The ePrivacy Regulation Is Dead

What Replaces It — and What Irish Websites Need to Do Now

For years, Irish businesses were warned that the ePrivacy Regulation was coming — a sweeping overhaul of cookie law that would replace the patchwork of national rules across the EU with a single, binding framework. It would tighten consent requirements, restrict tracking technologies, and put real regulatory teeth into cookie compliance.

It never arrived. On 11 February 2025, the European Commission officially withdrew the ePrivacy Regulation proposal from its legislative programme. After eight years of drafts, negotiations, lobbying, and political deadlock, the Commission concluded that no agreement was reachable and that the proposal had become outdated in light of legislation passed in the meantime.

But here is the critical point: the withdrawal of the ePrivacy Regulation is not a relaxation of the rules. The current ePrivacy Directive — which has been in force since 2002 and transposed into Irish law as the ePrivacy Regulations (S.I. No. 336 of 2011) — remains fully in force and is actively enforced. And the European Commission’s November 2025 Digital Omnibus proposal is now introducing targeted changes to cookie law that are, in some respects, more structurally significant than the regulation that was withdrawn.

This article explains what has actually changed, what the Digital Omnibus proposes for cookie and tracking law, where the current rules stand and how the DPC is enforcing them, and what Irish businesses need to do on their websites right now — regardless of what the Omnibus ultimately delivers.

A Decade of Cookie Law in Three Paragraphs

The ePrivacy Directive (Directive 2002/58/EC) was adopted in 2002 — before smartphones, before social media, before behavioural advertising became the economic foundation of the internet. Its Article 5(3) requires that websites obtain prior, informed consent from users before placing any non-essential cookies or tracking technologies on their devices. In Ireland, this is transposed through Regulation 5 of the ePrivacy Regulations 2011.

When GDPR came into force in May 2018, it added significantly higher consent standards — consent must be freely given, specific, informed, unambiguous, and as easy to withdraw as to give. The intersection of these two frameworks created the complex, often dysfunctional cookie consent landscape that most Irish websites still operate under today.

The European Commission proposed a new ePrivacy Regulation in January 2017, intended to replace the Directive with a unified, directly applicable EU law. Eight years of negotiations followed. The file stalled repeatedly under successive Council presidencies. The Commission formally withdrew it in February 2025, with its official rationale citing both the absence of a foreseeable legislative agreement and the fact that subsequent legislation — GDPR, the Digital Services Act, and others — had addressed some of the Regulation’s objectives through different routes.

Important clarification — The withdrawal of the proposed ePrivacy Regulation does not change the existing ePrivacy Directive or Ireland’s 2011 ePrivacy Regulations. Every current cookie compliance obligation remains legally in force. Nothing has been relaxed.

Enter the Digital Omnibus: What Is Actually Changing

On 19 November 2025, the European Commission published the Digital Omnibus — a comprehensive package of proposed amendments to the EU’s digital regulatory framework, including the GDPR, the ePrivacy Directive, the Data Act, NIS2, and the AI Act. This is the most significant proposed reform to EU digital law since GDPR itself.

For cookie and tracking law specifically, the Digital Omnibus proposes a structural shift that would be more impactful than the abandoned ePrivacy Regulation in one key respect: it moves cookie compliance for personal data directly into the GDPR framework, replacing the current parallel-running of two separate legal instruments with a single, harmonised EU standard enforced by the same authorities that enforce GDPR.

The Digital Omnibus is currently in the ordinary legislative procedure — it has been submitted to the European Parliament and the Council for examination, debate, and amendment. Adoption under the standard procedure could occur in mid-to-late 2026, though the Parliament’s urgent procedure could accelerate this. Substantive amendments are expected during negotiations, and the final text will differ from the November 2025 proposal. Implementation timelines after adoption add further lead time before obligations bite.

Key timeline reality — Irish businesses should not wait for the Digital Omnibus to be finalised before addressing their cookie compliance. The current rules apply now. The DPC is enforcing them now. And the proposed Omnibus changes are — in most respects — stricter than the current baseline, not looser.

