The European Commission has proposed a significant restructuring of the rules governing cookies and tracking technologies as part of its “Digital Omnibus” regulation.
The proposal effectively migrates the “cookie rules” from the ePrivacy Directive to the General Data Protection Regulation (GDPR) and introduces prescriptive requirements regarding consent fatigue, browser-based signals, and exemptions for audience measurement.
Here’s our analysis of the proposed changes to terminal equipment storage and access rules.
Integration into the GDPR
The proposal repeals Article 4 of the ePrivacy Directive (security and breach notification) and amends Article 5(3).
Under the new regime, Article 5(3) of the ePrivacy Directive will no longer apply where the user is a “natural person” (individual) and the information stored or accessed on their device constitutes personal data.
Instead, the Commission proposes inserting a new Article 88a into the GDPR. This brings the processing of personal data on and from terminal equipment directly under the GDPR’s consistency mechanism and penalty regime.
New exceptions to consent
Article 88a(1) maintains the general requirement for consent to store or access information on a user’s terminal equipment.
However, Article 88a(3) expands the list of exemptions where processing is “lawful” without consent. The new list includes:
- Communication transmission: Carrying out the transmission of an electronic communication over an electronic communications network.
- Strictly necessary: Providing a service explicitly requested by the data subject.
- Audience measurement: Creating aggregated information about the usage of an online service to measure the audience. This is limited to processing carried out by the controller “solely for its own use”.
- Security: Maintaining or restoring the security of a service provided by the controller and requested by the data subject.
Combatting “consent fatigue”
The proposal introduces specific interface design requirements intended to reduce the burden of constant cookie banners.
Under Article 88a(4), where access is based on consent, controllers must ensure that:
- Data subjects can refuse consent in an “easy and intelligible manner” with a “single-click button or equivalent means”.
- If a data subject declines a request, the controller must not make a new request for consent for the same purpose for at least six months.
Automated browser signals
The proposal introduces Article 88b, which mandates the recognition of automated and machine-readable indications of a data subject’s choices (e.g., browser privacy settings).
Once technical standards are developed:
- Controllers must allow users to give consent or exercise their right to object via automated means (such as web browser settings or the EU Digital Identity Wallet). Controllers must respect these automated choices.
- Web browser providers (excluding SMEs) must provide the technical means to allow data subjects to set these preferences.
The media exemption
There is a notable carve-out regarding automated browser signals.
Article 88b(3) states that the obligation to respect automated choices does not apply to media service providers.
This exemption appears designed to protect the advertising revenue models of independent journalism, allowing media outlets to continue presenting consent walls or banners even if a user has broadcast a “reject” signal via their browser.
Subsequent processing and legitimate interests
The proposal clarifies the legal basis for processing personal data after it has been collected from the device.
For purposes within the Article 88a(3) exceptions (e.g., security, audience measurement), subsequent processing is deemed lawful.
For other purposes, the controller must identify a legal basis under Article 6 GDPR.
Recital 44 suggests that while controllers may rely on “legitimate interests” for subsequent processing, this is subject to a strict balancing test. It specifically notes that processing based on legitimate interests “should not give rise to the continuous monitoring of the data subject’s private life.”
Timeline for application
If adopted, the Regulation enters into force on the third day following publication.
- The transition of the cookie rules to the GDPR (Article 88a) applies 18 months after entry into force.
- The obligation to respect automated browser signals applies 24 months after entry into force.
- The obligation for browsers to provide these signals applies 48 months after entry into force.
However, the proposals have a long way to go in the EU’s legislative process and must gain approval from the European Parliament and Council before they pass. This process could take a long time, and the Omnibus could look quite different at the end of it.