Eight Years of Stalled Negotiations
The European Commission first proposed the ePrivacy Regulation in January 2017 as a replacement for the ePrivacy Directive (Directive 2002/58/EC). The goal was straightforward: upgrade the Directive into a directly applicable Regulation that would sit alongside the GDPR and harmonise rules on electronic communications privacy, cookies, and direct marketing across all EU member states.
That upgrade never happened. The Council of the EU struggled to reach a common position, cycling through multiple presidency drafts between 2017 and 2024. Member states disagreed on fundamental points - the scope of cookie consent exemptions, the treatment of metadata, and whether cookie walls should be permitted.
On 11 February 2025, the Commission included the ePrivacy Regulation in its list of withdrawn legislative proposals, citing "no foreseeable agreement" as the reason.
Why the Proposal Failed
Three issues proved impossible to resolve.
First, the advertising industry and several member states pushed hard for broader consent exemptions. They argued that requiring opt-in consent for all non-essential cookies - the position of the European Parliament - would cripple digital advertising and harm media publishers who rely on programmatic revenue. The programmatic advertising ecosystem lobbied intensively against strict consent requirements.
Second, the metadata provisions split opinion. The original proposal treated communications metadata (location data, connection timestamps, device identifiers) with protections approaching those for content data. Telecom operators and law enforcement agencies resisted this, wanting broader access for security and investigative purposes.
Third, the cookie wall question remained unresolved. Could a publisher refuse access to users who declined tracking cookies, provided a reasonable alternative existed? The Parliament said no. Several Council drafts said yes, under conditions. No compromise held.
What Stays in Force: The ePrivacy Directive
With the Regulation withdrawn, the 2002 ePrivacy Directive (as amended in 2009) remains the governing law for cookie consent in the EU. Article 5(3) of the Directive still requires prior informed consent before storing or accessing information on a user's device, unless that storage is strictly necessary to provide a service the user has requested.
Each member state has transposed this Directive into national law differently, which creates the fragmented landscape the Regulation was meant to fix. French law (transposed via the Loi Informatique et Libertes and enforced by CNIL) imposes specific requirements around consent mechanisms that differ in detail from Germany's TTDSG or Ireland's SI 336/2011.
For website owners, this means the practical rules depend on where your visitors are located, not just where your business is based.
The Digital Omnibus: Cookie Rules Move Into the GDPR
Rather than revive a standalone ePrivacy Regulation, the Commission took a different approach. On 19 November 2025, it published the Digital Omnibus package - a set of proposals that would fold cookie consent rules directly into the GDPR through a new Article 88a.
This is a significant architectural shift. Instead of maintaining two parallel legal instruments (the GDPR for personal data processing and the ePrivacy Directive for device access), the proposal creates a single framework. Article 88a would govern when storing information on, or accessing information from, a user's device is permitted.
| Aspect | Current ePrivacy Directive | Proposed GDPR Article 88a |
|---|---|---|
| Legal form | Directive (national transposition) | Regulation (directly applicable) |
| Consent default | Opt-in for non-essential cookies | Opt-in retained for non-essential cookies |
| Analytics exemption | No explicit exemption | Narrow exemption for first-party audience measurement |
| Re-consent limit | No specified interval | Six-month minimum before re-prompting |
| Machine-readable signals | Not addressed | Controllers must support automated consent signals |
| Enforcement | National DPAs under national law | National DPAs under GDPR mechanisms |
The Analytics Exemption
One of the most discussed provisions is the proposed exemption for audience measurement. Under Article 88a, storing or accessing device information without consent would be permitted for generating aggregated statistical data, provided the data is used solely by the service provider and not shared with third parties or used for cross-site tracking.
This could exempt basic, first-party analytics cookies from consent requirements - but only if they meet strict conditions. Tools like privacy-preserving analytics platforms operating in cookieless mode would likely qualify. Standard Google Analytics 4 deployments, which involve data transfer to Google and cross-property measurement, almost certainly would not.
