Politics

EU’s Digital Omnibus reshapes cookie consent framework with browser integration and opt-out tracking

Monday, 24 November 2025 7:11PM UTC

The European Commission’s upcoming Digital Omnibus proposal aims to overhaul data privacy laws, introducing browser-based consent management, shifting to opt-out tracking, and redefining sensitive data, with far-reaching implications for marketers and users alike.

Since the implementation of the EU’s General Data Protection Regulation (GDPR) in 2018, the widespread use of cookie consent banners has become a global norm, requiring explicit user consent before websites can track data. While this framework aimed to bolster user privacy, it has also introduced notable challenges for both marketers and users. Marketers have faced difficulties in collecting comprehensive data for accurate attribution and retargeting if visitors withhold consent, disrupting marketing measurement tools. Meanwhile, users often encounter frequent cookie pop-ups, which can detract from a seamless browsing experience.

Looking ahead, the European Commission has introduced the Digital Omnibus proposal, a legislative package announced in November 2025, which promises broad changes affecting data privacy laws in the EU. This initiative, set to reshape how digital consent is managed, could have significant implications for businesses operating both within and beyond the EU’s borders. According to BrowserMedia’s detailed analysis, the proposal is not merely about cookies but includes a wide-ranging effort to modernise digital regulation, aligning consent management with the evolving landscape of digital technologies, including artificial intelligence (AI).

A central element of the Digital Omnibus is the overhaul of the cookie consent framework. One of the standout changes is the move toward integration of cookie settings within browsers and operating systems. Instead of encountering a multitude of individual cookie banners, users will be able to set their preferences once at the browser level, which websites must honour for six months. This shift has the potential to significantly enhance user experience by reducing the frequency of interruptions while navigating different websites. However, this also means marketers might have to adapt to managing consent signals at the browser level rather than relying on interactions with individual cookie banners, posing new tracking complexities especially given divergent approaches from browsers like Chrome, Safari, Brave, and DuckDuckGo. Some of these browsers already impose stringent blocks on third-party cookies, potentially limiting data collection further.

Controversially, the Digital Omnibus proposes a shift from an opt-in to an opt-out model for certain types of tracking cookies. Currently, explicit consent is required before tracking cookies can be set, but under the new proposal, tracking may be established by default with users needing to actively opt out if they wish. While this could ease data collection for some marketers, it raises privacy concerns, as users may be tracked unless they take steps to refuse. Moreover, privacy-centric browsers might still block tracking despite legal allowances, complicating the landscape. The legislation plans to categorise cookies by risk, implying that explicit consent will still be mandatory for high-risk, marketing-oriented cookies.

Another notable change involves expanding the use of ‘legitimate interest’ as a legal basis for processing personal data, currently subordinate to explicit consent for most marketing activities. The Digital Omnibus would allow businesses to rely on legitimate interest assessments (LIAs) to justify some uses of tracking cookies, provided they balance their interests against user rights, maintain clear opt-out options, and document their processes thoroughly for potential regulatory scrutiny. This pivot has sparked debate, as it may dilute the primacy of user consent, raising concerns about possible overreach in data exploitation.

Further complicating the data privacy landscape, the proposal seeks to narrow the definition of special category data, sensitive personal information such as health status and political beliefs, to only data that directly reveals such information. Under the current regulations, even inferred data relating to sensitive categories is protected. Marketers might benefit from this redefinition by gaining more flexibility in using inferred interest data for targeting, but critics warn it could undermine protections for vulnerable groups. For example, the risk of sensitive targeting leading to harmful scenarios, such as exposing vulnerable individuals to coercive or manipulative advertising, remains a serious ethical concern.

The timeline for these reforms is expected to be extensive. The proposal now proceeds to the EU’s ordinary legislative process involving the European Parliament and Council, where substantial amendments are anticipated. Given the often slow pace of digital regulation, illustrated by the ongoing delays surrounding the ePrivacy Regulation, full implementation could take several years. Additionally, browser-level integration adds another layer of complexity, requiring compatibility across major browsers to ensure a uniform user experience.

