For nearly two decades, cookie consent rules in Europe lived in a separate legal universe from GDPR. The ePrivacy Regulation (or Directive, depending on your jurisdiction) sat alongside the GDPR as its own framework, creating complexity for compliance teams who had to juggle two different sets of rules. That changed on February 11, 2026, when the EU withdrew the ePrivacy Regulation. The Digital Omnibus GDPR cookie rules now consolidate cookie governance directly into the GDPR itself through new Articles 88a and 88b. This shift reshapes how organizations obtain consent for tracking and how websites communicate with users.
The end of ePrivacy: What happened?
The ePrivacy Regulation was never fully harmonized across EU member states. Some implemented it as a directive, others as a regulation, and the fragmentation created a compliance headache. Moreover, its role as a companion framework to GDPR meant many organizations were essentially administering consent twice. When the EU withdrew ePrivacy on February 11, 2026, it signaled a decision to consolidate electronic communications privacy rules back into the main GDPR structure.
This withdrawal did not mean privacy protections for cookies disappeared. Rather, the rules migrated. The mechanism for obtaining consent for non-essential cookies, tracking and marketing data collection now flows through GDPR Articles 6(1)(a) and 7, which govern lawful basis and consent. The technical details of how that consent gets implemented, however, changed significantly.
What the Digital Omnibus GDPR reform actually is
The Digital Omnibus Directive is the EU’s vehicle for updating the GDPR itself in response to evolving technology and enforcement challenges. Think of it as a formal amendment package. Within that directive sit Articles 88a and 88b, which redefine the landscape for cookie consent specifically.
Article 88a establishes that cookie consent must remain granular, easy to withdraw, and obtained before cookies are set. Furthermore, it clarifies that pre-ticked consent boxes violate GDPR principles and that website visitors must actively opt in to non-essential tracking. This is not new in spirit, but the codification in the GDPR itself (rather than in ePrivacy) signals a shift in regulatory emphasis.
Article 88b introduces something genuinely novel: browser consent signals, also called machine-readable consent or the Global Privacy Control standard. Instead of filling out a cookie banner every time a person visits a website, visitors can configure their browser or device once to communicate their consent preferences. In simple terms, that signal tells websites “this user has not consented to tracking cookies” without the website having to show a banner.
Articles 88a and 88b Explained
Article 88a: Strengthening Granular Consent
Article 88a establishes that consent for cookies and similar tracking technologies must meet the same standards as other GDPR consent. This means it must be freely given, specific, informed and unambiguous. The article explicitly forbids pre-ticked boxes, dark patterns designed to nudge users toward consent and bundled consent where users cannot refuse one type of tracking without refusing all.
Additionally, Article 88a creates a legal obligation to honor browser consent signals. When a user’s browser communicates a do-not-track preference or consent signal, websites must recognize that signal as valid consent information. For the first time, the privacy preferences someone sets in their browser settings have legal standing.
Article 88b: Browser Consent Signals and Machine-Readable Consent
Article 88b formalizes the use of standardized, machine-readable consent signals. Rather than each website parsing its own consent strings, Article 88b aligns with the Global Privacy Control (GPC) standard and similar signals that browsers and privacy tools can emit on behalf of users.
This change has immediate implications. Websites will still technically need to provide a cookie banner for legal transparency, but the function of that banner shifts. Instead of being the only way users communicate their preferences, the banner becomes one channel among several. A user who has configured their browser to communicate “no consent for tracking” will not need to see a cookie banner at all on compliant websites.
What changes for your website
The shift from ePrivacy to GDPR Articles 88a and 88b means several operational changes for organizations managing websites:
Consent Technical Implementation
Your cookie consent solution must now respond to browser consent signals. If your current system ignores what a user’s browser is communicating about their consent preferences, you are out of compliance. Moreover, the consent strings your system generates and stores must be compatible with GDPR audit requirements. Where the old ePrivacy framework relied on consent receipt databases, GDPR Article 88b expects real-time signal recognition.
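As an added illustration (not part of the original article and not any vendor's code), the sketch below shows one way a server could fold a browser signal into its consent decision before any cookie is set. It assumes the signal arrives as the Global Privacy Control request header `Sec-GPC: 1`; the purpose names, the stored-consent shape, the sample cookies, and the rule that the signal overrides a stored banner choice are all hypothetical.

```javascript
// Added illustration. Purpose names and the stored-consent shape are hypothetical.
const PURPOSES = ["essential", "analytics", "marketing"];

// Header names are case-insensitive; the GPC specification defines only the
// exact value "1" as an expressed preference, so anything else is "no signal".
function gpcOptOut(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() === "sec-gpc") return String(value).trim() === "1";
  }
  return false;
}

// Combine the browser signal with any stored banner choice.
// Assumption: a GPC opt-out takes precedence over a stored choice.
function resolveConsent(headers, stored) {
  const signal = gpcOptOut(headers);
  const decision = {
    // Recorded so the audit trail shows why each purpose was allowed or denied.
    source: signal ? "browser-signal" : stored ? "stored-choice" : "default-deny",
    // No banner needed when the browser has already answered.
    showBanner: !signal && !stored,
    purposes: {},
  };
  for (const p of PURPOSES) {
    if (p === "essential") decision.purposes[p] = true;
    else if (signal) decision.purposes[p] = false;
    // Opt-in only: a missing or non-boolean value is never treated as consent.
    else decision.purposes[p] = Boolean(stored) && stored[p] === true;
  }
  return decision;
}

// Return the names of the cookies that may be set under this decision.
function allowedCookies(candidates, decision) {
  return candidates
    .filter((c) => decision.purposes[c.purpose] === true)
    .map((c) => c.name);
}

// Constructed sample data, not taken from any real site.
const SAMPLE_COOKIES = [
  { name: "session_id", purpose: "essential" },
  { name: "_stats", purpose: "analytics" },
  { name: "_adid", purpose: "marketing" },
];
```

Running the decision on every request, rather than once at banner time, is what lets a signal that the user enables later take effect on the next page load.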
Banner Redesign and Messaging
While cookie banners are not disappearing, their design and function are changing. You may no longer require a banner to appear before cookies are set if a user’s browser has already communicated valid consent signals. However, you still need to provide clear information about which cookies your website uses and why. This information can appear in your privacy policy, in a drawer that users can access, or in a redesigned consent interface that respects the browser signal without demanding repeated interaction.
Consent Withdrawal and Documentation
GDPR Article 7(3) requires that withdrawal of consent be as easy as giving it. Article 88a makes this obligation more specific in the cookie context. If your website makes it difficult to decline cookies or to change preferences later, you are violating both ePrivacy’s legacy and the new GDPR articles. Consequently, your website must provide a clear, always-accessible way for users to withdraw consent or modify their tracking preferences. This is not a best practice; it is now a legal requirement codified in the GDPR itself.
The transition period and timeline
The EU did not impose an immediate Digital Omnibus compliance deadline for all organizations. However, browser vendors and privacy tools have already begun implementing the standards that Articles 88a and 88b reference. Firefox, Safari and privacy-focused browser extensions now send standardized consent signals. Websites that do not recognize these signals are already creating a gap between what users think they have configured and what websites are actually doing.
From a practical standpoint, you should treat the Digital Omnibus withdrawal of ePrivacy as an urgent signal to audit your current consent setup. Additionally, if you have not yet integrated browser consent signal recognition into your technical stack, you should prioritize this. The transition is not binary; it is gradual. Legacy systems will continue to operate for several months, but the regulatory momentum is clear.
What DPOs and Legal teams should do
First, review your current cookie consent solution against Articles 88a and 88b. Does it recognize browser consent signals? Does it allow granular consent per tracking purpose? Can users withdraw consent easily?
Second, conduct a website privacy audit to document which cookies and trackers your organization currently deploys. You may discover that your website is setting cookies you have no business basis for, or that your consent flow is bundling multiple purposes together when they should be separate. Our website privacy audit guide walks through this process step by step.
Third, coordinate with your web development and marketing teams. This change affects cookie consent systems, analytics implementations, ad tech integrations and marketing technology stacks. The sooner these teams understand that ePrivacy is gone and GDPR now governs cookies, the sooner you can avoid compliance gaps.
Finally, stay informed about how national data protection authorities are interpreting Articles 88a and 88b. The European Data Protection Board publishes guidance and organizations like Taylor Wessing and Loyens & Loeff publish analyses as enforcement patterns emerge. The first months after February 2026 will reveal how regulators expect these new articles to work in practice.
The Bottom Line
The EU’s withdrawal of ePrivacy and the codification of cookie rules into GDPR Articles 88a and 88b mark a consolidation, not a weakening, of privacy protections. Users now have the ability to configure consent preferences once in their browser and have websites recognize those preferences. Organizations must move from a model where cookie banners are a one-time interaction on every website visit to a model where consent is granular, transparent and honored across channels.
For DPOs and privacy teams, the immediate action is clear: audit your consent flow against the new GDPR articles, verify that your systems recognize browser signals, and ensure your website treats consent withdrawal as a technical priority. If your organization needs to monitor ongoing compliance with cookie rules across your digital properties, Nixon Platform helps you track consent implementation across your website portfolio and detects when tracking behavior changes or consent configurations break.
The Digital Omnibus GDPR reform is not a complete overhaul. It is a clarification and modernization of rules that have always applied. For teams still running 2010-era cookie consent systems, it is a wake-up call. The time to move is now.