Agnes standing in front of a closed door labeled 'ePrivacy Reform', holding an action list

Cookie Law 2026: The ePrivacy Reform Is Dead — Here's What to Do Now

GDPR, Compliance

After eight years of waiting, the answer is finally here: the ePrivacy Regulation is not coming. On 11 February 2026, the European Commission officially withdrew the proposal. No new European cookie law. No simplification of the current rules. That door is closed.

In a sideways sense, that is a relief. If you have been holding off on updating your cookie banner until the new rules arrived, the waiting is over. Not because the rules were simplified, but because they simply are not coming.

The less comfortable part: current rules remain fully in force, and the Dutch DPA (AP) is enforcing more strictly in 2026 than at any point in the past five years. If your consent setup is not in order, this is the moment to fix it. Not next year. Now.

Why the ePrivacy Regulation is never coming

Negotiations began in 2017 and stalled on almost every substantive point. Member states disagreed on exceptions for national security, rules for machine-to-machine communications, and the knock-on effects for ad-funded media business models. After eight rounds of negotiation, no majority existed for a compromise text.

The European Commission took the pragmatic exit: limited amendments to existing rules via the Digital Omnibus package, rather than a comprehensive new regulation. That package is primarily an administrative simplification exercise, not a fundamental overhaul of cookie law.

The result: the ePrivacy Directive from 2002 stays in place, supplemented by GDPR. The rules that apply today are the rules you are working with.

What does change through the Digital Omnibus?

Not much, and nothing that affects your day-to-day compliance work. The Digital Omnibus makes two technical adjustments.

First, duplicate notification obligations are removed. Security incidents and data breaches had to be reported under both the ePrivacy Directive and GDPR (Articles 32 to 34). That overlap disappears. This saves paperwork but changes nothing about your cookie policy.

Second, Article 5(3) of the ePrivacy Directive is lightly amended for certain device storage that is already fully governed by GDPR. Edge cases for developers; no practical impact on standard cookie banners.

What does not change: the requirement for prior consent for non-essential cookies, the obligation to give users a genuine choice, and the rules around transparent information. These stay exactly as they are.

Stricter enforcement from the Dutch AP in 2026

The AP published its 2026 enforcement priorities and explicitly names pre-consent tracking and dark patterns as its top two areas of focus. These are not vague policy ambitions. The EDPB's 2026 Coordinated Enforcement Framework has 25 national supervisory authorities simultaneously investigating transparency and consent practices. Companies are being contacted right now.

What specifically is the AP looking for? Five patterns keep coming up in current enforcement practice.

Scripts loading before consent. Advertising pixels, analytics tags and tracking code that fire before the user has clicked accept. This is the most common violation.

Cookie banners without a clear reject button. A banner with only "accept all" and "manage settings" is a dark pattern. The option to reject must be as accessible as the option to accept.

Pre-ticked consent boxes. Consent must be actively given, not the result of inaction.

Bundled consent. One button for all purposes, with no option to choose per purpose.

Privacy notices that provide no specific information about which cookies are used and why.

Three things to fix right now

This does not need to be a major project. The basics can be sorted in a day.

Run a technical audit of your cookie banner. Open your browser, go to the network inspector (F12, Network tab) and load your website without accepting any cookies. Check which external requests fire before you click anything. Ad pixels from Google, Facebook, LinkedIn, or Hotjar that load before consent is given are violations. They must only load after acceptance. This is the first check the AP will run.

Add a clear "reject all" button to your cookie banner. If your banner only offers "accept all" and "manage preferences," it does not meet current AP guidance. The rejection option must be as prominent as the acceptance option: same level, same visual weight. Not a small link in grey text.

Update your privacy notice. A cookie section cannot be generic. Describe per cookie category what you use, for what purpose, which third parties receive the data, and how long cookies are retained. "We use cookies to improve our service" is legally insufficient. The AP expects specific, granular information.

Conclusion: waiting for simplification is not a strategy

Companies that waited for the ePrivacy reform before updating their consent setup have been waiting eight years. The wait is officially over, just not in the way they hoped. The door is closed, the rules have not been simplified, and the AP is actively enforcing.

The three steps above take a day and directly reduce your exposure to the AP's active 2026 enforcement cycle.

Want to get your GDPR compliance properly in order? ComplianceHive helps you map the areas the AP is focusing on most in 2026. See the GDPR feature overview for a full picture.


Start gaining control over your vendors and software today

Let ComplianceHive help you with ISO 27001, GDPR, vendor management, and more. No hassle, no spreadsheets, just clarity. Start now with a free 1-month trial. No credit card required, no hidden fees. Discover the Busy Hive plan and manage up to 25 tools and vendors in one overview.

Try 1 month for free