Digital Regulation

Digital Omnibus reshapes EU cookie rules but leaves banner fatigue largely intact

Published on 10th December 2025

The Digital Omnibus Proposal promises a cleaner, GDPR-based framework for cookies and consent, yet its narrow exemptions and technical fixes are unlikely to spell the end of cookie banners any time soon.


Background and scope

The Digital Omnibus Proposal published by the European Commission in November 2025 is a broad legislative package that seeks to simplify elements of the EU digital acquis, including the General Data Protection Regulation (GDPR), the ePrivacy framework, the Data Act and the AI rulebook. Among the many areas affected are also cookies, online tracking and the way in which consent is collected and managed on websites. The following analysis focuses on these cookie- and tracking-related aspects of the proposal.

As regards cookie banners, the Commission notes that “consent fatigue and proliferation of cookies banners” has become a problem whose regulatory solution is “long-overdue” (see Explanatory Memorandum, page 6). For a legal framework that is essentially based on Union law, this is a remarkable form of self-description. At least, with the Proposal the Commission puts forward a package of measures intended to harmonise the rules on cookies and consent banners and make them more workable in practice.

Recalibrating ePrivacy and the GDPR

A central element is the recalibration of the relationship between the ePrivacy Directive and the GDPR. In future, the ePrivacy Directive is no longer meant to govern the processing of personal data of natural persons; in such cases, the GDPR alone shall apply. As a consequence, the legal treatment of cookies is, in principle, shifted entirely into data protection law. To this end, the Omnibus Regulation inserts an additional subparagraph into Article 5(3) of the ePrivacy Directive, explicitly clarifying this demarcation. 

In addition, the proposal provides for the repeal of Article 4 of the ePrivacy Directive; as Recital 48 explains, cybersecurity and personal data breach obligations for providers of publicly available electronic communications services will instead be governed in a coherent manner by the GDPR and the NIS2 framework.

New Article 88a GDPR: cookies and terminal equipment

In parallel, the GDPR is supplemented by a new Article 88a, which addresses the storage of information on terminal equipment (including cookies), previously dealt with in the ePrivacy Directive. An accompanying Article 88b lays down requirements for the technical implementation of consent, refusal and objection through automated and machine-readable means. Under the new Article 88a, storing personal data in the terminal equipment of a natural person or gaining access to such data without consent – and the subsequent processing – shall be lawful to the extent that this is necessary for any of the following purposes:

  • carrying out the transmission of an electronic communication over an electronic communications network (Article 88a(3)(a));
  • providing a service explicitly requested by the data subject (Article 88a(3)(b)); or
  • creating aggregated information about the usage of an online service to measure the audience of such a service, where this is carried out by the controller of that online service solely for its own use (Article 88a(3)(c)).

    The last of these exemptions is drafted in very narrow terms: it only covers aggregated usage statistics created by the provider for its own online service and for its own use. By contrast, commonly used tracking and analytics tools typically operate across services, customers and platforms. As a rule, they are therefore unlikely to fall within the scope of this exemption.

  • Finally, processing without consent is to be lawful where it is necessary for “maintaining or restoring the security of a service provided by the controller and requested by the data subject or the terminal equipment used for the provision of such service” (Article 88a(3)(d)). This immediately raises the question of what this means for security providers that primarily rely on cookies to protect third-party services – that is, the systems of their customers. It is difficult to imagine that the provision is to be interpreted so narrowly that such security-related processing activities would be excluded in the future; that would effectively lower the level of protection and run counter to the very objective of the rule. In addition, for security solutions designed to protect against malicious actors, the requirement that the protection must be “requested by the data subject” leads to obvious inconsistencies in terms of values and incentives: unsurprisingly, cybercriminals will not consent to their data being processed for the purposes of fraud prevention or attack detection.

Consent mechanics under Article 88a(4)

Article 88a(4) further specifies the handling of consent:

  • The data subject must be able to refuse requests for consent “in an easy and intelligible manner with a single-click button or equivalent means” (Article 88a(4)(a)).
  • If the data subject gives consent, the controller shall not make a new request for consent for the same purpose “for the period during which the controller can lawfully rely on the consent of the data subject” (Article 88a(4)(b)). The practical added value of this provision is not entirely clear: purely out of self-interest, controllers have little incentive to bombard users with superfluous consent requests while consent is still valid; a renewed request for consent within an already running consent period is more likely to create legal uncertainty. From a risk-management viewpoint, the safest solution may be to impose explicit expiration dates on consents, so that controllers know precisely when a new request becomes necessary. At the same time, however, this approach comes with the downside of that limitation in time.
  • By contrast, Article 88a(4)(c) is more convincing: if the data subject declines a request for consent, the controller shall not make a new request for consent “for the same purpose” for at least six months. How this notion of “the same purpose” will be interpreted in practice, in particular for services with multiple, partially distinct functionalities, remains to be seen.

Article 88a does not replace consent as the general rule; paragraph 3 merely sets out a closed, limitative list of low-risk purposes for which storage or access in terminal equipment is permitted without consent. As Recital 44 of the proposal makes clear, any subsequent processing for other purposes must fall back on the ordinary GDPR framework, in particular Article 6 (and, where relevant, Article 9), with legitimate interests only being available where strict conditions are met, including heightened scrutiny for children, sensitive data, the scale and intrusiveness of the processing and the reasonable expectations of data subjects.

