If you have spent any time on a European website in the last several years, you know the ritual. The banner loads. You are presented with some variation of “We value your privacy” followed by an Accept All button in bright color and a Manage Preferences link in muted gray. You click Accept All because you just want to read the article, and somewhere a data broker logs another consent record.
That experience — repeated billions of times a day across the EU — has a name: cookie fatigue. And the European Commission has decided it has had enough of it.
In the Digital Omnibus package, the EC has outlined a proposal to fundamentally restructure how online consent works across Europe. The idea is to shift consent from the website level — where every publisher runs their own banner — to the browser level, where users set their preferences once and those choices are communicated automatically and machine-readably to every site they visit.
It is an ambitious proposal. It also has the potential to create a new set of problems while solving the old ones. One problem is that the choices are not universal across the board.
What the Digital Omnibus Actually Proposes
The operative provision is Article 88b of the Digital Omnibus, which amends the existing ePrivacy framework to create a centralised consent architecture. Under the proposal, a user would give or refuse consent to data processing through a single-click, machine-readable browser-level control rather than through individual website banners.
The EC also addresses one of the more irritating consent behaviors currently common across the web: the re-ask. Under the new framework, a data controller would only be permitted to re-request consent from a user who has already refused after a minimum interval of six months. No more being asked the same question every time you clear your cookies, visit on a new device, or happen to return to a site you last visited three weeks ago.
The Commission’s own summary of the proposal identifies four expected improvements: fewer cookie banners, more transparency, clearer rules on when consent can be re-requested, and a centralised approach that reduces burden on both consumers and organisations.
The projected savings figures the EC has attached to the proposal are worth noting. The Commission estimates browser-level consent would save European businesses approximately €820 million and the public sector roughly €320 million by eliminating the need to maintain independent cookie-consent mechanisms. A separate productivity estimate puts the figure at €4.98 billion per year — though, as Euronews reports, that calculation is based on multiplying the number of individual user site visits by the average seconds spent clicking banners, which is a generous methodology.
Why Cookie Fatigue Is a Real Compliance Problem
Before getting to the critics, it is worth taking the underlying problem seriously, because it is genuine.
Cookie consent as currently implemented is largely theater. Roughly 54% of Europeans accept cookies without meaningful review, while 26% deny them — figures that suggest the majority of users are making reflexive choices rather than informed ones. The consent that GDPR was designed to make meaningful has, in practice, become a speed bump that users click through as fast as possible.
This is not a minor footnote. The entire legitimacy of consent-based data processing under the GDPR depends on consent being “freely given, specific, informed, and unambiguous.” When more than half of users are clicking Accept All in under two seconds, that premise is strained to the point of incoherence. Consent mechanisms that exist to signal compliance while providing minimal actual user control are, at best, a legal fiction. At worst, they undermine public trust in the entire privacy regulatory framework.
The Commission is right that the current system is broken. The question is whether browser-level consent fixes it or trades one set of problems for another.
The Gatekeeper Problem
The most substantive criticism of the proposal comes from the European Tech Alliance, which has raised concerns that mandatory browser-level consent could concentrate control over the entire European consent infrastructure in the hands of a small number of browser vendors. As the Alliance put it, the proposal risks “centralising consent management in the hands of a few intermediaries, effectively creating new gatekeepers and weakening the direct relationship between users and service providers.”
This is not a theoretical concern. The browser market in Europe is heavily concentrated. Google Chrome alone commands a dominant share of desktop and mobile traffic. Apple’s Safari controls a significant portion of the iOS ecosystem. If consent is mediated through browser-level controls, the companies that build and control those browsers — companies that are themselves significant data processors with direct commercial interests in how consent flows — become the de facto infrastructure of European privacy compliance.
The EC proposal does not resolve this structural tension. It is precisely the kind of question that, as Euronews notes, “requires broader discussion, where policymakers would consult not only technical experts but also institutions that oversee competition.”
From a compliance perspective, organisations that currently maintain direct relationships with their users through their own consent management platforms should be paying close attention to how the final framework addresses browser vendor neutrality. If browser-level consent becomes mandatory and the standards governing those browsers are set by companies with competing interests, the compliance infrastructure European businesses have built over the last several years could be rendered subordinate to decisions made in Cupertino and Mountain View.
