What the Digital Omnibus Package Proposes
On 19 November 2025, the European Commission published the Digital Omnibus package, a set of proposed amendments to the EU's digital regulatory framework. Among the most significant changes is a plan to move cookie consent rules out of the ePrivacy Directive and into the GDPR itself, through two new provisions: Article 88a and Article 88b.
Article 88a would govern when storing information on, or accessing information from, a user's device requires consent. Article 88b would set technical standards for how users express their consent preferences, including through browser-level signals.
The Commission described the proliferation of cookie banners and consent fatigue as a problem whose regulatory solution is "long-overdue".
Why Cookie Rules Would Move from ePrivacy to GDPR
Since 2002, cookie consent has been governed by Article 5(3) of the ePrivacy Directive, later amended in 2009 to require active consent. The ePrivacy Regulation was meant to replace the Directive, but after years of legislative deadlock since 2017, the Commission has taken a different approach.
Under the Omnibus proposal, the ePrivacy Directive would no longer govern the processing of personal data of natural persons. The GDPR alone would apply. This consolidation aims to reduce the confusion that comes from having two overlapping legal instruments covering the same cookies.
For website owners, this means one regulation to follow rather than two, at least where personal data is involved.
Article 88a: The New Cookie Consent Framework
Article 88a does not eliminate the need for cookie consent. It retains consent as the general rule but introduces a closed list of exemptions where storing or accessing information on a user's device would be permitted without prior consent.
Exemptions That Would Not Require Consent
The proposed exemptions under Article 88a cover four categories:
| Exemption | Description | Example |
|---|---|---|
| Network transmission | Strictly necessary for transmitting a communication over an electronic communications network | Load balancing cookies |
| User-requested service | Strictly necessary to deliver a service expressly requested by the user | Shopping cart cookies, PHPSESSID |
| First-party audience measurement | Generating aggregated audience measurement data, used solely by the service provider for its own online service and internal purposes | Self-hosted analytics pageview counters |
| Security | Maintaining or restoring the security of a service | Anti-fraud tokens, CSRF cookies |
The first-party analytics exemption is new and significant. If adopted, a website running its own privacy-preserving analytics purely for internal use could skip the consent prompt for those measurement cookies. Third-party analytics services like Google Analytics would still require consent, since the data leaves the site owner's direct control.
What Still Requires Consent
Everything outside these four categories still needs consent before cookies are set. That includes marketing cookies, cross-site tracking pixels such as the Meta Pixel, third-party analytics, and personalisation cookies.
The proposal does not introduce legitimate interest as a legal basis for cookie storage. This distinction matters: the exemptions in Article 88a are specific carve-outs, not a broad permission to process data without consent.
Article 88b: Browser-Level Consent Signals
Article 88b is arguably the more forward-looking provision. It would require data controllers to respect machine-readable consent signals sent by browsers or operating systems.
The idea is straightforward. Rather than clicking through a cookie banner on every website, a user would set their privacy preferences once in their browser. Websites would read those preferences automatically and act accordingly.
This concept is not entirely new. The Global Privacy Control (GPC) signal already exists and carries legal weight under several US state privacy laws, including the CCPA. The Omnibus proposal would establish a similar requirement within EU law, though the technical standards for how browsers should implement this are not yet defined.
The Practical Gap
Browser vendors would need to agree on technical standards, build the functionality, and deploy it to users. That process will take time. The Commission has acknowledged this by proposing a longer transition period for Article 88b: 24 months after the regulation enters into force, compared to just 6 months for Article 88a.
Until browsers widely support standardised consent signals, cookie banners will remain necessary.
New Restrictions on Repeat Consent Prompts
The Omnibus proposal directly targets consent fatigue with two specific rules. First, where a user provides consent, the controller must not request consent again for the same processing purpose. Second, where a user refuses consent, the controller must not prompt again for at least six months.
For website owners, this means storing and respecting refusal decisions for a minimum of six months rather than showing a banner on every visit.
The proposal also requires that any consent mechanism include a single-click refusal option. This echoes existing enforcement by the CNIL in France, which has fined companies for making rejection harder than acceptance. The one-click reject principle would become a statutory requirement across the EU if the proposal is adopted.
