
GDPR + ePrivacy changes your Marketing Operations team may have missed.
- Sojourn Solutions

The big picture: ePrivacy didn’t get replaced, it got stuck… and then quietly killed
For years, everyone waited for the EU’s ePrivacy Regulation to replace the old ePrivacy Directive and finally standardise cookie rules across Europe.
That wait is over.
The European Commission formally withdrew the ePrivacy Regulation proposal in 2025, and the European Parliament’s legislative tracker lists the file as withdrawn, with the withdrawal announced in the Official Journal in October 2025.
What that means in practice:
The ePrivacy Directive still runs the show for cookies and similar tracking tech in the EU, and it’s still implemented through national laws.
So yes: you still have a “European” standard, but enforcement and cookie banner expectations can vary by country (and by regulator mood).
If you’re a Marketing Ops team supporting multi-region websites, this is the part where you stop pretending one banner configuration works everywhere.
Change #1: “cookies” now means a lot more than cookies, and regulators are spelling it out
Most Marketing Ops teams still talk about “cookie consent” like it’s just GA + a couple of pixels.
Regulators don’t.
The European Data Protection Board published Guidelines 2/2023 (final version 2.0) clarifying the technical scope of the ePrivacy cookie rule (Article 5(3)). It’s explicitly aimed at newer tracking methods replacing third-party cookies.
Translation into Marketing Ops reality:
Tracking pixels, device fingerprinting approaches, identifiers stored in browser storage, SDK identifiers in apps, and other “cookie-like” tricks are still within scope if they store/access info on a user’s device (or gain access to info already stored).
“Server-side tagging” is not a magic cloak. If you’re still dropping identifiers or reading from the device, you’re still in the same consent conversation... you’ve just moved the furniture.
If you’re doing any of the following, you should treat it as part of your consent architecture, not a side quest:
- Identity stitching / probabilistic matching
- Fingerprinting (including “privacy-safe” variants)
- Persistent IDs passed through tags or SDKs
- Cross-domain tracking setups
- Clean-room style matching where the web layer still drops identifiers
Change #2: Cookie banner UX is now a compliance surface, not just a conversion surface
Regulators have been consistent about one thing: if it’s easier to accept than reject, you’re nudging - and nudging is increasingly treated as non-compliance.
Across Europe, “reject” being as visible/easy as “accept” has become a baseline expectation in cookie UX enforcement (country by country). Spain’s regulator (AEPD) is one of the clearer examples: guidance updates moved Spain toward requiring a reject button at the first layer.
France (CNIL) has also pushed hard against “dark pattern” cookie banners, including formal notices and enforcement attention around misleading designs.
Marketing Ops takeaway:
Your cookie banner is now effectively a regulated UI component. It needs:
- Symmetry (accept/reject equally prominent)
- Clear purpose descriptions (no “enhance your experience” nonsense)
- Granular choices that actually do something
- A withdrawal path that’s as easy as consent
If you’re A/B testing consent banners: fine, but every variant must still meet valid consent requirements. Don’t “test” your way into an enforcement letter.
Change #3: You can record “no” but be careful what you store to remember it
Marketing teams often ask: “Can we remember a user’s rejection so we don’t keep pestering them?”
Yes, sometimes you can store a refusal signal to reduce repeated prompts, but the details matter.
In the draft joint guidance on the interplay between GDPR and the Digital Markets Act (DMA), the European Commission and the European Data Protection Board point out that recording a refusal may be necessary for effectiveness, but they recommend that a record of “negative consent” should not contain a unique identifier.
Marketing Ops implication:
If your “remember rejection” mechanism becomes a stealth identifier, you’re creating the very tracking you claim you’re avoiding.
Practical pattern that usually behaves better:
- Store a short-lived, non-unique refusal flag (or a strictly local preference)
- Avoid building a cross-session identity just to remember someone said “no”
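One way to build and check such a refusal flag, as an added example that is not from this article or from any CMP vendor. The cookie name, the 30-day lifetime, the pattern heuristics and the sample values are all assumptions made for illustration.

```javascript
// Added example; cookie name, lifetime and sample values are constructed.
const REFUSAL_COOKIE = "consent_refused";   // hypothetical name
const REFUSAL_MAX_AGE_DAYS = 30;            // assumed "short-lived" window

// The stored value is a constant flag plus the banner version, so every
// visitor who refuses the same banner stores exactly the same string.
function refusalValue(bannerVersion) {
  return `v${bannerVersion}`;
}

function buildRefusalCookie(bannerVersion) {
  const maxAge = REFUSAL_MAX_AGE_DAYS * 24 * 60 * 60;
  return `${REFUSAL_COOKIE}=${refusalValue(bannerVersion)}; ` +
         `Max-Age=${maxAge}; Path=/; SameSite=Lax; Secure`;
}

// Audit helper: list the reasons a stored refusal value could single out
// one visitor. Heuristic only; an empty result is not proof of compliance.
function identifierRisks(value) {
  const risks = [];
  const uuid = /[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;
  if (uuid.test(value)) risks.push("uuid");
  if (/\b\d{10,13}\b/.test(value)) risks.push("precise-timestamp");
  if (/[A-Za-z0-9_-]{20,}/.test(value)) risks.push("long-random-token");
  return risks;
}

// Constructed values as they might appear in a cookie audit export.
const SAMPLE_VALUES = [
  refusalValue(3),
  "0|1739452800123|3f2b8c1e-7a44-4d0b-9c1e-2f6a5b8d9e10",
];
for (const v of SAMPLE_VALUES) {
  console.log(v, "->", identifierRisks(v).join(", ") || "no identifier pattern");
}
```

The second sample is the pattern to look for in an audit: a refusal record that carries a per-visitor ID and a millisecond timestamp is itself a tracking identifier.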
Change #4: “Consent or pay” got official scrutiny and it spills into marketing patterns
While this is most famous in publisher/media land, it matters for Marketing Ops because the same logic shows up in:
- “Download the whitepaper only if you consent to tracking”
- “Use the site only if you accept marketing cookies”
- “Access pricing only if you opt into marketing”
The European Data Protection Board adopted Opinion 08/2024 on “consent or pay” models used by large online platforms for behavioural advertising, warning that these models can undermine the idea of freely given consent and should offer real choice.
Now, you’re probably not Meta. But enforcement logic spreads downhill.
What to do with your gated content and forms:
- Separate “get the thing” (contract/legitimate interest) from “track me everywhere” (consent)
- If you require an email for a download, don’t bundle it with behavioural advertising consent
- Give a real alternative path if you’re asking for optional processing
If your consent mechanism starts sounding like a bouncer, regulators start acting like the police.
Change #5: The UK quietly raised the stakes for ePrivacy enforcement (massively)
If you operate in the UK (or have UK traffic/customers), this is not subtle.
The UK’s Data (Use and Access) Act 2025 has been rolling in changes between June 2025 and June 2026.
A major batch of provisions took effect on 5 February 2026.
The headline Marketing Ops change: PECR fines now look like GDPR fines
The UK regulator, the Information Commissioner’s Office, confirmed the Act gives it power to issue PECR fines up to £17.5m or 4% of global turnover (previously capped much lower).
Why Marketing Ops should care:
In the UK, a lot of “marketing enforcement” happens under PECR (cookies, email marketing), not just UK GDPR. Raising PECR penalties is basically putting a turbo engine on the thing that already hits marketers most often.
UK cookie rules: More exceptions, but don’t celebrate like it’s a free-for-all
The ICO has updated guidance on “storage and access technologies” to reflect PECR changes and added a section explaining exceptions.
Depending on your exact use case, some low-risk cookies/tech may be easier to justify without consent in the UK than in many EU countries... but:
- Advertising cookies are still advertising cookies
- Cross-site tracking is still cross-site tracking
- “Analytics” can be low-risk or very much not, depending on how it’s configured and shared
Marketing Ops action:
Treat the UK as its own compliance configuration and not a copy/paste of your EU setup.
Change #6: GDPR itself isn’t being rewritten, but targeted “simplification” is moving through the system
In the EU, there’s an active policy push to reduce admin burden - especially for SMEs and “small mid-caps”.
In May 2025, the Commission published a proposal that would amend GDPR Article 30(5) (records of processing activities / ROPA). It aims to broaden exemptions and shift the trigger toward processing that’s likely to result in high risk.
The European Data Protection Supervisor and the European Data Protection Board responded via a joint opinion in July 2025.
Important nuance: this is a proposal, not “GDPR changed yesterday”. But it signals direction: Regulators want to reduce paperwork for smaller orgs without weakening core principles.
Marketing Ops reality check:
Even if ROPA thresholds loosen for some organisations, Marketing Ops still needs a working data inventory to survive:
- DSARs
- vendor reviews
- cookie audits
- consent proof
- incident response
- AI and enrichment governance
So yes, you might get less paperwork. No, you don’t get to be less organised.
Change #7: “Digital rulebook” overlap is becoming a real compliance factor
Marketing Ops used to treat GDPR like the privacy layer and everything else like “someone else’s problem”.
That era is ending.
The European Data Protection Board adopted guidelines on the interplay between the Digital Services Act (DSA) and GDPR in September 2025.
And the European Commission + EDPB ran a public consultation on draft guidance for the interplay between the Digital Markets Act (DMA) and GDPR from October–December 2025, with finalisation expected some time in 2026.
Why this matters for Marketing Ops:
- Consent, personalised ads, profiling, and data-sharing can be scrutinised under multiple frameworks
- Platform changes (especially by “gatekeepers”) can ripple into your tracking stack and measurement model
- Your “compliance by CMP” strategy won’t cover everything if your downstream processing is messy
So what should Marketing Ops do now?
Here’s a practical plan that doesn’t require you to become an EU lawyer or develop a sudden love for policy PDFs - although your company red tape department really needs to be involved ASAP.
1) Treat consent as infrastructure, not a banner
If your CMP is just “a thing we installed,” you’re behind.
You need:
- A consent state that flows into tag management, CDP rules, ad platforms, and CRM sync logic
- Proof trails (what was shown, what was chosen, when it was applied)
- A way to prevent “shadow firing” tags when consent is missing
Also: Audit what your site actually does, not what your tag map says it does. Tag maps lie. Browsers don’t.
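A sketch of that audit, as an added example that is not from this article or any tag manager: it replays what a browser session was observed doing against the consent state at each moment and reports tags that fired without it. The hostnames, the register format and the event log are constructed for illustration.

```javascript
// Hypothetical tag register: host -> purpose that needs consent
// (null = strictly necessary). Hostnames are constructed.
const TAG_REGISTER = {
  "cdn.example-shop.test": null,
  "analytics.example-vendor.test": "analytics",
  "ads.example-vendor.test": "advertising",
};

// Constructed capture of one browser session, in time order (ms).
const OBSERVED = [
  { t: 0,    kind: "request", host: "cdn.example-shop.test" },
  { t: 120,  kind: "request", host: "ads.example-vendor.test" },   // before any choice
  { t: 900,  kind: "consent", granted: ["analytics"] },            // advertising rejected
  { t: 950,  kind: "request", host: "analytics.example-vendor.test" },
  { t: 1300, kind: "request", host: "ads.example-vendor.test" },   // after rejection
  { t: 1400, kind: "request", host: "pixel.unknown-vendor.test" }, // not in the register
];

// Walk the capture, tracking the consent state as it changes, and collect
// every request that was not covered by consent or by the register.
function findShadowFirings(events, register) {
  let granted = new Set();   // nothing is granted until the user chooses
  const findings = [];
  for (const ev of events) {
    if (ev.kind === "consent") {
      granted = new Set(ev.granted);
      continue;
    }
    if (!Object.prototype.hasOwnProperty.call(register, ev.host)) {
      findings.push({ t: ev.t, host: ev.host, reason: "unregistered" });
      continue;
    }
    const purpose = register[ev.host];
    if (purpose !== null && !granted.has(purpose)) {
      findings.push({ t: ev.t, host: ev.host, reason: `no-consent:${purpose}` });
    }
  }
  return findings;
}

for (const f of findShadowFirings(OBSERVED, TAG_REGISTER)) {
  console.log(`${f.t}ms ${f.host} ${f.reason}`);
}
```

The "unregistered" finding is the tag-map gap: a host the browser contacted that the register does not know about.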
2) Reclassify your tracking methods using the EDPB’s broader scope
Use the EDPB technical scope guidelines as your internal taxonomy refresh.
Specifically, update your tracking register to include:
- Pixels and non-cookie identifiers
- Fingerprinting-like techniques
- SDK-based tracking in apps
- Identity matching flows
If you can’t describe it clearly, you can’t justify it credibly.
3) Fix banner UX where it’s obviously indefensible
If your reject button is hidden behind “Manage options” but accept is a big shiny button… you already know how that looks.
Aim for:
- equal prominence
- plain language
- no guilt-tripping
- no pre-ticked toggles
- no “legitimate interest” switcheroo that behaves like consent
4) Split “marketing” into lawful buckets (and stop mixing them)
Marketing Ops teams get in trouble because they treat all growth activity as one blob.
You need separate rules for:
- Service messaging (contract / legitimate interest)
- Customer marketing (soft opt-in may apply in some jurisdictions; check local rules)
- Prospecting (legitimate interest may be possible, but transparency + opt-out must be real)
- Behavioural advertising (usually consent-heavy, especially once ePrivacy applies)
The ICO’s direct marketing guidance is a solid operational reference point for UK interpretations.
5) UK-specific: review PECR risk like it’s GDPR risk now
Because the penalty ceiling just moved into grown-up territory.
Do a UK pass on:
- Cookie classifications and exceptions (based on the ICO’s updated storage/access guidance)
- Email marketing basis (consent vs soft opt-in vs B2B rules)
- Suppression lists, opt-out mechanisms, and proof of consent where required
6) Prepare for the boring-but-deadly bits: DSARs and complaints
The UK reform programme is phased, and some obligations land later (including elements around complaints handling during 2026).
Even if you’re EU-only, DSAR operational maturity is often where orgs fail in practice:
- You can’t find data fast enough
- You can’t delete it cleanly
- You can’t explain why you have it
Marketing Ops is usually the owner of half the systems involved. Lucky you.
A quick “what to tell your team” summary
- EU ePrivacy Regulation is dead; the ePrivacy Directive lives on, so cookie rules stay fragmented across member states.
- The EDPB has clarified that tracking beyond cookies still falls into the consent regime.
- Banner UX is enforcement fuel: Reject must be easy, dark patterns are a liability.
- “Consent or pay” scrutiny is real and the logic spreads into gated experiences.
- The UK has escalated PECR enforcement: £17.5m / 4% is now on the table.
- GDPR “simplification” is in motion (especially around ROPA thresholds), but it’s not a free pass to be messy.