The Three Omnibus Changes Irish Businesses Need to Understand

1. Single-Click Refusal Will Become Mandatory

The Digital Omnibus proposes that wherever a website relies on consent as its legal basis for tracking, users must be able to refuse consent with a single click or equivalent action — in the same way they can accept. The current widespread practice of making acceptance a one-click process while hiding the ‘reject all’ option behind multiple menus and sub-pages would be explicitly non-compliant under the new framework.

This is consistent with DPC enforcement that is already happening under the current rules. The DPC has found on multiple occasions that consent mechanisms designed to make rejection disproportionately difficult — fewer buttons, additional steps, dark patterns — do not constitute valid consent under GDPR. The Omnibus codifies what the DPC is already treating as the standard.

What this means for your website — If your cookie banner requires users to click through multiple pages, open settings menus, or toggle off individual categories to decline tracking, it likely does not meet the current DPC standard — and will be explicitly non-compliant under the proposed Omnibus rules. The fix is a ‘Reject All’ button on the first layer of your consent banner.

2. A Six-Month Moratorium on Re-Requesting Declined Consent

The Digital Omnibus proposes that if a user declines consent for a specific tracking purpose, the website cannot present a new consent request for the same purpose for at least six months. This addresses a widespread and well-documented dark pattern: showing the consent banner repeatedly until the user accepts out of frustration or exhaustion — what regulators refer to as ‘consent fatigue.’

The Commission’s own assessment estimates that EU users collectively spend around 334 million hours per year interacting with cookie consent banners, representing approximately €11.2 billion in lost productivity. The six-month moratorium is designed to make re-request harassment legally impermissible, not just poor practice.

For Irish businesses with websites that currently re-show consent banners on every visit or after short intervals for users who have declined, this rule requires a change in implementation — consent management platforms will need to be configured to respect declined consent states for the defined period.

3. Machine-Readable Consent Signals

Proposed new Article 88b of the GDPR would require websites to accept automated, machine-readable consent preferences — signals sent by browsers or operating systems on behalf of users, indicating their preferences without requiring manual interaction with each website’s banner.

This is the most technically significant change, and the one most likely to be amended or scaled back during the legislative process. In its current form, it would allow users to configure their privacy preferences once at the browser level — similar to how the Global Privacy Control (GPC) signal works — and have that signal respected by all websites. For websites built on standards-compliant consent management platforms, supporting this would involve technical configuration. For custom-built implementations, it may require development work.

The practical implication for website builds is straightforward: any new website built in 2026 or 2027 should use a consent management platform that is actively maintained and has a track record of implementing regulatory updates. Bespoke consent solutions built from scratch will require ongoing development investment as standards evolve.

The Current Rules: What the DPC Is Enforcing Today

While the Digital Omnibus works through the legislative process — a journey that will take at least until late 2026 and likely longer — the current ePrivacy Regulations and GDPR remain in full force. The DPC is actively enforcing them.

• 146 ePrivacy investigations concluded by the DPC in 2024.
• 8 companies prosecuted under Ireland’s ePrivacy Regulations in 2024.
• €325 million fine issued by France’s CNIL against Google in September 2025 for Gmail advertising and cookie violations — the largest ePrivacy-related fine in Europe.
• 11% increase in valid data breach notifications to the DPC in 2024 — 7,781 notifications in total.

There is an important nuance in the Irish enforcement context that businesses should understand: unlike GDPR, the DPC is not empowered to issue direct financial fines for breaches of the ePrivacy Regulations under current Irish law. The maximum penalties under the Regulations themselves are modest. However, this limitation does not mean cookie violations are consequence-free.

Where a cookie violation involves the processing of personal data without a valid legal basis — which is almost always the case when non-essential tracking scripts load before consent is given — the DPC can and does pursue enforcement under GDPR, where penalties of up to €20 million or 4% of global annual revenue apply. The practical enforcement pathway runs through GDPR, not just the ePrivacy Regulations.

