Europe proposes machine-readable consent signals for GDPR compliance

European Commission amendments would require websites and apps to recognize browser-based consent preferences after a six-month transition period, with an exception for news media.

The European Commission has proposed amendments that would allow internet users to communicate their consent or refusal for data processing through machine-readable signals set via their web browsers or mobile device settings, according to a post from Luis Alberto Montezuma, an International Data Spaces Facilitator, on his LinkedIn profile.

The amendment aims to provide data subjects with the ability to set preferences through their internet browsers or mobile device settings, enabling automated communication of decisions regarding consent, refusal, and the right to object under Article 21(2) of the General Data Protection Regulation. Data controllers would be required to recognize and honor those signals, except for news sites and media, according to Montezuma's summary of the proposal.

This proposal builds on previous amendments to Directive (EU) 2002/58/EC (ePrivacy Directive), references Article 21(5) of GDPR, and considers reforms from 2017. Its purpose is to allow users to manage their choices using browser or application settings, according to the post shared on November 14, 2025.

Once standardized methods are established, controllers of websites and mobile applications will be obligated to honor such machine-readable indications following a six-month transition period. This initiative intends to encourage browser and mobile operating system developers to incorporate functionality supporting user preference signals.

The Commission may require browser manufacturers, mobile phone operators, and app store providers to allow users to set cookie consent preferences, which would then be communicated automatically and in a machine-readable format to websites and mobile apps.

The timing of this proposal comes amid significant tension between major technology platforms and European regulators over consent mechanisms. Apple faced a €150 million fine from the French Competition Authority in March 2025 for implementing what regulators determined was an anticompetitive consent framework through its App Tracking Transparency system.

The proposed machine-readable consent signals would differ fundamentally from existing preference mechanisms implemented by major platforms. The stated aim of Google's Privacy Sandbox Proposals was to remove cross-site tracking of Chrome users through third-party cookies and alternative tracking methods such as fingerprinting and replace it with tools to provide selected functionalities currently dependent on cross-site tracking. This year, Google ended its Privacy Sandbox plan. Chrome will continue to support third-party cookies in normal browsing.

While not a preference signal, Apple's universal opt-out feature, which was added to their operating system several years ago, allows users to universally opt out of giving app developers permission to track the users' activities across other applications. The feature sparked significant controversy and regulatory scrutiny across multiple European jurisdictions.

France's data protection authority, the Commission Nationale de l'Informatique et des Libertés, has issued opinions on Apple's App Tracking Transparency framework that highlighted fundamental problems with the consent collection mechanism, according to a CNIL opinion dated May 19, 2022. The opinion, labeled as Decision No. 2022-060, addressed complaints filed by professional online advertising associations against Apple.

Since iOS update 14.5 took effect on April 26, 2021, app publishers wishing to track their users for advertising purposes (either by accessing the device advertising identifier IDFA or by using other tracking methods), or to allow their partners to do so, are required to obtain the user's explicit consent via a pop-up window designed by Apple and called "App Tracking Transparency," part of whose architecture cannot be modified, according to the CNIL opinion.

The advertising targeting in question is that which is carried out using data collected from several applications or websites. The Competition Authority received a complaint filed on October 23, 2020, by several professional online advertising associations against Apple. This complaint, which was accompanied by a request for interim measures, sought to have the company convicted on the basis of Articles L. 420-2 of the Commercial Code and 102 of the Treaty on the Functioning of the European Union, due to practices that the complainant associations consider to be anticompetitive.

The CNIL opinion highlighted critical problems with Apple's implementation. The applicant associations claimed that the ATT request has a limited number of characters. The ATT request therefore limits in practice the possibility of including the information necessary to obtain valid consent, as set out by the Commission in Article 2 of its guidelines on cookies and other trackers, in particular the list of partners to whom the data is transmitted when this is important.

The ATT request appears to require publishers to design a second window to obtain consent for cross-app/site advertising tracking, according to the CNIL analysis. Based on the information available to the Commission and subject to the evidence that Apple will provide in its defense, it appears that the ATT prompt does not allow for the direct insertion of the information necessary to obtain informed consent within the meaning of GDPR articles, as it suffers from two limitations: on the one hand, the length of the text appears to be limited and does not allow, in practice, for the insertion of all the information required, in particular by Articles 12 et seq. of the GDPR; on the other hand, the window does not appear to allow the insertion of a clickable hyperlink enabling the user to access this information on a second level.

The CNIL emphasized that the possibility of obtaining valid consent, within the meaning of the GDPR, for advertising tracking, directly via the ATT request, may offer advantages including simplification of the user's choices through a standardized interface, partially imposed and particularly clear wording, and provision of a tool for small publishers. A marginal improvement in the settings for the ATT request that does not compromise the readability of this window, so that it can be used to obtain valid consent (in particular through the inclusion of a clickable hyperlink), would make it possible to maintain the user protection offered by the ATT request without presenting the disadvantage of creating a complex and excessive system for the user.

The European Commission's proposal for machine-readable consent signals would establish a different approach. The amendment would require controllers to "ensure that their online interfaces are able to interpret the automated and machine-readable indications" for consent refusal and objections, according to recent reporting on proposed GDPR changes. The obligation would apply six months after the publication of harmonized standards, though the Commission retains authority to mandate browser and operating system providers to implement such features if market adoption proves insufficient.

