Cookie fatigue is real. We’ve all done it – visited a website, seen yet another cookie banner, and clicked “Accept All” without reading a single word. It’s become a reflex, and it defeats the entire purpose of informed consent.
In November 2025, the European Commission proposed the Digital Omnibus Package to fix this problem. The proposal promises to simplify cookie rules, reduce banner fatigue, and align cookie consent with GDPR. But will cookie banners actually disappear? The short answer is no – but the longer answer is more interesting.
What Is the Digital Omnibus?
The Digital Omnibus Package was announced by the European Commission in November 2025 as part of a broader “competitiveness and simplification” initiative. The goal is to reduce regulatory complexity for businesses operating in the EU whilst maintaining data protection standards.
One of the key changes in the package is moving cookie rules from the ePrivacy Directive into the GDPR framework. Currently, cookie consent sits awkwardly between two different laws – GDPR governs personal data processing, whilst the ePrivacy Directive governs the use of cookies and tracking technologies. This creates confusion and duplication.
It’s important to note that this is still just a proposal. The Digital Omnibus must pass through the European Parliament and Council before it becomes law. Based on previous EU legislative timelines, we’re looking at 2026 at the earliest for adoption, with full implementation likely taking several more years.
What’s Actually Changing
The Digital Omnibus introduces four significant changes to how cookies and tracking technologies are regulated:
New exemptions for low-risk cookies. Under the current rules, almost every cookie requires consent. The proposal creates exemptions for security cookies, first-party analytics cookies, and cookies necessary to deliver a user-requested service. These would no longer trigger a consent banner.
Legitimate interest as a legal basis. Currently, cookies almost always require explicit consent. The proposal allows legitimate interest as a legal basis for certain types of cookies – the same approach used elsewhere in GDPR. This gives businesses more flexibility, but they’ll need to demonstrate their processing is proportionate and respects user expectations.
Browser-based consent signals. The proposal envisions a future where users set their cookie preferences once in their browser settings, and websites automatically respect those preferences. No banner needed. However, the technical standards for this don’t exist yet, and won’t be mandatory until around 2028.
A six-month “cooldown” period. If a user refuses consent, websites can’t ask again for six months. This prevents the annoying pattern of seeing the same banner on every single page visit.
Will Banners Disappear? (Short Answer: No)
Here’s the reality check: cookie banners won’t disappear any time soon.
Marketing and tracking cookies – the ones that follow you around the internet and power targeted advertising – will still require consent. These are the cookies that cause banner fatigue in the first place. A fashion retailer can remove the banner for their basic analytics cookies, but they’ll still need consent for Facebook Pixel, Google Ads, and all the other third-party marketing tools they use.
The exemptions apply to low-risk, functional cookies. These are typically the cookies users don’t mind anyway – the ones that remember your shopping basket or keep you logged in. It’s good that these won’t need banners anymore, but it’s not the revolution some headlines suggest.
The browser-based consent mechanism sounds promising, but it’s years away. Browser vendors need to agree on technical standards, build the functionality, and roll it out to users. Even optimistic estimates put this at 2028 or later. Until then, websites will still need traditional consent banners.
The legitimate interest option helps, but it’s not a free pass. Businesses still need to balance their interests against user privacy, and regulators can challenge implementations they consider unfair. It’s a useful tool, but it won’t eliminate the need for careful consideration of what cookies are actually necessary.
What This Means for UK Businesses
If you’re a UK business, here’s what you need to know: the Digital Omnibus doesn’t automatically apply to you.
The UK operates under UK GDPR, which diverged from EU GDPR after Brexit. Changes to EU GDPR don’t automatically change UK law. The Digital Omnibus only matters for UK businesses if you’re serving customers in the EU – and even then, only for those EU customers.
The UK has already made its own adjustments to cookie rules through the Data (Use and Access) Act 2025. This introduced minor relaxations for cookies used for security purposes and age verification. The UK’s approach focuses on narrow, specific exemptions rather than the broader reforms proposed in the Digital Omnibus.
The gap between UK and EU rules is growing. UK businesses serving both markets may need to implement different approaches for each jurisdiction. A website might use legitimate interest for certain cookies when serving EU visitors, but still need consent for the same cookies when serving UK visitors.
This doesn’t mean UK rules won’t change. The UK government watches EU developments closely and sometimes adopts similar approaches. But there’s no guarantee, and the timelines won’t align. UK businesses need to stay informed about both jurisdictions separately.
What You Should Do Now
Don’t expect cookie banners to vanish. Instead, focus on making your current consent process as transparent and user-friendly as possible. This works regardless of whether you’re following UK rules, EU rules, or both.
Design consent banners that are genuinely easy to understand and easy to refuse. Users should be able to reject cookies as easily as they can accept them. Pre-ticked boxes and hidden reject buttons aren’t just poor practice – they’re likely unlawful under both UK and EU rules.
Review which cookies you actually need. Many websites have accumulated cookies over years of adding new tools and services. Some of those cookies might no longer serve a useful purpose. Fewer cookies means less to explain and less friction for users.
If and when the Digital Omnibus becomes law, you’ll need to review your implementation again. But the fundamentals remain the same: be transparent, respect user choice, and only collect what you genuinely need.
If you need help understanding your obligations under UK GDPR or preparing for EU changes, Measured Collective offers practical GDPR training designed for real-world compliance. Our courses help you build consent processes that work for both your users and your business.