
Effective September 2025, the EU Data Act aims to unlock industrial data and boost innovation. It empowers users to access and share data from connected devices, reducing vendor lock-in. Businesses must align data sharing with GDPR standards, updating cookie consent and technical frameworks to ensure transparency or face significant fines.
The EU is set to unleash a transformative regulation on 12 September 2025: the EU Data Act — an ambitious effort to unlock data, stimulate innovation, and give users more control over connected products and related services.
The reasoning behind the EU Data Act hinges on innovation and interoperability. By introducing and implementing a regulation designed to harmonize the access to and use of data within the EU, the Union aims to create a single data market, reduce lock-in, and elevate Europe’s global digital footprint.
Why is data sharing important to European digital innovation goals? Data is valuable, but according to European Commission estimates, about 80% of European industrial data goes unused. By opening the door to fair data access and use, it becomes possible to exploit the economic value of this data to the tune of up to an additional 270 billion EUR in GDP by 2028.
The EU Data Act, through its data sharing mandates, holds potential for benefiting both consumers and businesses.
For consumers, the Data Act prevents contractual and technical lock-ins that stop users from switching service providers. This means that businesses, such as manufacturers of connected devices, cloud service providers, and other IoT-related companies that collect or use data generated by IoT products like EVs and wearables, will be affected: they will have to unlock their previously locked-up data and start sharing it, and they will need to adopt new data governance strategies and contractual frameworks to meet these new requirements. This will improve choice and competition for consumers.
But businesses across industries also benefit, as they gain increased access to data generated by their connected products and services (even if they don’t own the product), which can lead to opportunities to develop new services and business models. The openness of access to data can disrupt markets and help businesses compete on a more level playing field, which may be especially valuable for small and medium-sized businesses. Organizations can also benefit from better data portability and interoperability, as they too can avoid vendor lock-in.
An often overlooked yet key consideration, particularly as the Data Act is all about data, is how the Data Act intersects with cookies and consent. What do organizations need to do to be prepared for consent in the EU Data Act era? The primary takeaway is that cookie and consent mechanisms must be fully aligned with technical data-access processes and legal obligations under both the Data Act and GDPR. As part of becoming Data Act compliant, organizations will therefore need to conduct a thorough cookie and consent audit, keeping the following principles in mind:
Cookies during ‘access on request’: Device and app access portals will often rely on cookies. The Act requires transparent and legitimate data access, meaning consent must be freely given, specific, and granular under GDPR and PECR rules.
Consent logs as data: The Act defines all data generated as in-scope. That includes consent metadata — for example, timestamps and user choices. Tools must expose this metadata clearly.
Avoiding forced consent: Data access must not hinge on accepting tracking cookies. Any such bundling risks both GDPR and Data Act non-compliance, which can result in fines of up to 20 million EUR, or 4% of global turnover, whichever is higher. National authorities will handle enforcement for non-personal data breaches, while personal data breaches will continue to be managed under GDPR’s supervisory framework.
Updating cookie banners: As devices and apps evolve to support Data Act compliance, cookie notices need updating to reflect how data access is handled, including whether users can opt out of non-essential cookies while still accessing their data.
The EU Data Act introduces sweeping changes, giving users rights to their own data, and making manufacturers and service providers build systems to support this level of data access and transparency. Cookie consent interfaces must adapt accordingly.
Getting ahead requires not just legal reviews, but real changes in technical architecture, contractual frameworks, and cookie-consent flows. The joint lens of Data Act, GDPR, and the UK’s Privacy and Electronic Communications Regulations (PECR) means organizations are on the hook for clarity, fairness, and transparency in their data handling and sharing.

