EU Digital Omnibus 2026: The Cookie Consent Reform That Changes Everything

December 29, 2025
by Cherry Rose

The EU just proposed the biggest change to cookie consent since GDPR. The Digital Omnibus, published November 19, 2025, would move cookie rules from the fragmented ePrivacy Directive into GDPR itself—creating a single framework across all 27 EU member states. And it explicitly exempts internal analytics from consent requirements.

The EU Commission’s reasoning is blunt: Europeans spend 334 million hours on cookie banners annually, costing €11.2 billion in lost productivity. Fewer than 15% of top European websites even have compliant banners. The current system is broken.

Cookie banners won’t disappear entirely. But they’re about to get much simpler—if you’re collecting the right way.

What the Digital Omnibus Actually Proposes

The Digital Omnibus isn’t just tweaking cookie rules. It’s restructuring how the EU handles online privacy. Here’s what matters for WordPress site owners:

Cookie Rules Move Into GDPR

Currently, cookie consent is governed by the ePrivacy Directive—a separate law that each EU country implements differently. France has different rules than Germany. The UK (post-Brexit) has different rules than both.

The Digital Omnibus absorbs cookie rules into GDPR itself. One framework. One set of rules. Same enforcement across the entire EU. The Commission explicitly states this “consolidates all data rules into two major laws: the Data Act and GDPR.”

For WordPress owners, this means less guesswork about which country’s interpretation to follow.

Explicit Exemption Whitelist

The proposal creates a closed list of purposes that don’t require consent:

  • Communication transmission — Technical cookies needed for the website to function
  • Providing a service requested by the user — Shopping cart, login session, user preferences
  • Aggregated audience measurement for controller’s own use — Internal analytics
  • Security — Fraud prevention, attack detection

That third item is the game-changer. “Aggregated audience measurement for controller’s own use” means analytics that stay on YOUR servers, produce aggregate statistics, and aren’t shared for advertising purposes.

The Commission’s FAQ puts it plainly: “Cookies used only for non-risk purposes like counting website visits will no longer trigger consent pop-ups.”

The Digital Omnibus doesn’t eliminate consent—it makes it work better. When consent IS required (advertising, cross-site tracking, data sharing), new rules apply:

Single-Click Opt-Out

If you ask for consent, you must offer an equally easy way to refuse. No more “Accept All” in a big green button next to “Manage Preferences” in tiny gray text. Rejecting must be as easy as accepting.

Browser-Based Consent Signals

The proposal requires websites to respect machine-readable consent signals—like Global Privacy Control (GPC). If a user’s browser sends a “do not track” signal, websites must honor it.

Non-SME browsers must support these signals. Chrome, Firefox, Safari, and Edge will need to provide consent signal mechanisms. Users could set preferences once at the browser level instead of clicking through banners on every website.

Six-Month Consent Rejection Period

Once a user rejects consent, you cannot re-ask for at least six months. No more “consent banner every visit” dark patterns. Reject once, and the website must remember that rejection.

Media Services Exception

Media service providers (news sites, content publishers) get special treatment. They’re not required to respect automated consent signals—acknowledging that ad-supported media needs some ability to show relevant advertising to survive.

This doesn’t mean media sites can ignore consent entirely. It means they can still ask for consent through banners even when browser signals say “no.”

What This Means for WordPress Analytics

The practical implications depend on what you’re tracking and where that data goes.

Google Analytics: Still Needs Consent

Standard GA4 sends data to Google’s servers. Google uses that data for benchmarking, ad product improvement, and their advertising ecosystem—even if you never run a Google Ad. This is NOT “aggregated audience measurement for controller’s own use.”

GA4 will still require consent under Digital Omnibus. The exemption is for analytics that stay under YOUR control, not analytics that feed a Big Tech advertising machine.

First-Party Server-Side Analytics: Likely Exempt

Analytics that meet these criteria will likely qualify for exemption:

  • Data collected by your domain, stored on your servers
  • Never shared with third parties for their purposes
  • Produces aggregated statistics, not individual user profiles
  • No cross-site tracking
  • Used only for your own website improvement

Server-side tracking to your own BigQuery instance fits this description. The data is first-party (your server to your database), aggregated (you analyze patterns not individuals), and never leaves your control for advertising purposes.

Advertising Tracking: Always Needs Consent

Nothing changes for advertising. If you’re sending data to:

  • Google Ads (via GA4 or Enhanced Conversions)
  • Meta/Facebook (via Pixel or CAPI)
  • TikTok Events API
  • Any platform that uses your data for ad targeting

You still need consent. The Digital Omnibus exemption is for internal analytics, not advertising infrastructure.

Timeline: When Does This Happen?

The Digital Omnibus is a proposal, not law. Here’s the realistic timeline:

  • November 2025: Commission publishes proposal
  • 2026: European Parliament and Council negotiations
  • Late 2026 or 2027: Potential adoption (if negotiations go smoothly)
  • Transition periods: Some provisions (like browser signal requirements) have additional implementation time

Don’t rip out your consent banner tomorrow. The current rules still apply. But if you’re making infrastructure decisions now—choosing analytics platforms, building data pipelines—choose architecture that aligns with where regulations are heading.

How to Prepare Now

Even though Digital Omnibus isn’t law yet, the strategic direction is clear. Here’s how to position yourself:

Separate Advertising from Analytics

Stop treating all tracking the same. Use consent and Consent Mode v2 for advertising platforms (GA4 → Google Ads, Meta Pixel → Facebook). Build separate first-party analytics infrastructure that could qualify for exemption.
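
The split described here, combined with the browser-signal and six-month rules covered earlier, can be enforced as a single server-side gate in front of every outbound destination. The following is an added example, not code from the article or from any product it names; the purpose names, destination table, state shape and the choice to let a GPC signal outrank stored consent are assumptions made for illustration.

```javascript
// Added example, not code from the article or any product it names.
// Purpose names, destinations and the state shape are hypothetical.
const EXEMPT_PURPOSES = new Set([
  'transmission', 'requested_service', 'own_aggregate_measurement', 'security',
]);
const DESTINATIONS = {            // destination -> purpose it serves
  own_bigquery: 'own_aggregate_measurement',
  google_ads: 'advertising',
  meta_capi: 'advertising',
};
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumption: 183 days

// GPC arrives as the request header "Sec-GPC: 1"; Node lowercases header names.
function hasGpcSignal(headers) {
  return String(headers['sec-gpc'] || '').trim() === '1';
}

// state: { grantedAt, rejectedAt } in epoch ms (either may be absent).
function decide(destination, headers, state, now, opts = {}) {
  const purpose = DESTINATIONS[destination];
  if (!purpose) return { send: false, mayPrompt: false, reason: 'unknown destination' };
  if (EXEMPT_PURPOSES.has(purpose)) {
    return { send: true, mayPrompt: false, reason: 'exempt purpose' };
  }
  // Assumption: a browser signal outranks stored consent unless the site is a media service.
  if (hasGpcSignal(headers) && !opts.mediaService) {
    return { send: false, mayPrompt: false, reason: 'GPC signal' };
  }
  const { grantedAt = null, rejectedAt = null } = state;
  if (grantedAt !== null && (rejectedAt === null || grantedAt > rejectedAt)) {
    return { send: true, mayPrompt: false, reason: 'consent on record' };
  }
  if (rejectedAt !== null && now - rejectedAt < SIX_MONTHS_MS) {
    return { send: false, mayPrompt: false, reason: 'rejected within six months' };
  }
  return { send: false, mayPrompt: true, reason: 'no valid decision on record' };
}

// Constructed sample: one visitor with GPC on, who rejected the banner 30 days ago.
const now = Date.UTC(2026, 0, 15);
const visitor = { rejectedAt: now - 30 * 24 * 60 * 60 * 1000 };
for (const dest of Object.keys(DESTINATIONS)) {
  console.log(dest, decide(dest, { 'sec-gpc': '1' }, visitor, now));
}
```

Unknown destinations are denied by default, so a newly added integration sends nothing until it has been assigned a purpose.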

Build First-Party Data Infrastructure

Server-side tracking to your own BigQuery creates analytics that you control completely. Even if Digital Omnibus takes years to pass, first-party data is more accurate, more reliable, and increasingly required by advertising platforms anyway.

Transmute Engine™ already aligns with Digital Omnibus exemption criteria: first-party collection from WordPress, server-side processing, data stored in your own BigQuery, no third-party advertising data sharing. When the exemption becomes law, you’ll already qualify.

Know Your Audience Geography

Digital Omnibus affects EU visitors. If your audience is primarily US or Asia, EU rules may be less urgent for you. But if you have significant EU traffic, the simplification is coming—and first-party architecture will let you take advantage of it.

Don’t Over-Invest in CMPs

Complex consent management platforms are built for the current fragmented system. If Digital Omnibus passes with browser-based consent signals, much of that complexity becomes unnecessary. The €1,200-per-website-every-three-years CMP industry may shrink significantly.

Key Takeaways

  • Digital Omnibus moves cookie rules into GDPR—creating one framework instead of 27 different national implementations
  • Internal analytics get explicit exemption—“aggregated audience measurement for controller’s own use” won’t require consent
  • Google Analytics still needs consent—the exemption is for data YOU control, not data that goes to advertising platforms
  • Single-click opt-out becomes mandatory—rejecting cookies must be as easy as accepting
  • Browser consent signals must be respected—users can set preferences once instead of clicking banners everywhere
  • Six-month re-consent ban—once rejected, can’t ask again for six months
  • Not law yet—needs Parliament and Council approval, but direction is clear

Is the EU eliminating cookie banners entirely?

No. The Digital Omnibus creates exemptions for low-risk purposes like internal analytics and security, but advertising and marketing cookies still require consent. Cookie banners will become simpler, not eliminated. You’ll still need consent for tracking that shares data with advertising platforms.

When does the Digital Omnibus take effect?

The Digital Omnibus was published November 19, 2025 but still requires European Parliament and Council approval. Final adoption could take 12-24 months, with additional transition periods for some provisions. It’s not law yet, but the regulatory direction is clear.

What cookies will be exempt from consent under Digital Omnibus?

The proposed exemption whitelist includes: communication transmission, providing a service requested by the user, aggregated audience measurement for controller’s own use, and security. Standard Google Analytics likely does NOT qualify because its data goes to Google—true exemption requires first-party analytics that stay on your own servers.

Do I need to change my consent banner now?

Not immediately—the Digital Omnibus isn’t law yet. But if you’re making infrastructure decisions, choose architecture that aligns with where regulations are heading: first-party server-side tracking to your own data warehouse. This positions you for exemption once the rules pass.

The bottom line: The EU finally recognized that treating internal analytics the same as advertising tracking was overkill. Cookie banners cost Europeans 334 million hours annually—that’s about to change. Position yourself with first-party server-side tracking that qualifies for the coming exemption.
