from requesting the same consent again for at least six months.
While this change would likely eliminate much of the friction in user interactions with websites, it does include carve-outs. For instance, media service providers are exempted from these obligations when delivering media content, potentially allowing continued consent prompts in some streaming or news platforms.
Session cookies used for shopping carts or for measuring a site's own traffic using aggregated data would no longer require user consent. Conversely, any use of third-party analytics, tracking, or advertising technologies, particularly those that profile users across services, would fall outside the scope of Article 88a, thus still requiring consent. In such cases, the websites must recognize and honor standardized opt-out or consent signals if they've been set by the user.
If adopted, the changes would mark a decisive shift in how privacy is handled online in the EU, reducing consent dialogs for users and pushing browser developers to implement stronger privacy controls.
Leave a Reply