Skip to main content
Back to Guides
Compliance7 min read

The EU Digital Omnibus: How Cookie Consent Changes in 2026

In November 2025 the European Commission proposed moving cookie rules out of the ePrivacy Directive and into the GDPR through a new Article 88a. Here is what the Digital Omnibus would change for consent banners, and what is still just a proposal.

For nearly a decade the EU's plan to modernise cookie rules ran through the ePrivacy Regulation, a reform that never made it past the Council. In February 2025 the Commission formally withdrew that proposal in its 2025 Work Programme. Then, on 19 November 2025, it published a very different vehicle for change: the Digital Omnibus, a package of amendments that would pull cookie and tracking rules out of the ageing ePrivacy Directive and fold them directly into the GDPR.

This guide explains what the Digital Omnibus proposes for cookie consent, why the shift from ePrivacy to the GDPR matters, and which parts are firm versus still contested. One caveat up front: as of mid-2026 this is a proposal working through the ordinary legislative procedure. Nothing here is binding law yet, and the text will change before it does.

What the Digital Omnibus Is

The Digital Omnibus is part of the Commission's broader simplification drive to cut administrative burden across the EU digital rulebook. Published on 19 November 2025, it proposes targeted amendments to several instruments at once, including the GDPR, the ePrivacy Directive, the Data Act, and the AI Act (the Commission summarises the package in its Digital Package FAQ). The cookie-relevant changes sit in the data-protection strand of the package.

The Commission is explicit about the problem it is trying to solve. The current model, it says, has produced consent fatigue and a proliferation of cookie banners without meaningfully improving privacy. Rather than write a whole new regulation, the Omnibus tries to relocate the rules into a legal home that already works uniformly across all 27 member states: the GDPR.

The Core Shift: Cookies Move From ePrivacy Into the GDPR

Today, the requirement to obtain consent before storing or reading information on a user's device comes from Article 5(3) of the ePrivacy Directive (2002/58/EC), transposed differently in each member state. That fragmentation is why French, German, and Dutch cookie rules never quite line up, and why the CNIL's guidance in France reads differently from its neighbours.

The Digital Omnibus proposes a new Article 88a of the GDPR to govern the storing of and access to information on terminal equipment. The practical effect is significant: where personal data is being processed, the ePrivacy rules would step back and the GDPR alone would apply. Cookies and similar tracking would become a data-protection matter, governed by one regulation with one enforcement framework, rather than a patchwork of national ePrivacy transpositions.

A companion provision, Article 88b, would govern how consent, refusal, and objection are expressed technically, including through automated, machine-readable signals.

One-Click Reject and the Six-Month Rule

Two consent mechanics in the proposal stand out for website owners.

A genuine single-click refusal. Under Article 88a as drafted, users must be able to refuse non-essential cookies with a single click (or equivalent), and refusing must be as easy to reach as accepting. This codifies at EU level what several regulators already demand through dark-pattern enforcement: a reject option on the first layer, no buried preference menus.

A cool-off period on re-asking. If a user has refused consent for a purpose, the controller would not be allowed to ask again for that same purpose for at least six months. This directly targets the nagging pattern of showing the banner on every visit until the user gives in. It also means "no" has to be remembered, not reset each session.

Article 88b: Browser Signals Become Binding

The most structurally important idea is machine-readable consent. Article 88b would require controllers (with a carve-out for media service providers) to respect automated, machine-readable indications of consent or objection, for example preferences set in a browser or operating system, once the relevant technical standards exist.

The vision is that a browser or OS transmits a standardised privacy signal telling each site whether the user accepts or rejects cookies for given purposes, and the site must honour it. This is the same principle behind Global Privacy Control, but backed by a legal duty rather than voluntary adoption. If it lands, the browser becomes a consent layer and the website banner shrinks toward a fallback for signals that cannot be expressed automatically, such as granular vendor-level TCF consent.

Note the conditional: the obligation is tied to standards that do not yet exist. Building purpose-level, cross-browser signalling is a multi-year technical project, so this provision would arrive later than the banner rules even if adopted.

What Might Become Exempt From Consent

Alongside the strictly-necessary exemption that already exists, the proposal signals an appetite to add consent exemptions for lower-risk purposes, such as aggregate audience measurement and certain security uses, so that not every measurement cookie triggers a banner. This is the most contested area of the package.

Privacy advocates warn that broad exemptions recreate the ambiguity the reform is meant to remove, the familiar "we need this cookie for statistics" argument. Ad-tech and publisher groups push the other way, wanting room for analytics and legitimate interest. Because the exemption list sits at the centre of the political fight, treat any specific exempt category as provisional until the co-legislators settle the text.

Timeline: What Is Firm and What Is Not

The Digital Omnibus is at the start of the ordinary legislative procedure, not the end. The Parliament and the Council each have to agree a position, then reconcile them in trilogue. Expect the cookie provisions to be reshaped along the way.

  • Proposal published: 19 November 2025.
  • Application of Article 88a: drafted to apply roughly six months after the regulation enters into force.
  • Application of Article 88b: drafted to apply within about 24 months, reflecting the dependency on technical standards.
  • Realistic adoption: optimistic scenarios point to adoption around the end of 2026, with practical application in 2027 at the earliest. Slippage is likely given the history of EU digital files.

In short: the direction is clearer than it has been in years, but the date is not.

What Website Owners Should Do Now

You can't compliance-plan around a proposal, but you can position yourself so adoption is a small adjustment rather than a rebuild.

  1. Get today's rules airtight. The status quo, the ePrivacy Directive plus the GDPR, still governs. If your GDPR cookie compliance already delivers real one-click refusal and reliable script blocking, you're ahead of most of what Article 88a would demand.
  2. Make "no" durable. The six-month re-consent bar rewards systems that store and honour a refusal across visits rather than re-prompting each session. Check that your consent record does this.
  3. Separate consent logic from the banner UI. If a browser signal can drive your blocking rules as cleanly as a click, Article 88b is an added input, not a redesign.
  4. Watch the exemption list, not the headlines. Whether aggregate analytics escapes consent will decide how many banners you actually need. Document which of your measurement cookies are first-party and purely statistical so you can act quickly either way.

How CookieBeam Fits

CookieBeam treats consent as an orchestration problem rather than a pop-up. Its script-blocking engine, regional consent rules, and consent logging work the same whether a choice arrives from a banner click, a GPC header, or a future browser signal. That signal-agnostic design is exactly what a move to Article 88a and 88b would reward: the machinery behind the banner matters more than the banner, and equal-prominence reject plus durable refusal records are already how CookieBeam behaves.

The bottom line: the Digital Omnibus is the most credible attempt in years to simplify EU cookie rules, and it points clearly toward one-click refusal, remembered choices, and browser-level signals. It's also unfinished. Build for that direction, verify against the enacted text when it arrives, and don't retire anything the current law still requires.

EU Digital Omnibus 2026: Cookie Consent Changes Explained | CookieBeam | CookieBeam