One-Click Rejection and the Six-Month Rule
Article 88b of the Digital Omnibus proposal introduces two practical requirements. Rejecting cookies must be as straightforward as accepting them - a direct response to years of dark pattern enforcement by DPAs including CNIL and the Austrian DSB. And once a user refuses consent, the controller cannot ask again for the same purpose for at least six months.
The six-month rule would end the practice of showing a cookie banner on every visit to users who have already declined. For publishers concerned about consent fatigue, this could reduce banner friction - but it also means fewer opportunities to convert a refusal into acceptance.
Browser-Level Consent Signals
The Digital Omnibus foresees machine-readable consent mechanisms that allow users to express preferences through their browser or device settings rather than responding to individual banners on each website. This echoes the approach already taken by Global Privacy Control (GPC) in US state privacy laws.
If adopted, this would require controllers to detect and respect automated consent signals. The Commission would set technical standards for these signals, potentially creating an EU-specific protocol or recognising existing ones like GPC.
For website owners running a CMP, this means future-proofing involves ensuring your consent solution can detect and respond to browser-level signals - not just display a banner.
Timeline and What to Expect
The Digital Omnibus is a Commission proposal, not law. It must pass through the European Parliament and the Council of the EU before adoption. Given the scope of the changes - which extend well beyond cookies to include GDPR simplification, NIS2 alignment, and AI Act adjustments - the legislative process is expected to take at least 18 to 24 months.
Amendments are likely. The analytics exemption, the six-month re-consent rule, and the browser-signal mandate will all face scrutiny from industry groups, privacy advocates, and member state delegations.
The EDPB and EDPS have already published a joint opinion supporting the simplification goals while raising concerns about weakening consent protections.
What You Should Do Now
The withdrawal of the ePrivacy Regulation and the uncertain timeline of the Digital Omnibus mean that the current rules - the ePrivacy Directive as transposed nationally, enforced alongside the GDPR - will govern cookie consent for at least another two years.
Practical steps worth taking now:
- Ensure your cookie banner offers equal prominence to accept and reject options - this is already enforced by multiple DPAs
- Audit your analytics setup to understand whether your tracking could qualify for a future first-party exemption
- Review your CMP's ability to detect browser-level opt-out signals such as GPC
- Document your consent records thoroughly - enforcement continues regardless of legislative uncertainty
Frequently Asked Questions
Is the ePrivacy Regulation still happening?
No. The European Commission formally withdrew the ePrivacy Regulation proposal in February 2025 after eight years of failed negotiations. The existing ePrivacy Directive remains in force. Cookie-related rules may instead be integrated into the GDPR through the Digital Omnibus proposal.
What law currently governs cookie consent in the EU?
Article 5(3) of the ePrivacy Directive (2002/58/EC, amended 2009) requires prior consent before placing non-essential cookies on a user's device. Each EU member state has transposed this Directive into national law, which is why specific requirements vary by country.
Will analytics cookies become exempt from consent under the Digital Omnibus?
The Digital Omnibus proposes a narrow exemption for first-party audience measurement that generates aggregated data solely for the service provider. Standard third-party analytics tools involving data transfers to external companies would likely still require consent.
What is the six-month re-consent rule in the Digital Omnibus?
Under the proposed Article 88b, if a user refuses cookie consent, the website controller cannot ask again for the same purpose for a minimum of six months. This aims to reduce consent fatigue and repeated banner prompts.
How does the Digital Omnibus affect cookie banners?
The proposal requires that rejecting cookies must be as easy as accepting them, codifying what DPAs like CNIL have already been enforcing. It also introduces support for browser-level consent signals, which could eventually reduce reliance on individual website banners.
When will the Digital Omnibus become law?
The Digital Omnibus was published as a Commission proposal in November 2025. It must pass through the European Parliament and Council, a process expected to take 18 to 24 months at minimum. Significant amendments are anticipated during negotiations.
Take Control of Your Cookie Compliance
Whether cookie rules remain under the ePrivacy Directive or shift into the GDPR, one thing stays constant: you need to know what cookies your site sets and manage consent properly. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
