The EU Council's latest position paper, published on 18 June 2026, has removed from the Digital Omnibus the one provision that would have replaced cookie consent banners with an automated browser signal - after intense industry lobbying in which Google played a central role. The European Parliament, which has not yet taken a position on the measure, now holds the only vote that could restore it.

What was proposed

The European Commission published the Digital Omnibus proposal on 19 November 2025. The package was framed as a broad simplification of digital legislation, consolidating rules across the GDPR, the ePrivacy Directive, the Data Act, and several cybersecurity frameworks. Among its many provisions, one stood out for the advertising and marketing sector: a new Article 88b inserted into the GDPR.

According to the Commission's original proposal (COM/2025/837 final), Article 88b would have required controllers to ensure their online interfaces allow data subjects to give or decline consent through automated and machine-readable means. Crucially, it would also have required controllers to respect those choices once harmonised technical standards become available. The parallel Article 88a would move terminal equipment consent rules - currently residing in the ePrivacy Directive - directly into the GDPR, requiring that storing or accessing personal data on a user's device remain conditional on that person's consent.

The Commission's intent was explicit. Consent would still remain possible on a per-website and per-purpose basis. The automated signal would carry individual choices set once at browser or wallet level, not impose a blanket block. According to the proposed recital in the compromise text reviewed by Politico, such means "can be implemented in the settings of a web browser or in the EU Digital Identity Wallet."

The provision that obligated non-SME browser providers to build in the technical capability to transmit these signals - Article 88b paragraph 6 - carried a longer phase-in: 48 months from the date of entry into force. The core controller obligation in paragraphs 1 and 2 would have applied after 24 months. Article 88a, governing terminal equipment consent, would have taken effect six months after publication. Those timelines are now moot for the Council position.

Why it mattered for advertising

The practical stakes are substantial. According to noyb, the European Centre for Digital Rights, current cookie consent infrastructure involving so-called dark patterns produces consent rates of up to 90%, despite research consistently showing that only 3 to 10 per cent of users genuinely wish to be tracked online. With more than 450 million EU residents and consent interactions numbering in the billions each year, the scale of what noyb describes as a system rigged against informed choice is significant.

Max Schrems, the chair of noyb, was direct: "Cookie banners are not an invention of data protection, but of the tracking industry. Without consent, there is no snooping online. Now there are fears that a simpler way of saying 'yes' or 'no' will result in a loss of revenue for Google and the like. That is why the tracking industry is currently lobbying as hard as it can to keep the cookie banner. Clearly, it wants to retain the ability to directly manipulate users' choices."

On the advertiser side, the numbers cut the other way. Implement Consulting Group published a study in March 2026 titled "Gone in one click," commissioned to assess the socio-economic impact of browser-level consent in the EU. The study estimated that a browser-level consent mechanism - modelled on Apple's App Tracking Transparency - would reduce cookie consent rates by at least 60 to 65 per cent across EU countries. That reduction, the study found, would cost European businesses between EUR 40 billion and EUR 50 billion in annual advertiser revenue, equivalent to a drop of 30 to 35 per cent on the same level of advertising spend.

The mechanism behind that estimate is specific. According to the Implement study, personalised advertising on the open web relies primarily on third-party data to target non-consenters. When consent falls away, spend shifts toward less effective contextual ads. Contextual ads themselves become harder to optimise without the measurement data that cookie-enabled campaigns generate. Social media-based personalised ads suffer an efficiency loss from losing the ability to track conversions from ads shown to non-consenters. The study cited empirical findings showing a 66 per cent reduction in efficiency between personalised and contextual display ads, a 31 per cent increase in cost per incremental customer without offsite tracking data, and a 73 per cent increase in cost per conversion observed on Meta campaigns after Apple's iOS 14.5 rollout. Every further 1 per cent relative reduction in the consent rate, Implement estimated, causes a EUR 600 million to EUR 800 million drop in annual advertiser revenue.

The Implement study was produced on behalf of Google, as the disclaimer on the final page makes clear. Google has not supplied company data for the analysis, and the report relies on third-party academic research and proprietary estimates. That relationship was not lost on noyb. According to noyb's analysis, Google's lobbying paper used "completely far-fetched figures" and assumed a central kill switch for all advertising that the Commission's proposal never contemplated.

