Simplification has become the latest buzzword in Brussels — now they're coming for cookie banners.
Behind the annoyance and the catchy name 'cookies' lies a powerful safeguard against technologies that track every click, shopping habit, and health app update.
'Simplifying' cookie banners should mean making it easier for people to say 'no' in a single click.
Instead, the European Commission's Digital Omnibus proposal risks stripping away the very rule that ensures we can refuse tracking at all: Article 5(3) of the ePrivacy Directive.
This rule is what keeps our devices under our control.
Without it, companies could quietly harvest data from our maps, browsers, and connected gadgets, while governments could lean on the same systems to expand surveillance.
What looks like a technical clean-up could turn into a deregulatory shortcut that risks leaving people in the EU with less choice, less control, and less privacy.
Most people know ePrivacy only through the banners that clutter websites. But those pop-ups are just the surface.
The law’s real purpose runs much deeper: it protects every bit of information stored on or sent from our devices. Article 5(3), in simple terms, says: websites, apps, and other digital services cannot store or access information on your device without your consent.
In other words, it makes clicking the “No” button on a cookie banner actually meaningful.
Article 5(3) blocks spyware from being installed in secret.
This is not an abstract fear: many EU countries have already deployed commercial spyware like Pegasus against journalists, activists and politicians — tools that hijack phones invisibly, siphoning off messages, call and location data without a trace.
Without this rule, such intrusions risk being normalised.
It also prevents companies — from telecom networks to the apps and websites we use every day — from stockpiling data without consent, data that can quickly become a goldmine for law enforcement surveillance.
And it shields us from hidden tracking technologies designed to monitor our private lives. O
One example is fingerprinting: a way of building a unique profile of your device so you can be followed online even if you delete cookies or refuse pop-ups.
A 2024 study of some of Europe’s most-visited websites found fingerprinting to be widespread, even though almost none of their privacy policies mentioned it.
Without Article 5(3), practices like this could easily become routine.
Together with the GDPR, ePrivacy forms a double lock on our rights. The GDPR governs how personal data can be collected, used, and shared, while ePrivacy safeguards the confidentiality of our communications in the very first place.
Remove one, and the other cannot fully protect us. Without Article 5(3), companies could claim to follow GDPR rules, while still quietly harvesting sensitive information from devices.
The Commission seemingly wants to alter Article 5(3) through its so-called 'Digital Omnibus' package.
The official justification? To reduce 'cookie fatigue.' The effect, however, would make it easier for companies and governments to tap into our devices without consent.
The approach is just as troubling as the substance.
By tying ePrivacy changes into a large legislative package, the European Parliament and the Council are pressured to approve them wholesale.
Normally, legislation is examined piece by piece, with opportunity for debate and public input.
The Omnibus sidesteps that, creating a fast track where negotiations happen quickly, far from view, and favour corporations and governments over the people whose rights are at stake. Open one door and a dozen of protections, including fundamental rights, risk being dragged open alongside it.
Consent should be given, not negotiated.
And while in the digital world it may look like a simple click, in practice, it is the thin line between individuals deciding what happens on their devices and companies or governments deciding for them.
Weakening Article 5(3) could erase that line.
The stakes are real. Commercial and state surveillance are deeply intertwined. The very same systems that allow advertisers to follow our clicks, locations, and contacts can be repurposed for governmental surveillance.
Weakening ePrivacy does not just mean more intrusive advertising, it creates infrastructures that can be tapped for political monitoring, social scoring, or law enforcement overreach. The consequences reach far beyond annoyance: it is about control over our lives and our digital spaces.
Yes, people are tired of banners. But the problem is not the law itself: it is weak enforcement and the tricks used by the advertising industry.
Many pop-ups are engineered to make accepting tracking easy and rejecting it difficult. The result is far from a real choice.
There is a better answer: privacy signals.
These simple settings in a browser or device let people decide whether they want to be tracked and then automatically communicate that choice to every website or app. No more fatigue, no hidden tracking, no endless clicking.
These technical solutions could genuinely simplify life without eroding privacy.
Every month, hundreds of thousands of people read the journalism and opinion published by EUobserver. With your support, millions of others will as well.
If you're not already, become a supporting member today.
Itxaso Domínguez de Olazábal is a policy advisor at the European Digital Rights Initiative (EDRi), a network of 50+ NGOs defending online privacy.
Itxaso Domínguez de Olazábal is a policy advisor at the European Digital Rights Initiative (EDRi), a network of 50+ NGOs defending online privacy.