Navigating the web in Europe may become less frustrating as the EU advances with data consent reform aimed at curbing invasive advertising practices. This initiative, included within a larger “digital omnibus” proposal (SWD(2025) 836 final; Mariniello, 2025), is to balance efficiency and distribution in the digital landscape.
The “digital omnibus” is a package of legislative proposals designed to update and streamline the EU’s digital regulations, aiming to foster innovation while ensuring a high level of protection for consumers and their data. This overarching goal includes addressing the widespread issue of cumbersome and often manipulative cookie consent banners that have become a ubiquitous feature of the online experience for European users.
The need for reform stems from the current implementation of the General Data Protection Regulation (GDPR) and the ePrivacy Directive, which, while intended to protect user privacy, have inadvertently led to a proliferation of consent requests that are often confusing and time-consuming. Many websites employ what are known as “dark patterns” in their cookie banners, making it difficult for users to refuse consent for data collection and tracking. These dark patterns include pre-ticked boxes, visually prominent “accept all” buttons, and hidden or hard-to-find “reject all” options. The result is that users often feel pressured to accept cookies, even if they are not comfortable with the implications for their privacy.
For example, a user visiting an online retail site like Zalando might find that their personal data is shared with numerous third-party vendors, including Facebook Pixel, Google Ads, Pinterest, Snapchat, and TikTok. This data sharing allows these vendors to track the user’s browsing behavior and target them with personalized advertising. While this can be beneficial in some ways, it also raises concerns about the extent to which personal data is being collected and used without genuine user consent.
Research from Nouwens, Kristensen, Maalt and Bagge (2025) analyzing GDPR cookie banners further underscores the complexities involved. Their study likely examines the prevalence of dark patterns, the effectiveness of different consent banner designs, and the impact of these banners on user behavior. Such research is crucial for informing policymakers about the practical challenges of implementing data protection regulations and for identifying areas where reforms are needed. They find that many websites fail to comply with the GDPR‘s requirements for clear and unambiguous consent, and that users are often misled into accepting cookies that they would otherwise reject. The research also highlights the inconsistencies in how cookie banners are implemented across different websites and countries, making it difficult for users to understand their rights and make informed choices about their data.
One of the key proposals within the “digital omnibus” is to reduce the number of situations in which websites are required to ask for consent. The European Commission proposes integrating elements of the ePrivacy Directive into the GDPR regarding the processing of information stored on user devices. At the same time, it proposes to amend these provisions with a set of low-risk data-use purposes that would no longer require consent. In addition, the Commission also proposes narrowing the definition of ‘personal data’ there.
The Commission estimates that these changes could eliminate the need for consent banners on 50 percent of private websites and 80 percent of public websites. This exemption is justified as necessary to protect the financial basis of independent journalism. However, some argue that limiting this exemption to media organizations is arbitrary, as other sectors also rely on data-driven revenue.
The Commission also directly addresses several common dark patterns used in consent collection. The proposal stipulates that users must be able to give or refuse consent through a single-click mechanism, simplifying consent choices. In addition, it prohibits websites from repeatedly prompting users for consent after a refusal in the hope of eventually securing approval. Under the proposed rules, publishers are barred from requesting consent again for six months.
However, some critics argue that these measures are reactive and only address the symptoms of the problem, rather than the underlying cause. As long as consent banner designs are primarily driven by advertising objectives, new dark patterns will continue to emerge, and actual practices will fall short of regulatory intent.
Ultimately, the goal is to shift the power dynamic, giving users genuine control over their data and creating a more transparent and ethical online ecosystem, as explored in NBER Working Paper 34025 by Farronato, Fradkin, and Lin (2025). This research likely investigates the impact of different consent mechanisms on consumer welfare and the design of choice architectures that can promote more informed and privacy-respecting decisions. Their work emphasizes the importance of aligning the incentives of businesses with the interests of users, so that data protection is not seen as a burden but as a competitive advantage.
This could involve subsidizing or certifying consent tools that are designed around user preferences rather than advertising objectives. Another approach would be for users to choose a consent management system and let companies bargain with the system providers for access to users. In that way consent management platforms would have monetary incentives to make their system attractive to users.
In addition to aligning firm incentives, the Commission should adopt further measures. For instance, it must give much clearer guidance on the implementation of the global consent signal. Although the proposal refers to a standardised signal, the description remains too limited to ensure consistent and user-centred deployment.
Without more detailed specifications on both the technical format and the interface through which users express their preferences, the design of the signal will likely be heavily influenced by commercial priorities. Clear and prescriptive requirements would help ensure that the signal reflects user choices rather than commercial priorities.
Enforcement must be strengthened if the reforms are to achieve their intended effect. The Commission should encourage member states to ensure that their data protection authorities have sufficient resources to consistently monitor compliance, investigate violations and apply corrective measures. Stronger oversight is essential to detect when organizations stretch or manipulate the rules in ways that undermine user autonomy, and to ensure that such practices are addressed promptly rather than becoming entrenched in the market.
