What is the ePrivacy Directive?
A quick summary of everything you should know about the EU cookie law.
What the EU Digital Omnibus Proposal means for Cookie Banners
Compliance sucks.
We make it simple.
Create a GDPR-ready Privacy Policy, Terms & Cookie Banner in under 5 minutes.
Something interesting is brewing in the EU, and it could save you some compliance stress. It’s called the Digital Omnibus Proposal, and it’s expected to save the European economy an estimated EUR 820 million per year by relaxing consent banner requirements introduced with the ePrivacy Directive. Don’t delete your cookie banner yet! It’s only a proposal and there’s more to the picture, however, if successful, the Digital Omibus Proposal could be the reason 60% of website’s can say goodbye their consent banner.
Compliance doesn't have to be hard or expensive!
Try our Cookie Banner GeneratorWhy the proposed changes?
As almost everyone in the European Economic Area is aware, the ePrivacy Directive missed the mark. It made compliance expensive, time consuming, and has led to the only time people have complained about ‘too much consent’. The Digital Omnibus Proposal aims to tone things down, implementing the learnings from the ePD’s over-regulation. The key takeaway is that the EU wants to reduce time spent interacting with cookie banners for consumers, and bring back meaning to user-consent.
Is this the end of cookie banners and consent platforms?
Not at all! In our opinion, the Commission might be underestimating the complexity behind the cookie banner. Cookie banners are just the tip of the iceberg. They’re the user interface for much more complicated consent management software, which enables far more functionality than a simple pop-up. User-consent is still required for marketing cookies, and service providers will still need a mechanism to listen to the users consent signals, interpret them, and block specific cookies accordingly, while also integrating these signals with APIs like Google consent mode and Microsoft Clarity.
When you probably wont need a cookie banner
The proposal has outlined some specific purposes it feels should be reclassified as low-risk, for which you can lawfully store data on a user’s device (e.g. cookies) without consent. Most importantly, you would no longer need consent to use cookies for the purposes of performing statistical analysis on your website or online service, if it is being carried out by you (the data controller), for your own use.
The proposed purposes that may be considered lawful without requiring consent are:
- Creating aggregated information about the usage of an online service to measure the audience of that service, when carried out by the controller solely for its own use.
- Carrying out the transmission of an electronic communication over an electronic communications network.
- Providing a service explicitly requested by the data subject.
- Maintaining or restoring the security of a service requested by the data subject or the terminal equipment used for the service provision.
If you use cookies exclusively for these low-risk purposes, you won’t need to display a cookie banner.
The EUs very own Global Privacy Controls
Next on the list of proposed changes is something the European Commission is calling ‘Automated and Machine-Readable Indications’. The objective is to allow users to set their preferences once in their browser and never interact with another cookie banner. All online services (with some exemptions) are required to listen to these consent settings and adjust their cookie implementation accordingly. If this sounds familiar, it’s probably because it is almost identical to what the US dubbed Global Privacy Controls, which allow users to opt out of the selling and sharing of their personal information through a browser extension.
Exemptions for media services
The proposed Automated and Machine-Readable Indications has some big implications, particularly for media service providers (e.g. publication companies) that rely on advertising revenue to fund their content. If users are opted-out by default of all cookies online, there’s next to 0 chance of ad revenue for certain services. For this reason, it is proposed that media service providers are specifically exempted from the new obligations regarding automated, machine-readable privacy signals, even when they rely on user consent for data processing.
While they will still need to obtain consent for activities like personalized advertising, they can continue to control how that consent is solicited on their own platforms without being automatically overridden by general settings chosen by the user in their browser.
The Commission appears mindful that further shrinking the revenue available to online creators would be harmful, and acknowledges that device use is closely tied to consuming content and online services, many of which depend on advertising. Further eliminating the incentives that support this ecosystem would be counterproductive to consumers.
Further reduction of dark signals
While the proposed changes above focus on reducing the sheer number of cookie banners on the internet, the Commission has also suggested measures to reduce dark patterns for any that remain – dark patterns being design elements intended to sway users’ consent choices.
Single-Click Refusal
It will be mandated that consent banners provide the option to reject all cookies on the first layer of the banner. Users must be able to consent to or object to cookies in a single click. While this is already the recommendation for all cookie banners in the EU, it has always been a point of contention.
Remembering consent preferences for at least 6 months
Service providers will need to remember users’ consent choices and refrain from asking for consent for the same purpose for a period of at least six months. While this is already possible, and widely used by most consent platforms, some services don’t save the users consent preferences, forcing them to either consent to cookies or be constantly faced with a consent banner each time they use the service.
When you’ll need a cookie banner
Under the proposed amendments, you will still need a cookie banner if you plan to set cookies or tracking technologies on your users browser for purposes that are not included in the proposed list of low-risk exceptions. For these cases you’ll need a method for listening to the user’s consent choices stored in their browser and adjusting your cookie implementation accordingly, or presenting a cookie banner if no preferences are stored.
Consent is still required for activities that pose a higher privacy risk:
- Personalized advertisement.
- Tracking an individual’s behavior and interaction with different online services beyond what is necessary for low-risk functions.
- Tracking and profiling individuals on a large scale
- Processing high-risk categories of data on a large scale
Related Articles
Does the GDPR apply to businesses outside the EU?
Find out whether the GDPR applies to your business, even if you're not in the EU.
Responding to a GDPR Data Subject Access Request (DSAR)
Steps for responding to a Data Subject Access Request (DSAR) Once you receive a data subject access request, you (the…
