The European Commission withdrew the ePrivacy Regulation on February 11, 2025, after eight years of Council deadlock. Its replacement, the Digital Omnibus proposal (November 2025), moves cookie consent rules directly into the GDPR via two new articles: Article 88a, which restructures how consent for terminal equipment access works, and Article 88b, which makes browser-level consent signals legally binding on controllers. Article 88a applies six months after entry into force.
Your banner is re-prompting users who already refused. Under Article 88a, that will be a GDPR violation. Here is what needs to change before the six-month clock starts.
Key Takeaways
- The Digital Omnibus transfers cookie consent obligations from the ePrivacy Directive into the GDPR, meaning GDPR Data Protection Authorities, not telecoms regulators, will enforce them across all EU Member States.
- Article 88a prohibits re-requesting consent for the same purpose for at least six months after a user refuses — a rule most current CMP configurations violate on every return visit.
- Article 88b requires controllers to recognize and respect browser-level consent signals within 24 months of entry into force, reducing reliance on per-visit cookie banners for users who have already expressed a preference.
Why the ePrivacy Regulation Was Abandoned
The ePrivacy Regulation had been in negotiation since 2017. Eight years of Council deadlock over metadata processing, analytics cookies, and the uneasy relationship between the Directive and GDPR left the draft technically obsolete. The Commission's February 2025 withdrawal decision reflected a pragmatic judgment: embed cookie rules where they belong, inside the GDPR, rather than maintain a parallel, inconsistent framework that DPAs had to navigate around.
The Digital Omnibus package addresses GDPR, the AI Act, and the Product Liability Directive. The cookie provisions in Articles 88a and 88b are the changes most immediately relevant to any organization running a consent management platform or website.
What Article 88a Actually Changes
The baseline is unchanged. Consent remains the required legal basis for storing or accessing information on a user's device — cookies, local storage, device fingerprinting, and similar techniques. The Digital Omnibus does not introduce a legitimate interests route for advertising-adjacent tracking. Organizations that rely on cookie consent management face no dilution of that core requirement.
The exceptions list is codified inside GDPR. Article 88a permits device access without consent only for:
- Transmitting an electronic communication over a network
- Providing a service expressly requested by the user
- Aggregated audience measurement — own service, internal use, no data sharing with third parties
- Maintaining or restoring the security of a service or device
The audience measurement exception is the narrowest of the four. It applies only to a service provider measuring its own audience internally. Analytics solutions that share data with third-party platforms, aggregate across multiple domains, or export to advertising ecosystems remain consent-dependent. Most third-party analytics implementations, including standard GA4 configurations, do not qualify.
The six-month re-request ban is the biggest operational change. If a user refuses consent, Article 88a prohibits the controller from re-requesting consent for the same purpose for at least six months. Most current CMP configurations re-surface the banner on every visit, or after a short interval. Under Article 88a, a refusal locks the banner for six months per purpose. That requires CMPs to log refusals with timestamps, apply per-purpose expiry logic, and suppress re-prompts accordingly. For organizations managing multi-purpose consent across a complex tag stack, this is a non-trivial reconfiguration.
Enforcement consolidates under GDPR DPAs. Today, the ePrivacy Directive is enforced by a patchwork of national regulators: telecoms authorities in some Member States, data protection authorities in others. Article 88a places enforcement under the same GDPR supervisory authorities that issue consent fines today. The CNIL, the ICO, and the Irish DPC have all issued significant enforcement actions against organizations for inadequate consent practices and cookie banner dark patterns. Consolidation under GDPR DPAs means more consistent enforcement, with fines up to €20 million or 4% of global annual turnover.
Secure Privacy's consent management platform is built on the GDPR framework, so the shift to DPA enforcement does not change your compliance architecture — it eliminates the split-regulator risk that currently exists for organizations operating across multiple Member States.
Article 88b: Browser-Level Consent Signals
Article 88b introduces machine-readable consent signals as a parallel mechanism. Users set privacy preferences once (in a browser, a digital wallet, or a similar tool) and controllers must read and honor those signals rather than re-prompting with a banner for users who have already expressed a preference.
For users who have configured a browser-level signal, the cookie banner becomes redundant. Controllers that fail to recognize these signals face GDPR enforcement under the unified framework. Web browser providers, excluding SMEs, carry responsibility for implementing the technical infrastructure.
The 24-month implementation window for Article 88b is longer than Article 88a's six-month window. The extra runway reflects the infrastructure investment required from browser vendors. Organizations building or updating consent infrastructure in 2026 should design for signal recognition from the outset rather than retrofitting it as a separate project.
The Global Privacy Control (GPC) signal is the closest current equivalent and is already legally recognized in California under the CCPA. Article 88b creates a comparable obligation in EU law.
