Will the ePrivacy Directive update put an end to cookie banners?

Why too much consent is a bad thing

When you visit a website, do you think “Am I okay with this brand using cookies to deliver me a better service?” or, are you simply ticking yes or no because you care or don’t care about your privacy. You should be thinking the former, but you’re probably not. This phenomenon of desensitization applies perfectly to what we call “cookie banner fatigue”, and it occurs because despite our smarts and perception, we humans are great at ignoring anything we’re repeatedly exposed to.

Our opinion, and the opinion of the European Commission is that consent should have meaning. It should be a front of mind decision, else can it really be deemed clear and explicit? We’ve become desensitised to consent, and we really shouldn’t be.

Peter Craddock, a data lawyer with Keller and Heckman, put it more eloquently than we could: “Too much consent basically kills consent. People are used to giving consent for everything, so they might stop reading things in as much detail, and if consent is the default for everything, it’s no longer perceived in the same way by users.”

So, will cookie banners be a thing of the past?

While it’s possible, it’s unlikely. User consent is still an essential part of online data privacy – it might just be a little overbearing in its current form.

What’s more likely is a risk-based approach, where businesses will still require cookie banners for high-risk tracking activities. This means we could see something similar to the website requirements of the CCPA, where you only need a consent mechanism if your website uses cookies for the purpose of selling or sharing personal information to advertisers.

Analytics cookies may not require a cookie banner

The Council of the European Union’s suggestion to drop consent banners for “simple statistics” could mean more relaxed consent requirements for cookies used by analytics tools. After all, the data collected from these tools is quite de-personalised already, usually only tracking data such as approximate geo-location down to the city, the user’s device type or operating system, and an anonymous user ID for page view count statistics.

The key issue regulators face with this is defining what qualifies as analytics. On one hand, analytics tools may simply be used to create aggregate, non-identifying insights rather than detailed user profiles. But where do we draw the line? And of course, how do we control analytics data collection that blurs the line between statistical purposes and targeted advertising purposes?

The Google shaped elephant in the room

There are a handful of brands that come to mind when we think of faceless corporations farming our data – Meta, Microsoft & Amazon. But Google stands alone, shoulder-deep in a much murkier tracking purposes puddle. It boils down to around six lines of code – something Google calls the ‘Google Tag’.

The Google Tag is currently installed on 55% of websites globally, responsible for setting a cookie that connects a website to Google Analytics 4. If you haven’t heard of it, Google Analytics 4 is the most widely used website analytics tool in the world, with a market share of ~90% as of early 2025. (Also, not to alarm you, but you may be living under a rock!)

Unlike most other trackers and cookies, the Google tag is used for both analytics and marketing purposes, allowing you to send data to multiple Google products. On one hand, it allows you to measure page views, clicks, scrolls and more. On the other hand, it connects your site with Google Ads for conversion tracking, targeted remarketing, and demographic reporting, which go beyond basic analytics.

Thankfully, Google does allow you to disable the collection, sharing and use of personal data for personalisation of ads by deactivating the collection of remarketing data. Even still, we’ll need to see how Google responds to proposed changes before knowing for sure whether a cookie banner will be required for websites using Google Analytics.

Who should be excited for these changes?

If there’s one thing to take away from this, it’s that the proposed changes are positive. They indicate that maybe, just maybe, the EU understands that the ePrivacy Directive overstepped and didn’t have the positive impact on data privacy as intended. The result won’t be the disappearance of cookie banners, but rather their evolution into more targeted, meaningful consent interactions focused on genuine privacy risks rather than a long list of gibberish we either sign our names on or reject.

If you’re a business who just wants to know “was it a good month or a bad one?”, you might soon be entitled to more accurate analytics data and a website free of cookie banners.

If you’re a user who wants to continue using the internet without your data being sold on the black market. Don’t worry, your privacy is still paramount. Only now, it will be immediately obvious when websites are selling your data thanks to a much more important cookie banner.