Iubenda, the Milan-based privacy compliance platform trusted by more than 150,000 businesses, published a guide in May 2026 setting out how Europe's cookie consent rules are shifting and what the change means for marketing performance, attribution, and data infrastructure.

The guide arrives as European regulators and legislators move simultaneously on multiple fronts. In November 2025, the European Commission published its Digital Omnibus Regulation proposal, a package intended to simplify EU digital rules without removing the privacy protections built into the General Data Protection Regulation and the ePrivacy Directive over the past two decades. The proposal is not yet law. As of June 2026, the GDPR and ePrivacy Directive remain in force. What the guide does is map the gap between today's requirements and what is coming, and why that gap matters operationally for marketing teams now.

The core argument Iubenda makes is structural. According to the guide, every time a visitor declines cookies or ignores a consent banner, the result is a data point lost, a conversion that cannot be attributed, and a user who cannot be retargeted. Multiplied across a full audience, those gaps affect bidding algorithm quality, attribution model reliability, and return on ad spend.

Four specific performance areas take the hit. Data quality degrades when users withhold consent, leaving analytics systems with partial visibility and bidding systems working from incomplete signals. Attribution and conversion tracking breaks down without consent: retargeting and personalized advertising for those users become technically impossible. Campaign optimization suffers because ad platforms depend on conversion data to tune delivery - less data translates directly into higher acquisition costs and lower efficiency. Brand trust is the fourth area, and the numbers behind it are substantial. According to the Cisco 2024 Consumer Privacy Survey cited by Iubenda, 75% of consumers say they will not buy from companies they do not trust with their data.

Andreea Mandeal, CMO at Iubenda, puts it plainly: "Before joining iubenda, I used to assume cookies and privacy were not a marketing topic. Legal set the rules, and marketing worked around the constraints. I was wrong. If you're a marketer and you can't speak to how you're collecting and using data, that's a gap worth closing."

The implication is direct. Consent rate - the percentage of visitors who actively opt in - functions as a growth metric rather than a compliance output. Iubenda's own platform data, cited in the guide, shows that placing a consent banner at the top of a page rather than the bottom lifts consent rates by 16%. Adding a brand logo to the banner further improves opt-in rates. Small design decisions compound across large visitor volumes.

The ePrivacy Directive and the GDPR operate together to govern cookie deployment in Europe. The ePrivacy Directive requires websites to inform users and obtain consent before storing or accessing information on their devices. The GDPR sets the standards that make that consent valid: it must be informed, explicit, freely given, and granular. Pre-checked boxes and implied acceptance do not qualify.

According to the guide, two categories of cookies exist under EU law. First-party cookies, set by the website itself, handle core functions like login state and shopping cart persistence. Third-party cookies, set by external services such as ad networks, analytics providers, and social media plugins, enable retargeting, conversion tracking, audience segmentation, and personalized advertising. Most third-party cookies require consent before they can run. Strictly necessary cookies - those required for basic site functionality - and, in some member states, certain anonymized analytics cookies with limited scope, are the primary exceptions.

Behind the visible banner, a Consent Management Platform (CMP) handles the technical enforcement. The banner collects the user's decision. The CMP acts on it: blocking or unblocking cookie scripts, storing proof of consent, connecting to analytics tools and ad platforms, and supporting frameworks such as the IAB Transparency and Consent Framework (TCF) and Google Consent Mode. Without a functioning CMP behind the banner, scripts may continue to fire regardless of what the user chose - a state that does not meet regulatory requirements in any EU jurisdiction.

The gap between a banner and a compliant system is not theoretical. PPC Land documented a case in April 2026 where a client's Google Ads conversions collapsed 90% overnight after Google's July 2025 EU enforcement because the consent banner was collecting user choices but failing to transmit them to Google's tag layer. Recovery was partial: roughly 40% of the lost attribution data was recoverable once the configuration was corrected. The remaining 60% was permanently absent.

The Digital Omnibus: a proposal, not yet a law

The European Commission published the Digital Omnibus Regulation proposal on November 19, 2025. The Commission's own Explanatory Memorandum acknowledged that "a regulatory solution on the consent fatigue and proliferation of cookie banners is long-overdue." The proposal addresses three specific problems in the current consent architecture.

First, it would simplify the interaction between ePrivacy rules and the GDPR, reducing the regulatory complexity that currently requires businesses to navigate two overlapping frameworks simultaneously. Second, it would lower consent fatigue by reducing how often users are prompted with the same consent request. Third, it would clarify which limited purposes - first-party aggregated audience measurement is the example cited - can operate without requiring user consent.

Several significant changes are proposed under the new mechanism. The proposal would require a single-click reject option with the same visual prominence as the accept button, eliminating dark pattern designs. If a user declines consent, businesses would be prohibited from re-prompting for the same purpose for at least six months. Browser- or device-level preference signals - where a user sets privacy preferences once and those choices propagate automatically across sites - are explicitly contemplated. Websites would need to be able to read and enforce those signals.

