Cookie Banner Reform: Where the EU Digital Omnibus Debate Stands
Cookie banners have been a persistent topic in EU data protection discussions since GDPR came into force. A recent development in the Digital Omnibus legislative process has brought the question back into public focus, with the European Commission, several EU member states, and major technology companies taking opposing positions.
What the Commission proposed
In autumn 2025, the European Commission included Article 88b in its Digital Omnibus proposal. The article would have replaced the current cookie consent banner model with an automated browser-level signal. Under this approach, users would set their consent preferences once at the browser level, and those preferences would be communicated automatically to websites, removing the need to respond to individual banners on each site.
The proposal was narrower than it may appear. The Commission explicitly provided for per-website and per-purpose consent to remain available, meaning users could still grant consent to specific sites of their choosing. A comparable mechanism, the Global Privacy Control, is already in use in California under the CCPA.
The positions in the debate
European Commission: The proposal was positioned as a simplification measure, reducing friction for users while maintaining the legal basis for consent-based tracking where users opt in.
Google: Google published a paper arguing that browser-level consent signals would have a significant negative effect on online advertising revenue. The paper contended that the change would effectively function as a broad rejection of advertising consent. The Commission and privacy advocates have disputed this characterisation, noting that the proposal preserved users’ ability to grant per-site consent and that media outlets would be entirely exempt from the provision.
EU Member States: Germany, France, Poland and others supported removing Article 88b from the Digital Omnibus. These are the same member states that have publicly called for regulatory simplification and red tape reduction at the EU level. In the Council’s position paper published on 18 June 2026, Article 88b was not included.
noyb and Max Schrems: The privacy advocacy organisation noyb and its founder, Max Schrems, have been openly critical of the Council’s outcome. In a LinkedIn post on 23 June 2026, Schrems wrote: “You CANNOT make it up: Google, Germany and France are now lobbying to keep the cookie banner in the EU, when the European Commission has proposed to replace them with a simple signal. Lobbying against the vast majority of voters worked.” noyb has previously published research suggesting that only 3 to 10% of users actively want to be tracked, while industry consent rates reach up to 90% through banner design techniques.
Where the process stands
The Council’s position is not the final legislative outcome. The European Parliament is conducting its own review of the Digital Omnibus and has not yet published a position on Article 88b. EU legislation of this type requires the Council and the Parliament to reach a joint position before any change to the law takes effect.
Article 88b remains under consideration. The Parliament’s position and the outcome of negotiations between the two institutions will determine whether some version of browser-level consent makes it into the final regulation.
What this means for businesses now
Current obligations have not changed. If your website uses cookies or similar tracking technologies for non-essential purposes, you are required to obtain valid consent under GDPR and the ePrivacy Directive. That consent must be freely given, specific, informed and unambiguous. It must be as straightforward to withdraw or refuse as it is to give.
Regulators across the EU have been enforcing consent requirements for several years, with a particular focus on banner design. Pre-ticked consent boxes are not valid. Making the rejection option harder to find than the acceptance option is not compliant.
If Article 88b passes in any form, businesses will need to adapt their consent infrastructure to handle browser-level signals alongside or instead of banner-based consent. That is a technical and operational change, not just a design update.
For now, the practical position for businesses is to ensure that current consent mechanisms are compliant and to monitor developments in the Digital Omnibus process over the coming months.
About the Author
Zlatko Delev
Country Manager & Head of Commercial — GDPRLocal
Zlatko specialises in data protection compliance, ISMS strategy, and AI law. With a legal background and hands-on experience supporting organisations globally, he helps businesses navigate GDPR, the EU AI Act, and international privacy frameworks.