With the Digital Omnibus, the European Commission is pursuing an ambitious reform package designed, amongst other things, to fundamentally overhaul the regulations governing cookie banners and online tracking. The stated aim is to reduce bureaucracy and \u2018consent fatigue\u2019 \u2013 that is, user fatigue caused by excessive consent prompts. Whether this will succeed, however, is questionable. An initial analysis shows: it will become more complicated, not simpler.<\/p>\n\n\n\n
What is the Digital Omnibus?<\/strong> A new definition of personal data<\/strong> The new key element: Article 88a GDPR<\/strong> Furthermore, compared to the previous law, the general threshold is being lowered: whereas consent was previously generally dispensable only for data processing that was \u2018strictly necessary\u2019 \u2018for the sole purpose\u2019 of the provision of an online service, in future \u2018necessary\u2019 data processing will suffice. This could mean a noticeable, albeit moderate, simplification.<\/p>\n\n\n\n New obligations regarding consent management: Article 88a(4) GDPR<\/strong> Automated consent management: Article 88b GDPR<\/strong> An exemption applies to media service providers: they are not required to take these automated signals into account. The explanatory memorandum to the Commission\u2019s draft refers to the advertising-based financing of media services. In practice, this means for media services: no obligation to process consent automatically, but also no new privilege.<\/p>\n\n\n\n A regulatory gap is striking: the automated withdrawal of consent already given is not expressly provided for. However, Article 7(3), fourth sentence, of the GDPR requires that withdrawal must be as easy as giving consent. If consent can be given automatically, withdrawal should consequently also be possible automatically \u2013 the draft is silent on this point.<\/p>\n\n\n\n Two regimes remain in place<\/strong> The paradoxical consequence is that non-personal data will continue to be subject to the ePrivacy Directive with its generally stricter requirements, whilst personal data will in future be treated under the \u2013 somewhat more flexible \u2013 GDPR regime. This is difficult to justify under privacy law.<\/p>\n\n\n\n What does this mean in practice?<\/strong> For businesses that already deploy a carefully designed consent management system, this initially means: waiting until the new regulations have been finally adopted and then carefully reassessing their own tracking setup. The need for advice arises primarily in relation to the question of which cookies and tracking technologies fall under which exemption of the new Article 88a(3) of the GDPR, how the interaction between the two regimes must be structured for specific services, and what requirements apply to automated consent management for non-media services.<\/p>\n\n\n\n For media companies, there is also the strategic question of whether the exemption from automated consent management is a privilege or \u2013 given the growing prevalence of browser signals \u2013 a commercial risk.<\/p>\n\n\n\n One thing remains unchanged: tracking without valid consent is and will remain costly. Four of the ten highest GDPR fines up to 2024 were directly related to tracking breaches.<\/p>\n\n\n\n (Dr. Frank Eickmeier, Head of Legal ePrivacy)<\/p>\n","protected":false},"excerpt":{"rendered":" With the Digital Omnibus, the European Commission is pursuing an ambitious reform package designed, amongst other things, to fundamentally overhaul the regulations<\/p>\n
The Omnibus package is an amending act that updates several existing EU regulations in a single draft \u2013 including the General Data Protection Regulation (GDPR), the AI Act and the Data Act. Of particular relevance to practice regarding cookies and tracking are the new articles 88a and 88b of the GDPR, as well as an amendment to the definitions in Article 4 of the GDPR. Adoption is currently expected by the end of 2026. The consultation phase for industry associations was concluded in March.<\/p>\n\n\n\n
The GDPR is to be subject to a so-called relational restriction: information will no longer be considered personal data for everyone simply because some entity could identify the data subject through it. The decisive factor is whether the data controller in question can itself identify the individual using reasonably available means. This clarification primarily implements the ECJ case law in the Breyer, Gesamtverband Autoteile-Handel and SRB cases and could provide practical relief for first-party cookie scenarios.<\/p>\n\n\n\n
The new Article 88a GDPR would incorporate large parts of the previous Article 5(3) of the ePrivacy Directive (implemented in Germany as Section 25 TDDDG) into the GDPR regime. For the practical operation of websites and digital services, this results in the following scenarios where consent is not required: <\/p>\n\n\n\n
When consent is sought, clear requirements will apply to the design of consent banners in future. It must be possible to refuse consent with a single click (\u201csingle-click button or equivalent means\u201d). If consent has already been given, no further consent banner may be displayed for the same purpose whilst the consent remains valid. If consent has been refused, no new consent request may be made for the same purpose for at least six months. Practically, this means that a \u201cdo-not-track\u201d cookie may \u2013 and indeed must \u2013 be set for this period.<\/p>\n\n\n\n
Deployers are obliged to design their interfaces in such a way that users can grant or withhold consent via automated, machine-readable signals \u2013 such as browser settings. This approach corresponds to the Global Privacy Control (GPC) concept, which has so far only been accepted by a few data protection authorities.<\/p>\n\n\n\n
The central problem with the draft from the perspective of legal application remains: the ePrivacy Directive (in Germany implemented in Section 25 of the TDDDG) is apparently to continue to apply in parallel with the new Articles 88a and 88b of the GDPR. This is because both regimes cover different scenarios: Article 5 of the ePrivacy Directive covers access to and storage of information in terminal equipment in general, including non-personal data. Article 88a of the GDPR, on the other hand, applies only to personal data and the terminal equipment of natural persons.<\/p>\n\n\n\n
The hoped-for simplification is unlikely to materialise. Instead, complex hybrid scenarios are emerging in which different regulations apply to the same website visit. Depending on whether personal data is involved, whether a natural person\u2019s device is involved, and whether the provider is a media service, up to six different banner variants \u2013 which are lawful or required depending on the specific circumstances \u2013 may be necessary.<\/p>\n\n\n\n