EU Cookie Consent: What’s Changing and How to Stay Ahead 

After years of debate, the European Commission has officially withdrawn its proposal for a new ePrivacy Regulation—a law that was meant to modernize how cookies and other tracking technologies are regulated. But the withdrawal has not slowed down momentum or loosened compliance obligations surrounding tracking technologies. On the contrary, enforcement is intensifying, consumer expectations are rising, and regulators are increasingly aligned on what constitutes valid consent. This article breaks down what the withdrawal means in practice, where enforcement is headed, and how your organization can stay ahead in an environment where superficial compliance is no longer enough.

Implications of the Withdrawal of the ePrivacy Regulation

The European Commission’s decision to withdraw the proposed ePrivacy Regulation in 2025 concluded a years-long initiative to modernize EU rules governing electronic communications and tracking technologies. The issues the regulation aimed to address—legal fragmentation, outdated rules, and the rise of advanced tracking techniques—remain unresolved.

In the absence of a new regulation, the ePrivacy Directive, and its national transpositions, continue to govern the use of cookies and similar technologies. However, this framework—originally adopted in 2002 and last updated in 2009—no longer reflects the full complexity of the current digital ecosystem.

The European Data Protection Board (EDPB) has underscored the need for renewed legislative attention. Any future proposal, it argues, must align with the General Data Protection Regulation (GDPR), provide practical and enforceable consent requirements, and address challenges related to AI-driven personalization, profiling, and other emerging technologies. Until then, organizations must continue to operate under the existing rules while adapting quickly to evolving enforcement practices and interpretive guidance.

The Current Legal Framework: Complex but Clear Enough

Today, the use of cookies and other tracking technologies—such as tracking pixels, local and session storage, SDKs, and browser fingerprinting—is governed in the European Economic Area (EEA) by the ePrivacy Directive. Because it is a directive (not a regulation), each EEA country has transposed it into national law, leading to variations in wording, interpretation, and enforcement approaches across countries.

That said, one core rule applies across jurisdictions: if a tracker is not strictly necessary to transmit a communication or provide a service explicitly requested by the user, then valid, prior consent is required. This “strictly necessary” exemption is interpreted narrowly and typically applies only to trackers essential for the technical delivery of a service—such as those used for load balancing, maintaining secure sessions, or enabling basic site functionality like logging in or managing a shopping cart.

Trackers used for anything beyond that—such as audience measurement, content personalization, or social media features—generally fall outside the exemption and require consent, even if they enhance user experience or serve legitimate business purposes.

Some regulators have carved out narrow exemptions for specific use cases, such as low-risk audience measurement tools. However, these carve-outs are not harmonized across the EEA and tend to come with strict conditions.

GDPR and ePrivacy: A Dual Obligation

When it comes to cookies and similar technologies, organizations operating in the EEA must navigate two overlapping legal frameworks: the ePrivacy Directive and the GDPR.

The ePrivacy Directive governs the act of storing or accessing information on a user’s device, regardless of whether that information is personal data. The GDPR applies when that data is, in fact, personal. Importantly, the ePrivacy Directive is lex specialis to the GDPR: it takes precedence in its specific area of application, but must still be interpreted in harmony with GDPR principles.

In practice, this creates a dual obligation:

  • Under the ePrivacy Directive: You must obtain prior consent before deploying non-essential cookies or other trackers.
  • Under the GDPR: That consent must meet the Regulation’s high standards, meaning it is freely given, specific, informed, and unambiguous.

Shortcuts are not an option. Organizations must fully comply with both legal frameworks. These requirements apply to all technologies and devices, including mobile apps, tablets, and desktop browsers. Consent must be obtained before any data is stored or accessed on a user’s device, and consent mechanisms must be clear, user-friendly, and designed to reduce fatigue, not to manipulate or confuse.