The exemption for news sites and media under the proposed framework has drawn attention from privacy advocates. Ronni K. Gothard Christiansen, Technical Privacy Engineer and CEO at AesirX, commented on the LinkedIn post about the concern that "controllers would be required to recognise and honour those signals, except for news sites/media."

Media service providers receive an explicit exemption from automated consent signal requirements under proposed Article 88b(3), maintaining existing consent banner practices for news websites and streaming platforms. This exemption contrasts sharply with the strict requirements imposed on other types of website operators.

The CNIL has taken multiple enforcement actions against websites for deceptive cookie consent practices. France's data protection authority ordered websites to fix misleading cookie banners in December 2024, targeting dark patterns that make rejecting cookies more difficult than accepting them.

Google faced a €325 million fine from CNIL in September 2025 for Gmail ads and cookie violations affecting over 74 million accounts. The enforcement action addressed two major violations: displaying advertisements between Gmail emails without user consent, affecting 53 million users, and implementing biased cookie consent mechanisms during Google account creation that favored accepting personalized advertising.

The proposed machine-readable consent signal system would need to coordinate with existing regulatory frameworks. European Data Protection Board guidelines on DSA-GDPR compliance published in September 2025 emphasized the need for privacy-preserving approaches to dual compliance with both Digital Services Act requirements and GDPR provisions.

Germany has pushed for sweeping data protection simplification beyond the Commission's proposals, submitting a document on October 23, 2025, requesting immediate GDPR amendments including changes to consent hierarchies, information requirements, breach notification deadlines, access rights, and sensitive data protections.

The timing of the European Commission's machine-readable consent signal proposal occurs alongside broader regulatory scrutiny of major technology platforms. German regulators found Apple's app tracking rules may violate competition law in February 2025, with the Bundeskartellamt announcing that Apple's implementation of its App Tracking Transparency Framework created stricter requirements for third-party app providers seeking user consent for data access compared to Apple's own apps.

The proposal would create standardized technical mechanisms for communicating user preferences across different websites and applications. Implementation would require coordination between browser developers, mobile operating system providers, website operators, and regulatory authorities to establish interoperable technical standards.

For marketing professionals, the machine-readable consent signal system could fundamentally change how user preferences are collected and honored across digital properties. Rather than each website presenting its own consent management platform, users would be able to set preferences once at the browser or device level that would be automatically communicated to websites they visit.

France has proposed stricter email tracking consent rules that would require explicit consent for email tracking pixels, demonstrating the continued expansion of consent requirements across different communication channels. The CNIL opened a public consultation period through July 24, 2025, inviting industry feedback on regulations that would significantly impact how organizations monitor email engagement.

The European Commission's proposal represents an attempt to reduce consent fatigue while maintaining strong privacy protections. Users currently face multiple consent requests across different websites, leading to what regulators describe as "consent banner fatigue" that may undermine informed decision-making.

The six-month transition period following the establishment of standardized methods would give website operators and application developers time to implement technical systems capable of recognizing and honoring machine-readable consent signals. The Commission's authority to mandate implementation if market adoption proves insufficient suggests regulators are prepared to enforce compliance if voluntary adoption fails.

The exemption for news sites and media outlets from the machine-readable consent signal requirements preserves existing consent banner practices in the publishing sector. This carve-out acknowledges the specific business models and technical constraints facing media organizations while maintaining stricter requirements for other website categories.

Summary

Who: The European Commission proposed amendments affecting data controllers, website operators, mobile application publishers, browser manufacturers, mobile phone operators, app store providers, and internet users across the European Union. Data subjects would gain the ability to set consent preferences through technical mechanisms. Controllers would face an obligation to recognize automated consent signals. News sites and media outlets receive an explicit exemption from the requirements.

What: The proposal introduces machine-readable consent or refusal signals for data processing that users can set through internet browsers or mobile device settings. Data controllers must recognize and honor automated communications of consent decisions, refusal, and objections under Article 21(2) GDPR following a six-month transition period after standardized methods are established. The Commission may mandate browser manufacturers, mobile operators, and app store providers to implement user preference functionality. News media receive an exemption from automated consent signal requirements.

When: The European Commission proposed amendments that build on previous reforms to Directive (EU) 2002/58/EC (ePrivacy Directive) from 2017 and reference GDPR provisions. Controllers would have a six-month transition period to comply after the publication of harmonized standards. Luis Alberto Montezuma shared analysis of the proposal on November 14, 2025.

Where: The amendments would apply across European Union member states to websites and mobile applications accessible to EU data subjects. Requirements affect controllers operating digital interfaces that process personal data. Implementation requires coordination between browser developers, mobile operating system providers primarily based in the United States (Apple, Google, Microsoft), and website operators globally serving EU users.

Why: The proposal aims to reduce consent fatigue from multiple individual consent requests while maintaining privacy protections. The current system requires users to interact with separate consent management platforms on each website visited. Machine-readable signals would allow users to set preferences once at the browser or device level. Regulators identified problems with existing platform-specific implementations like Apple's App Tracking Transparency that created anticompetitive conditions and failed to collect legally valid consent under GDPR. A standardized approach would provide a consistent consent communication mechanism across the digital ecosystem while preserving user control over personal data processing.