One carve-out has drawn significant industry attention. Media service providers whose revenue depends primarily on advertising are explicitly exempt from the obligation to respect machine-readable preference signals. Alliance Digitale, the French digital marketing trade association representing 300 member organizations, published a formal position paper on May 21, 2026, making 17 recommendations on the proposal and calling for deletion of the centralized cookie management mechanism under proposed Article 88b and the six-month ban on re-requesting consent under Article 88a(4).

The rollout, if the proposal becomes law as written, would be phased. New Article 88a GDPR would take effect six months after publication. Article 88b paragraphs 1 and 2 would enter force two years later, with paragraph 6 following four years after publication. Iubenda's guide puts the outer timeline at up to 48 months. Until adoption and implementation, today's GDPR and ePrivacy rules apply in full.

Giulia Stancampiano, Head of Legal (Privacy and Tech) at Iubenda, describes the shift in terms of infrastructure rather than principle: "Consent is no longer just a compliance step, it is the legal gateway to how data can be collected and used. As regulatory frameworks continue to require valid, enforceable user choice, access to data increasingly depends on consent itself. In that context, the ability to capture, interpret, and operationalize consent signals is becoming a determining factor in both compliance and marketing performance."

The enforcement context surrounding the proposal is active. The EDPB's 2025 annual report showed total GDPR fines reaching 1.15 billion euros. CNIL fined SHEIN's Irish subsidiary 150 million euros on September 1, 2025, for deploying advertising and analytics cookies before users could express consent. German courts ruled in January 2026 that third-party cookie providers face direct liability even when website operators fail to obtain consent. The regulatory environment is not waiting for the Digital Omnibus to finalize.

One of the four technical strategies Iubenda's guide covers in detail is Google Consent Mode - a mechanism that adjusts how Google Analytics and advertising tags behave based on users' consent choices. When a user declines consent, Consent Mode sends limited, cookieless signals that allow Google to model conversions in an aggregated way, maintaining measurement continuity without individual-level tracking.

According to the guide, conversion modeling through Consent Mode recovers more than 70% of ad-click-to-conversion journeys lost to cookie refusals. That recovery translates into more accurate bidding, better campaign optimization, and a clearer picture of attribution.

The operational stakes rose sharply in mid-2025. From July 2025, Google began actively disabling advertising features for accounts in the European Economic Area and UK that had not activated Consent Mode. The change was not gradual. Accounts without compliant Consent Mode implementation lost conversion tracking capabilities for non-consented users, with no retrospective data recovery available. Virginie Rivet, Senior GTM and Marketing Strategy Consultant at Cremanski and Company, described the before-and-after in the guide: "Ad tech and privacy used to feel like they were pulling in opposite directions. Then we implemented Google Consent Mode for our clients. When users declined cookies, Google modeled the conversions we'd lost, our bidding algorithms had more to work with, and our campaigns performed better. Privacy compliance and ad performance aren't opposites. Once you understand the tools, you can make them work together."

A separate but related change is scheduled for June 15, 2026. Google is removing Google Signals as co-controller of advertising data, consolidating authority under Consent Mode in Google Ads. For organizations using certified CMPs - Iubenda is among the Google-certified CMP partners listed alongside Cookiebot, OneTrust, Usercentrics, and others - the operational impact is limited. Sites without a CMP routing consent correctly to Google's tag layer face concrete GDPR exposure from the change.

The guide is explicit that neither Consent Mode nor server-side tracking - the second technical strategy covered - replaces the obligation to obtain valid user consent. Both work alongside a CMP, not as substitutes for one. Server-side tracking captures events directly on the server and assigns a server-generated identifier to each action before forwarding signals to analytics and ad platforms. It avoids browser-based constraints and is, according to Iubenda, emerging as the most reliable measurement approach for e-commerce and marketing teams as browser tracking faces further restrictions.

Third-party cookie deprecation has moved more slowly than industry timelines initially suggested - Google reversed its earlier deprecation plans for Chrome - but the regulatory tightening of third-party cookie consent requirements produces a similar effect. Consented first-party data is becoming the primary reliable input for personalization, audience modeling, and attribution.

According to a 2023 Deloitte industry report on first-party data commissioned by Meta, cited in the guide, 82% of marketing leaders are prioritizing first-party data to create immediate value for customers. Businesses that built tailored experiences based on first-party data saw a 27% increase in conversion rate and a 23% increase in customer satisfaction, according to the same research. PPC Land covered IAB's parallel argument in May 2026 that consent management is the foundational infrastructure layer for first-party data strategies - not a downstream compliance function.

The mechanism is straightforward. Data collected under clear, documented consent reflects genuine interest. It holds up under regulatory scrutiny and survives as privacy frameworks tighten. Third-party tracking data faces the opposite trajectory: narrowing legal basis, increasing enforcement risk, and declining reliability as browser and operating system controls evolve.

