Digital Omnibus — how GDPR and cookie rules are about to change
What is the Digital Omnibus
In November 2025, the European Commission introduced the Digital Omnibus — a sweeping legislative package that, among other things, amends GDPR and cookie rules. The key shift: the ePrivacy Regulation has been withdrawn and cookie rules are integrated directly into the GDPR through new Articles 88a and 88b.
The goal is to simplify the regulatory landscape, reduce administrative burden for businesses, and strengthen user control over their data. The legislative process could conclude by mid-2026.
Key changes that will affect every website
1. Analytics cookies without consent
Cookies used purely for statistical purposes — without individual profiling — could be permitted without consent. The condition: only aggregated, anonymized data is collected.
This means basic traffic measurement and reach analysis would become significantly simpler. However, tools that operate across multiple services or platforms (typically advertising and cross-site tracking) will still require consent.
2. Browser-level consent preferences
Users set their preferences once in their browser or operating system — and websites automatically respect them via CMPs. No more clicking through cookie banners on every single site.
New Article 88b regulates how consent, refusal, and objections must be technically expressed — including through automated, machine-readable signals.
3. Six-month re-consent cooldown
If a user refuses consent, the website cannot re-ask for the same purpose for a minimum of 6 months. This ends the practice of constant cookie pop-ups after every refusal.
4. Narrowed personal data definition
Data is "personal" only if the specific controller has the means to link it to an individual. The mere theoretical possibility of identification is not enough. The Commission, together with the EDPB, can establish criteria for when pseudonymized data no longer qualifies as personal data for a specific entity.
This point is controversial — the Czech ÚOOÚ and many privacy advocates are critical. There is concern that narrowing the definition could weaken data protection.
5. Higher breach reporting threshold
The obligation to report data breaches would apply only to "high risk" incidents — not every breach. This reduces administrative burden but increases the risk that smaller incidents go unreported.
6. Right to refuse or charge for repeated access requests
Data controllers could refuse or charge a fee for manifestly excessive or repeated data access requests (Art. 15 GDPR).
Timeline
| Phase | Date |
|---|---|
| Commission proposal | November 2025 |
| Parliament and Council review | 2026 |
| Expected adoption | Mid to late 2026 |
| Entry into force | 3 days after publication in Official Journal |
What this means for consent management
The Digital Omnibus brings fundamental changes for CMP platforms:
- Browser-level signal support — CMPs will need to read and respect preferences set in the browser.
- Granular consent stays — Article 88a confirms that consent must be granular, easy to withdraw, and obtained before cookies are set.
- 6-month cooldown — CMPs must track when a user last refused and not re-ask before 6 months.
- Analytics cookies without banner — but only for aggregated data without cross-site tracking.
How Waulter is preparing
Waulter CMP is tracking the Digital Omnibus legislative development and preparing for the new requirements:
- Granular consent has been a Waulter standard from day one — symmetric buttons, no pre-checked checkboxes.
- Cookie blocking before consent — no trackers fire without valid consent.
- Audit-ready records — transparent logs for regulatory inspections.
Once the Digital Omnibus enters into force, Waulter CMP will be updated with browser-level preference support and the 6-month moratorium logic.
Sources: Finmag.cz, Taylor Wessing, Usercentrics, Didomi, White & Case