Strategy & Market, June 2, 2026

2026 Cookie Banner Reform: What the Digital Omnibus Means for SMEs


Key Points

  • The Digital Omnibus is an EU proposal from November 2025, with an earliest start date of 2027.
  • Until then, the banner requirement under Section 25 of the TDDDG and the GDPR remains unchanged.
  • First-party analytics and security cookies are set to become banner-free.
  • Marketing tracking will still require consent.
  • A six-month opt-out period following rejection will prevent pop-ups from appearing every time a page is loaded.

In November 2025, the European Commission presented the proposal for the Digital Omnibus Package. The goal: fewer cookie banners, less click fatigue, clearer rules. Sounds good. The headlines promise an end to the flood of banners. The reality is more sobering.

We are often asked: “Can we turn off the banner now?” The short answer: no. The long answer is in this post. We break down what is actually changing, what remains a proposal, and what preparations are worthwhile for small and medium-sized businesses right now.

What the Digital Omnibus Is

The Digital Omnibus is a package of legislative changes. The European Commission aims to use it to untangle the overlapping rules of the GDPR, the ePrivacy Directive, the Data Act, and other regulations. Cookie rules are set to be moved from the old ePrivacy Directive into the GDPR. Specifically, a new Article 88a will be added to the GDPR.

The status: proposal, not yet law. The European Parliament and the Council must approve it. Substantial changes to the text are common during the legislative process. The first rules will take effect in 2027 at the earliest; according to official estimates, the full rollout will take up to 48 months after entry into force.

Until then, the current legal situation applies. Section 25 of the TDDDG and Article 6 of the GDPR remain mandatory. Anyone who removes their banner now risks receiving a warning letter.

The four key changes

1. More Exceptions Without a Banner

Certain cookie purposes are exempt from the consent requirement. According to the proposal, these include:

  • Audience measurement using the operator’s own first-party tools, provided the operator uses the data only for its own purposes
  • Security cookies (e.g., CSRF protection, brute-force defense)
  • Cookies for services explicitly requested by the user
  • Transmission of electronic communications

For websites with their own analytics solution that does not share data with third parties, this is a real relief. Marketing cookies, pixels, and retargeting will continue to require consent.

2. Legitimate interest as a legal basis

Currently, almost everything relies on consent. The Digital Omnibus extends “legitimate interest” to include cookies as well. This gives companies more leeway. However, the balancing of interests against user rights remains strict. Regulatory authorities can review and overturn any implementation.

3. Browser signals instead of banners per page

Users should set their cookie preferences once in the browser. Websites must read these signals and implement them automatically. This is the biggest technical change in the proposal.

The technical standards for this do not yet exist. Browser manufacturers, standardization bodies, and the advertising industry must first agree on a format. Realistic estimates put the launch in 2028 at the earliest. Until then, banners and consent management will continue as they do today.

4. Six-Month Blocking Period

If a user declines, the website may not ask for the same consent again for six months. This puts an end to the practice of the same question popping up on every new subpage. Many consent management platforms already support this storage, but not consistently.

What applies in 2026

No one needs to change their setup right now. The EU Commission itself emphasizes this. In plain language:

  • Cookie banners remain mandatory as soon as third-party scripts or marketing tools load
  • Section 25 of the TDDDG continues to require active consent for anything that is not technically necessary
  • Embedded content such as YouTube, Google Maps, or external fonts also requires consent before loading

If you want to check whether your own site is running properly, look at four points:

  1. Does the site load only what is technically necessary without consent?
  2. Are "Accept" and "Reject" equally prominent on the first level?
  3. Does the solution remember the rejection, or does it keep asking again?
  4. Do third-party tools like Google Analytics, Meta Pixel, or Maps really only load after opt-in?

These four points represent the current state of the art. They align with what the Digital Omnibus will later formally enshrine.
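The checks above can be expressed as logic that a site or an audit script runs. This is an added example, not code from the original post; the category names, the shape of the stored decision, the 183-day approximation of six months, and the sample URLs are assumptions.

```javascript
// Added example. A stored decision would live in a first-party cookie or
// localStorage; here it is passed in so the logic can be tested offline.
const REASK_BLOCK_MS = 183 * 24 * 60 * 60 * 1000; // "six months", approximated (assumption)

// Categories loaded without asking (check 1). Under the proposal described in
// this post, first-party analytics would move into this set; today it does not.
const NO_CONSENT_NEEDED = new Set(["necessary"]);

// record: null (no decision yet) or { decision: "accepted" | "rejected", at: epochMs }
function shouldShowBanner(record, now) {
  if (!record) return true;                          // first visit: ask once
  if (record.decision === "accepted") return false;  // nothing to ask
  return now - record.at >= REASK_BLOCK_MS;          // check 3: remember the rejection
}

// Check 4: anything outside the exempt set loads only after an explicit opt-in.
function mayLoad(category, record) {
  if (NO_CONSENT_NEEDED.has(category)) return true;
  return record !== null && record.decision === "accepted";
}

// Checks 1 and 4 as an audit: given the URLs a page requested before any
// consent was given, return the third-party hosts it contacted.
function preConsentThirdParties(requestUrls, siteHost) {
  const hosts = new Set();
  for (const u of requestUrls) {
    const host = new URL(u).hostname;
    const firstParty = host === siteHost || host.endsWith("." + siteHost);
    if (!firstParty) hosts.add(host);
  }
  return [...hosts].sort();
}

// Constructed sample: requests recorded on first load, before any banner click.
const SAMPLE_REQUESTS = [
  "https://www.example.com/",
  "https://www.example.com/assets/site.css",
  "https://stats.example.com/collect?p=/",
  "https://maps.example.org/embed?q=office",
  "https://fonts.example.net/css?family=Inter",
];

console.log(preConsentThirdParties(SAMPLE_REQUESTS, "example.com"));
```

An empty result from `preConsentThirdParties` on a real capture (for example, a HAR export from the browser's network tab) is what checks 1 and 4 ask for.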

What this means for different SME scenarios

The implications depend heavily on the specific setup. Three typical cases from our client projects:

Case 1: A simple company website with a contact form. These sites typically use only Google Fonts (embedded locally), with no trackers or marketing pixels. Under the Digital Omnibus, such sites still require a banner if third-party content—such as a Google Maps directions widget—is embedded. If you replace Google Maps with a static map image and a link to route planning, you can often omit the banner entirely. We recommend this setup because it loads faster and has no third-party dependencies.

Case 2: B2B website with lead generation. Typical setup: Google Analytics, Google Ads, LinkedIn Insight Tag. This configuration remains subject to consent, even after the Digital Omnibus. What’s changing: If you switch to a first-party analytics solution at the same time, you can eliminate the banner for reach measurement. Marketing tracking then runs completely separately and only for users who actively consent.

Case 3: Online store with WooCommerce. Shopping cart, login, and payment processing are technically necessary and are already permitted today without consent. Conversion tracking, retargeting, and personalized recommendations remain subject to consent. Here, the Digital Omnibus helps indirectly: those who correctly implement the six-month blocking period noticeably improve the user experience and spare returning visitors the constant banner fatigue.

What we at Waterproof Web Wizard take away from this

We recommend three steps to our clients. None of them is urgent, but all of them are preparation for 2027 and beyond.

First: Take first-party analytics seriously. Those who rely on a solution that stores data exclusively for their own needs and does not share anything with third parties will benefit most from the new framework. Matomo on-premise, Plausible Self-Hosted, and similar setups are moving in this direction. Google Analytics remains subject to consent.

Second: Reduce your cookie inventory. Many websites carry scripts that are never actively used. Every tool that can be removed simplifies compliance and speeds up page loading. We check this in every audit.

Third: Configure the consent management platform properly. The blocking period and one-click opt-out are already recommended practices today. Those who activate them now will be technically prepared later.

What we don’t do: We don’t promise any client that banners will disappear soon. Marketing tracking still requires consent. Anyone using Meta Pixel, Google Ads, or retargeting will continue to see a banner. The Digital Omnibus doesn’t change that.

Conclusion

The EU wants to reduce cookie banners, not eliminate them. The plan makes sense: first-party analytics without banners, browser signals instead of pop-ups on every page, clear blocking periods. It will take at least two years for this to become a reality. Until then, the rule is: comply with current banner requirements, work with clean technical practices, and clean up your cookie inventory.

Those who bring their website up to the standard that the Digital Omnibus will eventually require will reap double the benefits: cleaner data flows today and less restructuring work later.

 

Frequently Asked Questions

What specific changes will be made to my cookie banner in 2026?

Nothing will change until the Digital Omnibus is passed. The GDPR and Section 25 of the TDDDG remain in full force. A cookie banner is still required whenever third-party scripts or marketing tools load on the website.

 

 

When will the cookie banners go away?

They won’t disappear entirely. The Digital Omnibus reduces the banner requirement for security and first-party analytics cookies. Marketing and tracking cookies will still require consent. A realistic timeframe for the first relaxations: from 2027 to 2028.

 

What is the six-month waiting period?

Once a user declines the banner, the website is not allowed to ask for the same consent again for six months. This puts an end to the practice of the same banner reappearing every time the page is loaded. Many consent tools already store decline records for this length of time.

 

Which cookies still require consent?

All cookies used for personalized advertising, retargeting, cross-device tracking, third-party analytics, and large-scale profiling. If you use Google Analytics, Meta Pixel, LinkedIn Insight Tag, Hotjar, or similar tools, you still need active consent.