Every European web user knows the ritual. Click on a website, and you are ambushed by a massive, legalese-filled banner demanding to know: “Do you accept cookies?” Exhausted and frantic to just read the article or buy the product, you click “Reject All” without thinking.
Europe originally set out with a noble goal: to give citizens meaningful control over their online privacy and stop invisible, predatory tracking. Instead, a collision of overlapping regulations — from ePrivacy to the GDPR — and fragmented enforcement has created significant bureaucracy: the “pop-up economy.” It is a relentless permission machine that protects privacy imperfectly, irritates consumers daily, and inflicts severe economic collateral damage. The EU’s proposed “simplification” may worsen the problem.
The core flaw of the current system is its lack of nuance. EU rules push fundamentally different digital tools into the same compliance box. On one hand, high-risk, intrusive practices track movements across the internet to build personal dossiers. On the other, low-risk, routine operational functions do innocent, essential plumbing to keep you logged into a site, remember your shopping cart, prevent credit card fraud, stop malicious bot traffic, or simply count how many people visited a page.
Both the basic page counter and an anti-fraud security tool are treated with the same legal suspicion as deep surveillance tracking.
The toll of this “cookie tax” is not distributed equally. Bigger players can absorb the massive compliance costs, specialized legal armies, and engineering burdens required to manage audit trails. Small merchants and independent publishers suffer.
For e-commerce businesses, cookie banners act as a virtual “Do Not Enter” sign. Some merchants report losing up to 10% of potential customers who simply abandon the site the moment a complex banner pops up.
Independent publishers and news media face a severe revenue squeeze. Advertising funds journalism, but ad inventory loses massive value when publishers can’t even prove basic, non-intrusive facts to advertisers — like whether a real human or a bot saw an ad, or how many times it was displayed. Starved of ad revenue, publishers are being forced to retreat behind business-killing paywalls or clumsy “consent-or-pay” models just to survive.
The economic fallout even impacts Europe’s crucial car industry, which worries that it will be unable to collect the data needed to build connected and driverless cars. Danish startup Ooona’s Christian Walther Øyrabø says European customers often turn off cookie banners and location access – and then struggle to see why his devices that warn them about speed traps no longer work.
The European Commission knows the current setup fails. Its newly proposed Digital Omnibus package attempts to simplify the rules by allowing users to set their privacy preferences once via their browser, operating system, or digital wallet, theoretically eliminating the need for banners on every single webpage.
But this proposal merely treats the symptoms rather than curing the underlying disease. By centralizing consent at the software level, Europe risks handing permanent powers to the handful of firms that already control the dominant browsers and operating systems. This shifts friction from the website to the browser while reinforcing the exact monopoly powers that policymakers claim they want to curb.
True reform requires a bolder, risk-based reset. Europe can fix the web by taking three decisive steps:
- Shrink the Consent Surface: Stop asking for permission for things that don’t harm users. Websites must be explicitly permitted to use basic, low-risk tools — such as audience measurement, ad-delivery verification, and fraud prevention — without a prompt. These operations should be allowed by default, provided the data collected is strictly limited to that purpose, kept briefly, and never reused for behavioral profiling.
- Reserve Consent for Real Intrusions: Keep strict prior consent frameworks exclusively for genuinely invasive data practices, such as cross-site tracking and the monetization of sensitive personal information.
- Shift the Focus to Ad Transparency: Take a leaf out of the Digital Services Act’s book. Instead of derailing a user’s entire website journey with a pop-up, let user choice live directly within the advertisements themselves. Clicking an “Ads” or “Sponsored” tag should open a clean window allowing users to manage their preferences instantly.
Europe was right to champion digital privacy, but the execution has alienated users and penalized the firms least able to bear the cost. By focusing on actual, not theoretical, threats, we can protect citizens, rescue independent journalism, and finally slay the Cookie Monster for good.
Dr Anda Bologa is a Senior Researcher with the Tech Policy Program at the Center for European Policy Analysis (CEPA). The views are the author’s own. This piece draws on her longer report, which can be found here.
Bandwidth is CEPA’s online journal dedicated to advancing transatlantic cooperation on tech policy. All opinions expressed on Bandwidth are those of the author alone and may not represent those of the institutions they represent or the Center for European Policy Analysis. CEPA maintains a strict intellectual independence policy across all its projects and publications.