FEDMA calls for risk‑based and purpose‑oriented cookie rules in the GDPR

FEDMA's newly published position paper sets out a pragmatic and future‑proof contribution to the ongoing discussions on the EU Data/Digital Omnibus. The paper responds to current negotiations on the proposed amendments to the GDPR and ePrivacy framework and aims to support the EU’s broader simplification agenda while maintaining a high level of protection for individuals.

European users are increasingly confronted with excessive and repetitive consent requests, often for low‑risk and purely technical data processing. FEDMA’s analysis shows that this over‑use of consent undermines meaningful user choice, weakens trust, and diverts significant resources away from genuinely high‑risk processing. In this context, FEDMA welcomes the direction taken in the Digital Omnibus proposal to introduce Article 88a GDPR, but argues that further adjustments are needed. In particular, continuing to rely on a consent‑first logic for any storage or access to terminal equipment, even where processing is low‑risk and expected by users, risks perpetuating cookie fatigue rather than resolving it.

Our suggested alternative is fully aligned with the GDPR’s risk‑based framework: establishing objective, non‑cumulative indicators that create a rebuttable presumption of low risk under Article 88a(3) GDPR. Where these indicators are met, genuinely low‑risk processing could rely on appropriate GDPR legal bases without systematically triggering consent banners, while remaining subject to strict safeguards such as accountability, transparency, purpose limitation, and effective enforcement. This approach would allow companies and regulators to focus efforts where they matter most - on high‑risk processing - while preserving a high level of fundamental rights protection for individuals.

FEDMA also stresses the importance of keeping EU data protection law technology‑neutral. The position paper warns against inflexible rules, such as a list of sector-specific processing activities. Instead, FEDMA supports a competitive ecosystem of interoperable solutions that can adapt to technological developments and user expectations. By clarifying that many common data‑driven marketing activities, such as contextual advertising, frequency capping, ad fraud prevention, ad measurement and brand safety, are likely to be low risk when properly safeguarded, the proposal improves legal certainty while reducing unnecessary compliance burdens, especially for SMEs.

FEDMA believes that a rebuttable presumption of low‑risk processing under Article 88a would meaningfully contribute to the Commission’s simplification objectives. It would reduce administrative burden, lower compliance costs, and allow both businesses and data protection authorities to allocate resources more effectively, without lowering privacy standards.

We have shared our position paper with EU policymakers, including the Council Presidency, and stand ready to discuss its tenants and their practical implications for European businesses and consumers.