Browser Signal Consent Will Kill Your Cookie Banner by 2027

February 25, 2026
by Cherry Rose

Cookie banners will disappear for an estimated 60% of websites. That’s the projected impact of Article 88b in the EU Digital Omnibus, proposed November 2025, which requires websites to accept machine-readable privacy signals from browsers instead of showing per-site consent popups. If your visitor’s browser says “reject tracking,” your website must obey — no banner, no popup, no dark pattern. And this isn’t just an EU story. California’s Opt Me Out Act (AB 566), signed October 2025, requires every major browser to include built-in Global Privacy Control by January 2027.

How the EU Digital Omnibus Replaces Per-Site Popups With Browser Preferences

The Digital Omnibus regulation (COM(2025) 837) is the EU’s most significant privacy reform since GDPR took effect in 2018. Among its changes, two new GDPR articles reshape how cookie consent works for every website targeting EU visitors.

Article 88a moves cookie rules from the ePrivacy Directive directly into GDPR. Consent remains the default for tracking cookies, but the article adds a closed list of exemptions — essential cookies, first-party audience measurement, and security. This applies six months after the regulation enters into force.

Article 88b introduces browser-level consent signals. Users set their privacy preferences once in their browser or operating system. Websites must read and respect those preferences automatically. No banner needed. This applies within 24 months of entry into force.

The combination is specific: consent stays mandatory for advertising, profiling, and cross-site tracking. But the mechanism shifts from per-site popups to automated browser signals.

If a visitor’s browser sends a machine-readable “reject tracking” signal, your site must honor it without ever showing a banner. If the browser sends “accept,” the same applies. The consent interaction moves upstream — out of your website and into the browser itself.

The Cookie Banner System Is Already Broken

Browser-signal consent isn’t just a regulatory curiosity. It’s a direct response to the documented failure of cookie banners to protect anyone.

A study of 254,148 websites across 31 EU countries found that only 15% of cookie banners meet minimum GDPR compliance requirements. Research analyzing over 10,000 consent implementations revealed that 72% contain at least one dark pattern — oversized accept buttons, hidden reject options, or manipulative wording designed to steer users toward tracking acceptance.

The average internet user sees 15-20 consent banners per browsing session across roughly 100 websites per month. The result isn’t informed consent. It’s exhaustion.

For WordPress and WooCommerce store owners, this broken system creates a lose-lose situation. With a legally compliant consent banner (equal-weight accept and reject buttons, no dark patterns), an average of 60% of visit data is lost. Only 25.4% of users across all demographics accept all cookies at the first banner level. In Germany and France, fewer than 25% of users accept cookies at all.

You can read more about how consent rates affect your data quality in “Your Cookie Consent Rate Means AI Only Knows Half Your Customers.”

The European Commission explicitly acknowledged this failure in the Digital Omnibus proposal, citing “consent fatigue and the proliferation of cookie banners” as a core problem. Article 88b is the direct legislative response.

The US Is Building the Same System Independently

While the EU builds Article 88b, the United States is converging on the same browser-signal approach from the opposite direction.

Global Privacy Control (GPC) is a browser-level signal that communicates a user’s opt-out preference to every website they visit. Unlike the failed Do Not Track header from 2009, GPC has legal enforcement behind it. As of January 2026, 12 US states require businesses to honor opt-out preference signals — and enforcement is already producing real penalties.

Sephora paid $1.2 million in 2022 for failing to honor GPC signals. DoorDash settled for $375,000 in 2024. In September 2025, California, Colorado, and Connecticut launched a coordinated enforcement sweep specifically targeting businesses that ignored browser privacy signals.

Then California went further. The Opt Me Out Act (AB 566), signed October 2025, requires all major browsers — including Chrome, Safari, and Edge — to include built-in Global Privacy Control functionality by January 1, 2027. Once that happens, GPC moves from a niche privacy tool to a default browser feature.

Over 50 million Brave users already broadcast GPC signals by default. When Chrome and Safari add native GPC support, the number of users sending browser-level opt-out signals jumps by orders of magnitude.

This creates a convergence that most WordPress store owners haven’t noticed. The EU mandates browser consent signals through Article 88b. The US mandates browser opt-out signals through GPC and state privacy laws. Both arrive around the same time: 2027. Your WordPress consent plugin needs to understand both.

For context on how US privacy laws are already outpacing most WordPress consent setups, see “19 US States Have Privacy Laws and Your Consent Plugin Only Handles GDPR.”

What This Means for WordPress Consent Plugins

Every popular WordPress consent plugin — CookieYes, Complianz, Borlabs Cookie, GDPR Cookie Compliance — is built around the same model: display a banner, capture a click, store a preference cookie, fire or block scripts accordingly.

Article 88b breaks that model. When browser signals replace per-site banners, your consent plugin needs to:

  • Detect machine-readable signals — read the browser’s automated preference before displaying anything
  • Suppress the banner — if the browser signal is valid, no popup should appear
  • Respect six-month rejection periods — under Article 88a, after a rejection, you cannot re-ask for at least six months
  • Handle dual signals — the EU browser signal and US GPC signal are different mechanisms that may arrive simultaneously

Most WordPress consent plugins don’t support any of this yet. And the data impact could be severe: consent rates for tracking may drop to 10-30% when browsers deploy default-reject settings.

That 10-30% figure matters. If you’re currently losing 60% of visit data with a compliant banner, browser-signal default rejection could push data loss past 70-90%. Your GA4 reports, Facebook Ads attribution, and Google Ads conversion tracking all depend on consent. When browser signals reject tracking by default, client-side pixel-based tracking becomes nearly invisible.

Server-Side Tracking Doesn’t Care Which Consent Model Wins

There’s an architectural reality that most WordPress store owners miss in this conversation. The consent debate — banners versus browser signals, opt-in versus opt-out, GDPR versus CCPA — is fundamentally a client-side problem. It’s about what happens in the browser.

Server-side tracking processes events at the server level. Your tracking data flows through your own infrastructure, not through browser scripts that consent mechanisms can block. When a customer completes a purchase on your WooCommerce store, the order data exists in your database regardless of what the browser’s consent signal says.

This doesn’t mean server-side tracking ignores consent — it means the architecture gives you control over how consent decisions affect data flow. You can still respect browser signals and GPC while maintaining accurate event processing for purposes that don’t require consent (first-party analytics, order processing, security).
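The plugin requirements listed under "What This Means for WordPress Consent Plugins" and the server-side consent handling described above can be sketched as one consent gate. This is an added example, not code from any plugin or product named on this page. `Sec-GPC` is the real Global Privacy Control request header; the `x-eu-consent-signal` header, the stored-choice shape, the 183-day window and the "most restrictive signal wins" rule are assumptions made for illustration.

```javascript
// Added example, not Transmute Engine or plugin code.
// "sec-gpc" is the real GPC request header; "x-eu-consent-signal" is a
// HYPOTHETICAL name, since no Article 88b wire format appears on the page.
const EXEMPT = new Set(['essential', 'first_party_measurement', 'security']);
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumed length of "six months"

// Normalise header names and pull out the two browser signals.
function readSignals(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  const eu = h['x-eu-consent-signal']; // hypothetical values: "accept" | "reject"
  return { gpcOptOut: h['sec-gpc'] === '1', eu: eu === 'accept' || eu === 'reject' ? eu : null };
}

// stored: { choice: 'accept' | 'reject', at: epoch ms } or null (constructed shape).
function decide(headers, stored, now = Date.now()) {
  const { gpcOptOut, eu } = readSignals(headers);
  // Assumption: when signals conflict, the most restrictive one wins.
  if (gpcOptOut || eu === 'reject') return { tracking: false, showBanner: false, source: 'browser' };
  if (eu === 'accept') return { tracking: true, showBanner: false, source: 'browser' };
  if (stored && stored.choice === 'accept') return { tracking: true, showBanner: false, source: 'stored' };
  // A stored rejection blocks re-asking until the six-month period has passed.
  if (stored && stored.choice === 'reject' && now - stored.at < SIX_MONTHS_MS) {
    return { tracking: false, showBanner: false, source: 'stored' };
  }
  return { tracking: false, showBanner: true, source: 'none' };
}

// Forward an event only to destinations whose purpose is exempt or consented.
function allowedDestinations(event, decision) {
  return event.destinations
    .filter((d) => EXEMPT.has(d.purpose) || decision.tracking)
    .map((d) => d.name);
}

// Constructed sample event from a checkout.
const sampleEvent = {
  name: 'purchase',
  destinations: [
    { name: 'first_party_analytics', purpose: 'first_party_measurement' },
    { name: 'fraud_check', purpose: 'security' },
    { name: 'ads_conversion_api', purpose: 'advertising' },
  ],
};

const gpcVisitor = decide({ 'Sec-GPC': '1', 'X-EU-Consent-Signal': 'accept' }, null);
console.log(gpcVisitor, allowedDestinations(sampleEvent, gpcVisitor));
```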

Transmute Engine™ processes events through a dedicated Node.js server on your subdomain. Events arrive via API from WordPress, not from browser-loaded scripts. When Article 88b makes browser signals mandatory and consent rates drop to 10-30%, client-side tracking plugins lose most of their data. Server-side architecture doesn’t face the same constraint because events are captured at the application level, not the browser level.

We’ve covered the broader Digital Omnibus implications for WordPress consent in “From Opt-In to Opt-Out: What the Digital Omnibus Means for WordPress Consent.”

The Timeline: What Happens When

The Digital Omnibus is still a proposal. It was published November 19, 2025 and faces EU legislative negotiations expected through 2026. But the direction is clear and the timeline is specific:

  • Article 88a (cookie rules in GDPR): Applies 6 months after entry into force
  • Article 88b (browser consent signals): Applies within 24 months of entry into force
  • California AB 566 (GPC in all browsers): January 1, 2027
  • 12 US states requiring compliance with opt-out preference signals (OOPS): Already in effect (January 2026)

Even if the Digital Omnibus gets delayed or narrowed during negotiations, the US browser-signal mandates are already law. GPC is coming to Chrome and Safari regardless of what happens in Brussels.

Key Takeaways

  • Article 88b of the Digital Omnibus requires websites to respect browser-level consent signals — moving consent from per-site popups to automated browser preferences
  • Cookie banners disappear for an estimated 60% of websites once browser-signal consent is implemented
  • California’s Opt Me Out Act requires Chrome, Safari, and Edge to include GPC by January 2027 — making browser-level opt-out a default feature, not a privacy add-on
  • Consent rates for tracking may drop to 10-30% when browsers deploy default-reject settings, devastating client-side tracking
  • Server-side tracking architecture processes events regardless of browser consent model — making it the only architecture that survives both the EU and US browser-signal mandates

Will cookie banners disappear under the EU Digital Omnibus?

Not entirely, but significantly. Cookie banners will disappear for an estimated 60% of websites once Article 88b is fully implemented. If a visitor’s browser sends a machine-readable consent signal, no banner is needed. However, banners will persist for visitors who haven’t configured browser preferences and for information obligations under GDPR.

How does Article 88b affect my WordPress consent plugin?

Your WordPress consent plugin will need major updates to detect and respect browser-level privacy signals. Current plugins are designed around per-visit banner interactions. Under Article 88b, plugins must read automated machine-readable signals from browsers and honor them without displaying a banner. Most WordPress consent plugins don’t support this yet.

What is Global Privacy Control and is it related to Article 88b?

Global Privacy Control (GPC) is a browser-level opt-out signal already legally enforceable in California, Colorado, Connecticut, and New Jersey. Article 88b introduces the EU’s own machine-readable consent signal system. While technically separate, both converge on the same concept: browsers communicate privacy preferences automatically so individual websites don’t need to ask.

When do browser-level consent signals become mandatory?

Article 88b applies 24 months after the Digital Omnibus enters into force. If adopted in 2026 as expected, browser-signal consent becomes mandatory around 2028. Meanwhile, California’s Opt Me Out Act requires all major browsers to include GPC functionality by January 1, 2027.

Will my WooCommerce store still need a cookie banner after the Digital Omnibus?

Probably yes, but less often. If a visitor’s browser sends a valid consent or rejection signal, no banner is needed. But visitors without configured browser preferences will still need a banner. The banner itself must offer one-click accept and one-click reject, and sites cannot re-ask for consent within six months of a rejection.

Browser-signal consent is arriving from both sides of the Atlantic by 2027. Your WordPress store’s consent plugin will need rebuilding. Your client-side tracking will lose even more data. The only tracking architecture that doesn’t depend on which consent model the browser uses is the one that processes events at the server. That’s the architecture worth investing in now — before the banners disappear and take your conversion data with them.
