For years, the rules governing cookies on European websites lived in two separate places: the GDPR for personal data, and the older ePrivacy Directive for cookies and tracking. That split is now ending. On 19 November 2025 the European Commission published its Digital Omnibus package – a sweeping set of proposals to simplify EU digital law – and in February 2026 it formally withdrew the long-stalled ePrivacy Regulation, clearing the way for cookie consent rules to be folded directly into the GDPR.
If the package is adopted as proposed, it will change how cookie banners work, how long you can keep asking visitors for consent, and how browser-level privacy signals are handled. For WordPress site owners, that means the consent banner you configured last year may need rethinking. This article explains what the Digital Omnibus actually proposes and what it means for your site. For the wider picture, see our guide to WordPress GDPR and website compliance in 2026.
- The Digital Omnibus entered the EU legislative procedure in November 2025 and still has to be reviewed and agreed by the European Parliament and the Council.
- Adoption is expected in mid-to-late 2026, and different provisions will have different effective dates.
- The cookie consent changes are expected to take effect roughly six months after the legislation enters into force.
- Until then, your current GDPR and ePrivacy obligations remain fully in force. Do not switch off your cookie banner.
What Is the Digital Omnibus?
The Digital Omnibus is a package of “simplification” proposals from the European Commission aimed at reducing overlap and administrative burden across the EU’s digital rulebook. Rather than rewriting each law from scratch, it amends several at once – touching the GDPR, the ePrivacy rules, NIS2, DORA and the AI Act – so that obligations like incident reporting and consent are more consistent and less duplicated.
For website owners, the headline change is that cookie consent moves out of the separate ePrivacy regime and into the GDPR itself. One regulation, one enforcement framework, one set of penalties. The European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) have broadly welcomed the simplification goal while warning that protections must not be weakened in the process.
The Cookie Consent Changes That Affect Your WordPress Site
This is the part most site owners will feel directly. Four proposed changes stand out.
Change 1Single-click accept and reject
Consent banners would need to offer “accept all” and “reject all” options with equal prominence – a single click either way. The common dark pattern of a bright “Accept” button next to a buried or hidden “Reject” link would be explicitly non-compliant.
Change 2A six-month moratorium on re-asking
If a visitor declines consent, your site would not be allowed to ask again for six months. The familiar tactic of re-showing the banner on every page load or every new visit to wear users down would no longer be permitted.
Change 3Browser-level consent signals
The proposals introduce machine-readable, browser-level preference signals – similar in spirit to Global Privacy Control. Instead of clicking through a popup on every site, a visitor could set their preference once in the browser, and your WordPress site would be expected to read and respect that signal automatically. Over time, this could reduce the need for individual banners altogether.
Change 4Some analytics without a banner
Cookies used purely for security and for aggregated, anonymised audience measurement could be used without a consent banner – provided no personal profiles are built and only statistics such as visitor counts are collected. This is a meaningful relief for owners who only want basic, privacy-respecting traffic numbers.
Beyond Cookies: Other GDPR Changes in the Package
The Digital Omnibus reaches further than banners. The most relevant proposals for site owners include:
- A narrower definition of personal data in some contexts, which could take certain pseudonymised or genuinely anonymised data outside the GDPR’s scope.
- Higher breach-notification thresholds and extended reporting deadlines, easing the pressure of the current tight reporting window for lower-risk incidents.
- Clearer rules on legitimate interest, including for training AI systems on certain data.
- Unified incident reporting across GDPR, NIS2 and DORA, so overlapping notifications are streamlined. If NIS2 is on your radar, see our explainer on the NIS2 Directive for WordPress site owners.
Cookie Violations Now Carry GDPR-Level Penalties
Moving cookies into the GDPR has a sharp edge: enforcement. Cookie breaches would be policed under the same regime – and the same fines – as any other GDPR violation.
What is at stake
- Fines of up to EUR 20 million or 4% of global annual turnover, whichever is higher.
- EU supervisory authorities are coordinating cross-border audits more frequently, so a single non-compliant banner can attract attention from regulators in multiple member states.
- “Set it and forget it” cookie banners are exactly what enforcement is targeting in 2026.
What WordPress Site Owners Should Do Now
You should not rebuild everything around proposals that are not final. But there are sensible, low-regret steps you can take today that will hold up whether or not the package is adopted unchanged.
- 1
Fix dark patterns now. Make “Reject all” as easy and visible as “Accept all”. This is already best practice under current GDPR and will be mandatory if the Omnibus passes.
- 2
Check your consent plugin’s roadmap. Confirm your consent management platform (CMP) supports – or plans to support – equal-prominence buttons and browser-level signals. Reputable CMPs are already updating for this.
- 3
Stop re-prompting visitors who declined. Configure a sensible consent lifetime instead of re-asking on every visit.
- 4
Review your analytics setup. If you only need aggregate traffic numbers, consider a privacy-respecting, anonymised configuration that may not require a banner at all.
- 5
Keep your documentation current. Make sure your GDPR-compliant privacy policy and cookie notice describe what you actually do.
Quick readiness checklist
- “Accept all” and “Reject all” have equal prominence
- Declined visitors are not re-prompted constantly
- Your CMP has a plan for browser-level consent signals
- Analytics are configured for the least personal data you need
- Privacy policy and cookie notice match reality
- Someone on your team is tracking the Omnibus timeline
For a step-by-step look at consent specifically, read our companion guide on GDPR and cookie consent in 2026, and use our free homepage scanner to check where your site stands today.

