The European Commission aims to reform the EU’s cookie consent rules that have cluttered websites with intrusive banners asking for permission to track user data[1]. The initiative seeks to streamline data protection while maintaining privacy safeguards through centralized consent mechanisms[1:1].
Cookie consent banners emerged from the ePrivacy Directive (Cookie Law) and GDPR requirements, which mandate websites obtain explicit user permission before collecting non-essential data through cookies[2]. Current rules have led to widespread implementation of pop-up notices that interrupt user experience and often employ confusing interfaces.
The proposed changes reflect growing recognition that the existing approach has “messed up the internet” while failing to provide meaningful privacy protection[1:2]. Rather than requiring individual consent on every website, the Commission is exploring solutions like centralized consent management to reduce banner fatigue while preserving user privacy rights.
The idea that there are “essential” cookies is what broke the law. There is no such thing, there are only cookies which would mildly confuse the average user if they weren’t present. People should still have the option to opt out of th se cookies as well.
That is factually incorrect. Many websites would literally stop working. Not “mildly confuse”, but “be unusable”.
You ever logged in to a website? That’s a cookie. Ever used an online shopping cart? That’s a cookie. Ever changed a websites language in a dropdown? That’s a cookie.
All these cookies are first party. There are also essential third party cookies for thing like SSO (“sign in with google/Facebook/github/etc”)
Tell your browser to reject 100% of cookies and tell me how much fun that is.
“Legitimate Interest” is the bullshit term. Why does an ad company have a legitimate interest to my data? That should be removed from the law.
“Essential” is still very vague. All purposes should be categorized. If used for session/identity, then it should be categorized as “session/identity”, there should not be a category defined as “essential”.
You can also make a karaoke page that does not work without access to the microphone, but still the browser has a dedicated permission request for this, it does not get mixed up into a bucket of generic “essential” permissions only because that page doesn’t work without using the microphone.
There should be a whole HTML standard similar to the
Notification.requestPermission()(which requests permission to send browser notifications), but with a granular set of permissions for storage of data for different purposes.And this should be a browser standard, not a custom popup in the logic of the website itself that will be styled differently on each page, allowing all sort of anti-patterns. I should be able to control, from the browser, what the defaults should be for each individual category of data, without having to click through every single website I visit individually. The UI to request for consent should be controlled by the browser, not by the page.