AI Act and Digital Omnibus — how consent rules are changing
The end of cookie fatigue? The Commission is working on it
The European Commission has acknowledged what internet users have been saying for years: cookie banners are exhausting. As part of the Digital Omnibus package, it proposes fundamental changes to online consent rules — while also addressing how GDPR intersects with the new AI Act.
For companies, agencies, and CMP platform operators, this means one thing: the rules are changing and those who don't prepare will be catching up.
What the Digital Omnibus brings
Universal preference mechanism
The Commission proposes standardized settings that allow users to express consent or opt out consistently across websites and applications. Browsers, operating systems, and app stores will be required to honor these settings — with a six-month implementation period.
In practice, this means users set their preferences once and websites read them automatically. Cookie banners will only appear where truly necessary.
Cookies without consent — in certain cases
The proposal allows certain scenarios where consent is not required. Audience measurement for security purposes is one example. This doesn't mean the end of consent — it means a more precise definition of when consent is actually required.
AI as a legitimate interest
A new provision explicitly recognizes AI system development and deployment as a legitimate interest under GDPR. However, conditions remain: controllers must demonstrate necessity and proportionality, minimize training data, and grant data subjects an unconditional right to object.
AI Act: what companies must comply with by August 2026
The AI Act enters full force on August 2, 2026 for high-risk AI systems. Key requirements include:
- Fundamental Rights Impact Assessment (FRIA) — mandatory for high-risk systems, analogous to DPIA under GDPR.
- Transparency — systems interacting with humans must clearly disclose they are communicating with AI.
- Documentation and traceability — complete records of training data, decision processes, and outputs.
Companies processing personal data through AI will need to comply with both frameworks simultaneously — GDPR and the AI Act.
EDPB: transparency as the 2026 priority
The European Data Protection Board (EDPB) announced that the coordinated action for 2026 will focus on compliance with transparency obligations under Articles 12 to 14 of the GDPR. This includes:
- Clarity of information about data processing
- Accessibility and readability of privacy policies
- Quality of information provided during consent collection
What this means for consent management
The direction is clear: consent must be simple, transparent, and respectful of users' genuine choices. Cookie banners won't disappear, but their role will change — from an annoying pop-up to part of a broader preference system.
Waulter CMP is prepared for these changes. Google Consent Mode 2.0 support, granular consent scenarios, preference center integration, and APIs for automated preference management — these are the tools that will be essential in the new regulatory landscape.
Sources: European Commission — Digital Omnibus Package (2025), EDPB Coordinated Action 2026, EU AI Act (Regulation 2024/1689)