The European Commission has presented a draft for the second Digital Omnibus, which sets out far-reaching changes in the areas of ePrivacy and cookie regulation. The draft has sparked significant interest across the industry and raises numerous questions about the future of online marketing. The following assessment is based on the analysis of leading data protection lawyer Tilman Herbrich from Spirit Legal, shared in the corresponding German-language JENTIS webinar and presented here in English.
First-party analytics receive preferential treatment
The draft proposes that the collection of aggregated information about the use of an online service for reach measurement may in the future be permitted without consent. This applies under the following conditions:
- On-premise processing: Data is processed on the organisation’s own server infrastructure.
- No data processors: No transfer of data to external service providers.
- Own use only: Data is used exclusively for internal analytics purposes.
- Aggregation: Processing is carried out only in aggregated form.
- No third-party transfer: No disclosure to third-party systems or platforms.
On-premise analytics solutions would meet these requirements. For companies that already rely on first-party data architectures, this could mean a significant simplification from a legal perspective. Server-side tracking solutions that fulfil these strict criteria would also benefit from this exemption.
Browser settings as a consent mechanism instead of cookie banners
One of the most discussed innovations is the proposed option to use browser settings as a consent mechanism. This approach suggests that central browser preferences could replace traditional cookie banners.
However, the legal requirements for valid consent remain unchanged. Consent must still be informed, specific, and unambiguous. Users must be clearly informed about recipients, data categories, and the purposes of processing.
Browser settings cannot technically meet these requirements, because each website would need to individually reflect the specific recipients and purposes.
Historically, the idea is not new: A comparable concept was already discussed between 2014 and 2016. The recitals of the cookie directive at the time already contained similar considerations. Legal experts unanimously conclude that technical signals cannot replace legally valid consent. Consent is a highly personal declaration of intent, which must be expressed consciously and in an informed manner.
Existing case law will not lower the high legal standards. Consent management platforms and cookie banners will therefore remain part of the compliance landscape for the foreseeable future.
Continuity and tightening of existing requirements
While the draft introduces relaxations in some areas, key compliance requirements remain in place or become stricter:
Tag management systems: Consent requirement remains
The ruling of the Administrative Court of Hannover regarding Google Tag Manager remains relevant. Tag management systems are classified as third-party systems and require consent. The so-called Consent Mode does not replace legally valid consent. It only governs technical behaviour after consent has been given or refused. The draft does not provide any exemption for tag management systems.
Personal nature of IP addresses
The draft proposes an adjustment to the definition of personal data, shifting from an objective to a subjective understanding of identifiability. Under the objective understanding, personal data exists if any party could theoretically identify a person. The subjective understanding, however, focuses on whether the specific recipient of the data can identify a person themselves or through realistic legal means.
For the online context, this leads to no practical changes. IP addresses remain personal data because server operators can file information requests with authorities in the event of security incidents, and the authorities can then ask the telecommunications provider to assign the IP address to the connection owner. These legal mechanisms remain in place, and the established case law of the European Court of Justice continues to apply.
Pseudonymised data also continues to be classified as personal data as long as re-identification is possible. This particularly affects large platforms that could theoretically identify users through logins or technical means.
Time restrictions for consent requests
The draft codifies new time limits for consent prompts:
- After consent is given: a 12-month blocking period before asking again
- After refusal: a 6-month blocking period
These rules have already been applied by supervisory authorities as a de facto standard, but they now receive explicit legal grounding.
The practical consequences of these blocking periods are significant: if a user selects “Reject all” in a consent management platform or sends a corresponding signal, they must not be asked again for six months. This removes companies’ ability to prompt users for consent via landing pages or other mechanisms. As a result, consent rates are expected to decrease, affecting small and medium-sized enterprises in particular.
In addition, there are technical challenges for CMP providers. Consent preferences are stored on the end device. However, since CMPs are third-party providers operating in a first-party context, the question arises whether their cookies are compatible with the new exhaustive regulations. For CMPs, this would mean that A/B testing or pre-consent geolocation would no longer be possible, as accessing the end device without prior consent would be unlawful.
The ambiguities in the wording of the draft, such as what exactly qualifies as first party and on-premise, remain unresolved. However, there is a two-year transition period after entry into force (2026/27), giving CMPs time to address these issues and develop solutions.
Server-side tracking and third-party advertising
Server-side tracking does not automatically fall under the first-party exemption unless it is operated entirely within the organisation’s own system environment and no data is passed on to external systems. For third-party tracking and advertising, consent remains a central requirement. All technologies that transfer or process data externally will continue to require consent in the future.
Curtailing compliance workarounds
Regardless of the final wording of the legislation, a clear regulatory intention can already be identified: the containment of so-called dark patterns and technical workarounds in consent requests.
In recent years, companies have developed various strategies to achieve high consent rates, including UI design optimisation, pre-selected options, or complex rejection processes. The draft signals that lawmakers intend to restrict these practices more strictly in the future.
The strategic consequence for companies: expecting maximised consent rates through optimised banner design will no longer be realistic. Organisations must prepare for a significant share of users not granting consent.
This requires a strategic shift. Developing analytical methods for non-consent traffic will become increasingly important. Companies should assess which insights can be obtained lawfully without consent and what technical solutions are available for that purpose.
Significant simplifications for AI training
The draft introduces substantial simplifications for training AI systems. Even sensitive data is intended to be processed without consent under certain conditions. These provisions are particularly aimed at large technology providers.
However, for the marketing sector this does not produce any direct practical effects, as the rules mentioned in the draft apply to other contexts of data processing. Although discussions around AI training dominate the public debate, they currently have no immediate relevance for operational online marketing.
Assessment and strategic recommendations
A realistic view of the legislative process
A final assessment is essential. The present text is a Commission proposal, not an adopted law. The draft must now pass through a multi-step process: the European Parliament will develop its own position, as will the Council of the 27 Member States. In the subsequent trilogue negotiations, these positions will be merged into a compromise.
The timeline is long-term: the earliest realistic date for the law to enter into force is 2026 or 2027. The browser settings foreseen in the draft as a consent mechanism would only apply 48 months after the regulation is officially published.
The Digital Omnibus is the second part of a broader series of reform initiatives. Further adjustments have already been announced, including a potential reopening of the GDPR in a forthcoming third step. With additional GDPR adaptations expected in 2025, the regulatory landscape will remain in motion.
What this means in the short and long term
In the short term, the draft does not create any immediate need for action. In the long term, however, the importance of first-party infrastructures will grow, especially in areas where consent-free analytics would become permissible.
Recommendations for companies
Despite the long timeline, strategic preparation is advisable:
- Long-term perspective with a proactive approach: The extended timeline allows for strategic planning, but early preparation creates competitive advantages.
- Evaluation of first-party architectures: Solutions that meet the strict criteria for consent-free first-party analytics will become increasingly relevant.
- Non-consent strategies: Developing analytical methods that provide valid insights even at low consent rates.
- Technology assessment: On-premise analytics tools and compliant server-side tracking solutions should be evaluated.
- Compliance monitoring: Continuous observation of the legislative process and timely adaptation of strategies.
Data protection regulation continues to evolve. Companies that engage early with regulatory developments and implement future-proof technical solutions create strategic advantages – regardless of the final design of the legal provisions.