How the Council dropped it

According to noyb's press release of 23 June 2026, the Council's latest compromise text - the fifth, published by Politico - removed Article 88b entirely from the Digital Omnibus. Countries including Germany, France, and Poland had pushed for this in advance, according to noyb. Germany, which is among the EU member states publicly calling for simplification and red tape reduction, has simultaneously backed removing what noyb characterises as the one measure that would have made things simpler for consumers.

The fifth compromise text, marked "Annex GIP.B Limite EN" and representing the Council working party's latest consolidated position, does retain Article 88a. Terminal equipment consent rules move to the GDPR, and controllers remain required to accept a single-click refusal to consent requests. Controllers are barred from making a new consent request for the same purpose for at least six months after a refusal. Those provisions remain intact. What is gone is the automated signal mechanism - the piece that would have shifted consent from per-visit pop-up interactions to a persistent, browser-level preference.

Schrems put the political contradiction bluntly: "You really have to let that sink in: the European Commission finally wants to get rid of cookie banners, but Google and some EU Member States are now determined to keep them. For decades, people have been complaining about EU bureaucracy. But in reality, the tracking industry is so terrified of consumers being able to simply say 'no' that, after a bit of lobbying, everyone gives in. It really does raise the question of whether some Member States are primarily representing their voters or the lobbyists."

What remains in the fifth compromise

The fifth compromise text, as extracted from the Council document, retains several other provisions from the Commission's original proposal that affect digital marketing and advertising compliance.

The move of terminal equipment consent rules from the ePrivacy Directive into the GDPR under Article 88a remains. Article 4 of the ePrivacy Directive is deleted in the compromise. Processing stored personal data in terminal equipment without consent is lawful only for a specific set of technical purposes: carrying out transmission over an electronic communications network; providing a service explicitly requested by the data subject; creating aggregated audience measurement carried out solely by the controller for its own use; or maintaining or restoring the security of a service. The first-party aggregated audience measurement exemption is included without requiring consent, provided the measurement is not shared with or carried out jointly with third parties for their own purposes.

The compromise also contains provisions governing consent request frequency. Under Article 88a paragraph 4, if a user declines a consent request, the controller cannot make a new request for the same purpose for a minimum of six months. If consent is granted, no new request can be made while the controller can still lawfully rely on that consent.

On the GDPR changes relevant to AI processing, the fifth compromise retains Article 88c, which establishes that processing personal data for development and operation of an AI system or model may constitute a legitimate interest under Article 6(1)(f), subject to conditions including that interests not be overridden by fundamental rights, that appropriate technical and organisational measures be applied, and that consent be required where explicitly mandated by other legislation.

Data breach notification thresholds are modified in the compromise. Notification to a supervisory authority is only required when a breach is likely to result in a high risk to data subjects' rights and freedoms - a higher threshold than the current GDPR standard. The notification deadline is extended to 96 hours. Notifications are to be filed through a single-entry point operated by ENISA, which becomes operational 18 to 24 months after entry into force, depending on a Commission assessment of the point's reliability.

The media exemption that survived

One technical element that was retained from the Commission's original proposal in connection with Article 88b deserves mention, even as the provision itself has been dropped. The original Article 88b paragraph 3 exempted media service providers from the obligation to respect machine-readable preference signals. That exemption had been a significant point of controversy for news publishers and broadcasters whose advertising revenue depends on consent-based tracking. With Article 88b now removed entirely from the Council text, the exemption is also gone - but the underlying policy question of how media publishers interact with consent rules remains live in negotiations.

What noyb has been tracking

Noyb published the first version of its detailed legal analysis of the Digital Omnibus GDPR and ePrivacy amendments on 24 November 2025, shortly after the Commission proposal was issued. A second version added recommendations. The third version, published on 24 February 2026, supplemented the earlier analysis with comments on the joint EDPB/EDPS opinion issued on 11 February 2026. That joint opinion had pushed back against several Commission proposals, including the narrowing of personal data definitions, while supporting the automated consent signal mechanism in Article 88b as a step toward addressing consent fatigue.

