Europe’s ePrivacy Reforms Are Too Late—and Too Small

The European Commission recently unveiled long-overdue proposals to address persistent frustrations with the ePrivacy Directive, the EU’s framework for electronic communications privacy. Adopted in 2002 and updated in 2009, the directive requires websites to obtain prior user consent before storing or accessing information such as web browser cookies. That requirement produced the ubiquitous cookie banners European users now encounter and the resulting “consent fatigue” that leads many to click past notices without reading them.

The frustrations Europeans experience today were entirely predictable. When the updated rules were set to take effect, the UK Information Commissioner warned that forcing users to negotiate endless pop-ups would obviously degrade the browsing experience. The founder of a web analytics company dismissed the consent requirement as “redundant box-ticking,” explaining that having websites declare they use cookies “doesn’t tell you anything, it’s like saying a car uses a road.” In short, today’s problems reflect poor regulatory design.

At the core of the problem lies the shift in the directive imposed in 2009. Before that update, users could always opt out of data collection. From an efficiency perspective, that approach made sense: users who cared could take action, while others could browse uninterrupted. The ePrivacy Directive replaced that model with mandatory opt-in consent, requiring every user to repeatedly state preferences regardless of whether they held any meaningful concerns.

The Commission itself has acknowledged the consequences. Users often click whatever button allows access to a website, disregarding consent choices altogether. In practice, the directive attempts to solve a problem that most users do not meaningfully perceive, while imposing friction on every interaction.

Rather than revisiting this flawed premise, the Commission now proposes technical adjustments intended to make compliance less disruptive. Its Digital Rulebook introduces three changes: expanding the circumstances under which websites may process data without user consent, imposing a six-month ban on repeat consent requests after a user declines, and committing to develop standards for machine-readable, browser-level consent signals.

These steps will reduce the frequency and intrusiveness of cookie prompts, and they represent a modest improvement over the status quo. But they arrive far too late, rely on technical standards that do not yet exist, and leave the underlying consent model intact. Marginal refinements cannot correct a system built on the wrong assumptions.

Meanwhile, the technologies the directive governs—cookies and similar tracking tools—remain foundational to the Internet economy because they enable targeted advertising. Research by MIT Professor Catherine Tucker found that the ePrivacy Directive reduced the effectiveness of online advertising by 65 percent. The decline fell most heavily on websites with less commercial content, such as news outlets, which rely more on user data to deliver relevant advertising.

This impact matters because the dominant online business model depends on free access to services funded by advertising revenue. Targeted advertising makes that model viable: more relevant ads command higher prices, allowing publishers to generate the income required to keep services free. By preserving strict consent requirements for data collection, the Commission’s reforms maintain the very friction that undermines this model and weakens Europe’s digital competitiveness.

These regulatory choices carry consequences far beyond cookie banners. EU policymakers want European digital champions to emerge in the AI era and hope for rapid adoption of AI tools across the economy. Yet data privacy rules that constrain how firms deploy and monetize digital services continue to hold companies back.

While the proposed reforms offer limited relief, they fall well short of the overhaul needed to spur online innovation, sustain free digital services, and support a seamless Internet. Even worse, they arrive so late that their practical value has diminished further, as website operators have already invested heavily in compliance with the existing regime.

The EU cannot afford another decade of incrementalism before confronting the structural flaws in its digital regulatory approach. To build a competitive digital Europe, the Commission must fundamentally rethink the model that has contributed to the bloc’s declining performance. These reforms could have provided that opportunity. Instead, the Commission once again chose trivial fine-tuning over meaningful change.

Image credit for social media preview: Generated by DALL-E