The EU Digital Omnibus: What It Means for Cookie Banners and Analytics
Key Takeaways
- The EU Digital Omnibus (COM(2025) 837) would repeal the ePrivacy Directive cookie rules and move them into GDPR — first-party analytics for your own use would not require consent if data is aggregated.
- Cookie consent banners must include single-click refuse buttons with equal prominence to "accept," and re-asking is prohibited for 6 months after a decline.
- Browser-based consent signals (similar to Global Privacy Control) become mandatory: websites must respect them within 24 months, and browsers must implement them within 48 months.
- Expected timeline: final adoption late 2026/early 2027, cookie rules apply ~6 months after entry into force.
On November 19, 2025, the European Commission released proposal COM(2025) 837 — the Digital Omnibus. If adopted, it would be the biggest change to EU data law since GDPR came into force in 2018.
The proposal directly addresses cookie consent, browser-level privacy signals, and the legal treatment of first-party analytics. For marketing teams that have spent years navigating the gap between privacy law and data completeness, this matters. Here is what the proposal says, what it changes, and what it means for your analytics setup.
Five laws become two
Currently, EU data operations require navigating GDPR, the ePrivacy Directive, the Data Act, the Data Governance Act, the Open Data Directive, the Free Flow of Data Regulation, and the Platform-to-Business Regulation. The Omnibus proposes consolidating these into two instruments: an amended GDPR and a consolidated Data Act. The P2B Regulation would be repealed entirely.
This matters for analytics because the ePrivacy Directive — the 2002 law that created cookie consent requirements — would be absorbed into GDPR. Instead of two overlapping legal frameworks governing cookies and data collection, there would be one. The practical effect: fewer ambiguities, fewer conflicting DPA interpretations, and a single set of rules for the entire EU.
Cookie consent moves to GDPR
The proposal would repeal Article 5(3) of the ePrivacy Directive, the legal basis for cookie consent banners. Cookie rules would move into GDPR itself, under a new Article 88a, with a crucial modification: first-party analytics for your own use would not require consent if the data is aggregated and not shared with third parties.
The exact wording in Article 88a(3) creates an exemption for “audience measuring” where the data controller processes information solely for statistical purposes on their own website, provided the data is aggregated and no individual user profiles are created. Third-party tracking and cross-site measurement still require explicit consent.
This distinction is critical. Tools like GA4 send data to Google’s servers — a third party — and create individual user profiles via cookies. Under the proposed rules, GA4 would still require consent. A first-party cookieless tool that aggregates data without identifying individuals would not.
Stricter rules for consent banners
For tools that still require consent, the Omnibus tightens banner requirements significantly. The proposal mandates single-click refuse buttons with equal visual prominence to “accept.” No more dark patterns where “reject” is buried three clicks deep.
Additionally, websites are prohibited from re-asking for consent for six months after a user declines. This directly targets the practice of showing consent banners on every visit until the user gives in — a pattern the French CNIL and other DPAs have criticized but lacked specific legal basis to enforce uniformly.
The combined effect of equal-prominence reject buttons and the six-month re-ask prohibition will likely push consent rejection rates higher than the current EU average of approximately 35%. For cookie-dependent analytics, this means even more data loss from consent banners.
Browser signals are coming
Article 88b introduces mandatory support for browser-based consent signals. Websites must respect these signals within 24 months of entry into force, and browsers must implement them within 48 months.
This functions similarly to Global Privacy Control (GPC), but with EU-wide legal enforcement behind it. When a user sets their browser to “reject non-essential cookies,” every website in the EU must respect that signal automatically. No banner, no interaction, no per-site decision.
For marketing teams, browser signals represent a structural shift. Once major browsers implement default privacy signals — and Safari, Firefox, and Brave are already moving in this direction — the percentage of visitors who implicitly reject tracking could exceed 50% even before a consent banner appears. Cookie-based analytics will lose data at a rate that makes current losses look modest.
Countries already ahead of the Omnibus
France and the UK have already implemented similar exemptions. The CNIL (France’s DPA) published specific criteria for analytics tools that can operate without consent: no cross-site tracking, no individual profiles, data used only for aggregated audience measurement. SealMetrics published its CNIL self-assessment meeting all 14 technical criteria.
The UK went further with the Data Use and Access Act 2025, which explicitly exempts certain analytics from PECR consent requirements. The EU Omnibus proposal would harmonize this approach across all 27 member states, eliminating the current patchwork of national interpretations.
Timeline
Commission proposal: November 19, 2025 (published)
Parliament and Council review: 2026 (ongoing)
Final adoption: Late 2026 or early 2027 (expected)
Cookie rules apply: ~6 months after entry into force
Website browser signals: 24 months after entry into force
Browser implementation: 48 months after entry into force
The legislative process will involve amendments from both the European Parliament and the Council. The analytics exemption and browser signal provisions are likely to see debate, but the general direction — simplification and stronger enforcement — has broad political support.
What this means for your analytics
If you use first-party, aggregated analytics — and nothing else that requires consent — you may not need a cookie banner at all once the Omnibus is adopted. France and the UK already permit this approach. The EU proposal would standardize it across all member states.
If you rely on GA4 or other cookie-based tools, the picture is less favorable. Stricter consent banners, browser-level rejection signals, and the continued requirement for consent when data goes to third parties will compound the data loss problem that already leaves GA4 with roughly 13% of real EU traffic.
The practical recommendation is straightforward: evaluate whether your analytics infrastructure qualifies for the first-party exemption. If it does, you are already positioned for a post-Omnibus world. If it does not, the gap between what you measure and what actually happens on your site will only grow.