The European Commission’s “Digital Omnibus” proposal, unveiled in November 2025 and still under legislative review, could significantly alter the so-called “ePrivacy” landscape across the EU. That landscape covers in particular the use of cookies, but also other interferences with the integrity and privacy of smart devices (e.g. connected cars and TVs, smart glasses, mobile phones).
The proposal includes a move to replace the current two-step framework, based on national implementations of Art. 5(3) of the ePrivacy Directive and the EU General Data Protection Regulation (GDPR), with a single, harmonised set of rules for accessing and storing personal data on user devices and their subsequent processing. This shift promises both operational simplification and significant changes to legal obligations for organisations, as long-standing national standards for cookie consent may soon be overtaken by directly applicable EU law.
1. Background: two-step device privacy in the EU
Under the current regime, organisations must navigate a two-step compliance process. First, they must secure prior consent for device access under national implementations of Art. 5(3) of the ePrivacy Directive, unless one of two rather limited exceptions applies. Second, they must ensure that any subsequent processing of personal data meets the GDPR requirements.
This system has produced complex and often confusing “cookie consent banners”. The result is widespread “consent fatigue” among users, who simply accept requests for consent to get rid of these bothersome banners without actually reading the information provided, high compliance costs for businesses, and, in some EU Member States, supervisory competences split between different national authorities for the ePrivacy Directive and the GDPR. For businesses, these regulatory requirements are particularly challenging because the broad scope of the ePrivacy Directive goes far beyond the mere use of cookies: its restrictive requirements also apply to a variety of smart devices that did not even exist, and whose particularities could not have been taken into account, when the ePrivacy Directive was adopted more than two decades ago.
2. The Digital Omnibus: what would change?
The Digital Omnibus proposes to shift the regulation of personal data from end-user devices into the GDPR by introducing a new Article 88a GDPR. This provision, in conjunction with Recital 44 of the proposal, would:
- establish an expanded, exhaustive list of exceptions where device access and data processing may occur without consent (for example for communication transmission, explicitly requested services, certain audience measurements, or security maintenance),
- ensure that lawful access also permits the associated personal data processing,
- clarify that (contrary to current guidelines of EU data protection supervisory authorities) all legal bases, including legitimate interests, may be applied to the subsequent processing of personal data for purposes other than those defined in the exhaustive list, and
- centralise oversight under GDPR supervisory authorities.
For EU Member States, this shift would require them to narrow or repeal their implementations of Art. 5(3) ePrivacy Directive. To the extent that their provisions currently govern terminal device access in situations falling within the scope of Art. 88a GDPR, they would duplicate rules in a fully harmonised field. If the national provisions are to be retained, their scope would need to be limited to non-personal data or other residual cases.
The proposal further aims to address ‘consent fatigue’ by introducing clear standards for user consent requests, including:
- requiring data controllers to provide a straightforward mechanism, such as a single-click button, through which users can refuse consent,
- prohibiting repeated consent requests for the same processing purpose within a six-month period, and
- mandating that data controllers respect machine-readable consent signals (e.g., from browser settings), and that browser providers support these features, subject to limited exemptions for media organisations.
In Germany, for instance, a national regulation was adopted only recently, in early 2025, which is intended to facilitate the management of consent for users of digital services (including by using machine-readable consent signals). However, unlike under the current Digital Omnibus proposal, providers of digital services are not obliged to interact with such consent management services, and so far their actual use is still very limited, with only one provider having been acknowledged so far.
3. Practical impact for organisations
The Digital Omnibus proposal could substantially reshape device privacy regulation in the EU. However, its ultimate impact will depend on the outcome of the ongoing Trilogue negotiations and how concerns around ambiguous boundaries, technical implementation, and the risk of fragmented protection are resolved.
With respect to the current proposal, businesses would benefit from enhanced legal certainty regarding the permissibility of further processing of personal data that have been accessed from terminal devices, as it would be clarified that such processing is subject to GDPR standards. Yet the proposal would not fully harmonise the GDPR and ePrivacy regimes, so access to (personal) data on terminal equipment would still be subject to more restrictive requirements than the processing of personal data in general. Additionally, in practice the chances of obtaining consent from a user to access personal data on their terminal equipment would be significantly limited, as businesses would not be allowed to make a new request for consent (e.g. by displaying the cookie consent banner again) for six months once a user has declined an initial request.
Also, under the proposal different provisions would apply to access to personal data (the new Article 88a GDPR) and to non-personal data (the current ePrivacy regime) on terminal equipment. In practice, this might make it difficult for businesses to determine clearly whether the accessed data constitutes personal or non-personal data, and thus which provision applies.
For organisations, early engagement with the proposed changes is essential. Reviewing current consent management processes, preparing for the potential integration of machine-readable signals, monitoring legislative developments, and assessing the potential for expanding future data processing activities will all be sensible in the months ahead.
The Digital Omnibus constitutes an important step towards a unified digital privacy landscape within the EU. Its successful implementation will require collaborative effort from regulators, businesses, and policymakers to strike the right balance between simplification, compliance, and user empowerment. The coming period will be pivotal for shaping the future of terminal device privacy and cookie regulation in the EU.