From Opt-In to Opt-Out: What the Digital Omnibus Means for WordPress Consent

February 23, 2026
by Cherry Rose

The EU Commission says simplifying cookie rules will save businesses €800 million annually (European Commission, 2025). That sounds great—until you realize your Complianz, CookieYes, or WPConsent configuration might need to be rebuilt from scratch to handle it. The Digital Omnibus proposes shifting some cookie categories from opt-in to opt-out using legitimate interest, and every WordPress consent plugin on the market was built for the opposite model.

Currently, 40-70% of EU visitors reject cookies when given a proper Reject All button (Ignite Video consent studies, 2026). That data loss is devastating. But the fix isn’t as simple as removing your consent banner. Three possible consent models are on the table—and your WordPress setup needs to survive whichever one wins.

What the Digital Omnibus Actually Proposes for Cookies

The Digital Omnibus is the EU Commission’s initiative to streamline overlapping digital regulations—GDPR, the AI Act, the Data Act, and now cookie rules that were supposed to live in the ePrivacy Directive. On February 11, 2026, the Commission formally withdrew the ePrivacy Regulation entirely, clearing the path for cookie consent rules to be absorbed directly into GDPR through a proposed new Article 88a.

Here’s what that means in practice. Instead of requiring consent for every non-essential cookie—the current model—the Omnibus proposes that any GDPR-compliant legal basis should work for cookies. That includes legitimate interest (Ailance/2B Advice, 2025). Translation: cookies set by default, with users objecting afterwards instead of agreeing in advance.

The proposal also introduces three specific mechanisms that directly affect WordPress store owners:

  • Low-risk cookie exemptions: Cookies used purely for aggregated statistics—counting website visits without individual profiling—would no longer trigger consent pop-ups (European Commission, 2025).
  • Browser preference signals: Users set their cookie preferences once in their browser or operating system, and websites must respect those preferences. No per-site banner needed.
  • Six-month cooldown: If a user refuses consent, websites cannot ask again for at least six months. No more every-visit banner harassment.

The Osborne Clarke legal analysis puts it bluntly: Article 88a does not replace consent as the general rule. It merely sets out a limited list of low-risk purposes where consent isn’t needed (Osborne Clarke, 2025). Advertising and marketing cookies? Still opt-in. Analytics and performance cookies? Potentially opt-out.

Three Consent Futures Your WordPress Plugin Must Handle

If you’re running Complianz (1 million+ active installations), CookieYes (1.5 million+ websites), or WPConsent on your WordPress store, the Omnibus creates three possible futures—and your plugin needs to handle all of them.

Scenario 1: Partial Opt-Out (Most Likely)

Analytics and performance cookies become opt-out by default. Marketing and advertising cookies stay opt-in. Your consent banner simplifies but doesn’t disappear. You’d still need to request consent for ad tracking while automatically allowing analytics.

What breaks: Every WordPress consent plugin currently blocks ALL non-essential cookies until consent. None of them support a split model where analytics runs freely while advertising waits for permission. Complianz’s wizard, CookieYes’s auto-blocking, and WPConsent’s script detection all treat cookies as binary: blocked or allowed. That logic would need fundamental redesign.

Scenario 2: Browser-Signal Consent

Users configure preferences once at the browser or operating system level. Websites detect the signal and comply automatically. Per-site consent banners become unnecessary for most cookie categories.

What breaks: Your entire consent plugin becomes redundant for users whose browsers send the signal. But not every browser will support it immediately—the technical standards don’t exist yet and won’t be mandatory until around 2028 (Measured Collective, 2026). You’d need your consent plugin to handle both signal-capable and non-signal browsers simultaneously.

Scenario 3: Enhanced Opt-In Under GDPR

Cookie rules move from ePrivacy into GDPR, but consent remains the primary mechanism. The change is mostly administrative: one law instead of two, with better enforcement. Your current setup largely survives—but the EDPB’s 2026 coordinated enforcement focus on transparency means dark patterns in your existing banner could trigger regulatory attention.

75% of WordPress websites already fail basic GDPR consent banner requirements (Secure Privacy, 2025). If enforcement tightens under unified GDPR rules, that failure rate becomes an active liability.
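The three scenarios above differ only in what happens to a cookie category before the visitor has answered. As an added example (not code from Complianz, CookieYes, or WPConsent), here is a per-category gate that handles all three, plus the proposed six-month cooldown. The model names, category names, and visitor record shape are assumptions made for this sketch.

```javascript
// Added example, not code from any consent plugin.
// Model names, category names and the visitor record shape are assumptions.
const MODELS = {
  "opt-in":          { analytics: "opt-in",  marketing: "opt-in" }, // current rules, Scenario 3
  "partial-opt-out": { analytics: "opt-out", marketing: "opt-in" }, // Scenario 1
};

// visitor = { choices: {cat: bool}, signal: {cat: bool}, refusedAt: {cat: ISO date} }
function isAllowed(category, model, visitor = {}) {
  if (category === "essential") return true;
  const rule = MODELS[model]?.[category];
  if (!rule) return false; // unknown model or category: fail closed
  const { choices = {}, signal = {} } = visitor;
  // Scenario 2: a browser-level signal is treated like a per-site answer.
  // Assumption: if either source says no, the category stays blocked.
  const answers = [choices[category], signal[category]].filter((v) => typeof v === "boolean");
  if (answers.includes(false)) return false;
  if (answers.includes(true)) return true;
  return rule === "opt-out"; // no answer yet: only opt-out categories run
}

// Banner logic: ask only for opt-in categories that have no answer, and
// respect the proposed six-month cooldown after a refusal.
function shouldPrompt(category, model, visitor = {}, now = new Date()) {
  const rule = MODELS[model]?.[category];
  if (rule !== "opt-in") return false;
  const { choices = {}, signal = {}, refusedAt = {} } = visitor;
  if (typeof signal[category] === "boolean") return false; // browser already answered
  if (choices[category] === true) return false;
  if (choices[category] === false) {
    // A missing refusal date yields an invalid Date, so the comparison is
    // false and the visitor is not asked again.
    const askAgain = new Date(refusedAt[category]);
    askAgain.setUTCMonth(askAgain.getUTCMonth() + 6);
    return now >= askAgain;
  }
  return true;
}
```

The same `isAllowed` check can run in the browser before a tag loads or on a collection server before an event is forwarded.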

The Consent Rate Problem Nobody’s Solving

Here’s the thing. Whether the model shifts to opt-out or stays opt-in, the underlying problem remains: consent plugins manage consent, they don’t recover the data you lose when visitors reject cookies.

Fewer than 25% of users in Germany and France accept cookies—the lowest acceptance rates globally (Advance Metrics, 2024). A compilation of 26 cookie consent studies confirms that 40-70% of EU visitors reject tracking when a proper Reject All button is offered (Ignite Video, 2026). That data doesn’t come back because you picked Complianz over CookieYes.

Even if the Digital Omnibus eliminates consent requirements for analytics cookies, marketing pixels still need opt-in. Your Facebook CAPI, Google Ads Enhanced Conversions, and TikTok Events API all depend on advertising consent. The consent plugin handles the asking. Nothing in the plugin recovers what’s lost when the answer is no.

And the implementation quality isn’t helping. 67% of Google Consent Mode v2 implementations have technical errors, with most defaulting to “granted” before users actually choose (Secure Privacy, 2026). Your cookie consent rate is 47%—which means AI only knows half your customers.
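The "granted by default" error described above can be checked mechanically. This added example (not code from Google or any plugin) audits a recorded sequence of `gtag()` calls for a consent default that grants storage before the visitor chooses. The call lists and the `G-EXAMPLE` ID are constructed, and region-scoped defaults are not modelled.

```javascript
// Added example: audit recorded gtag() calls for Consent Mode v2 default errors.
// Each call is represented as an array of its arguments (an assumption of this sketch).
const V2_SIGNALS = ["ad_storage", "analytics_storage", "ad_user_data", "ad_personalization"];

function auditConsentDefaults(calls) {
  const findings = [];
  let defaultSeen = false;
  for (const [command, action, params = {}] of calls) {
    if (command === "consent" && action === "default") {
      defaultSeen = true;
      for (const key of V2_SIGNALS) {
        if (params[key] === "granted") findings.push(`default grants ${key} before any choice`);
        else if (!(key in params)) findings.push(`default omits ${key}`);
      }
    } else if ((command === "config" || command === "event") && !defaultSeen) {
      // Tags that fire before the default is set run without a consent state.
      findings.push(`${command} sent before a consent default was set`);
    }
  }
  if (!defaultSeen) findings.push("no consent default found");
  return findings;
}

// Constructed samples: the weak configuration beside the corrected one.
const DENIED = Object.fromEntries(V2_SIGNALS.map((k) => [k, "denied"]));
const BROKEN = [
  ["consent", "default", { ad_storage: "granted", analytics_storage: "granted" }],
  ["config", "G-EXAMPLE"],
];
const FIXED = [
  ["consent", "default", DENIED],
  ["config", "G-EXAMPLE"],
  ["consent", "update", { analytics_storage: "granted" }], // after the visitor accepts
];
const LATE = [["config", "G-EXAMPLE"], ["consent", "default", DENIED]];
```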

What Store Owners Should Do Now

The Digital Omnibus was published in November 2025 and must pass the European Parliament and Council before anything changes. Optimistic estimates put adoption by late 2026, with enforcement in 2027 at the earliest. Browser preference signal standards would add another six months after that (Wilson Sonsini, 2025). Current rules remain fully in force.

That means you have time—but not unlimited time. Three actions matter now:

First, audit your current consent configuration. Check whether your Complianz, CookieYes, or WPConsent setup actually passes GDPR requirements today. Three quarters of WordPress sites fail this test. Fix what’s broken before enforcement tightens.

Second, watch your consent plugin vendor. Complianz, CookieYes, and WPConsent will all need to release updates that support split consent models—allowing some cookie categories while blocking others. Ask your vendor whether they’re tracking the Digital Omnibus timeline and preparing for split-model support.

Third, build tracking architecture that doesn’t depend on getting consent configuration right. Server-side tracking processes data on your own first-party infrastructure before it reaches any platform. Whether the consent model is opt-in, opt-out, or browser-signal-based, your tracking architecture doesn’t change. Transmute Engine™ is a first-party Node.js server that runs on your subdomain—the inPIPE WordPress plugin captures events and sends them via API to your Transmute Engine server, which formats and routes them to GA4, Facebook CAPI, Google Ads, and BigQuery simultaneously. Because data processing happens at the server level, not in the browser where consent plugins operate, the architecture is consent-model-agnostic.

Key Takeaways

  • The Digital Omnibus proposes shifting some cookies from opt-in to opt-out using legitimate interest—analytics may become exempt from consent, but advertising cookies stay opt-in.
  • 40-70% of EU visitors reject cookies under current rules, and consent plugins don’t recover that lost data—they only manage the asking.
  • Every WordPress consent plugin will need redesign to support split consent models where analytics runs freely while ad tracking waits for permission.
  • Browser preference signals are coming but not until ~2028—your per-site consent banner isn’t going anywhere for at least two more years.
  • Server-side tracking on first-party infrastructure works under any consent model without reconfiguration—the architecture processes data at the server level, not in the browser where consent rules apply.

Will cookie banners disappear under the Digital Omnibus?

No. The Digital Omnibus narrows the list of cookie purposes that require consent, but marketing and advertising cookies will still need opt-in consent. Your banner simplifies—but it doesn’t vanish. Analytics cookies may become opt-out, but ad tracking stays opt-in.

Do I still need Complianz, CookieYes, or WPConsent if cookies shift to opt-out?

Yes, but your plugin’s role changes. Instead of blocking everything until consent, it would need to handle a split model: allowing analytics cookies by default while still blocking advertising cookies until consent. Every major WordPress consent plugin will need updates to support this.

When will the Digital Omnibus cookie changes take effect?

The proposal was published in November 2025 and must pass the European Parliament and Council. Optimistic estimates put adoption by late 2026, with enforcement in 2027 at the earliest. Browser preference signal standards would add another 6 months after that. Current consent rules remain fully in force until then.

How does server-side tracking help with consent model uncertainty?

Server-side tracking processes data on your own infrastructure before it reaches platforms. Whether the consent model is opt-in, opt-out, or browser-signal-based, your tracking architecture doesn’t change. You control what data gets sent and when—at the server level, not the browser level.

Should I wait for the Digital Omnibus before changing my consent setup?

No. Current GDPR rules remain in force, and 75% of WordPress sites already fail basic consent requirements. Fix what’s broken now. When the Omnibus passes, your consent plugin vendor will release updates—but your tracking architecture should already be consent-model-agnostic.

Your consent plugin manages the question. Your tracking architecture determines whether the answer matters. See how Seresa builds consent-proof tracking for WordPress stores.
