The EU Digital Omnibus and cookie consent: what digital marketers need to know

Will we finally see the death of the cookie policy? Or are things about to get even more complex when it comes to tracking marketing data?

By 

Victoria Spall

published on 

Since the EU’s General Data Protection Regulation (GDPR) came into force in 2018, websites across the globe have had to implement cookie banners to ensure compliance, with visitors giving explicit consent that they agree to be tracked.

This legislation has created problems for both marketers and users. For marketers, if consent is not granted, no data will be passed to the data collection tools, making tracking and measuring marketing data more difficult, messing up attribution modelling, as well as impacting remarketing.

For users, depending on how they are implemented, cookie banners create an annoying additional step when accessing virtually every website in the world, almost every time they visit.

In November 2025, it was announced that changes to data privacy laws are on the horizon. This new legislation, known as the Digital Omnibus proposal, has the potential to reshape data privacy laws for businesses operating in the EU and beyond. 

The compliance burden for companies could be significant. When GDPR was rolled out, smaller businesses had to invest time and money into bringing data privacy and protection up to scratch, and now, the upcoming Digital Omnibus proposal has the potential to be just as disruptive. 

However, getting rid of third-party cookies isn’t going to be simple, as demonstrated by Google’s failed attempts to do so.

What is the EU Digital Omnibus proposal? 

The EU Commission’s Digital Omnibus proposal aims to overhaul how consent works online. While cookies are included as part of the proposal, the regulatory changes will be wider-reaching. These changes will, unsurprisingly, benefit US Big Techs, as well as AI companies, who have been lobbying for changes to access all our lovely data to feed their training models.

When it comes to cookies specifically, low-risk cookies for things like security and basic analytics wouldn’t need consent banners, while marketing and tracking cookies could be managed through centralised browser preferences that work universally across sites.

What changes could we see to tracking cookies?

One-click consent and centralised browser settings

Rather than having to accept a cookie policy on every website, users will be able to set their cookie preferences once through their browser or operating system settings, and websites must respect those preferences for at least six months.

In theory, this means fewer pop-ups interrupting the user experience – something that UX and CRO teams will love. For marketers, this could mean dealing with browser-level signals rather than individual banner interactions. 

The challenge? Browsers may implement this differently, and we’ve already seen some with stricter privacy stances than Chrome, not to mention DuckDuckGo, which blocks almost all third-party cookies, and Brave, which blocks them by default.

Shift from opt-in to opt-out for certain tracking purposes

This is where things get controversial. Currently, tracking cookies require explicit consent before they’re set. The Digital Omnibus would allow tracking cookies to be set by default under certain conditions rather than the user giving explicit consent, with users needing to object afterwards rather than agree in advance.

So rather than asking “Can we track you?” before setting cookies, you’d be operating under “We’re tracking you unless you say otherwise.” 

If the shift to tracking cookies in the browser does happen, this gives marketers less control and potentially, less data to collect. A user could, with one setting, confirm that they do not consent to being tracked on any website they visit from that browser. Plus, privacy-focused browsers may still block tracking by default regardless of what the law allows.

However, as cookies are likely to be broken down into risk-based categories, it seems likely that opting into third-party cookies will still need to be explicit.  

Expansion of “legitimate interest” as a legal basis

Under current rules, consent is king for most marketing cookies. The Digital Omnibus would open up the full range of GDPR legal bases, including ‘legitimate interest’. This means you could potentially set tracking cookies based on your business interests rather than explicit user consent. Is that a good idea? Probably not.

So what counts as ‘legitimate interest’ for marketing? That’s still being debated. The Commission argues this allows tracking cookies to be stored and read based on corporate objectives, but it’s not a free pass. You’d still need to:

  • Conduct legitimate interest assessments (LIAs)
  • Balance your interests against user rights
  • Provide clear opt-out mechanisms
  • Document everything for regulatory scrutiny

For analytics and audience measurement, there’s better news. Cookies used purely for statistical purposes, without individual profiling, could be permitted without consent – provided only aggregated, anonymised information is collected. This could make basic traffic analysis and reach measurement significantly simpler. And we could finally see huge swathes of GA4 session data return, making for much more accurate website traffic reporting. 

Changes to special category data definitions

This technical change has major implications. Currently, special category data (health, sexual orientation, political opinions, etc.) is protected if it can be inferred about someone. The Digital Omnibus would narrow this to only data that “directly reveals” sensitive information. 