What It Means for SMEs and Digital Marketers
The Digital Omnibus proposal has immediate practical implications for the segment of the European market that has the least capacity to absorb major shifts in online advertising infrastructure: small and medium-sized enterprises.
The current consent regime, for all its friction, supports personalised advertising. Publishers collect consent, share it with ad tech partners, and run targeted campaigns that are priced and measured against specific audience signals. It is a system with serious privacy problems — but it is also the economic substrate that supports a large share of European digital media and SME marketing.
If browser-level consent shifts the default for a significant portion of users toward refusal — or makes granular consent less available to advertisers — SMEs and digital marketing specialists will face pressure to migrate from personalised advertising to contextual advertising. According to a study by the Implement Consulting Group, contextual ads consistently deliver lower performance and carry higher costs than personalised alternatives. For large multinationals with diversified marketing budgets, that is an adjustment. For an SME running a local e-commerce operation on thin margins, it may not be.
This is not an argument against privacy-protective consent reform. It is a reason to take the economic distribution of costs seriously when designing the transition.
An Alternative Path the Commission Should Consider
One constructive alternative raised in the policy debate — and worth elevating for compliance professionals who engage with policymakers — is whether clearer guidance on the legitimate interests basis under the existing GDPR framework could accomplish some of what the Digital Omnibus is trying to achieve without the architectural disruption.
Article 6(1)(f) of the GDPR already provides a lawful basis for processing that is necessary for the legitimate interests of a data controller or third party, where those interests are not overridden by the rights of the data subject. Regulatory clarity on which routine operational data processing activities legitimately qualify under this basis — without requiring individual consent — could reduce the volume of consent requests users face without requiring a complete overhaul of browser infrastructure.
That approach would not solve everything. But it would be a targeted, GDPR-native solution that avoids creating new gatekeepers, does not require browsers to become the administrative backbone of European privacy compliance, and gives businesses a more predictable legal foundation for routine processing activities that do not carry material privacy risk.
What Compliance Teams Should Be Doing Now
The Digital Omnibus is still moving through the EU legislative process, which means organizations have time to prepare rather than react. But that window is narrowing, and the decisions you make about your consent infrastructure over the next year will be easier to adjust if you have been thinking about this clearly.
A few concrete steps worth taking now:
Audit your current CMP implementation. Whatever browser-level consent ultimately looks like, organisations that have clean, well-documented, purpose-limited consent flows today will have an easier time adapting. If your consent management platform is a tangle of undocumented vendor integrations, fix that now — not because of the Digital Omnibus specifically, but because it is a compliance liability regardless.
Model your advertising exposure. If your marketing budget depends heavily on personalised advertising and consent-based targeting, now is the time to scenario-plan what a shift toward contextual advertising would mean for your CAC, your media spend, and your marketing mix. Do not wait for the final text to run those numbers.
Engage on the policy. The Digital Omnibus has not been finalised. The questions around browser vendor neutrality, SME impact, and the gatekeeper risk are live policy questions that the Commission is still working through. Industry associations, compliance bodies, and individual organisations all have legitimate standing to weigh in.
Watch the six-month re-ask rule closely. Regardless of how the broader browser-level consent architecture develops, restrictions on re-asking users who have declined are a near-certainty in some form. If your current consent flows rely on frequent re-requests to build up consent populations, that practice has a limited runway.
Cookie Banner Funeral
Few people outside of the privacy profession would mourn the cookie banners and I would be one of them. The consent theater that passes for informed choice on most European websites is an embarrassment to the GDPR’s original ambitions, and the EC is right to want something better.
But better consent infrastructure is not automatically good consent infrastructure, and the risk of trading 27 years of cookie-banner chaos for a browser-mediated consent duopoly controlled by American tech giants is real enough to warrant serious scrutiny before the proposal is finalised.
The goal — consent that is transparent, meaningful, and genuinely easy to give and withdraw — is the right one. The question is whether the Digital Omnibus gets us there without creating a new set of compliance dependencies that European businesses and regulators will be untangling for the next decade.