Iubenda's guide frames first-party data in terms of a trust loop. Transparency at every touchpoint - clear cookie policies, an accessible preference center, a straightforward opt-out flow - produces willing opt-ins. Those opt-ins generate accurate consented data. That data drives smarter marketing. Smarter marketing builds stronger customer relationships, which increases the likelihood of further consent. Diana Dee Rabba, VP of Marketing at Accessiway, summarized the orientation: "Privacy compliance is often treated as a legal obligation and nothing more. We see it differently. It's a commitment to our audience: give people a genuine choice over their data, respect it, and the benefits follow."

What the IAB TCF integration means in practice

For programmatic advertising specifically, the IAB Transparency and Consent Framework (TCF) carries consent signals from a publisher's CMP through to the ad tech stack - demand-side platforms, supply-side platforms, data management platforms, and measurement providers. A misconfigured TCF setup means consent signals do not reach the ad tech stack. Users who declined tracking may still be tracked, creating both regulatory exposure and data quality problems.

Google mandated the transition to TCF v2.3 by March 1, 2026. Publishers who missed that deadline face ad requests defaulting to limited ads or being dropped entirely, according to PPC Land's coverage of the IAB position piece. Iubenda's guide notes this as a specific integration check: if programmatic advertising is running, the TCF setup warrants verification that signals are propagating correctly through the stack.

Eurostat's 2025 data, cited in the guide, puts the user context in numerical terms: 76.9% of EU internet users actively took steps to protect their personal data online, up from 73.2% in 2023. Users are not passive in this environment. Consent frameworks that treat them as frictionless data sources face both regulatory exposure and a measurable trust deficit. According to Ipsos research cited in the guide, more than two-thirds - 68% - of survey respondents felt skeptical about the way companies used their data in marketing. Only 3% believed they had complete control over the disclosure and removal of their data online.

Why this matters for the marketing community

The Iubenda guide arrives at a specific moment in the consent infrastructure debate. The Dutch regulator published final letters from five cookie banner investigations on July 15, 2025French authorities ordered websites to fix misleading banner designs in December 2024German courts extended liability to third-party cookie providers in a December 2025 decision. Enforcement is not theoretical, and the Digital Omnibus, when finalized, will not reduce the underlying requirement for consent - it will change the mechanism through which that consent is collected and communicated.

The marketing implication is structural. Consent infrastructure - the CMP, the banner design, the TCF configuration, the Consent Mode integration, the first-party data architecture - is not a legal department problem that marketing can hand off and ignore. Each component directly affects data quality, attribution accuracy, campaign optimization, and the efficiency of ad spend. Adam Taylor, UK Privacy Lead at Google Marketing Platform, described the shift for The Drum, quoted in the guide: "Privacy is no longer a specialist subject in marketing, it's a core competency. That comes through in a number of ways - the way you hire, train, and upskill yourself and your team, the decisions you make on technology and partners, and how you communicate effectively across disciplines and functions."

Shelby Torrence, Group Marketing Director at team.blue - the parent company of Iubenda - spoke to the business case: "Many marketers see compliance as a constraint, but we see it as an opportunity to strengthen trust with customers. Transparent consent and responsible data practices lead to better relationships and ultimately better performance. That's why we're making it a priority across team.blue and our 60+ brands."

The Iubenda guide's disclaimer is precise: the content reflects the company's interpretation as of May 2026 and does not constitute legal advice.

Timeline

Summary

Who: Iubenda, a Milan-based privacy compliance software company founded in 2011, now part of team.blue and trusted by more than 150,000 businesses across 27 languages. The guide draws on perspectives from Iubenda's own legal and marketing teams, as well as marketing professionals at Cremanski and Company, team.blue, and Accessiway.

What: A practical guide examining how Europe's cookie consent rules are changing, covering the technical structure of the current consent system, the Digital Omnibus proposal published by the European Commission in November 2025, and four marketing strategies - compliance as trust infrastructure, privacy-aware measurement, first-party data development, and consent rate optimization - that affect marketing performance regardless of how the legislative timeline unfolds.

When: The guide was published in May 2026. The Digital Omnibus proposal it analyzes was published by the European Commission on November 19, 2025. The current GDPR and ePrivacy Directive remain in force. The Digital Omnibus, if adopted, would phase in over up to 48 months, with key provisions entering force between six months and four years after publication.

Where: The regulatory changes apply across the European Union and European Economic Area, with direct consequences for any business operating websites or apps targeting EU-based users. Enforcement actions are proceeding in France, Germany, Austria, the Netherlands, and other member states concurrently with the legislative process.

Why: Cookie consent decisions directly affect marketing data quality, attribution accuracy, and campaign optimization efficiency. The Digital Omnibus proposal signals that the mechanism through which consent is collected and communicated will change - moving toward browser- and device-level preference signals - while the underlying requirement for opt-in consent to advertising, profiling, and cross-site tracking remains intact. Marketing teams that understand the technical infrastructure - CMPs, Consent Mode, TCF integration, server-side tracking, first-party data architecture - are better positioned to maintain measurement continuity as enforcement tightens and the legislative framework evolves.