This is great news for marketers running interest-based campaigns. If your targeting parameters allow someone to infer sensitive characteristics through “comparison, cross-referencing, or logical conclusions,” that’s currently protected. Under the new rules, it might not be. But from a privacy standpoint, it’s really not very cool. At all.

Yes, it does open up more targeting options for marketers (yay), but critics warn this allows companies to process special categories of data if they claim a “legitimate interest,” fundamentally weakening protections for the most sensitive personal information. 

As an example, a pregnant person could be looking for ways to terminate their pregnancy. Imagine they have an abusive partner who they do not want to know about their healthcare choices. If deemed to have a ‘legitimate interest’, that person could then be targeted with ads for clinics, medical procedures, and even pro-life political groups to sway their decision. By being targeted with ads relating to their pregnancy, they could be put in harm’s way. There is a reason why sensitive categories do not allow cookie-based ad retargeting, and I firmly believe it should stay that way.

Timeline for implementation

Don’t bin your current consent management platform just yet – as with all things data-related, it’s going to take yonks to see the light of day – and even then, we don’t know what form it will take. 

The Digital Omnibus now enters the EU’s ordinary legislative procedure, moving to the European Parliament and Council for deliberations, with substantial amendments likely during the legislative process.

Based on how long previous EU digital regulations have taken, we’re looking at a 2-3 year timeline at an absolute minimum. The ePrivacy Regulation, for context, has been in negotiation since 2017 and still hasn’t passed. Browser implementation would add another layer of time – getting Chrome, Safari, Firefox, and Edge to all implement compatible consent signals is no small feat – and that’s not even considering the acceleration we’ll see during the next few years with every technology business trying to ‘innovate’ with AI. And by ‘innovate’, I mean forcing its users to use AI features (that literally nobody asked for).

What these changes could mean for digital marketing teams

If you are ancient like me, you’ll probably remember the ‘fun’ transition to making sure all our clients were GDPR compliant. And you’ll also probably recall shuddering at further updates to data privacy policies over time, like Google’s Consent Mode V2

Well, depending on whether these changes will end up being implemented (and when), here’s what digital marketing teams will need to bear in mind.

Changes to tracking and attribution models

  • Multi-touch attribution becomes significantly harder if consent rates drop or browser defaults block tracking
  • Last-click attribution may become the default fallback for many campaigns, reducing visibility into the full customer journey
  • Server-side tracking and conversion APIs could gain importance as workarounds for browser-level blocking
  • Marketing mix modelling and incrementality testing may need to supplement digital attribution gaps
  • Cross-device tracking faces additional hurdles as browser-level consent doesn’t easily translate across desktop, mobile, and app environments

Impact on retargeting campaigns and audience building

  • Retargeting pools could shrink dramatically if browsers default to rejecting non-essential cookies
  • Custom audiences built from website behaviour may become smaller and less granular
  • Lookalike audience quality depends on the size and accuracy of seed audiences, which could deteriorate
  • Dynamic retargeting for e-commerce (showing specific products users viewed) relies heavily on tracking that may be restricted
  • Frequency capping across sites becomes more difficult without persistent identifiers
  • Budget efficiency drops when you’re repeatedly targeting the same converted customers you can’t identify

Adapting to ‘legitimate interest’ vs consent-based tracking (legal gubbins)

  • Legitimate interest assessments (LIAs) become mandatory documentation for any tracking not based on explicit consent
  • You’ll need to clearly articulate and document your business case for each tracking purpose
  • Balancing tests required: your business interests vs user privacy rights and expectations
  • Easy opt-out mechanisms must be available and prominent, not buried in privacy policies
  • Regular reviews are needed as laws evolve around what counts as legitimate marketing interest
  • Different interpretations across EU member states, as well as jurisdictions outside of it, could create compliance complexity

Google Consent Mode and platform-specific requirements

  • Google Consent Mode v2 already requires granular consent signals; Digital Omnibus adds browser-level signals to manage
  • Conversion modelling kicks in when consent is denied, but accuracy varies significantly
  • Meta’s Conversions API needs server-side implementation to supplement pixel data lost to consent restrictions
  • Other ad platforms (TikTok, LinkedIn, etc.) all have different approaches to handling limited consent
  • Platform reporting dashboards will show increasing gaps between modelled and observed conversions
  • Ad targeting quality degrades with smaller consent-based audiences, potentially increasing CPC/CPA
  • Each platform’s interpretation of ‘legitimate interest’ may differ, creating reconciliation headaches

