In an earlier client update, we reported on the possible effects of the EU’s planned “Omnibus” reform. Of particular relevance is the planned modernisation of ePrivacy cookie rules, which could have a significant impact on the online industry.
Currently, businesses must comply with both the requirements of the ePrivacy Directive for access to end devices, as well as with those of the GDPR for the processing of personal data. In the future, the regulations for businesses could be bundled and simplified under just the GDPR: In principle, user consent would still be required, but exceptions are being discussed, particularly for aggregated audience measurement. If user data is only processed in aggregate form to analyse website usage without identifying individuals or passing on advertising data to third parties, businesses may be able to dispense with traditional cookie banners in the future.
In addition, the EU Commission plans to allow users to store their general cookie preferences centrally in their browser, operating system, or digital profile. Individual websites would then be legally required to respect these preferences. This would not only improve the user experience and reduce compliance costs for businesses, but ultimately also strengthen the influence of browser and system providers who store users’ decisions.
Whether the reform will be adopted as planned and actually lead to a noticeable simplification depends on the specific wording of the new exceptions. With imprecise legal requirements, businesses might just continue to use cookie banners out of caution, even if exceptions or central settings apply in some way. The new regulations are expected to become applicable in the first quarter of 2027. Until then, we will continue to monitor the legislative developments so that our clients can make timely changes to their internal processes.
(Dr. Lukas Mezger, UNVERZAGT Rechtsanwälte)