The DPC’s enforcement toolkit also includes enforcement notices requiring specific corrective action, public naming of non-compliant organisations, and — increasingly relevant — injunctive relief. In 2024, the DPC used its injunctive powers for the first time to prohibit a social media platform from processing EU user data for AI training. The enforcement posture is expanding, not contracting.

The CNIL precedent — France’s €325 million fine against Google in September 2025 for displaying targeted advertising in Gmail without valid consent is the most significant ePrivacy enforcement action in Europe to date. While issued by the French regulator, it directly informs how the DPC interprets equivalent violations involving companies headquartered in Ireland — including what constitutes valid consent for email and advertising tracking.

What Compliant Cookie Consent Looks Like Under Current DPC Standards

The DPC has published detailed guidance on cookie compliance, and its enforcement actions provide a clear picture of what is and is not acceptable. The following standards apply to Irish websites today — independent of any future Omnibus changes.

The Consent Must Be Freely Given

Consent is not freely given if accepting tracking is a condition of accessing the website. Cookie walls — where users must accept tracking or pay for access — are permissible only in very narrow circumstances and have been found non-compliant in multiple EU enforcement actions. The DPC’s guidance is explicit: the user must have a genuine choice, and the consequences of declining must not be disproportionate.

The Consent Must Be Specific

A single ‘accept all cookies’ button that covers marketing, analytics, personalisation, and third-party tracking under a single consent is not specific. Each category of tracking purpose requires its own consent. Users must be able to accept some purposes while declining others.

Strictly Necessary Cookies Do Not Require Consent — But the Exemption Is Narrow

Cookies that are technically essential for the website to function as explicitly requested by the user are exempt from the consent requirement. This covers session management, shopping cart functionality, login tokens, and security cookies. It does not cover analytics cookies, advertising pixels, social media tracking, or CRM integrations. The DPC explicitly warns against interpreting this exemption broadly.

Declining Must Be as Easy as Accepting

This is the most widely violated requirement on Irish websites. If your consent banner has a prominent ‘Accept All’ button on the first screen and requires users to navigate to settings to decline, your implementation does not meet the DPC’s standard. A ‘Reject All’ or ‘Decline’ option must be available at the same level of prominence as the acceptance option.
Consent cannot Be Pre-Ticked or implied

Pre-ticked consent boxes, continued scrolling, and ‘by using this site you accept our cookies’ notices are not valid consent. The DPC found in its 2020 cookie sweep of 38 Irish companies that these patterns were widespread. Many Irish websites have not remediated them despite the enforcement guidance that is now six years old.

Third-Party Scripts Must Not Load Before Consent Is Given

This is the most technically demanding requirement and the most commonly violated. If your website loads Google Analytics, a Facebook Pixel, a LinkedIn Insight Tag, or any marketing or retargeting script before the user has interacted with the consent banner, you are placing tracking cookies without consent — regardless of what your privacy policy says. The scripts must be technically blocked until valid consent is recorded.

A Practical Audit Checklist for Irish Websites

The following checklist covers what the DPC currently expects and what the Digital Omnibus will formalise. Completing this audit will address both current compliance and readiness for the incoming framework.

• Test your cookie banner with tracking blocked. Open your website in a fresh browser session with network monitoring active.
• Check whether any third-party scripts (Google Analytics, Meta Pixel, HubSpot, etc.) fire before you interact with the consent banner. If they do, your implementation is non-compliant regardless of your banner’s appearance.
• Verify the reject path. From your consent banner’s first screen, count the number of clicks required to decline all non-essential cookies. Under current DPC standards, declining should require no more steps than accepting. If there is no ‘Reject All’ button on the first layer, the implementation needs to be updated.
• Review your cookie categories. Confirm that each type of non-essential cookie — analytics, marketing, personalisation, third-party — is categorised separately and requires individual consent rather than a single blanket acceptance.
• Check consent duration and storage. Your consent management platform should store the user’s consent preference and respect it on return visits. It should not re-show the banner on every visit to users who have already made a choice.
• Audit your consent management platform for maintenance. As the Digital Omnibus progresses, your CMP will need to be updated to implement single-click refusal and eventually machine-readable signal support. Confirm your CMP provider has a clear roadmap for regulatory updates.
• Update your cookie policy. Your cookie policy must list every cookie your site uses, its category, its purpose, its provider, and its duration. Vague references to ‘third-party analytics’ are insufficient. Most Irish business websites have cookie policies that do not reflect their actual cookie use.
• Implement consent mode for Google services. If you use Google Analytics, Google Ads, or any Google marketing platform, Google’s Consent Mode v2 is required for accurate measurement while respecting user consent choices. Failure to implement it correctly means either non-compliant data collection or measurement gaps that affect your marketing performance.
• Consider your email marketing tracking. Following France’s CNIL consultation on tracking pixels in emails — the recommendation to require explicit consent for email open tracking is advancing across EU regulators. If you use email open rate tracking, monitor this development and assess what consent mechanism you would use if required.