Balancing personalisation with reduced consent rates

  • Contextual targeting makes a comeback as behavioural data becomes harder to collect
  • Content relevance and first-party context become primary personalisation drivers
  • Progressive profiling strategies allow you to build user profiles over time through voluntary data sharing
  • Value exchange becomes critical: users need clear benefits for sharing data
  • Segment sizes shrink, making hyper-personalisation less viable for smaller audiences
  • A/B testing becomes harder with reduced sample sizes and tracking capabilities
  • Default experiences need to convert well since personalised experiences reach fewer users

First-party data strategies become more critical

  • Email addresses and authenticated user data are gold, as they bypass cookie restrictions entirely
  • Customer data platforms (CDPs), centralising first-party data, become essential infrastructure
  • Loyalty programmes and account creation incentives take on new strategic importance
  • Zero-party data (information users intentionally share) through preference centres, quizzes, and surveys
  • CRM integration with marketing platforms ensures you’re maximising known user data
  • Data clean rooms enable privacy-safe collaboration with partners and platforms
  • Single sign-on (SSO) and identity resolution across touchpoints while respecting privacy

Analytics and conversion tracking considerations

  • Google Analytics 4’s cookieless measurement capabilities become more relevant
  • Server-side Google Tag Manager implementation helps maintain tracking accuracy
  • Consent mode impacts data completeness in reports – expect more “direct/none” traffic
  • Conversion windows may need extending as delayed attribution becomes more common
  • UTM parameters and first-party tracking become more important for campaign attribution
  • Board and stakeholder education needed on why metrics may show apparent performance drops

Preparing for browser-level consent signals in marketing automation

  • Marketing automation platforms need updates to read and respect browser consent signals
  • Workflow triggers based on behaviour may fire less reliably without complete tracking
  • Lead scoring models need recalibration when based on incomplete behavioural data
  • Segmentation based on website activity becomes less precise
  • Form submissions and explicit actions become more valuable trigger events
  • Testing environments are needed to simulate different browser consent configurations
  • Integration work is required between consent management platforms and marketing tools

Content marketing implications of reduced tracking

  • Content performance measurement becomes less granular without full user journey data
  • Engaged time metrics and scroll depth tracking may require consent
  • Internal site search data remains valuable first-party behavioural intelligence
  • Content recommendations based on behaviour become harder without tracking
  • Bottom-of-funnel content identification becomes more challenging
  • Increased emphasis on qualitative feedback and user research to supplement reduced analytics

Email marketing and CRM data considerations

  • Email remains largely unaffected – it’s first-party, permission-based communication
  • Web behaviour appended to email profiles may be incomplete
  • Email link tracking and open rates continue working (though Apple privacy measures already impact opens)
  • Progressive profiling through email preference centres gains importance
  • CRM data quality becomes paramount when third-party enrichment is limited
  • Synchronisation between CRM and marketing platforms needs tighter governance
  • GDPR’s data minimisation principle still applies – only collect what you genuinely need and use

What marketing teams should do now

If you’re an agency working with clients, it’s a good idea to give them a heads-up on what these changes could mean to their business, and keep an eye out for legislative developments through the European Parliament and Council.

If you’re an in-house marketer, raise this with legal now, as this is set to be as big as GDPR. You’ll need to:

  • Review your current consent management setup
  • Assess readiness for browser-based consent signals
  • Maintain robust documentation and audit capabilities
  • Consider regional differences in implementation
  • Brief stakeholders on potential impacts to KPIs and reporting

TL;DR: The good vs the bad: what marketers need to weigh up

The potential benefits:

  • Fewer banner dismissals could mean higher actual consent rates
  • Reduced friction in user experience and customer journeys
  • Simplified compliance framework (one set of rules vs GDPR + ePrivacy)
  • Lower costs for cookie banner management
  • Aggregated analytics without consent requirements
  • Clearer rules around “legitimate interest” for marketing purposes
  • Browser-level settings could reduce banner fatigue

The potential drawbacks:

  • Shift to opt-out may face browser implementation barriers
  • Privacy-first browsers could default to “reject all”
  • Increased complexity in managing multiple consent signals
  • Loss of granular control over individual site consent
  • Audit and documentation requirements become more complex
  • Potential for reduced data collection if browsers default to strict settings
  • Marketing attribution could become more difficult

The Digital Omnibus represents evolution, not the elimination of consent requirements, so it looks like cookie banners, in some form or another, are here to stay. While it’s still looking to be a long way off, businesses must be prepared to move quickly as regulations develop.


You may be interested in the following similar posts:

Enjoy this post?

Sign up to Browser Media Bytes for similar posts straight to your inbox.

BM Bytes Sign Up
View all blog posts