Enforcement is Driving Convergence and Raising the Bar

National enforcement authorities across the EU are playing a key role in shaping cookie compliance expectations. Through concrete decisions, audits, and detailed guidance, they are offering increasingly consistent interpretations of what valid consent looks like under the ePrivacy Directive and GDPR. While enforcement remains decentralized, a shared vision is clearly emerging.

For example:

  • France’s Commission Nationale de l’Informatique et des Libertés (CNIL) emphasizes the need for symmetry in cookie banner design. Users must be offered a real choice, with “Reject” and “Accept” options presented equally. Interfaces that highlight acceptance, obscure refusal, or suggest that consent is mandatory are noncompliant. CNIL also affirms that continued browsing or implied consent is invalid.
  • The Dutch Data Protection Authority (DPA) has highlighted the importance of transparency and clarity. Cookie banners must avoid vague language and should not bury essential information in collapsed sections or behind “read more” links. Pre-ticked boxes are not permitted, and users must be able to withdraw consent easily.
  • The Belgian Data Protection Authority (DPA) has reinforced the principle that users must be able to refuse non-essential cookies as easily as they accept them. Practices such as bundled consent, default opt-ins, or misleading toggle designs have been explicitly rejected. Organizations are also expected to maintain and produce evidence of how their cookie notices and consent mechanisms have evolved over time, including providing a date and version number for their cookie notices.
  • The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) has issued guidance against obstructive banners that block access to content or delay entry pending a decision. Such designs compromise the voluntariness of consent. Additionally, functionality across devices, including mobile phones and tablets, is expected to be consistent and reliable.

These enforcement examples reflect a broader regulatory trend: while national authorities retain flexibility to address country-specific concerns, they are increasingly aligned in interpreting and applying GDPR standards to cookie consent. As a result, organizations must move beyond minimal technical compliance and focus on implementing consent mechanisms that genuinely respect user autonomy and follow both legal requirements and user experience best practices.

Best Practices for EU Cookie Compliance in 2025

Based on recent regulatory guidance and enforcement options, the following practical steps can help you build compliant, user-friendly consent mechanisms:

  • Respect visual and functional symmetry in cookie banners by giving equal prominence to “Accept” and “Reject” buttons. Authorities have clearly indicated that consent cannot be considered freely given if one choice is more visually attractive or easier to select than the other.
  • Avoid deceptive or coercive design patterns. Interfaces that rely on pre-ticked boxes, hidden opt-outs, bundled purposes, or cookie walls that limit access unless users consent are unlikely to meet GDPR standards.
  • Eliminate passive or implied consent mechanisms. Continued browsing, scrolling, or inactivity does not constitute valid consent. Users must take affirmative action to enable non-essential trackers. Consent must be obtained before any storage or access occurs, with exceptions only for strictly necessary cookies.
  • Audit all cookies regularly. Keep a detailed and regularly updated inventory of all cookies and similar technologies in use. Document their purposes, retention periods, and whether they fall under an exemption from the consent requirement.
  • Group cookies and trackers logically and allow granular control. Group cookies by purpose (e.g., essential, performance, marketing) and enable users to give or withhold consent separately for each category. Avoid bundling multiple purposes into a single toggle.
  • Provide ongoing access to settings. Users must be able to change their tracking preferences easily at any time, not just during their first visit.
  • Renew consent periodically, especially when vendors, technologies, or purposes change. Relying on outdated permissions increases regulatory risk.
  • Design with clarity and simplicity. Combat consent fatigue with clear and simple interfaces. The EDPB encourages standardized, interoperable solutions that reduce friction and increase user trust.

Regulators have made it clear that superficial compliance will not withstand scrutiny. Consent mechanisms must be designed with the user in mind, not just to satisfy technical requirements. Beyond legal compliance, user-centered consent design strengthens brand trust and supports ethical data practices.

Organizations that embrace these practices will be better positioned as enforcement intensifies and privacy expectations evolve. Ensure your organization is on the right track. Stay ahead of the curve by ensuring your website or app aligns with the latest regulations. Schedule a free consultation with VeraSafe’s team today.
