The EU wants you to click on fewer cookie consent banners
If you’re tired of constantly clicking on cookie consent banners, the EU claims it has a solution to your “cookie fatigue.” But would fewer banners translate into better data protection?
-
The EU Digital Omnibus package proposes rules to reduce “cookie fatigue,” caused by constant engagement with cookie banners.
-
It proposes a browser-level consent mechanism that would allow users to grant or refuse consent to all websites with a single click.
-
If the user refuses, websites would be prohibited from asking them for their consent again for 6 months.
-
Experts say the proposal could bring greater transparency to data privacy, but it doesn’t account for emerging tracking technologies.
The proposal, which comes as part of the Digital Omnibus package, aims to address “a substantial burden for business” and “cookie consent fatigue” among users, who are flooded with banners in their daily online interactions, according to the European Commission.
Consent banners are required by the ePrivacy Directive, adopted in 2002, which mandates that websites obtain informed consent before storing or accessing information on users’ devices.
However, the Commission says that the design and frequency with which the banners are displayed “make it hard, if not impossible, for individuals to understand what will happen to their data.”
Its Digital Omnibus package, aimed to simplify a wide range of bloc’s digital rules, proposes a mechanism that would require users to give or refuse consent via a single click. In the event of refusal, websites would be prohibited from asking the user again for 6 months.
Moreover, the proposal, which still has to be approved by the European Parliament, moves data protection under the General Data Protection Regulation (GDPR), the EU’s comprehensive data privacy and security law.
Because current rules require constant consent requests, the Commission says, this creates an incentive to collect consent for intrusive processing, such as location data, and to use that data for further monetization.
And with one in four (24%) of internet users generally agreeing to all cookie and tracking settings because they don't want to deal with them, according to a Bitkom survey, many may be potentially putting their data privacy at risk.
Will browser-level consent benefit users?
Cristiana Santos, an assistant professor in law and technology at Utrecht University, and Harshvardhan Pandit, a research fellow at the AI Accountability Lab at Trinity College Dublin, say the proposal would replace the online interface with an automated mechanism.
In a written joint commentary shared with Cybernews, they explain the proposal envisions the website making a request, and the browser or device automatically managing consent and objections based on users’ saved choices or preferences.
“It has the potential to increase the transparency, as the browser or device can now automatically detect when requests are missing critical information or when they are incomplete, or maybe even warn users when there is a risk of sharing sensitive or excessive data,” they say.
A study co-authored by Santos found that 74% of websites notified third parties about consent acceptance but failed to inform all of them about consent revocation.
This suggests that other dark patterns may appear to circumvent consent rejection, which could revolve around the user interface or language.
As third-party cookies are increasingly being phased out due to privacy concerns, new techniques are emerging, such as server-side tracking (SST), which shifts tracking from the user's device to an external server.
Santos and Pandit say the EU proposal doesn’t account for the risks of SST technologies, which are not easily detectable because they rely on very specific event data, as well as, in some cases, browser fingerprinting and first-party cookies.
Businesses aren’t happy
The Commission estimates that cookie banners cost around €1,200 ($1,390) per website over the lifespan of 3 years, suggesting the Digital Omnibus would also help local businesses cut costs.
However, the European Tech Alliance, a non-profit representing the continent’s technology companies, warned that the economic costs of the proposal would be “severe.”
“Browser-level consent could cut consent rates across the EU by 60-65%, at least two in three users declining cookies by default, shrinking European digital advertising revenues by an estimated €40-50 billion, a 30-35% decline,” its statement reads.
Meanwhile, Santos and Pandit say the proposal would make compliance easier by eliminating the need to manage interfaces, while individuals could have greater trust in and access to services without worrying about oversharing.
But it is not only revenues that worry European businesses.
The European Tech Alliance says the proposal further entranches the gatekeepers – Google and Apple, which account for over 80% of global browser usage – handing “them the consent architecture for Europe’s entire digital ecosystem.”
And this may pose problems for the continent, which seeks ways to reduce its digital dependence on US technology giants.
Exceptions raise doubts about privacy
The proposed mechanism foresees exceptions, including for media outlets and for analytics conducted solely for the website controller’s use.
Itxaso Domínguez de Olazábal, an expert in data protection and privacy, writes for Tech Policy Press that these exceptions widen the space for non-consensual access to device data, making it harder for people to control how they are tracked online.
While browser or device-based signals can enable people to refuse tracking globally, Olazábal argues that “the Omnibus leaves major gaps in scope and delays that must be corrected.”
Unlock more exclusive Cybernews content on YouTube.
