EU Digital Omnibus moves cookie consent rules into GDPR Articles 88a and 88b, forcing CMPs to ingest browser signals
The European Commission’s Digital Omnibus proposal, published in November 2025, is reshaping how consent management platforms must operate across the EU — and late May 2026 finds the industry racing to interpret what the draft Articles 88a and 88b GDPR will mean in practice for OneTrust, Cookiebot, Usercentrics and Didomi. Legal analyses from Taylor Wessing, Osborne Clarke and Loyens & Loeff published this month converge on one conclusion: cookie governance is moving out of the ePrivacy Directive and directly into the GDPR, and the consent management category will not look the same eighteen months from now.
Article 88a of the proposal sets out a narrow list of cases where storing or accessing information on a user’s device does not require consent — transmission of electronic communications, services explicitly requested by the user, first-party aggregated statistics produced by the controller for its own service, and security maintenance. Everything else, including the bulk of advertising, analytics and personalisation tags currently deployed through CMPs, continues to require freely given, specific, informed and unambiguous consent. What changes is the mechanism: Article 88a(4) requires that a refusal be possible through “a single-click button or equivalent means,” and bars websites from re-prompting users for the same purpose for at least six months after a refusal has been recorded.
What Article 88b actually demands
The more disruptive provision is Article 88b, which would require controllers to allow consent or refusal to be expressed “through automated and machine-readable means” and obliges web browser providers — with an explicit carve-out for small and medium-sized enterprises — to provide the technical infrastructure that lets users configure those preferences once at the browser level. In other words, a signal close in spirit to Global Privacy Control, but anchored in EU law rather than a US industry standard. Once a user has expressed a preference through that signal, controllers must respect it rather than show another banner.
For consent management vendors, this is not a deprecation event but a re-platforming one. Browser signals do not replace the CMP; they become another input the CMP must ingest, reconcile with on-site choices, and propagate to downstream tag managers and server-side endpoints. Analyses published this month by iubenda and consentmanager.net describe the same architectural shift: CMPs that today treat the banner as the sole source of truth will need to add a signal-arbitration layer, and the contractual responsibility for honouring a browser-level “no” will sit squarely with the data controller — meaning the website operator, not the vendor.
CMP vendors begin to reposition
Cookiebot, the SMB-focused brand that Usercentrics acquired in 2021, has already updated its public guidance to flag the inbound machine-readable requirement, and OneTrust’s product communications throughout May 2026 have leaned on the message that “installing a CMP does not ensure compliance” — a notable softening of the historical pitch that a CMP plus a generic policy template was sufficient. Both vendors face the same engineering question: how to expose granular per-purpose consent state in a way that browsers, ad-tech vendors and analytics platforms can consume without round-tripping through a visible banner on every visit.
Vendor benchmarks circulating this week now grade CMPs not just on banner UX and template coverage but on whether they ship a documented integration path for inbound preference signals and a server-side mode that does not depend on client-side scripts running before consent. Mid-tier products without that roadmap risk being benched by enterprise privacy teams during 2026 procurement cycles.
Enforcement context: regulators have not paused
Cookie enforcement under the existing ePrivacy framework has continued to harden while the Digital Omnibus moves through the legislative process. The French Commission Nationale de l’Informatique et des Libertés (CNIL) issued €27 million and €15 million fines against Free Mobile and Free in January 2026, following its September 2025 €325 million penalty against Google and €150 million penalty against Shein, both tied to advertising cookies dropped without valid consent under Article 82 of the French Data Protection Act. CNIL also published recommendations on multi-device consent in December 2025 and announced that cross-domain consent — a single choice valid across sites in the same corporate group — will be the subject of public consultation in 2026.
Dark-pattern banners, asymmetric “Accept all” versus buried “Reject” flows, and pre-ticked vendor lists are now treated as operational failures rather than legal grey zones. Article 88a codifies that interpretation by making the single-click refusal a textual requirement rather than guidance.
What website operators should be doing now
The proposal is still a proposal — the Council and Parliament have not adopted it, and the Digital Omnibus has drawn substantive comments from industry groups including the International Center for Law & Economics. Even so, the practical to-do list for late 2026 is clear. First, audit current CMP deployments against the single-click refusal standard and verify that no advertising or analytics tag fires before a positive consent state is recorded. Second, confirm that the CMP does not re-prompt within a six-month window after a refusal — a setting many out-of-the-box deployments still get wrong. Third, document the controller’s plan for ingesting browser-level signals once they become technically available.
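The signal-arbitration layer and the three audit points above can be sketched as follows. This is an added example, not code from the proposal or from any CMP vendor: the browser-signal shape, the purpose labels, the "a refusal from either source wins" conflict policy and the 183-day reading of "at least six months" are all assumptions.

```javascript
// Added example (hypothetical): the data shapes below are assumptions, not a published spec.
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // "at least six months", taken as 183 days

// Purposes treated as consent-exempt, after the Article 88a list (labels are constructed).
const EXEMPT = new Set(['transmission', 'requested_service', 'first_party_stats', 'security']);

// browserSignal: { purposes: { <purpose>: 'consent' | 'refuse' } } or null  (assumed shape)
// stored:        { <purpose>: { decision: 'consent' | 'refuse', at: <epoch ms> } }
function arbitrate(purpose, browserSignal, stored, now) {
  if (EXEMPT.has(purpose)) return { allowed: true, prompt: false, source: 'exempt' };
  const sig = browserSignal?.purposes?.[purpose];
  const rec = stored?.[purpose];
  // Assumed conflict policy: a refusal from either source wins.
  if (sig === 'refuse') return { allowed: false, prompt: false, source: 'browser' };
  if (rec?.decision === 'refuse') {
    // Re-prompt only after the six-month window, and never over a browser signal.
    const windowOver = now - rec.at >= SIX_MONTHS_MS;
    return { allowed: false, prompt: windowOver && sig === undefined, source: 'site' };
  }
  if (sig === 'consent') return { allowed: true, prompt: false, source: 'browser' };
  if (rec?.decision === 'consent') return { allowed: true, prompt: false, source: 'site' };
  return { allowed: false, prompt: true, source: 'default' }; // no choice yet: block and ask
}

// Only tags whose purpose resolves to "allowed" may load; everything else stays blocked.
function tagsAllowedToFire(tags, browserSignal, stored, now) {
  return tags.filter(t => arbitrate(t.purpose, browserSignal, stored, now).allowed)
             .map(t => t.id);
}

// Constructed sample data.
const DAY = 24 * 60 * 60 * 1000;
const sampleNow = Date.UTC(2026, 4, 28);
const sampleTags = [
  { id: 'ads-pixel', purpose: 'advertising' },
  { id: 'analytics', purpose: 'analytics' },
  { id: 'waf-token', purpose: 'security' },
];
const sampleStored = {
  advertising: { decision: 'consent', at: sampleNow - 10 * DAY }, // earlier banner "accept"
  analytics: { decision: 'refuse', at: sampleNow - 30 * DAY },    // refusal inside the window
};
const sampleSignal = { purposes: { advertising: 'refuse' } };     // browser-level "no"

console.log(tagsAllowedToFire(sampleTags, sampleSignal, sampleStored, sampleNow));
console.log(arbitrate('analytics', sampleSignal, sampleStored, sampleNow));
```

The same function can back a server-side gate, since it depends only on the recorded state and the inbound signal, not on a client-side script having run.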
Vendors who can answer those three questions with shipping product features rather than slideware will define the next generation of the CMP category. The Digital Omnibus does not abolish cookie banners — information and withdrawal obligations remain, and as Osborne Clarke notes, banner fatigue is unlikely to disappear substantially in the short term. What it does abolish is the assumption that consent management is purely a website-side problem.