Technical consent management under Article 88b

Article 88b ultimately announces a small technical turning point. Businesses will welcome that, after many years of criticism, the Commission now acknowledges that it is more efficient to manage consent at the level of terminal equipment rather than through countless individually designed cookie banners – not least because the current model has an inherent design flaw: where cookies are rejected, that decision must technically again be stored in a cookie; otherwise, the banner would reappear upon every page view. This effectively lowered the level of data protection: the days when internet users could simply delete all cookies after each session and were still able to browse through the internet without being subject to countless banners, buttons and overlays, are long gone.

Article 88b now requires controllers to ensure that their online interfaces allow data subjects to (a) give consent and (b) decline a request for consent and exercise their right to object pursuant to Article 21(2) “through automated and machine-readable means” (Article 88b(1)). Under Article 88b(2), controllers must respect the choices made by data subjects in this way. Article 88b(6) further obliges providers of web browsers (which are not SMEs) to provide the technical means for such automated and machine-readable indications of data subjects’ choices.

Specific rules for media service providers

The proposal also provides for a specific rule for media service providers. According to the Explanatory Memorandum (pages 7–8), they should “not be obliged to respect such signals” in view of the economic need to finance media services through advertising. The wording of Article 88b(3), however, is cautious: it merely disapplies paragraphs 1 and 2 for controllers that are media service providers when providing a media service, meaning it lifts the technical obligations to collect consent via the online interface and to respect transmitted preference signals. What it does not do is establish an explicit legal basis for processing. A clearly formulated positive exemption – for example, stating that media service providers do not require consent for certain, specifically defined purposes – would have been considerably more helpful. As drafted, time will tell whether Article 88b(3) is sufficient to support the intended privilege in a legally robust manner.

Overall, it is far from certain that the proposed amendments will, in practice, result in genuine simplification. The narrowly drafted exemptions in particular raise the question of the extent to which controllers will still be able to rely on legitimate interests as a legal basis, or whether well-intentioned detail rules will in some constellations create additional uncertainty.

Moreover, the relationship between the GDPR and the ePrivacy Directive remains complex: the requirements of the ePrivacy Directive continue to apply – although only for non-personal data. In practice, website operators will typically not be in a position to reliably distinguish whether a request originates from a natural person or from an automated crawler (“screen scraper”). In case of doubt, they will therefore still have to keep both the ePrivacy framework and the GDPR in mind.

Outlook: will cookie banners really disappear?

Whether the Digital Omnibus Proposal will finally make it possible to surf the web without cookie banners in the future is more than questionable. Although the Digital Omnibus Proposal addresses consent to the use of cookies and the related process, it lacks a practical overall solution for the use of cookies.

A number of follow-up questions are already arising. Many providers use cookie banners not only to obtain consent, but also to comply with information obligations. In such instances, it will need to be assessed on a case-by-case basis how to handle the information currently placed in these banners in the future. Simply switching off the banners will rarely be sufficient; the information will either have to be moved into the privacy notice or special cookie notices, or presented in a reduced, purely informational notification banner. 

Furthermore, it seems as if the new provision was drafted without taking a comprehensive view of the cookie issue. The new Article 88a(4) governs various cases of consent requests and thus seems to lead to fewer cookie banners. However, it does not take into account all requirements for the use of cookies that do not directly relate to the consent addressed in the provision, but have a significant influence on whether a pop-up, of whatever form, remains necessary:

On the one hand, any information obligations must be fulfilled before data processing takes place. The Digital Omnibus proposal provides that, as a future standard, consent to or rejection of cookies should be given via browser preferences, Article 88b(1) (new). However, the information obligations cannot be complied with in the browser preferences themselves, so that a corresponding notification banner can be considered as a result of the information obligation prior to data processing. It is doubtful whether a reference at the bottom of the website, as is the case for general privacy policies, is sufficient – one could argue that information provided there would be too late.

In addition, according to Article 7(3) sentence 4 GDPR, the withdrawal of consent must be “as easy as giving consent.” For this reason too, from a practical point of view, one may again hold that giving the data subject the possibility of withdrawal by means of a notification banner is the easiest solution – even if consent was given through browser preferences.

As a result, the legal construct of cookie banners, which has grown over many years, is unlikely to be significantly affected by the specific proposed amendments which mainly concern obtaining consent. For many providers – not least with regard to the continued applicability of the ePrivacy rules – the pragmatic question will therefore be whether it is not, in fact, cheaper and more practical to maintain something close to the current practice. 

Experience suggests that it will take some time before market-ready technical standards emerge for the automated and machine-readable consent management envisaged in the draft and before browser providers implement corresponding functionality at scale. Here too, one should expect a longer transition phase rather than a swift cure for the existing situation. 

In the end, it is likely that in many cases a hybrid pop-up setup will be a solution, consisting of cookie consent banners where no browser preferences have been set and notification banners where respective browser preferences have been set and where no consent is necessary. Unfortunately, the long-awaited end of cookie banners as such is not yet in sight.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
