Skip to main content

Cookie Consent Reform: The End of Banner Fatigue

The EU Digital Omnibus proposes the most significant reform to cookie consent rules since the ePrivacy Directive of 2009. By moving cookie consent under the GDPR framework, the regulation promises to eliminate cookie banners for an estimated 60% of websites while maintaining strong privacy protections.

The Current Problem

A Broken System

The current Article 5(3) of the ePrivacy Directive, dating from 2009, has created a system that frustrates users and burdens businesses without delivering meaningful privacy protection:

Economic costs:

  • €1.64 billion annually spent on cookie banners by businesses
    • 10 million websites × 41% with banners × €400/year average cost
  • €820 million/year in business compliance costs
  • €320 million/year in public sector costs

User burden:

  • 334 million hours per year spent by EU users clicking through cookie banners
  • Average user encounters multiple banners daily
  • €500 million/year in lost productivity

Undermined protection:

  • 54% of users randomly accept cookie banners without reading
  • 26% randomly reject without understanding implications
  • "Consent fatigue" means users make uninformed decisions
  • The very goal of informed consent is defeated

Why the Current System Fails

The 2009 ePrivacy Directive predates modern web analytics, programmatic advertising, and today's data ecosystem. Its blanket consent requirement for any terminal storage has created:

  1. Banner overload: Nearly half of all websites show cookie banners
  2. Dark patterns: Pressure to accept through design manipulation
  3. Compliance complexity: Different rules from GDPR create confusion
  4. Poor user experience: Constant interruptions with no real choice

The Solution: GDPR Integration

Article 5(3) ePrivacy Repealed

The Digital Omnibus repeals Article 5(3) of the ePrivacy Directive for processing of personal data. This eliminates the separate cookie consent regime that has run parallel to GDPR since 2018.

New Article 88a GDPR: Unified Rules

Cookie and terminal storage processing is brought under GDPR's comprehensive framework through new Article 88a:

Default rule (Article 88a(1)):

"Storing of personal data, or gaining of access to personal data already stored, in the terminal equipment of a natural person is only allowed when that person has given his or her consent, in accordance with this Regulation."

Consent must meet GDPR standards: freely given, specific, informed, and unambiguous.

The breakthrough comes in Article 88a(3), which identifies processing activities that do NOT require consent:

1. Carrying Out Transmission (Article 88a(3)(a))

Necessary for transmitting electronic communication over a network. This covers:

  • Session cookies
  • Load balancing
  • Network routing data
  • Communication delivery mechanisms

2. Service Explicitly Requested (Article 88a(3)(b))

Providing a service the user specifically asked for, such as:

  • Shopping cart functionality
  • User authentication and login
  • Payment processing
  • Form completion and preferences
  • Language selection

3. Aggregated Audience Measurement (Article 88a(3)(c))

This is the game-changer for web analytics:

"Creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use"

Requirements:

  • Must be aggregated (not individual tracking)
  • By the controller (website owner)
  • For the controller's own use only (cannot be shared or sold)

What this means:

  • First-party analytics: NO CONSENT NEEDED
  • Basic traffic measurement: NO CONSENT NEEDED
  • Understanding your own audience: NO CONSENT NEEDED

What still needs consent:

  • Third-party tracking networks
  • Cross-site user profiling
  • Selling analytics data to advertisers
  • Individual user tracking beyond aggregation

4. Security Maintenance (Article 88a(3)(d))

Maintaining or restoring security of services and terminal equipment:

  • Fraud prevention
  • DDoS protection
  • Security logging
  • Malware detection

When consent IS required, Article 88a(4) strengthens user rights:

Single-Click Refusal (Article 88a(4)(a))

"The data subject shall be able to refuse requests for consent in an easy and intelligible manner with a single-click button or equivalent means"

  • No more buried "reject all" options
  • Equal prominence to "accept"
  • Cannot be harder to refuse than accept

No Re-Asking During Valid Consent (Article 88a(4)(b))

If a user gives consent, controllers cannot ask again for the same purpose during the consent validity period. This prevents:

  • Repeated consent requests
  • Consent fatigue from same-site re-prompting
  • Dark patterns that wear users down

6-Month Cooldown After Refusal (Article 88a(4)(c))

If a user declines consent, the controller cannot ask again for at least 6 months for the same purpose.

