EU Digital Omnibus Explained: Will Cookie Banners Disappear?

Lauren Mitchell
EU Digital Omnibus regulation: cookie consent changes and browser-level privacy signals

The EU Digital Omnibus is the biggest shake-up to European cookie rules since GDPR landed in 2018. Proposed in November 2025, it absorbs cookie consent rules directly into GDPR — and introduces browser-level consent signals that could eventually replace per-site pop-ups.

But will cookie banners actually disappear? The answer is more nuanced than headlines suggest. In this article, I’ll break down what the EU Digital Omnibus changes, what stays the same, and what it means for your analytics setup.

This article is part of our Complete Guide to Privacy-Compliant Web Analytics.

What Is the EU Digital Omnibus?

The EU Digital Omnibus is a legislative proposal published by the European Commission on November 19, 2025. It amends multiple EU digital regulations in a single package — hence “omnibus.”

The most relevant change for website owners: it merges cookie consent rules from the 2002 ePrivacy Directive into GDPR itself. On February 11, 2026, the Commission formally withdrew the long-stalled ePrivacy Regulation (which had been stuck in legislative deadlock since 2017), clearing the path for this approach.

Three new GDPR articles do the heavy lifting:

The stated goal is simplification. Instead of juggling two overlapping frameworks (GDPR + ePrivacy), businesses deal with one. Whether it actually simplifies anything is debatable — privacy advocates at noyb called it “the biggest attack on Europeans’ digital rights in years.”

EU Digital Omnibus timeline: from 2017 ePrivacy proposal through 2025 Omnibus to expected 2028 enforcement

Quick refresher. Cookie banners exist because the ePrivacy Directive (2002, updated 2009) requires consent before storing or reading information on a user’s device. GDPR (2018) reinforced this with strict consent requirements.

The result: every website greets you with a pop-up. Users click “Accept All” without reading. Studies show 60–70% of EU visitors reject cookies when given an equal-prominence “Reject All” button — but most sites bury that option behind dark patterns.

Everyone hates it. Users get banner fatigue. Businesses lose conversions. Privacy advocates point out banners don’t actually protect privacy — they just create an illusion of choice. The EU Commission itself acknowledged that cookie consent has become “a source of frustration rather than meaningful protection.”

The Digital Omnibus tries to fix this. Keyword: tries.

Article 88a maintains consent as the default for cookies but carves out specific consent-free exemptions for low-risk activities:

Five consent-free cookie exemptions under Article 88a: technical necessity, user-requested services, audience measurement, security, and fraud prevention

The five exemptions where consent is NOT required:

  1. Technical necessity — cookies essential for transmitting communications
  2. User-requested services — session cookies, shopping carts, login states
  3. Audience measurement — first-party analytics under strict conditions (more on this below)
  4. Security — fraud prevention, DDoS protection
  5. Software updates — checking for and delivering updates

Two practical improvements for users:

Here’s the critical part most headlines miss: marketing and tracking cookies still require explicit consent. Cross-site tracking, behavioral advertising, remarketing — all still need opt-in. Cookie banners don’t disappear for sites running ad tech. They disappear (or shrink significantly) for sites that only use first-party, privacy-respecting tools.

Article 88b is the ambitious part. It mandates that websites support automated, machine-readable consent signals — and that browser vendors build the infrastructure to transmit them.

The vision: you set your privacy preferences once in your browser settings. Every website you visit automatically receives those preferences. No more pop-ups.

Three browser consent signal standards compared: DNT abandoned, GPC actively standardized, ADPC purpose-specific design

Three competing standards exist today:

| Signal | Status | How It Works |
| --- | --- | --- |
| Do Not Track (DNT) | Dead | Binary opt-out. Industry ignored it. W3C abandoned the spec in 2019. |
| Global Privacy Control (GPC) | Active | HTTP header + DOM property. Legally enforced in California — Sephora fined $1.2M for ignoring it. |
| Advanced Data Protection Control (ADPC) | Theoretical | Granular purpose-specific consent. Designed by noyb/SBA Research specifically for GDPR. |

The Digital Omnibus doesn’t specify which standard to use. GPC has the most real-world traction — it’s already a W3C Privacy Working Group work item and has legal enforcement precedents in multiple US states. But GPC is binary (opt-in or opt-out), while GDPR’s consent model is purpose-specific. ADPC is architecturally better suited to GDPR but has zero browser implementation.

Reality check: browser consent signals won’t become mandatory until approximately 2028–2029 (24 months after the regulation enters into force). And getting Chrome, Safari, Firefox, and Edge to implement compatible signals is, as one analyst put it, “no small feat.” Remember — DNT tried this exact approach 15 years ago and failed.
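To make the gap between a binary signal and purpose-specific consent concrete, here is an added example (not code from this article or from any regulation text) that reads the GPC request header `Sec-GPC: 1` and combines it with stored consent to decide which tag categories a response may activate. The category names, the `storedConsent` shape and the rule that a GPC opt-out overrides a stored marketing opt-in are assumptions for illustration.

```javascript
// Added example. Category names, the storedConsent shape and the conflict
// policy are assumptions, not taken from the Digital Omnibus text.

// GPC arrives as the request header `Sec-GPC: 1`. Header names are
// case-insensitive; any other value, or no header, means no signal.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === 'sec-gpc') {
      return String(value).trim() === '1';
    }
  }
  return false;
}

// storedConsent (hypothetical shape):
//   { marketing: true | false | undefined, analyticsOptOut: true | undefined }
function allowedCategories(headers, storedConsent = {}) {
  const gpc = hasGpcSignal(headers);
  const allowed = new Set(['necessary']); // never gated on consent

  // First-party audience measurement: on by default, off once the user
  // opts out. The binary GPC signal is not treated as an analytics opt-out.
  if (storedConsent.analyticsOptOut !== true) {
    allowed.add('analytics');
  }

  // Marketing and tracking stay opt-in, and a GPC opt-out wins over a
  // previously stored opt-in (assumed conflict policy).
  if (storedConsent.marketing === true && !gpc) {
    allowed.add('marketing');
  }

  return {
    gpc,
    allowed: [...allowed].sort(),
    // Ask only when there is neither a signal nor a recorded decision.
    needsMarketingPrompt: !gpc && storedConsent.marketing === undefined,
  };
}

// Constructed sample requests: [headers, storedConsent].
const samples = [
  [{ 'Sec-GPC': '1' }, { marketing: true }],
  [{ 'sec-gpc': '0' }, { marketing: true }],
  [{}, {}],
];
for (const [h, c] of samples) {
  console.log(JSON.stringify(h), '->', JSON.stringify(allowedCategories(h, c)));
}
```

In the browser, the same signal is exposed to page scripts as `navigator.globalPrivacyControl`, so a client-side tag loader can apply the same decision before injecting marketing scripts.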

What This Means for Web Analytics

This is where it gets interesting for anyone running a website. The audience measurement exemption in Article 88a lets you run analytics without consent — but only if you meet five strict conditions:

Analytics exemption requirements: first-party only, no sharing, statistics only, user opt-out, short retention

  1. First-party processing — the website owner controls all data
  2. No third-party sharing — data stays between you and your analytics provider
  3. Statistics only — used exclusively for website improvement, not marketing
  4. User opt-out available — users can disable analytics easily
  5. Short retention — data stored only as long as necessary

The exemption explicitly excludes “analytics or tracking tools that operate across multiple services, clients or platforms.”

I’ve been advising clients on privacy-first analytics since 2020, and this is exactly the framework I’ve been recommending. It essentially codifies what four EU data protection authorities (France, Spain, Netherlands, Italy) had already been enforcing informally.

GA4 almost certainly fails the test. Google processes data across all its clients, integrates with advertising ecosystems, and operates a shared global infrastructure. Meeting conditions #1 and #2 with GA4 would require fundamental architectural changes Google hasn’t made.

Privacy-first tools pass easily. Plausible, Fathom, and Matomo are designed from the ground up to meet exactly these conditions. They process data solely for the website owner, don’t share with third parties, and are statistics-only by design. WordPress sites using these tools would need no consent banner for analytics at all.

As Piwik PRO’s CEO put it: “This will give privacy-friendly European analytics providers an edge compared to US-based platforms.”

What Businesses Should Do Now

The Digital Omnibus is still in the legislative pipeline — it needs approval from both the European Parliament and the Council. Realistically, full enforcement is 2–3 years away. But smart businesses prepare early.

Three-phase action plan: audit now, transition in 2027, and prepare for browser signals by 2028

Now (2026):

2027 — Transition:

2028+ — Browser signals era:

Bottom line: If you’re already using cookie-free, privacy-first analytics — you’re ahead of the curve. The Digital Omnibus essentially validates the approach privacy-first tools have taken since their inception.

Frequently Asked Questions

Will cookie banners disappear completely under the Digital Omnibus?

No. Marketing and tracking cookies still require explicit consent. Cookie banners will disappear or shrink for sites that only use first-party, privacy-respecting tools — but sites running cross-site tracking, remarketing, or behavioral advertising will still need consent pop-ups.

When does the EU Digital Omnibus take effect?

The proposal was published in November 2025 and is currently under review by the European Parliament and Council. Realistic adoption is expected in mid-2027, with cookie rule changes applying six months later and browser consent signals 24 months after that — putting full enforcement around 2028–2029.

Does Google Analytics qualify for the consent-free analytics exemption?

Almost certainly not. Article 88a’s exemption requires first-party-only processing with no third-party data sharing. GA4’s shared infrastructure, integration with Google Ads, and cross-client data processing make it difficult to meet these conditions. Privacy-first tools like Plausible, Fathom, and Matomo are designed to meet them by default.

What are browser-level consent signals?

A mechanism where users set privacy preferences once in their browser or operating system, which then automatically transmits those choices to every website. Global Privacy Control (GPC) is the leading standard — it’s already legally enforced in California and under W3C standardization. The Digital Omnibus would make websites legally required to respect these signals across the EU.

Should I wait for the Digital Omnibus before changing my analytics?

No. Four EU data protection authorities already enforce similar rules informally. The direction is clear: first-party, privacy-respecting analytics will be the standard. Waiting means years of unnecessary compliance risk. Switching to a privacy-first tool now gives you a head start and eliminates cookie consent headaches today.

Lauren Mitchell

Web analytics consultant focused on privacy-first measurement strategies. 12+ years helping businesses turn data into decisions. Based in Lisbon, Portugal. Coffee enthusiast, half-marathon runner, and proud cat parent.