PrivacyForgeSign In
Back to Blog

GDPR Cookie Consent 2026: Why Banners Are Here to Stay

The EU Council removed automated consent signals from the Digital Omnibus in June 2026. What this means for your cookie banner strategy — and what to do now.

PFMariyan ValevJul 7, 2026 · 11 min read
RegulationRegulation

Key Takeaways

  • The EU Council removed Article 88b from the Digital Omnibus on 18 June 2026 — the clause that would have replaced cookie banners with automated browser consent signals — following lobbying by Germany, France, Poland, and Google.
  • noyb estimates only 3–10% of EU users actually want to be tracked, yet dark-pattern banners achieve consent rates as high as 90%, affecting 450+ million EU citizens (noyb, June 2026).
  • The ePrivacy Directive Article 5(3) and GDPR Article 7 are unchanged: valid cookie consent must be freely given, specific, informed, and as easy to withdraw as to give.
  • The EDPB's Cookie Banner Taskforce (January 2023) confirmed that any banner showing an "accept" button without an equally prominent "reject" button on the same layer constitutes an infringement.
  • Even if Article 88b is eventually restored, mandatory browser signals would not apply before approximately 2029 — the compliance case for a properly built CMP is unchanged.

Introduction

You are halfway through a quote for a new consent management platform when a colleague forwards a headline: the EU is scrapping cookie banners. Should you pause the evaluation?

Do not pause. On 18 June 2026, the EU Council's fifth Digital Omnibus compromise text dropped Article 88b — the provision that would have required every website to recognise automated, machine-readable browser consent signals. Germany, France, and Poland pushed for the removal after Google circulated a lobbying paper warning that automated signals would bring online advertising to a standstill. The European Commission called the accompanying EUR 40–50 billion revenue-loss estimate "highly exaggerated." Privacy advocates called it something stronger.

The immediate legal effect for eCommerce operators is zero change: the ePrivacy Directive and GDPR Article 7 still govern every cookie banner on your site. What changed is the timeline for simplification — and, arguably, the strategic case for getting consent right now rather than later.

This article reflects publicly available regulatory guidance and news as of July 2026. It is informational content, not legal advice.

What Was Article 88b — and What Killed It?

Article 88b, introduced in the European Commission's Digital Omnibus proposal (COM/2025/837, published 19 November 2025), would have required websites to support machine-readable browser signals allowing users to express consent or refusal once — at the browser level — rather than site by site. Set a preference in Chrome or Firefox, and every website would be obligated to honour it. No per-site banner required.

The idea was not born in Brussels. Global Privacy Control (GPC) already does something similar: a browser-based opt-out signal that is legally binding under California's CCPA (Section 1798.135(c)) and recognised by Colorado, Connecticut, New Jersey, and at least seven other US states. As of July 2026, GPC is supported natively by Brave, DuckDuckGo, and Firefox, used by over 150 million people, and honoured by 66,000+ websites. In the EU, it has no binding legal status.

Why the Council Removed It

The EU Council's fifth compromise text, published 18 June 2026, removed Article 88b entirely. Article 88a — a narrower clause that moves the cookie-consent legal basis from the ePrivacy Directive into the GDPR framework without changing the opt-in requirement — was retained.

Google commissioned the Implement Consulting Group to model the impact. Their March 2026 study, "Gone in one click," projected that mandatory browser signals would cost European businesses EUR 40–50 billion in annual advertising revenue — a 30–35% drop, modelled on Apple's App Tracking Transparency. The European Commission publicly described these figures as "highly exaggerated." noyb, citing Max Schrems, noted that the proposal explicitly allowed per-website, per-purpose consent — the opposite of a blanket advertising kill switch — and exempted media outlets.

Germany, France, and Poland voted to remove Article 88b. The European Parliament had not yet taken a position. Ireland, which assumed the EU Council presidency on 1 July 2026, is now tasked with brokering agreement. IAPP's Brussels correspondent reported on 2 July that negotiations remain "challenging" and that "several countries signalled that better aligning the cookie regime between the GDPR and ePrivacy Directive are not a done deal."

What This Means in Practice

Article 88b's removal does not change the legal standard for cookie consent — it removes a mechanism that would have made compliance easier. The rules your CMP must satisfy today are identical to what they were before the proposal existed.

Even if Article 88b is eventually restored, its application window was 24 months from the Digital Omnibus entering into force. Given current negotiation timelines, mandatory browser-based consent signals would not apply before approximately 2029. Building a placeholder now in anticipation of a hypothetical standard is not a sound strategy.

Cookie consent requires a lawful basis under two overlapping frameworks that apply simultaneously to every EU-facing website: the ePrivacy Directive Article 5(3), which mandates opt-in consent for tracking, and GDPR Article 7, which defines what valid consent looks like. Neither overrides the other.

The ePrivacy Directive — Still the Starting Point

ePrivacy Directive Article 5(3) (Directive 2002/58/EC, as amended by 2009/136/EC) is the foundational requirement. It prohibits storing or accessing information on a user's device without consent — "having been provided with clear and comprehensive information...about the purposes of the processing." The only exceptions are technical communication necessity or services the user explicitly requested.

