EDPB’s 2025 enforcement targets GDPR Article 17, auditing erasure compliance, including cookies. Rising deletion requests, high costs, and non-compliance risks demand automated workflows, consent tracking, legal readiness, and robust privacy operations to avoid penalties and build trust.
The European Data Protection Board (EDPB) launched its Coordinated Enforcement Framework (CEF) action for 2025 early in the year with a focus on implementing the right to erasure or right to be forgotten (Art.17 GDPR). The shift in enforcement priorities for Europe’s Data Protection Authorities (DPAs) reflects a more robust enforcement of the GDPR’s Article 17, which gives individuals the right to have their personal data deleted in certain situations.
During 2025, 30–32 EU Data Protection Authorities (DPAs) will audit controllers through fact-finding and formal investigations to see whether erasure requests are handled properly. That is, are requests to delete managed within the scope of the law, in a timely fashion, and in compliance with exceptions under the GDPR?
The crackdown stems from the fact that requests for erasure are one of the most frequently invoked GDPR rights, and one that generates significant complaints from individuals. Data controllers are expected to erase personal data “without undue delay” (typically within one month), and must track down and inform third parties who hold that data.
A 2025 report tracking trends in privacy highlighted an 82% year-on-year growth in data deletion requests. For companies with medium to high levels of traffic, this is expensive at an estimated 1.26 million USD annually per five million unique visitors. Gartner research puts the cost of a single data subject request at 1,524 USD – a cost that can quickly skyrocket.
As a part of the consumer drive to take control of data privacy, the number of “do not sell” requests are also soaring. As regulatory bodies subject organizations to greater scrutiny, it would seem that companies would be on their best behavior in honoring opt-out requests, but the same privacy trend report claims that upward of 69% of businesses violate consumer consent, deploying tracking cookies regardless of consent preferences.
This finding aligns with trends observed elsewhere, for example, in research from Iceland’s Electronic Communications Office, all web service providers reviewed placed cookies on users’ devices despite users’ explicit rejection. And the Dutch DPA recently ramped up its enforcement mechanisms, issuing warnings to a number of organizations, that were found to be deploying misleading cookie bannkers or unlawfully placing tracking cookies without valid consent.
Erasure isn’t limited to personal data in your CRM — it also apply to cookies and trackers, tied directly to consent mechanisms.
Under the GDPR and ePrivacy rules, consent for cookies must be freely given, specific, and revocable. EU law mandates that consent can be withdrawn at any time, and if it is, all relevant cookies must be deleted.
Yet real-world audits reveal disturbing non-compliance: a 2024 study of 20,000 domains found:
19.9% made revocation harder than giving consent
57.5% failed to delete cookies after withdrawing consent
Some withheld revocation from third parties, enabling continued tracking
Moreover, around 50% of websites set “intractable cookies” that stay even after rejection, often lasting over 10 days.
Non-compliance with cookie and consent management can be considered a form of erasure failure, thus exposing the offending organization to greater enforcement and penalties.
In addition to creating unpredictable costs to the mix, commercial and technical overheads become a concern as individuals start to activate their privacy rights in greater number. Specifically with regard to cookies, every banner interaction triggers logging, cookie audits, and integration with consent management systems, which adds to the complexity and cost – and this needs to be a part of the big-picture consideration for right-to-erasure compliance.
Many of these overheads are worsened by organizations not having a clear idea about where all consumer data actually lives and how (or whether) they have collected valid consent for the cookies they have placed and the subsequent data gathered.
To be able to manage the coming flood of erasure requests, a new approach to data privacy and consent management is required. To get ready for this new era of tougher enforcement, it’s time to take stock and invest in some key actions:
Map data flows across internal and third-party systems, highlighting storage locations, retention limits, and third-party transfers
Build automated workflows for verifying identity, tracking requests, locating data, triggering deletion and issuing confirmations.
Maintain audit trails with proof of erasure and communications
Know when erasure can be lawfully refused
Know how to explain these exceptions
With CEF audits active, expect DPAs to inquire on fact-finding missions. Prepare the evidence trail, including your policies, logs, and communications.
Bolster erasure capabilities to avoid administrative penalties and reputational damage
Ensure your CMP supports real-time revocation, automatic deletion of cookies, and communication with third parties. Perform audits to detect intractable cookies
Coordinate processes among legal, compliance and IT teams
Include cookies and consent in the wider data privacy
The era of passive data handling is over. Under the EDPB’s 2025CEF enforcement drive, companies must elevate their privacy operations, especially in the areas of erasure and consent-driven cookie management. The stakes are high: manual processing costs in the high hundreds of thousands, automated infrastructure investment, potential fines, and reputational damage.
To stay compliant and competitive:
Automate as much of the deletion and revocation workflow as possible.
Track and audit consents and erasures in real time.
Document legal rationales for any refusals or delays.
Prioritize DPA readiness: internal reviews should mimic the depth of a likely investigation.
Adopt a comprehensive consent management platform
By taking these steps today, organizations can transform erasure from a compliance headache into a trust-building opportunity.
©2025 CookieHub ehf.