What This Means When You Build or Rebuild a Website

For any Irish business commissioning a new website, cookie and tracking compliance needs to be a specification requirement, not an afterthought. This means several things practically.

First, consent management should be built into the project scope with a named CMP platform, a configuration that technically blocks all non-essential scripts pending consent, and a banner implementation that meets the current DPC standard — including a first-layer reject option. This is not an optional configuration that can be added post-launch. If the website goes live with non-compliant cookie handling, it is non-compliant from day one.

Second, Google Consent Mode v2 integration needs to be part of any project that includes Google Analytics or Google Ads. Without it, the measurement infrastructure is either non-compliant or blind to users who decline consent — both of which create problems for the business.

Third, the cookie policy needs to be generated from an actual audit of what cookies the built website uses — not from a template. A cookie policy that does not match the actual cookies on the site is itself a compliance issue.

Fourth, the architecture of the website should minimise tracking dependencies where possible. Every third-party script that loads tracking code is a compliance obligation to manage. The fewer unnecessary tracking integrations a site has, the simpler and more robust its consent implementation can be.

Our standard at build — Every website we build at our Dublin agency includes a compliant consent management implementation as a baseline deliverable — technically verified to block scripts pending consent, configured with a first-layer reject option, and documented with an accurate cookie policy. We treat this as a build requirement, not a post-launch project.

The Bigger Picture: Cookie Law Is Becoming More Stringent, Not Less

The story of the ePrivacy Regulation is sometimes told as a regulatory failure — eight years of effort that produced nothing. That framing is misleading. The enforcement of cookie law across Europe has intensified significantly over the past four years, with major fines issued by the CNIL, the Belgian DPA, and others for consent violations. Ireland’s DPC concluded 146 ePrivacy investigations in 2024 alone. And the Digital Omnibus — still being negotiated — proposes changes that would, if adopted, make single-click refusal and consent state persistence legal requirements rather than best practice recommendations.

The direction of travel is consistent. Consent must be genuinely free, genuinely informed, and technically real — not performed through banners designed to manufacture acceptance. Machine-readable consent signals may, within the next two to three years, reduce the role of per-site banners in favour of system-level preferences. The consent framework is evolving toward one where the user’s preference is expressed once and respected everywhere — a future that may be closer than the current legislative calendar suggests.

For Irish businesses, the practical conclusion is the same regardless of what the Digital Omnibus ultimately contains: audit your website’s cookie implementation against the current DPC standard, remediate what needs fixing, and build new websites with compliant consent handling from day one. The current rules are enforceable. The incoming framework is stricter. And the DPC is the most active data protection regulator in Europe.

Is your website’s cookie implementation compliant?

We are a Dublin-based full digital agency specialising in compliant website development, consent management implementation, and digital marketing infrastructure for Irish businesses. If you are not certain whether your current cookie consent setup meets the DPC’s standards — or if you are planning a new website and want to build compliance in from the ground up — we can help.
This article is for informational purposes and does not constitute legal advice. Irish businesses with specific data protection compliance questions should consult a qualified data protection solicitor or the DPC’s published guidance at dataprotection.ie.