Article 88a, if enacted, would move this requirement into the GDPR framework. The practical effect for most stores would be limited, but it would bring cookie enforcement explicitly within GDPR's accountability and audit structures.

GDPR Article 7 — What Valid Consent Looks Like

GDPR Article 7 applies to every processing activity that uses consent as its lawful basis:

ConditionWhat It Requires
Art. 7(1) — DemonstrabilityYou must be able to prove consent was given: a log with timestamp, purpose, notice version, and withdrawal event
Art. 7(2) — ClarityWhere consent is part of a written declaration, the request must be clearly distinguishable, intelligible, and in plain language
Art. 7(3) — Easy withdrawalWithdrawing consent must be as easy as giving it — a "manage preferences" link four clicks deep does not satisfy this
Art. 7(4) — No bundlingConsent is not freely given if services are conditional on accepting non-essential processing

The EDPB Rules: What a Compliant Banner Must Include

EDPB Guidelines 05/2020 and the Cookie Banner Taskforce report (January 2023) set the specific requirements that DPAs audit against:

  • No pre-ticked boxes. Consent requires a "clear affirmative action"; a box ticked by default fails this.
  • No scrolling or swiping as consent. Passive engagement cannot substitute for a deliberate choice.
  • No cookie walls. Blocking content unless users accept tracking is not freely given consent under GDPR Article 7(4).
  • Equal visibility for accept and reject. If an "accept all" button is visible on the first banner layer, a "reject all" button must be equally visible on the same layer. A reject option on a second screen is an infringement — the Taskforce confirmed this explicitly.
  • Consent separate from terms of service. Bundling cookie consent with account registration or checkout completion invalidates it.

Say you run an online homewares retailer and your banner shows "Accept all" as a prominent green button alongside a small grey "Manage cookies" link. Every EU DPA surveyed in the 2023 Taskforce report identified this asymmetry as non-compliant. The investigation may not arrive tomorrow — but the structure fails the moment it goes live.

Here is why the Article 88b debate is not merely a Brussels procedural question.

EU cookie consent acceptance rates average 42–47%, according to CookieYes's 2026 Global Cookie Consent Trends report. Germany and France sit below 25%. These are the numbers operators see when banners are designed to EDPB standards — equal-prominence accept and reject, no dark patterns. When banners are designed to manipulate, acceptance rates reach 90%, noyb estimates, generating "several billion" coerced clicks per year across 450+ million EU internet users.

The share of EU websites offering equally visible accept and reject buttons rose from 27% in 2023 to 52% in 2025, per CookieYes. Progress — but it also means nearly half of EU websites still fail the EDPB's baseline requirement.

The commercial implication: a compliant banner with equal-prominence options will record lower acceptance rates than a dark-pattern banner. That gap is not a problem to engineer away. It represents the honest measurement of users who genuinely want to be tracked, and it is the only number defensible in a DPA inquiry. Regulators have done the same arithmetic.

These steps apply regardless of what happens to Article 88b — and regardless of what CMP you currently use.

  1. Audit your first layer for equal prominence. Accept and reject options must be visually equivalent: same button size, same colour contrast, same position. If your CMP vendor's default template buries reject, push back in writing or change vendors.
  1. Implement consent logging. GDPR Article 7(1) requires demonstrability. Your CMP must record per-user session: consent timestamp, the notice version displayed, each purpose accepted or refused, and the withdrawal event when applicable. A banner without a consent log is a legal liability, not a compliance tool.
  1. Audit withdrawal paths. Time how many clicks it takes to withdraw consent after accepting. If withdrawal takes more clicks than acceptance, your banner fails GDPR Article 7(3). The EDPB has been explicit about this requirement since 2020.
  1. Remove cookie walls. If your site blocks content or functionality until a user accepts tracking, this is a structural infringement under EDPB Guidelines 05/2020 — not a configuration setting to revisit during the next redesign.
  1. Consider GPC for US visitors now. GPC is legally binding in California and at least nine other US states as of mid-2026. If you serve US customers, honouring GPC is a CCPA requirement. Implementing it now also positions you ahead of any eventual EU browser-signal mandate — the underlying technology is the same.

Common Mistakes to Avoid

The worst mistake: treating the banner as the compliance. Banner design is visible and measurable, so it attracts disproportionate attention — but the consent record, downstream data flows, and processor agreements are where audits actually find actionable gaps. A compliant banner that generates consent logs you cannot produce on request is not compliance; it is a well-designed gap.

Bundling consents without segregation. If your checkout requires a single tick covering both terms of service and marketing email consent, neither consent is valid. GDPR requires each purpose to be freely given and separately recorded. Bundling two obligations into one tick invalidates both.

Waiting for legislative certainty. Every version of the Digital Omnibus maintains the opt-in consent requirement. The debate is about mechanism — banners versus browser signals — not about whether consent is required. Operators who defer CMP investment pending legislative resolution are deferring a live obligation.