Impact:

  • Stops repeated harassment
  • Makes "no" mean "no"
  • Reduces consent fatigue
  • Protects user autonomy

Article 88b: Machine-Readable Preferences

Article 88b(1)-(2) requires controllers to:

  • Accept automated, machine-readable consent signals
  • Accept automated consent refusal and objections (Article 21(2))
  • Respect user choices communicated through browsers

Media Service Provider Exemption

Article 88b(3): Media service providers (news sites, publishers) are EXEMPT from accepting browser signals. They can still show consent dialogs.

Rationale:

  • Publishers rely on advertising revenue
  • Need flexibility for funding models
  • Allows industry-specific solutions

Standards Development

Article 88b(4): The European Commission will request European standardisation bodies to develop standards for:

  • Format of machine-readable signals
  • Interpretation protocols
  • Interoperability requirements

Think of this as a European alternative/complement to initiatives like Global Privacy Control (GPC).

Implementation Timeline

For websites (Article 88b(5)):

  • Must support browser signals: 24 months after entry into force
  • Gives businesses 2 years to update systems

For browsers (Article 88b(7)):

  • Non-SME browser providers must offer consent controls: 48 months after entry into force
  • Gives browser vendors 4 years to implement

What this means:

  • Phase 1 (2027-2028): Websites prepare infrastructure
  • Phase 2 (2029-2030): Browsers deploy user controls
  • Users will eventually set privacy preferences once in their browser
  • Those preferences will be automatically respected across websites

Cost Savings and Benefits

Business Savings

€820 million annually from cookie banner elimination:

  • No banner implementation costs
  • No consent management platform (CMP) fees
  • No legal review of cookie policies
  • No A/B testing of consent designs
  • No engineering time maintaining banner code

60% of cookies no longer need consent, meaning:

  • 50% of private websites won't need banners
  • 80% of public sector websites won't need banners

User Benefits

€500 million annually in productivity gains:

  • 200 million users × fewer hours on banners
  • Faster website loading
  • Reduced interruptions
  • Better user experience

334 million hours/year currently wasted on cookie banners will be reclaimed.

Public Sector Savings

€320 million annually:

  • Government websites can drop most banners
  • Universities and research institutions benefit
  • Public services become more accessible
  • Compliance burden reduced

Practical Implications

What Changes for Website Operators

If you only do first-party analytics for your own use:

  • ✅ No cookie banner needed
  • ✅ No consent required
  • ✅ Direct cost savings
  • ⚠️ Must be aggregated data
  • ⚠️ Only for your own use (no data sharing)

If you use third-party tracking or advertising:

  • ⚠️ Still need consent
  • ✅ Better consent UX requirements
  • ✅ 6-month refusal protection
  • 📅 Prepare for browser signals (24 months)

If you're a media service provider:

  • ℹ️ Exempt from browser signal requirement
  • ⚠️ Can still ask for consent directly
  • ✅ Flexibility for publishing business models

What Changes for Users

Fewer cookie banners:

  • Many sites won't need them anymore
  • Simpler web browsing experience
  • Less interruption

Better consent when required:

  • Equal "reject all" buttons
  • No re-asking after refusal
  • Clearer choices

Future browser controls (2029+):

  • Set preferences once in browser
  • Automatic application across sites
  • Granular control if desired

Timeline

Entry into force: Expected 2026-2027 (after legislative process)

Article 88a applies: 6 months after entry into force

Article 88b (browser signals):

  • Websites: 24 months after entry into force
  • Browsers: 48 months after entry into force

Comparison with Current Rules

AspectCurrent (ePrivacy 2009)New (Article 88a)
Legal basisArticle 5(3) ePrivacy DirectiveArticle 88a GDPR
First-party analyticsConsent required (with exemptions)No consent if aggregated, own use
Third-party trackingConsent requiredConsent required
Consent refusalNo specific UX requirementsSingle-click button required
Re-asking after refusalAllowedBlocked for 6 months
Browser signalsNot addressedMust be supported (24 months)
Functional cookiesExemption exists but unclearClear exemption (88a(3)(b))
FrameworkSeparate from GDPRUnified with GDPR

Key Takeaways

  1. 60% of cookie banners will disappear thanks to consent exemptions
  2. First-party analytics for own use = no consent needed
  3. Third-party tracking still requires consent
  4. Better consent UX when consent is required
  5. Browser signals coming in 24-48 months
  6. €1.64 billion annual savings from banner elimination
  7. Unified GDPR framework replaces fragmented rules

The cookie consent reform represents a pragmatic evolution: preserving privacy protections while eliminating the consent fatigue that undermined them. By distinguishing between invasive cross-site tracking and benign first-party measurement, Article 88a promises a better web for users and businesses alike.