The EU Digital Omnibus Explained: What Every Marketer Needs to Know in 2026
TL;DR
Cookie banners could vanish for approximately 60% of websites. First-party analytics receives explicit legal authorization. European businesses stand to save an estimated €1 billion annually.
What is the Digital Omnibus?
On November 19, 2025, the European Commission released proposal COM(2025) 837. It consolidates five separate data regulations into just two, making it the most comprehensive overhaul of Europe's digital governance framework since GDPR.
| Current law | Becomes |
|---|---|
| GDPR | Updated GDPR (incorporates cookie rules, AI provisions) |
| ePrivacy Directive | Partially merged into GDPR |
| Data Governance Act | Merged into Data Act |
| Open Data Directive | Merged into Data Act |
| Free Flow of Data Regulation | Merged into Data Act |
| P2B Regulation | Repealed |
Why should you care?
The business impact is significant. Cookie implementation costs European businesses an estimated €820 million annually. The projected total savings by 2029 exceed €5 billion. Currently, 334 million hours are wasted yearly on cookie interactions alone.
The cookie banner revolution
Consent rules move from the ePrivacy Directive into GDPR with a crucial modification: common use cases no longer require consent.
No consent required
— First-party audience measurement (aggregated)
— Functional cookies (carts, language, sessions)
— Security cookies (fraud prevention, DDoS)
Still requires consent
— Third-party tracking pixels
— Cross-site profiling
— Advertising retargeting
— External data sharing
Article 88a(3)(c) explicitly permits “creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use.”
Key changes you need to know
1. GDPR updates
| Change | Implication |
|---|---|
| Personal data definition | “Reasonably likely to be used” standard codified |
| Breach notifications | Only “high risk” breaches require reporting |
| Research exemptions | Expanded for technology development |
| Access requests | Easier rejection of abusive requests |
2. New cookie consent rules (Articles 88a & 88b)
— One-click rejection mandatory (equal prominence to “accept”)
— Six-month cooling-off period before re-requesting consent
— Browsers must respect automated privacy preferences (24-48 month window)
3. AI and data processing (Article 88c)
A new legitimate interest legal basis for AI development with safeguards including data minimization and unconditional objection rights.
4. SME & mid-cap relief
Companies with up to 749 employees receive extended exemptions, reduced fees, and simplified pathways — saving €5-19 million annually sector-wide.
Timeline
| Milestone | Expected date |
|---|---|
| Proposal published | November 19, 2025 |
| Parliament & Council review | Q1-Q2 2026 |
| Final adoption | Late 2026 / Early 2027 |
| Cookie rules apply (Art. 88a) | ~Q1 2028 |
| Browser signals required (sites) | ~Q3 2029 |
| Browser signals required (browsers) | ~Q3 2031 |
Regulatory position: EDPB-EDPS opinion
On February 10, 2026, the European Data Protection Board and Supervisor issued Joint Opinion 2/2026. They support the simplification goals, cookie consent reform, higher breach notification threshold, and the analytics aggregation exemption. They opposed changes to the personal data definition and Commission control over breach notification templates.
Winners and losers
Winners
— First-party analytics users
— SMEs and mid-caps
— Privacy-respecting businesses
— End users (fewer banners)
Losers
— Third-party tracking networks
— Behavioral advertising platforms
— Consent management platform vendors
What to do now
Immediate actions (2026)
1. Audit your analytics stack — what tools do you use? Are they first-party or third-party?
2. Review tracking implementation — identify what qualifies for the exemption and what still needs consent
3. Evaluate privacy-first alternatives for the tools that will still require consent
Pre-implementation (late 2026-2027)
4. Update privacy policies
5. Plan your cookie banner strategy
6. Train your team on the new framework
FAQ
Does the Digital Omnibus replace GDPR?
No. It amends GDPR and integrates the previously separate ePrivacy cookie rules into it.
When will cookie banners disappear?
Starting approximately Q1 2028, websites using only first-party aggregated analytics may remove banners entirely. Sites using third-party tracking still need them.
What counts as “aggregated” data?
Data not relating to specific identifiable individuals: total views, visitor counts, traffic sources, popular pages — not individual journeys or profiles.
Does this affect Google Analytics?
Standard GA4 involves Google as a third party, which may disqualify it from the exemption. First-party solutions are better positioned.
Does this apply to non-EU businesses?
Yes, if you offer goods or services to EU residents or monitor their behavior (GDPR territorial scope).
The bottom line
The Digital Omnibus represents pragmatic evolution of European data law. First-party, privacy-respecting analytics receives clear legal validation. Cookie friction decreases for legitimate measurement. Third-party tracking faces increasing regulatory headwinds.
Businesses that adopt first-party relationships and privacy-respecting measurement will outperform those clinging to third-party tracking. Learn how cookieless analytics works or calculate how much data you are losing today.