Practical Tools & Insights for Data-Driven Marketers


EU Digital Omnibus Targets Cookie Banner Fatigue: New GDPR Rules Mandate Single-Click Reject and 6-Month Consent Cooldown

The European Commission has proposed the most significant change to cookie consent rules since the GDPR took effect in 2018. The Digital Omnibus package introduces Articles 88a and 88b into the GDPR, replacing the ePrivacy Directive approach that created the cookie banner problem in the first place. If adopted, websites will need single-click reject buttons, face 6-month cooldowns between consent re-requests, and eventually support machine-readable consent signals.

Why the Cookie Banner System Failed

The Commission openly acknowledges the problem. The Digital Omnibus proposal explicitly states that the current approach has led to “consent fatigue and the proliferation of cookie banners.” Eight years of GDPR enforcement produced a paradox: the law designed to protect user privacy created an experience so frustrating that most users click “accept all” without reading — undermining the very consent it was meant to ensure.

The numbers tell the story. European regulators have issued 2,245 GDPR fines totaling EUR 5.65 billion since 2018, with enforcement activity continuing to accelerate year over year. France fined Google EUR 150 million (EUR 90 million for Google LLC plus EUR 60 million for Google Ireland) specifically for making cookie rejection harder than acceptance. Sweden ordered equal visual prominence for accept and reject buttons. Yet cookie banners remain essentially unchanged on most websites.

Article 88a: Cookie Rules Move into the GDPR

The proposal integrates cookie and tracking rules directly into the GDPR through a new Article 88a. This replaces the current reliance on the ePrivacy Directive for cookie consent requirements.

Article 88a does not eliminate consent. It sets out a closed list of low-risk purposes where storage or access to terminal equipment is permitted without consent. For everything else — analytics, advertising, personalization — consent remains mandatory.

Three rules have the most practical impact:

  • Single-click reject. Users must be able to refuse consent “in an easy and intelligible manner with a single-click button or equivalent means.” Dark patterns that bury the reject option behind multiple screens would violate this directly.
  • 6-month cooldown. If a user declines consent, the same website cannot ask again for the same purpose for at least 6 months. No more banners appearing on every visit after clicking reject.
  • Equal prominence. Building on enforcement precedent from France and Sweden, accept and reject options must have equal visual weight. The era of large green “Accept” buttons next to tiny gray “Manage Preferences” links is ending.

Article 88b: Machine-Readable Consent Signals

The more ambitious provision is Article 88b, which regulates how consent must be technically expressed through automated and machine-readable signals. Think of it as a standardized consent protocol built into browsers and operating systems.

Under this model, users would set their privacy preferences once at the browser level. Websites would read these preferences automatically — no banner needed. The concept resembles the now-defunct Do Not Track header, but with legal backing and a requirement for websites to honor the signal.

Article 88b has a longer runway: it applies 24 months after the Digital Omnibus enters into force, compared to 18 months for Article 88a. This gives the industry time to develop and standardize the technical infrastructure.

Timeline and Legislative Process

The Digital Omnibus follows the ordinary legislative procedure, meaning both the European Parliament and the Council of the EU must approve it. Adoption could come in mid-to-late 2026, with Article 88a taking effect 18 months after that.

Milestone                                   | Expected Timing
Legislative adoption                        | Mid-to-late 2026
Article 88a (single-click reject, cooldown) | 18 months after adoption
Article 88b (machine-readable consent)      | 24 months after adoption

Impact on Analytics and Marketing

For data-driven marketers, these changes have immediate strategic implications. The 6-month cooldown rule means that every rejected consent request carries a much higher cost — you lose the ability to ask again for half a year. Consent rates will become a critical KPI.

Machine-readable consent signals under Article 88b could eventually simplify compliance but will likely reduce overall consent rates. When rejecting tracking is as easy as a browser setting, fewer users will opt in. Marketers should accelerate their shift toward privacy-first analytics strategies that work with limited or no consent-dependent data.

The enforcement landscape adds urgency. With GDPR fines reaching EUR 5.88 billion and regulators specifically targeting dark patterns in cookie consent, the compliance risk of maintaining current banner designs is increasing quarterly.

What Marketers Should Do Now

Even before the Digital Omnibus becomes law, the direction is clear:

  1. Audit your cookie consent UX. If your reject option requires more clicks than your accept option, fix it now. Enforcement is already happening under existing rules.
  2. Measure consent rates. Start tracking what percentage of visitors accept, reject, or ignore your consent banner. This data becomes critical when the 6-month cooldown takes effect.
  3. Invest in consent-independent measurement. Server-side analytics, aggregate measurement APIs, and modeled conversions will become essential as consent rates decline.
  4. Monitor Article 88b standards. When machine-readable consent specifications emerge, early adopters will have an advantage in maintaining user trust and regulatory compliance.

The Digital Omnibus will not eliminate cookie banners overnight. But it will make bad cookie banners — the ones with dark patterns, hidden reject buttons, and daily nagging — explicitly illegal across all 27 EU member states. For marketers willing to treat user consent as a feature rather than an obstacle, the transition represents an opportunity to build trust that competitors are still eroding.

Elena Rodriguez

Elena Rodriguez is a privacy and compliance expert with 10 years of experience in data protection law and digital ethics. She has worked as a privacy consultant for government bodies and advised enterprise clients on GDPR implementation. Elena holds a law degree and a certification in Information Privacy (CIPP/E). She covers privacy regulations, cookie consent, and alternative analytics solutions that respect user privacy.