Europe is facing two parallel developments that both promise to solve the cookie banner problem. One relies on technical innovation within existing rules, the other on fundamental legal changes. Both paths could fundamentally shape the future of digital data protection in Europe. But which one is the right approach?
Am 17. Oktober 2025 hat die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) mit "Consenter" erstmals einen Cookie-Manager offiziell anerkannt. Das Browser-Plugin der Berliner Legal-Tech-Initiative Law & Innovation Technology erfüllt die Anforderungen der seit April 2025 geltenden Einwilligungsverwaltungsverordnung (EinwV), einer deutschen Verordnung, die festlegt, wie Cookie-Einwilligungen zentral verwaltet werden dürfen. Die Idee: Du stellst einmal zentral ein, welche Cookies Du akzeptierst, und der Assistent kommuniziert diese Präferenzen automatisch an alle Websites. Cookie-Banner würden damit überflüssig.
Nur wenige Wochen später, am 19. November 2025, will EU-Wettbewerbskommissarin Henna Virkkunen den "Digital Omnibus" vorstellen. Ein umfassendes Gesetzespaket, das DSGVO, ePrivacy-Richtlinie, Data Act und AI Act gleichzeitig ändern soll. Offizielles Ziel: Vereinfachung, Bürokratieabbau, mehr Wettbewerbsfähigkeit. Kritiker sprechen von der größten Datenschutz-Aufweichung seit Einführung der DSGVO.
Diese beiden Entwicklungen mögen auf den ersten Blick unabhängig erscheinen. Tatsächlich aber zeigen sie zwei grundverschiedene Philosophien, wie Europa mit dem Cookie-Problem umgehen kann und will.
The recognition of Consenter is a milestone. For the first time, there's an officially validated way for users to centrally manage their cookie preferences. The numbers from the current BfDI survey also show: there's interest. 66 percent of internet users can imagine using such a cookie assistant. For 83 percent, it's important or very important to be able to decide for themselves how their data is used online.
At the same time, the survey reveals a problem: Cookie managers solve a symptom, while more than half of respondents (56 percent) can't fully understand the underlying issue. They couldn't explain what cookies are and what they're used for.
Then there's the crucial limitation: The EinwV isn't mandatory for website operators. Companies could ignore a cookie manager's signals and still ask users for consent on every visit. Consenter is recognized but still needs to prove itself in the market. Whether website operators will actually implement and respect the interfaces remains to be seen.
It's an approach that enables innovation within existing rules. But it relies on outdated technology and hopes that all market participants will voluntarily adhere to new standards. That can work. But it could also lead to another layer of complexity instead of solving the problem at its root.
The Digital Omnibus takes a different approach. Instead of building new tools for old rules, the rules themselves should be adjusted. The EU Commission argues with competitiveness and talks about "simplification by design." Following the critical Draghi and Letta reports on Europe's competitive disadvantages compared to the US and China, bureaucracy is supposed to be reduced.
What sounds reasonable carries significant risks. Max Schrems from noyb, one of Europe's most prominent data protection activists, warns: "This would be a massive downgrading of Europeans' privacy 10 years after the GDPR was adopted." The European Digital Rights organization (EDRi) speaks of a "death by a thousand cuts."
Specifically, the Commission plans to integrate the ePrivacy Directive into the GDPR. This could dilute the special cookie protection. Even more problematic: changes to the "scope," meaning the definition of what requires consent in the first place. The concern is that more data could be collected without explicit consent, especially when companies invoke "legitimate interest," such as for AI training.
Unlike the GDPR, which was negotiated for years, the Digital Omnibus is running on a fast track. The public consultation only ended in October. Democracy thrives on involving citizens in such processes, on open exchange and informed debates. Critics complain about exactly this: fundamental changes to European data protection would be pushed through without sufficient public discussion, even though these are fundamental rights that affect us all.
Here's where a brief technical digression is worthwhile. Cookies are small files stored in the browser that make users identifiable across different page visits. Tracking cookies create detailed profiles: which pages do you visit, when, for how long, what do you click on. This personal data requires explicit consent under the GDPR.
The alternative is cookie-free analytics solutions. They capture website data in aggregate form without identifying or tracking individual users. Technically speaking, visits are counted and analyzed, but no individual profiles are created. No cookies means: no personal data, no consent requirement, no banners.
The difference is fundamental. Cookie managers and the Digital Omnibus regulate how a specific technology is handled. Cookie-free solutions make this regulation unnecessary because the problematic technology isn't used at all.
For website operators and decision-makers, a strategic question now arises: Which horse are we betting on?
We can bet on cookie managers like Consenter. That works within the current system but depends on these tools gaining traction and website operators actually supporting them. In Germany, there's a first regulatory framework with the EinwV. What the situation looks like in other EU states is still completely unclear.
We can hope that the Digital Omnibus simplifies cookie banners by loosening consent requirements. That would reduce implementation effort in the short term. Long term, however, we risk getting into data protection conflicts if the weakening of protection levels leads to counter-movements. The GDPR wasn't formulated so strictly without reason.
Or you take the step toward innovation with us: Cookie-free analytics solutions aren't affected by either development. No cookies means no cookie management, no dependency on regulatory twists and turns, no banner fatigue for your users. At the same time, you get the analytics data you need for informed business decisions, just without the personal data baggage.
Europe is at a crossroads. The Consenter recognition shows: there's political will to promote innovative solutions within the data protection framework. The Digital Omnibus shows: there's also political pressure to subordinate data protection to competitiveness.
Both paths have their logic. But both rely on regulating an outdated technology instead of fundamentally questioning whether cookies are still the right approach. Cookie banners aren't annoying because the regulation is bad, but because the technology behind them is designed to track users.
The question isn't just how to make cookie banners simpler. The question is whether we still want to be regulating cookie-based systems in ten years, or whether we take the step now toward technologies that understand data protection not as a compliance problem but as a fundamental technical architecture.
For website operators, this means: now is the time to rethink your analytics strategy. Cookie managers are a step in the right direction, but they're just the beginning and still need to prove themselves in practice. The Digital Omnibus could bring short-term relief but lead to new uncertainties in the long run.
Solutions like bchic Analytics show that there's another way: GDPR-compliant, without cookies, without banners, without dependency on regulatory twists and turns. While Germany is launching a first pilot with the EinwV, the situation in other EU states remains unclear. Companies operating Europe-wide need solutions that work independently of national special paths.
Europe is deciding in the coming weeks which direction it's heading. You decide whether you're betting on old technology with new regulations, or on new technology that makes regulation unnecessary.