Mismatching cookie lifetimes and consent record retention. Your consent record is only valid for the processing described when consent was given. If analytics cookies expire after 13 months but your consent records expire after 6, you have a provable gap. Align cookie expiry to the period covered by the stored consent record.

How PrivacyForge Helps

PrivacyForge's consent management module handles the consent record requirements that most CMP implementations miss. Every consent event is logged with timestamp, notice version, purpose granularity, and withdrawal — in a format that satisfies GDPR Article 7(1) and can be exported for a DPA inquiry.

The platform also manages the downstream data-mapping implications: when a user withdraws consent for a given purpose, PrivacyForge flags the processor agreements and data flows associated with that purpose for review, so your ROPA stays aligned with your actual consent state.

For operators monitoring the Digital Omnibus negotiations, PrivacyForge's compliance dashboard tracks open cookie and consent obligations against your current configuration, giving you a gap view without a manual audit.

→ Explore PrivacyForge's [consent management features](/features/consent-management) or review our [GDPR compliance checklist for eCommerce stores](/resources/blog/gdpr-compliance-for-ecommerce-practical-checklist) for the broader picture.

Frequently Asked Questions

No. The EU Council removed Article 88b — the provision mandating automated browser consent signals — from the Digital Omnibus on 18 June 2026. Cookie banners remain the legally required mechanism under the ePrivacy Directive. Even if Article 88b is eventually restored, its 24-month implementation window means mandatory browser signals would not apply before approximately 2029.

What does GDPR Article 7 require for cookie consent?

GDPR Article 7 requires that consent be demonstrable (you must be able to prove it was given), clearly distinguishable in any written consent declaration, as easy to withdraw as to give, and not bundled with unrelated conditions such as accepting terms of service. These requirements apply alongside the ePrivacy Directive opt-in rule and the EDPB's guidance on banner design.

No. EDPB Guidelines 05/2020 confirm that cookie walls — blocking access to content or services unless a user consents to tracking — make consent involuntary and therefore invalid under GDPR Article 7(4). Consent must be freely given; conditioning service access on non-necessary processing consent fails this test.

What is Global Privacy Control, and does it apply in the EU?

Global Privacy Control (GPC) is a browser-based signal that communicates an opt-out of data selling and targeted advertising. It is legally binding under California's CCPA (Section 1798.135(c)) and recognised by at least ten US states as of July 2026. GPC has no binding legal status under EU/GDPR law. Article 88b would have created an EU-equivalent obligation, but it was removed from the Digital Omnibus in June 2026.

Under EDPB Guidelines 05/2020 and the Cookie Banner Taskforce report (January 2023): no pre-ticked boxes; no scrolling or swiping accepted as consent; a "reject all" option as visually prominent as "accept all" on the first banner layer; no cookie walls; and cookie consent separate from acceptance of terms of service. Withdrawal must be achievable in no more steps than giving consent.

Conclusion

Article 88b's removal from the Digital Omnibus resolves exactly one uncertainty: cookie banners will not be replaced by browser signals this year, next year, or likely the year after. The underlying consent obligation — opt-in, freely given, demonstrable, with equally accessible withdrawal — is the same as it was before the Commission proposed automated signals, and the same as it will be if the provision is eventually restored.

The operators who fare best in DPA inquiries are not the ones who waited for legislative certainty. They are the ones who built consent records, removed dark patterns, matched cookie lifetimes to documented processing purposes, and stopped treating the banner as the compliance. Those steps look identical whether the long-term future is banners or browser signals.

The consent stack worth building in 2026 is the one that satisfies EDPB Guidelines 05/2020 today.

Sources

  • [noyb: EU Member States and Google Suddenly Want to Keep Cookie Banners](https://noyb.eu/en/eu-member-states-and-google-suddenly-want-keep-cookie-banners) (23 June 2026)
  • [IAPP: A View from Brussels — An Irish Return to the Future](https://iapp.org/news/a/a-view-from-brussels-an-irish-return-to-the-future) (2 July 2026)
  • [ePrivacy Directive Article 5(3) — EUR-Lex](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32002L0058) (Directive 2002/58/EC as amended)
  • [GDPR Article 7 — Conditions for Consent](https://gdpr-info.eu/art-7-gdpr/) (Regulation (EU) 2016/679)
  • [EDPB Guidelines 05/2020 on Consent](https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en)
  • [Global Privacy Control — Official Specification](https://globalprivacycontrol.org/)
  • [CookieYes: 2026 Global Cookie Consent Trends](https://www.cookieyes.com/blog/cookie-consent-trends/)
  • [Digital Watch Observatory: EU Cookie Banners and the Digital Omnibus](https://dig.watch/updates/eu-cookie-banners-digital-omnibus)
  • [PPC Land: EU Council Drops Cookie Signal After Google Lobbying](https://ppc.land/eu-council-drops-cookie-signal-after-google-lobbying-eur-40-50-bn-at-stake/)