The Only Law That Stops Tracking Before It Starts
There’s a growing push to dismantle Article 5(3) of the ePrivacy Directive - the so-called “cookie law.” Critics argue it’s outdated, redundant because of the GDPR, and a burden to digital business.
That argument misses the mark entirely.
Article 5(3) is the only EU legal provision that restricts the technical act of tracking – before any data is stored, accessed, or classified. It applies to all device access, not just cookies. That includes scripts, pixels, SDKs, and beacons, regardless of whether they store personal data. The GDPR only applies after data becomes “personal.” By then, the damage is done.
“If we lose ePrivacy 5(3), we lose the only legal control users have before tracking begins. GDPR doesn’t replace it. It follows after.”
- Ronni K. Gothard Christiansen
What’s really happening in practice?
Modern tracking often avoids cookies entirely. Server-side tag managers, fingerprinting, and telemetry data collection are embedded on first page load. Consent Mode 2.0, as deployed on most large websites, still loads the full GTM framework by default - analytics, ads, and even third-party beacons.
Consent is delayed, but data is already flowing. Few websites defer loading until after consent, even though it’s possible. This isn’t a technical limitation. It’s a design choice - one made to preserve marketing data at the cost of user rights.
And under GDPR alone, it’s hard to stop. Most of this data isn't “personal” at the moment of capture. Profiling happens later, in backend systems and ad networks. The GDPR kicks in downstream. Article 5(3) is the only regulation that stops access upfront.
So why the push to kill it?
Because 5(3) gets in the way. It forces businesses to ask for consent before loading surveillance tech. It reduces default data capture, breaks dark pattern consent flows, and limits third-party tracking. It’s a legal roadblock to surveillance capitalism.
Repealing or weakening 5(3) won’t help consumers. It will simply make it easier for BigTech and ad brokers to extract more behavioral data by default.
Let’s be honest about the trade-offs:
- Privacy isn't the problem. Non-compliance is.
- Poor implementation of consent banners isn’t a reason to remove consent requirements.
- Consent Mode that collects data before consent is not compliance. It’s privacy theatre.
We don’t need fewer rules. We need better enforcement.
Instead of dismantling 5(3), we should be scanning websites, auditing scripts, and enforcing technical compliance. We should stop loading third-party trackers until after informed consent. And we should move toward first-party solutions that respect user rights by design.
At AesirX, we’ve built a full first-party alternative to adtech dependency. Consent, analytics, and tagging - all privacy-first and fully GDPR + ePrivacy-compliant.
We’re not in a “post-cookie” world. We’re in a pre-consent tracking world.
If we abandon Article 5(3), there’s nothing left to protect users before they’re tracked.
That’s not privacy. That’s surrender.
Ronni K. Gothard Christiansen, AesirX.io
If you are in doubt if your website or e-commerce solution is loading beacons and other tracking technologies before consent is given you can check it in our free privacy scanner.
