The EU Digital Omnibus: What It Means for Cookie Banners and Analytics
On November 19, 2025, the European Commission released proposal COM(2025) 837 — the Digital Omnibus. If adopted, it would be the biggest change to EU data law since GDPR came into force in 2018.
Five laws become two
Currently, EU data operations require navigating GDPR, the ePrivacy Directive, the Data Act, the Data Governance Act, the Open Data Directive, the Free Flow of Data Regulation, and the Platform-to-Business Regulation. The Omnibus proposes consolidating these into two instruments: an amended GDPR and a consolidated Data Act. The P2B Regulation would be repealed entirely.
Cookie consent moves to GDPR
The proposal would repeal Article 5(3) of the ePrivacy Directive — the legal basis for cookie consent banners. Cookie rules would move into GDPR itself, with a crucial modification: first-party analytics for your own use would not require consent if the data is aggregated. Third-party tracking still requires consent.
Additionally, the proposal mandates single-click refuse buttons (equal prominence to “accept”) and prohibits re-asking for consent for six months after a user declines.
Browser signals are coming
Article 88b introduces mandatory support for browser-based consent signals. Websites must respect these signals within 24 months, and browsers must implement them within 48 months. This functions similarly to Global Privacy Control, but with legal enforcement behind it.
Timeline
Final adoption: Late 2026 or early 2027
Cookie rules apply: ~6 months post-entry
Website browser signals: 24 months post-entry
Browser implementation: 48 months post-entry
Why this matters
If you use first-party, aggregated analytics — and nothing else that requires consent — you may not need a cookie banner at all. France and the UK already permit this approach. The EU proposal would standardize it across all member states.
For a deeper analysis of every provision and what to do now, read our complete marketer's guide to the Digital Omnibus.