Back in 2009, Brussels revised the e-Privacy Directive and decided that every website had to beg users’ permission before dropping cookies, except for the ones deemed “strictly necessary.” Fast forward to 2025 and punters are mindlessly clicking “accept all” without reading a word, proving once again that too much consent kills consent.

Keller and Heckman data lawyer Peter Craddock said: “People are used to giving consent for everything, so they might stop reading things in as much detail.”

The Commission wants to simplify things by letting users set cookie preferences once, perhaps in their browser, instead of dealing with endless banners. Denmark has floated scrapping banners for harmless cookies used for basic stats or essential functions, while leaving advertising trackers in the naughty corner.

Industry is lobbying to fold cookie rules into the GDPR, which takes a more “flexible” risk-based approach. Advertisers’ lobby IAB Europe insists this wouldn’t mean watering down protections, just letting businesses rely on things like “legitimate interest” rather than begging for consent every five seconds.

Itxaso Domínguez de Olazábal, policy adviser at European Digital Rights, said: “Focusing on cookies is like rearranging deckchairs on the Titanic, the ship being surveillance advertising.”

She warned that redefining what counts as “essential” would sneak adtech tracking back in through the side door.