PPC Land has tracked the Digital Omnibus extensively since the package was launched, including the European Commission's machine-readable consent signal proposal in November 2025the joint EDPB and EDPS opinion rejecting key GDPR amendments in February 2026, the French advertising industry's position paper calling for deletion of Article 88b, and a broader overview of what the consent changes mean for marketers.

The Implement Consulting Group study cited figures derived from Apple's App Tracking Transparency rollout as a proxy for browser-level consent. ATT required app developers to ask users for permission before accessing their IDFA (Identifier for Advertisers). Academic research by Kraft et al. (2023) examined tracking outcomes across seven EU markets following ATT's introduction, finding a weighted average reduction of approximately 45 percentage points in the share of trackable versus untrackable traffic. That is described by Implement as a conservative estimate for browser-level consent, since ATT still required users to opt out multiple times across different apps, while a browser-level signal would apply with a single setting across all websites.

What the Parliament will decide

According to noyb, the Digital Omnibus is currently the subject of parallel negotiations in the Council and the European Parliament. The Parliament has not yet taken a position on Article 88b. When both institutions finalise their positions, they will negotiate a compromise in trilogue. The EPP - the largest grouping in the Parliament - is also, according to noyb, under pressure from the tracking lobby.

Schrems: "In a democracy, what the majority of people want should actually happen - in this case, getting rid of cookie banners. If decision-makers prefer to follow the will of the tech lobby rather than that of their voters, then something is very, very wrong here."

The Commission's original proposal was clear that even in California - the home state of most large technology companies - a similar automated preference mechanism is already in place. Global Privacy Control, a browser-level signal recognised under the California Consumer Privacy Act and several other US state laws, communicates opt-out preferences to websites automatically. PPC Land covered the GPC's relationship with the proposed Article 88b in May 2026, noting that GPC's legal effect in the EU remains limited precisely because Article 88b was still a proposal.

Timeline

  • 19 November 2025 - European Commission publishes the Digital Omnibus proposal (COM/2025/837 final), including proposed Article 88a and Article 88b GDPR, replacing cookie banner rules under ePrivacy Directive
  • 24 November 2025 - noyb publishes its first legal analysis (Version 1) of the Digital Omnibus GDPR and ePrivacy amendments
  • 11 February 2026 - EDPB and EDPS adopt joint opinion supporting automated consent signals in Article 88b while pushing back on other GDPR amendments
  • 24 February 2026 - noyb publishes Version 3 of its Digital Omnibus report, supplementing earlier analysis with comments on the joint EDPB/EDPS opinion
  • March 2026 - Implement Consulting Group publishes "Gone in one click," estimating browser-level consent would cost European businesses EUR 40-50 billion in annual ad revenue
  • 21 May 2026 - Alliance Digitale publishes position paper calling for deletion of Article 88b and Article 88a(4)
  • 18 June 2026 - EU Council publishes fifth compromise text removing Article 88b entirely from the Digital Omnibus
  • 23 June 2026 - noyb publishes press release identifying Council member states including Germany, France, and Poland as having pushed to remove Article 88b

Summary

Who: The EU Council of member states, with Germany, France, and Poland identified as key actors pushing for the removal, alongside industry lobby participation including a paper from Google. noyb (European Centre for Digital Rights), chaired by Max Schrems, leads public opposition.

What: Article 88b GDPR - the provision that would have required controllers to accept automated, machine-readable consent signals transmitted at browser level and replaced individual cookie banners - was removed from the fifth EU Council compromise text on the Digital Omnibus.

When: The Council position was published on 18 June 2026. The European Commission had originally proposed Article 88b on 19 November 2025. The European Parliament has not yet voted on the matter.

Where: The Digital Omnibus is a European Union legislative proposal, applying across all 27 member states. The Council compromise removes a provision that would have affected every website operator, advertiser, browser provider, and consent management platform operating in the EU.

Why: Industry lobbying - including a paper from Google arguing that browser-level consent would cause a collapse in advertising revenue - appears to have influenced member states into opposing the provision. Implement Consulting Group estimated losses of EUR 40-50 billion in annual advertiser revenue from a 60-65 per cent reduction in consent rates. noyb argues those figures are based on a false assumption that automated consent means a universal opt-out with no per-site override, which the Commission's proposal explicitly rejected.