One important carve-out: media service providers are explicitly exempt from Article 88b's signal-recognition obligation. They may instead offer users an alternative (such as a subscription) before honoring a refusal signal. For non-media businesses, no such alternative is available; signal recognition will be mandatory.
Two structural reasons ensure cookie banners do not disappear even for users who configure browser signals. First, GDPR's information obligations require that users be notified about processing before it occurs — an Article 13 notice must still be served regardless of how consent is collected. Second, withdrawal of consent must be as easy as giving it, which in practice requires a banner-adjacent interface for users who later want to change a preference they set at browser level. The banner evolves; it does not vanish.
What Stays the Same, What Changes
| Requirement | Under ePrivacy Directive | Under Article 88a |
|---|---|---|
| Default rule | Consent required for device access | Consent required for device access |
| Exceptions | Analytics, session, security (varies by Member State) | Electronic comms, express request, own-service audience measurement, security |
| Re-prompting | No explicit minimum interval | 6-month ban after refusal, per purpose |
| Enforcement authority | Telecoms regulators or DPAs (varies by country) | GDPR Data Protection Authorities in all Member States |
| Browser/wallet signals | No legal obligation to recognize | Mandatory under Article 88b (24-month window) |
| Maximum fine | Varies widely by Member State | GDPR maximum: €20M or 4% of global turnover |
Timeline: When Does This Apply?
The Digital Omnibus proposal is in Trilogue negotiations between the European Parliament, Council, and Commission as of mid-2026. A final vote is expected later in 2026, with entry into force following ratification.
- Article 88a: six months after entry into force
- Article 88b: 24 months after entry into force
Organizations that update consent infrastructure now (refusal logging, per-purpose re-prompt suppression, signal-ready CMP architecture) will be compliant from day one rather than scrambling against the six-month clock after ratification.
If your organization manages consent across multiple jurisdictions, the UK's Data Use and Access Act 2025 PECR changes introduced parallel changes to analytics cookie exemptions with different conditions and timelines that do not map one-to-one to Article 88a. Both require separate compliance tracks.
Three Infrastructure Changes to Make Now
Audit your CMP for three operational gaps before Article 88a enters into force:
1. Refusal logging with timestamps. Each purpose-level refusal must be recorded with a date so re-prompt suppression can enforce the six-month window per purpose.
2. Per-purpose cooldown logic. A blanket "user refused once" flag is insufficient. The six-month ban applies per purpose: marketing, analytics, and personalization each need separate timestamps and separate suppression logic.
3. Signal recognition readiness. If your CMP does not already read machine-readable privacy signals, Article 88b will require it. Build signal recognition into current infrastructure updates rather than as a separate future project.
Secure Privacy's cookie and consent solution supports per-purpose consent logging, automated re-prompt suppression, and GPC signal recognition: the three capabilities that Article 88a and 88b will make mandatory across the EU.
Frequently Asked Questions
Does Article 88a become law automatically once the Digital Omnibus passes?
Yes. The Digital Omnibus amends GDPR directly, so Article 88a applies in all EU Member States without separate national implementation. It takes effect six months after the Omnibus enters into force.
Does the audience measurement exception cover Google Analytics?
Almost certainly not. The Article 88a audience measurement exception requires single-service scope and no third-party data sharing. Standard GA4 sends data to Google, a third party. That takes it outside the exception, leaving consent as the required legal basis.
What happens to my existing cookie banner once Article 88a applies?
If your banner re-requests consent on return visits after a user has refused, it will violate the six-month re-request prohibition. You need a CMP that logs refusals per purpose and suppresses re-prompting for at least six months after each refusal.
Does Article 88b eliminate the need for cookie banners?
No. Banners persist for two independent reasons. For users without a configured signal, the banner remains the primary consent mechanism. For users who do configure a browser signal, GDPR's Article 13 information obligation still requires a pre-processing notice, and withdrawal rights require an interface for changing preferences later. As Osborne Clarke put it, "the long-awaited end of cookie banners as such is not yet in sight."
Who enforces Article 88a and at what fine level?
Your national GDPR supervisory authority — the same body that can impose fines of up to €20 million or 4% of global annual turnover under GDPR Articles 83(4) and (5).
Is the Digital Omnibus final law?
Not yet. The proposal is in Trilogue negotiations as of mid-2026. One unresolved question is the fate of the ePrivacy Directive itself: the Digital Omnibus does not formally repeal it, meaning a transitional overlap period is possible between the Directive's national implementations and the new GDPR-based framework. Entry into force (and Article 88a's six-month application window) depends on final legislative outcomes.
Does Article 88a affect the consent-or-pay model?
Article 88a does not explicitly restrict the consent-or-pay approach. The EDPB's October 2024 opinion on consent-or-pay remains the primary guidance — it permits the model under specific conditions but requires a genuinely equivalent free alternative. Article 88a does not change that analysis.




