[This article has been authored by Netraa Rathee, a 3rd-year student at NLIU, Bhopal. It traces the evolution of EU cookie regulation from the 2002 ePrivacy Directive’s opt-out model to today’s strict opt-in system, examining how consent requirements have tightened amid growing privacy concerns. The author explores enforcement challenges, consent fatigue, and the tension between user privacy and commercial interests as the proposed ePrivacy Regulation remains stalled after years of negotiation.]
Introduction
A cookie is a small text file placed on a user’s device to store information relating to the user’s browsing activities. Lou Montulli at Netscape, a web services company, invented the HTTP cookie as a way for websites to “remember” information such as shopping carts, login details and addresses. The addition of this tool to the web browser was not announced to the public. It was initially seen as an ingenious technical fix but gradually evolved into something darker.
The first public warnings about the potential risks of cookies appeared in an article by the Financial Times. Subsequently, the rising marketing industry realised that cookies could be used as a tool for profiling users. Advertising networks like DoubleClick popularised the use of third-party cookies to track users across multiple websites, transforming cookies from a simple functional tool into a powerful mechanism for behavioural profiling and targeted advertising. DoubleClick purchased Abacus Direct, a company holding vast amounts of offline consumer data, and sought to merge it with users’ online browsing profiles collected via cookies.
The move triggered a major privacy scandal in the United States, investigated by the Federal Trade Commission. Although it unfolded across the Atlantic, it resonated strongly in Europe, alerting EU policymakers to the risks of cookies as instruments of large-scale tracking and profiling.
In response, the European Union began developing legal frameworks to address the privacy risks posed by cookies. This Article explores the evolution of EU cookie law, starting from the early ePrivacy Directive and ending with the ongoing debates around the proposed ePrivacy Regulation. By tracing the history and current state of cookie regulation, this Article seeks to illuminate the tension between commercial interests, technological innovation, and the fundamental right to privacy in the EU.
The EU’s Cookie Law
The aftermath of the DoubleClick dilemma led to the drafting and implementation of the e-Privacy Directive (“EPD”). The EPD does the heavy lifting with respect to regulating cookies, so much so that it has been dubbed the “cookie law”. It was adopted in 2002, and its main feature was the ‘opt out’ option, under which the user had the right to be informed and, additionally, the right to refuse cookies. In the context of the EPD, the opt-out model presumed that users consented to the collection and use of their data unless they actively chose to stop it by exercising their right to opt out. Websites were required to clearly advertise whether they used cookies or not. It is important to note that the EPD here only dealt with ‘strictly necessary’ cookies, those essential for the functioning of a website, and not advertising or marketing cookies. As a result, the practice of behavioural profiling via cookies remained largely unregulated.
The Article 29 Working Party (“WP”) was established to deal with issues relating to the protection of privacy and personal data until 2018, when it was replaced by the European Data Protection Board (“EDPB”). The WP played a crucial role in the 2009 amendment of the EPD. The amendment mainly revolved around the ‘opt out’ option. Further, in its opinions on the amendments required to the 2002 Directive, the WP recognised that behavioural advertising, even though a highly economically beneficial activity, does not supersede an individual’s right to privacy. It stated that real consent exists only when users actively agree before any cookies are placed on their devices. Moreover, the WP clarified that silence, inaction, or pre-ticked boxes could never amount to valid consent.
These positions directly influenced the 2009 amendment of the ePrivacy Directive, which significantly revised Article 5(3). The new wording required that cookies could only be placed if the user had given prior informed consent, with an exception made for strictly necessary cookies. This amendment formally converted the system from an opt-out approach to an opt-in model. Websites across the EU were obliged to request user permission before setting tracking or advertising cookies, giving rise to the familiar cookie banners and consent pop-ups that remain a constant feature of the online experience today.
Recognising the shortcomings of the directive-based approach, the European Commission proposed a new ePrivacy Regulation in 2017. Unlike a directive, which requires member states to transpose its provisions into national law, a regulation would apply directly and uniformly across the EU.
One of the regulation’s goals is to reduce unnecessary cookie banners. By clarifying which cookies require consent and which do not, it seeks to simplify user choices and minimise banner overload. However, despite its ambitions, the ePrivacy Regulation has been delayed for years due to political disagreements and lobbying. As of 2025, the regulation remains under negotiation, leaving businesses and regulators stuck with the patchwork system created by the existing directive.
Enforcement and Consent Challenges
Since the 2009 amendment, EU internet users have become accustomed to never-ending cookie banners. These banners are meant to ensure informed consent, but in practice they have led to what critics call “consent fatigue.” Users often click “accept all” to remove the banner quickly, without fully considering the implications. This undermines the very purpose of informed consent. Regulators have acknowledged this problem, with the EDPB issuing guidance that consent interfaces must be designed fairly and should not manipulate users into agreeing. In effect, the banner system risks becoming a box-ticking exercise where compliance exists on paper but not in substance. The entry into force of the General Data Protection Regulation (“GDPR”) in 2018 further tightened the rules around consent. The GDPR defines consent as a freely given, specific, informed, and unambiguous indication of a user’s wishes, expressed through a clear affirmative action. This standard applies equally to cookies.
National Data Protection Authorities (“DPAs”) across Europe have been active in enforcing these rules, targeting both large tech companies and smaller firms. In 2020 and 2021, CNIL (“Commission nationale de l’informatique et des libertés”) imposed multimillion-euro fines on Google and Facebook (Meta) for failing to make it as easy for users to refuse cookies as to accept them. Both companies had designed their interfaces so that rejecting cookies required multiple clicks, while acceptance could be done instantly. CNIL held that this violated the principle of freely given consent. In 2022, Microsoft was fined for similar practices on its Bing search engine, where advertising cookies were dropped without proper opt-in consent. Smaller businesses have also faced fines. For instance, regional e-commerce companies and news outlets were penalised for setting analytics or advertising cookies without providing a consent option.
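The opt-in rule introduced by the 2009 amendment (only strictly necessary cookies before consent) and the points the CNIL enforcement actions turn on (refusing as easy as accepting, no advertising cookies dropped before an affirmative choice, no pre-ticked boxes) can be expressed as a small piece of consent-gating logic. The following is an added example written for this page, not code from the article or from any regulator or company it mentions; the cookie names, categories and in-memory cookie jar are constructed so that it runs outside a browser.

```javascript
// Added example: consent-gated cookie management under the EU opt-in model.
// Cookie names and categories below are constructed for illustration.
const COOKIE_CATALOGUE = [
  { name: 'session_id', category: 'necessary',   purpose: 'keeps the user logged in' },
  { name: 'csrf_token', category: 'necessary',   purpose: 'protects forms against CSRF' },
  { name: 'cart',       category: 'necessary',   purpose: 'shopping cart contents' },
  { name: '_analytics', category: 'analytics',   purpose: 'aggregate usage statistics' },
  { name: 'ad_profile', category: 'advertising', purpose: 'behavioural ad targeting' },
];

// Categories that may only be used after an explicit, affirmative choice.
const CONSENT_CATEGORIES = ['analytics', 'advertising'];

// In-memory cookie jar so the example runs in Node; in a real page this would
// be backed by document.cookie or by Set-Cookie headers on the server side.
function createJar() {
  const store = new Map();
  return {
    set(name, value) { store.set(name, value); },
    delete(name) { store.delete(name); },
    names() { return [...store.keys()].sort(); },
  };
}

// Starting state: no decision made and nothing granted (no pre-ticked boxes).
function initialConsent() {
  return { decided: false, granted: new Set() };
}

// Records a user action. 'accept_all' and 'reject_all' are each a single
// click, so refusing costs the user no more effort than accepting.
// 'custom' carries only the categories the user ticked themselves.
// Anything else (closing the banner, scrolling, inaction) is not consent.
function recordChoice(action, categories = []) {
  switch (action) {
    case 'accept_all':
      return { decided: true, granted: new Set(CONSENT_CATEGORIES) };
    case 'reject_all':
      return { decided: true, granted: new Set() };
    case 'custom':
      return {
        decided: true,
        granted: new Set(categories.filter((c) => CONSENT_CATEGORIES.includes(c))),
      };
    default:
      return initialConsent();
  }
}

// Strictly necessary cookies are always allowed; everything else needs a
// recorded decision that granted its category.
function isAllowed(cookie, consent) {
  if (cookie.category === 'necessary') return true;
  return consent.decided && consent.granted.has(cookie.category);
}

// Applies a consent state to the jar: sets what is permitted and removes
// what is not, so withdrawing consent also clears previously set cookies.
// Returns the sorted list of cookie names now present.
function applyConsent(consent, jar, catalogue = COOKIE_CATALOGUE) {
  for (const cookie of catalogue) {
    if (isAllowed(cookie, consent)) jar.set(cookie.name, 'value');
    else jar.delete(cookie.name);
  }
  return jar.names();
}

// Data the banner renders: every non-necessary purpose listed, none
// preselected, and accept/reject offered with equal prominence.
function bannerModel(catalogue = COOKIE_CATALOGUE) {
  return {
    purposes: catalogue
      .filter((c) => c.category !== 'necessary')
      .map((c) => ({ name: c.name, category: c.category, purpose: c.purpose, preselected: false })),
    buttons: ['accept_all', 'reject_all', 'customise'],
  };
}

// Stand-alone walkthrough of a page load followed by each kind of choice.
function demo() {
  const jar = createJar();
  const beforeChoice = applyConsent(initialConsent(), jar);
  const afterAccept = applyConsent(recordChoice('accept_all'), jar);
  const afterReject = applyConsent(recordChoice('reject_all'), jar);
  return { beforeChoice, afterAccept, afterReject };
}

console.log(JSON.stringify(demo()));
```

The point of keeping the jar behind `applyConsent` is that the advertising and analytics cookies simply never exist before a decision is recorded, and a later `reject_all` or narrower `custom` choice removes them again; a dismissed banner leaves the state identical to the page's first load.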
These enforcement actions send a clear message that cookie compliance is not optional. Companies cannot hide behind technical complexity or user interface tricks. For global players, fines amounting to millions of euros may be manageable, but for small firms, compliance costs and fear of penalties can pose significant burdens. The EU’s cookie rules are often described as a global benchmark for online privacy regulation. Many countries, such as Brazil and South Korea, have looked to the GDPR and the ePrivacy framework as models for their own laws. Despite this, within Europe the system continues to draw criticism from multiple sides.
Businesses argue that the rules are too strict and create unnecessary compliance burdens. On the other hand, privacy advocates argue that the framework is too weak. They point to the problem of consent fatigue, dark patterns and widespread tracking as evidence that users still lack actual control. They also warn that new forms of tracking, such as device fingerprinting or browser-based profiling, may bypass cookie laws altogether, rendering the existing framework outdated.
This dual criticism illustrates the central paradox of EU cookie law. It is seen as both an overreach and an underreach. It burdens businesses while failing to deliver true empowerment for users. The ongoing debates around the ePrivacy Regulation reflect the difficulty of striking a balance between economic interests in digital advertising and the fundamental right to privacy.
The Future of Cookie Regulation
The controversy surrounding cookies is increasingly tied to the future of online advertising and the broader challenge of balancing innovation with fundamental privacy rights. A major milestone is the slow disappearance of third-party cookies. Google, for instance, has announced plans to retire them in Chrome, replacing their role with alternatives such as the Privacy Sandbox, a system designed to allow targeted ads without exposing users’ full browsing history.
Meanwhile, artificial intelligence and machine learning are reshaping how profiling and personalisation are done. Instead of leaning exclusively on cookies, advertisers can now draw on contextual data, device IDs and behavioural patterns to predict user interests. While these methods are technically different, they still rely heavily on personal data and raise questions about how far existing privacy rules should stretch.
The EU has made clear it intends to stay ahead of such developments. Both the GDPR and the draft ePrivacy Regulation are written broadly enough to catch “similar technologies,” ensuring that consent rules extend to device fingerprinting, invisible trackers or any comparable tools. The EDPB has confirmed in its guidance that such methods require the same standard of explicit user consent as traditional cookies.
Looking to the future, three challenges stand out. First, EU lawmakers must ensure that the legal framework remains adaptable as new tracking tools emerge. Second, they need to reduce user fatigue from constant pop-ups while still giving individuals genuine choice. Third, coordination with non-EU partners will be essential to avoid fragmented global standards that make compliance more complex for international businesses.
One possible direction could be a move away from endless cookie banners toward browser-level or operating system privacy controls. These would allow people to set their preferences once and have them automatically respected across websites, an approach that could strike a more effective balance between convenience and protection.
Conclusion
The evolution of EU cookie law reflects the ongoing struggle between technological progress, commercial incentives and the fundamental right to privacy. What began in 2002 as a light-touch directive with an opt-out approach has shifted into a strict opt-in system reinforced by the GDPR’s demanding consent standards. The 2009 amendment to the ePrivacy Directive was a watershed moment forcing websites to obtain clear user approval and leading to the now-familiar consent banners across Europe.
Still, the framework is far from flawless. Europe has positioned itself as a global leader in privacy protection, inspiring similar legislation around the world. Yet it has also created consent fatigue, compliance headaches and patchy enforcement. Critics argue that although the rules are ambitious, they often fail to give users real control in practice. The proposed ePrivacy Regulation aims to fix these weaknesses by harmonising rules across the EU, aligning them more closely with the GDPR and extending them to new communication technologies. But years of political debate and lobbying have delayed progress, leaving businesses and regulators to navigate a fragmented patchwork of national laws.
In the end, the “cookie conundrum” underscores a broader reality of the digital era: privacy regulation cannot be static. It must continually adapt to technological change and shifting social expectations. The EU’s experience shows that safeguarding privacy is less about one-off solutions and more about ongoing negotiation among regulators, industry and individuals. Finding the right balance will remain one of the defining policy challenges of the coming decade.