The European Commission’s Digital Omnibus proposal, published in November 2025, represents a significant attempt to simplify and streamline the EU’s complex digital regulatory framework. Among other things, the proposal revisits long-standing rules on cookies, online tracking and consent, explicitly acknowledging that the current approach has led to “consent fatigue and the proliferation of cookie banners”.
While the proposal does not dismantle the EU’s cookie framework, it does signal an important recalibration which points to an evolution of existing trends and practices in digital advertising (such as a focus on first-party data strategies) rather than a fundamental shift.
Recalibrating the GDPR and the ePrivacy Directive
In an attempt to harmonise requirements and reduce legal overlap between different frameworks, under the proposal, the ePrivacy rules will no longer apply when personal data is being processed. In those situations, only the GDPR will apply, bringing rules on cookies firmly into the domain of data protection law. To make this clear, the proposal adds a new sentence to the ePrivacy Directive that clearly explains where the responsibilities of each law begin and end.
Changes to consent collection
The proposal integrates cookie and similar tracking rules directly into the GDPR through a new Article 88a, replacing the current reliance on the ePrivacy Directive. A companion provision, Article 88b, will regulate how consent, refusal and objections must be technically expressed, including through automated and machine-readable signals.
Article 88a will permit the storage of, or access to, information on a user’s device without consent only where this is strictly necessary for limited purposes, including:
- transmitting an electronic communication over an electronic communications network
- delivering a service expressly requested by the user
- generating aggregated information about audience measurement data (provided this is done by the service provider solely for its own online service and its own internal use), and
- maintaining or restoring the security of a service, as requested by the user or the terminal equipment used for the provision of the service.
The audience-measurement exemption is narrowly framed. It appears to exclude analytics or tracking tools that operate across multiple services, clients or platforms, meaning that many commonly used advertising and measurement solutions will remain subject to consent requirements.
The drafting of the exemption for processing necessary to ensure the security of a service or the user’s device is ambiguous. It is unclear how broadly this provision will be interpreted, particularly in relation to third-party security providers that rely on cookies to protect their customers’ systems. A purposive reading would suggest that such security-related processing should remain permissible without consent where genuinely necessary, but further clarification - including at Member State level - will be required.
Consent mechanisms
The proposals maintain existing consent validity requirements, emphasising that rejecting consent must be as straightforward as giving it. This reinforces guidance from both UK and EU regulators that user interfaces must not employ 'nudges' or dark patterns to encourage consent.
The proposal explicitly provides that, where a user has provided consent, a controller shall not make a new request for consent for the same purpose for the period during which the controller can lawfully rely on the consent of the data subject. This means that where consent is given, the controller would generally be expected to rely on that consent for as long as it remains valid, rather than repeatedly prompting the user for the same permission. While this provision may have limited practical impact, it underlines the importance of structured consent management.
More materially, if a user refuses consent, the controller would be prevented from re-requesting consent for the same purpose for a minimum period of six months. How narrowly or broadly “the same purpose” will be interpreted - particularly for services offering multiple features - will be an important point to watch as the proposal develops.
Importantly, these provisions do not remove consent as the default requirement for cookies and similar technologies. The exemptions allowing storage or access without consent remain limited to a closed list of low-risk scenarios. Any further use of the data must continue to comply with the GDPR’s general legal bases, with legitimate interests available only where strict conditions are met. The proposal also emphasises enhanced scrutiny in higher-risk contexts, such as processing involving children, sensitive data, large-scale tracking or particularly intrusive practices.
Browser-level consent management
Article 88b introduces a more technical, but potentially meaningful, shift in how consent is managed online. The Commission recognises longstanding criticism of banner-based consent models, noting that they are inefficient and structurally flawed - particularly where refusal choices themselves must be stored via cookies, undermining user control and contributing to banner fatigue.
To address this, Article 88b will require websites to support automated, machine-readable mechanisms that allow users to give or refuse consent, as well as to exercise their right to object to certain processing activities. Importantly, controllers will be obliged to respect these signals once expressed, rather than repeatedly prompting users through individual interfaces.
The proposal also places responsibility on web browser providers (other than SMEs) to enable the technical infrastructure needed for such automated preference signals. If implemented effectively, this approach could shift consent management away from site-by-site banners toward more centralised, device- or browser-level controls, reducing friction for users while increasing consistency for businesses.
What does this mean in practice for participants of the digital advertising ecosystem?
The reforms are unlikely to reopen the door to unrestricted behavioural advertising. We know from recent regulator activity, including the ICO’s proactive screening of advertising cookies on the top 100 and 1000 websites in the UK, that regulators are focussed on this issue. Instead, the proposals draw a clearer distinction between:
- low-impact, first-party processing, which may proceed without consent; and
- cross-site or cross-service tracking for advertising purposes, which will remain firmly consent-based.
In practice, this could reduce reliance on banner optimisation strategies to drive marginal consent gains and increase the relative attractiveness of contextual advertising and first-party data strategies.
While the Digital Omnibus is still a proposal and subject to negotiation, several strategic conclusions are already clear:
- This is not a return to frictionless tracking. The reforms aim to improve user experience, not to dilute privacy protections for behavioural advertising.
- First-party and contextual strategies will matter more. Advertisers with strong publisher relationships and privacy-resilient targeting models will be best placed.
- Measurement innovation remains critical. Investment in privacy-safe attribution and analytics will continue to be a competitive necessity.
- Legal simplification does not mean lighter scrutiny. Clearer rules may reduce uncertainty, but enforcement risk remains for non-compliant tracking practices.
It's worth noting, however, that even if the proposal passes as drafted (and negotiations are expected to be complex and lengthy), changes will take some time to take effect. While Article 88a is intended to apply six months after the Digital Omnibus enters into force, Article 88b GDPR will apply within 24 months.
In short, even once effective, the Digital Omnibus will not put an end to cookies - but it looks as though it will accelerate the shift toward an advertising ecosystem that can function even when consent is limited or absent. Advertisers that adapt early to this reality will be best positioned as the EU’s digital rulebook continues to evolve.