EDPB and EDPS Response
The European Data Protection Board and European Data Protection Supervisor published a joint opinion on the Digital Omnibus in early 2026. They support the objective of reducing consent fatigue and welcome the proposed requirements for machine-readable consent signals.
Their concerns focus on two areas. Moving cookie rules from the ePrivacy Directive into the GDPR creates a potential gap: the GDPR only covers personal data, while Article 5(3) of the ePrivacy Directive covers all information stored on a device, whether personal or not. Cookies that do not contain personal data might fall outside GDPR scope.
The EDPB and EDPS also raised strong objections to the Omnibus proposal's changes to the definition of personal data, which they argue could significantly narrow data protection rights. These broader concerns, while not directly about cookies, could affect how cookie-related processing is classified.
Timeline and What to Expect
The legislative process for the Digital Omnibus follows the ordinary EU procedure. The European Parliament received the proposals in late 2025 and committee discussions are under way in 2026. The EU Council will formulate its position in parallel, followed by trilogue negotiations to reach a compromise.
Optimistic estimates suggest adoption by late 2026, with Article 88a entering force in early 2027 (six months after adoption) and Article 88b by early 2029 (24 months after adoption).
| Milestone | Estimated Date |
|---|---|
| Commission proposal published | November 2025 |
| Parliament and Council deliberations | 2026 |
| Possible adoption | Late 2026 - 2027 |
| Article 88a applies (cookie exemptions) | 6 months after adoption |
| Article 88b applies (browser signals) | 24 months after adoption |
These timelines are subject to change. Previous attempts to reform EU cookie law, including the ePrivacy Regulation, stalled for years. Political negotiations could extend the process considerably.
What Website Owners Should Do Now
The Omnibus Directive is a proposal, not law. No changes to your current compliance setup are required today. Cookie consent under the existing ePrivacy Directive and GDPR framework remains the binding standard.
That said, several steps can prepare your site for the direction the regulation is heading:
- Audit your analytics setup. If you rely on third-party analytics, the proposed first-party exemption would not cover you. Consider whether self-hosted analytics tools could reduce your consent dependency.
- Ensure your banner already offers a single-click reject option with equal prominence to the accept button. Regulators are enforcing dark pattern rules now, not waiting for the Omnibus.
- Track the legislative progress. The IAPP and official EDPB publications are reliable sources for updates.
- If your site already supports GPC signals, you are ahead of the curve on browser-level consent. If not, consider implementing GPC detection as a practical step toward the Article 88b model.
Frequently Asked Questions
Will the EU Omnibus Directive eliminate cookie banners?
Not entirely. The proposal exempts certain cookies from consent requirements, such as first-party analytics and security cookies, but marketing cookies, third-party tracking, and personalisation still require prior consent. Cookie banners will remain necessary for most commercial websites until browser-level consent signals are widely adopted.
When will the EU Omnibus cookie changes take effect?
The proposal was published in November 2025 and is now being debated by the European Parliament and Council. If adopted by late 2026, the cookie exemptions under Article 88a could apply from early 2027, while browser-level consent requirements under Article 88b would follow roughly 24 months later.
Does the Omnibus proposal exempt Google Analytics from consent?
No. The first-party analytics exemption applies only where the service provider processes aggregated audience measurement data solely for its own online service and internal use. Google Analytics sends data to Google's servers, which falls outside the exemption. Self-hosted analytics tools used for internal measurement are the intended beneficiaries.
What is Article 88b and how does browser-level consent work?
Article 88b would require websites to respect machine-readable consent signals from browsers or operating systems. Users would set their privacy preferences once in their browser, and websites would honour those preferences automatically. Technical standards for this functionality have not yet been finalised.
Can websites keep showing cookie banners after a user refuses consent?
Under the proposal, if a user refuses consent, the website must not prompt again for the same purpose for at least six months. This aims to reduce consent fatigue and repetitive banner displays.
How does the EDPB view the Omnibus cookie changes?
The EDPB and EDPS support reducing consent fatigue and welcome browser-level consent signals. They have raised concerns about moving cookie rules from the ePrivacy Directive to the GDPR, since the GDPR only covers personal data while the ePrivacy Directive covers all device storage regardless of data type.
Take Control of Your Cookie Compliance
Regardless of how the Omnibus proposal progresses, compliant cookie consent remains a legal requirement today. If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie so your visitors get a clear choice and you stay on the right side of the law.