Marketing professionals must start preparing for potentially significant changes. The proposed reforms could complicate multi-touch attribution models if consent rates decline or browsers adopt stricter default privacy settings. This could lead to a reliance on last-click attribution or alternative measurement techniques such as marketing mix modelling and incrementality testing to compensate for gaps in digital data. Retargeting campaigns could see audience sizes shrink, impacting the granularity and efficiency of personalised marketing efforts. Moreover, the need to conduct and document lawful interest assessments rigorously introduces new compliance burdens.

Adapting to these changes also means revisiting technology and data strategies. Google’s Consent Mode and similar platform-specific solutions will need to evolve to interface effectively with browser-level consent signals. Server-side tracking and conversion APIs may become more critical to maintain data accuracy amid browser restrictions. Meanwhile, marketers will likely refocus on first-party data collection, leveraging customer relationship management (CRM) systems, loyalty programmes, and direct user engagement tools such as preference centres and surveys. The role of zero-party data, information users explicitly share, will become paramount as third-party tracking faces increasing constraints.

On the broader regulatory landscape, the Digital Omnibus is part of a package that also delays certain high-risk provisions in the EU’s forthcoming AI Act to December 2027, following industry lobbying concerns about the challenges of compliance. Reuters and other sources highlight that this package aims to simplify digital regulation enforcement in general, facilitating data use for AI training under the legitimate interest legal basis but drawing criticism from privacy advocates concerned about dilution of privacy rights and enhanced power for Big Tech firms.

In summary, while the Digital Omnibus promises to reduce cookie consent banner fatigue and streamline some aspects of compliance, it also introduces new complexities and potential risks for user privacy and marketing practices. Rather than eliminating consent, the reforms signify an evolution toward browser-based centralisation of consent management, an expanded role for legitimate interest, and a redefinition of sensitive data categories. For digital marketing teams, the challenge will be staying agile as legislative and technology changes unfold, balancing compliance with the need for effective data-driven marketing.

📌 Reference Map:

^[1] (BrowserMedia) - Paragraphs 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
^[2] (iubenda) - Paragraph 4
^[3] (Reuters) - Paragraph 11
^[4] (Ansa.it) - Paragraph 4, Paragraph 5
^[5] (S&K Brussels) - Paragraph 4, Paragraph 9
^[6] (Skadden) - Paragraph 4, Paragraph 9
^[7] (Le Monde) - Paragraph 11

Source: Noah Wire Services

More on this

https://browsermedia.agency/blog/the-eu-digital-omnibus-and-cookie-consent-what-digital-marketers-need-to-know/ - Please view link - unable to able to access data
https://www.iubenda.com/en/help/188546 - This article discusses the European Commission's Digital Omnibus proposal, which aims to integrate cookie consent rules into the GDPR. It highlights changes such as the introduction of exceptions to consent requirements for certain cookies, the implementation of one-click accept and reject options, and a six-month cooling-off period before re-asking users for consent. The article also mentions the introduction of machine-readable preference signals, allowing users to manage cookie preferences through browser or operating system settings.
https://www.reuters.com/sustainability/boards-policy-regulation/eu-delay-high-risk-ai-rules-until-2027-after-big-tech-pushback-2025-11-19/ - Reuters reports that the European Commission has delayed certain high-risk provisions of its AI Act until December 2027, following pressure from major technology firms. This decision is part of a broader regulatory easing initiative known as the 'Digital Omnibus,' which also seeks to simplify the enforcement of other technology-related regulations, including the GDPR, e-Privacy Directive, and the Data Act. The proposed revisions would permit companies to utilize European users' data for training AI models under the 'legitimate interest' legal basis.
https://www.ansa.it/english/news/2025/11/21/eu-digital-deregulation-plans-spur-privacyconsumer-concerns_7ea788c8-1792-4061-8fc5-7083ff561205.html - Ansa.it reports on the European Commission's proposal to modernise cookie rules to improve the online user experience. The plan includes allowing users to set cookie preferences once through their browser or operating system settings, reducing the frequency of cookie consent banners. However, data protection and consumer advocates have expressed concerns that relaxing these rules could weaken citizens' rights and benefit the tech industry.
https://en.sandkbrussels.com/news/seminars-lectures/office-sponsored/webinar-on-november-21-2025-urgent-webinarproposed-amendments-to-gdpr-data-laws-and-ai-laws-as-indic/ - S&K Brussels hosted a webinar discussing proposed amendments to GDPR, data laws, and AI laws as indicated by the leaked EU Digital Omnibus Bill. The proposed changes include redefining 'personal data' in the GDPR, integrating cookie consent rules into the GDPR based on the ePrivacy Directive, and introducing machine-readable opt-in/out signals at the browser and OS level. The draft also proposes recognizing personal data processing for AI model training as a new legal basis while restructuring the definition of sensitive data.
https://www.skadden.com/insights/publications/2025/11/commission-proposes-significant-changes-to-eu-digital-rules - Skadden, Arps, Slate, Meagher & Flom LLP discusses the European Commission's Digital Omnibus proposal, which includes significant changes to EU digital regulations. Key points include amendments to cookie rules, such as introducing new exceptions to consent requirements and requiring controllers to accept and respect individuals' preferences expressed in a machine-readable manner through online interfaces. The proposal also adds a recital to the GDPR clarifying that 'legitimate interest' can be an appropriate legal basis for AI training and use.
https://www.lemonde.fr/en/economy/article/2025/11/19/european-commission-launches-digital-regulation-simplification_6747624_19.html - Le Monde reports on the European Commission's introduction of a digital regulation simplification package aimed at reducing bureaucracy and enhancing Europe's competitiveness in digital innovation, especially in artificial intelligence (AI). The proposal seeks to update regulatory frameworks like the 2016 General Data Protection Regulation (GDPR) and delay certain provisions of the 2024 AI Act until 2027 for high-risk AI models. The package has sparked criticism from privacy advocates who argue it undermines privacy rights and gives big tech excessive leeway.

Noah Fact Check Pro

The draft above was created using the information available at the time the story first emerged. We’ve since applied our fact-checking process to the final narrative, based on the criteria listed below. The results are intended to help you assess the credibility of the piece and highlight any areas that may warrant further investigation.

Freshness check

Score: 9

Notes: The narrative is recent, published on 24 November 2025, aligning with the European Commission's announcement of the Digital Omnibus proposal on 19 November 2025. ([lemonde.fr](https://www.lemonme.fr/en/economy/article/2025/11/19/european-commission-launches-digital-regulation-simplification_6747624_19.html?utm_source=openai)) The content appears original, with no evidence of prior publication or recycling. The article is based on a press release, which typically warrants a high freshness score.

Quotes check

Score: 10

Notes: The article does not contain direct quotes, indicating original content.

Source reliability

Score: 8

Notes: The narrative originates from Browser Media, a UK-based digital marketing agency. While not a major news outlet, the agency is reputable within its industry. The article is well-researched, citing multiple sources, including Reuters and Le Monde. ([lemonde.fr](https://www.lemonme.fr/en/economy/article/2025/11/19/european-commission-launches-digital-regulation-simplification_6747624_19.html?utm_source=openai))

Plausability check

Score: 9

Notes: The claims about the Digital Omnibus proposal are consistent with recent reports from reputable sources, such as Reuters and Le Monde. ([lemonde.fr](https://www.lemonme.fr/en/economy/article/2025/11/19/european-commission-launches-digital-regulation-simplification_6747624_19.html?utm_source=openai)) The article provides detailed analysis and context, enhancing its credibility.

Overall assessment

Verdict (FAIL, OPEN, PASS): PASS

Confidence (LOW, MEDIUM, HIGH): HIGH

Summary: The narrative is recent and original, with no evidence of recycled content. It is well-researched, citing reputable sources, and the claims are consistent with recent reports from major news outlets. The absence of direct quotes suggests original content. Given these factors, the overall assessment is positive.

Data Privacy
Digital Regulation
Cookie Consent
EU Legislation
MarketingTech