COM(2025) 837 — the Digital Omnibus Regulation — proposes moving cookie and terminal-equipment consent out of the ePrivacy Directive and into the GDPR through two new articles. The changes introduce a single-click refusal requirement, a first-party analytics exemption, a 6-month ban on re-asking after refusal, and a new obligation for browsers and operating systems to support machine-readable consent signals.
PROPOSAL — COM(2025) 837
This page describes proposals in COM(2025) 837 (the Digital Omnibus Regulation) that are not yet law. The ePrivacy Directive Article 5(3) remains the applicable rule until COM(2025) 837 is formally adopted, published in the Official Journal, and the relevant entry-into-force timelines pass. All provisions on this page are subject to amendment during the legislative process.
The ePrivacy Directive is a minimum harmonisation Directive — each Member State implements it differently, producing 27 national frameworks. The Commission's Omnibus impact assessment found this fragmentation creates significant legal uncertainty and compliance costs, particularly for online businesses operating across borders. By migrating to GDPR (a Regulation with direct effect), the same rule applies identically in every Member State and is enforced by the same GDPR supervisory authorities. The GDPR's stronger enforcement powers (fines up to 4% of global annual turnover) would apply to terminal-equipment consent violations.
ePrivacy Article 5(3) will be narrowed: after the GDPR amendment is adopted, it will only apply to storing or accessing non-personal information in terminal equipment. All personal data accessed via cookies or similar technologies will be governed by the new GDPR Articles 88a and 88b.
PROPOSAL — not yet enacted law
The general rule — Art 88a(1)
Storing personal data in, or gaining access to personal data already stored in, the terminal equipment of a natural person is only permitted with the data subject's consent as specified in the GDPR. This replaces ePrivacy Article 5(3)'s consent requirement for personal data.
Four consent exemptions — Art 88a(3)
Consent is not required for the following four purposes:
Where consent is required — Art 88a(4)
When Art 88a applies — Art 88a(5)
Article 88a applies from 6 months after the entry into force of the Regulation. The entry into force date depends on when COM(2025) 837 is formally adopted and published.
PROPOSAL — not yet enacted law
Controller obligations — Art 88b(1)–(2)
Controllers must ensure that their online interfaces allow data subjects to:
Controllers must respect choices made through automated technical means — a browser or OS setting expressing global consent preferences is legally binding on the controller.
Browser and OS provider obligations — Art 88b(3)
Providers of web browsers, operating systems, and other software enabling internet access that are not micro, small or medium-sized enterprises must provide and implement technical means for data subjects to express and manage their consent choices. This applies to large browser and OS vendors — Chrome, Firefox, Safari, Edge, Windows, macOS, iOS, Android. SMEs are exempted.
Harmonised standards — Art 88b(4)–(5)
The Commission shall request European standardisation bodies to develop harmonised standards for the technical means. Controllers that implement those harmonised standards will be presumed to comply with Art 88b(1). This creates a safe harbour for compliant implementations.
Media service provider exemption — Art 88b(6)
Media service providers are not obliged to respect machine-readable refusal signals from data subjects. This carve-out reflects the specific business model of ad-supported news and content publishers, where blanket browser-level refusal could threaten the viability of free journalism. Consent banners still apply; the exemption is limited to automated browser-level signals.
PROPOSAL — all dates are relative to entry into force, which has not yet occurred
| Provision | Who | Timeline |
|---|---|---|
| GDPR Art 88a — terminal data consent | All controllers | 6 months after entry into force |
| GDPR Art 88b(1)–(5) — machine-readable signals | All controllers (website/app operators) | 24 months after entry into force |
| GDPR Art 88b(3) — implement signal support | Non-SME browser & OS providers | 48 months after entry into force |
ePrivacy Art 5(3) will be narrowed (no longer applies to personal data) upon adoption. ePrivacy Art 4 (security obligations) will be deleted — those obligations move to NIS2.
AI-powered personalisation and recommendation engines
Most personalisation engines rely on cookies or device identifiers to build user profiles. If personal data is involved, consent remains required — but now under GDPR rules directly. The single-click refusal and 6-month no re-ask rules will require redesigning consent flows, and controllers must also decide how personalisation degrades when consent is absent or has been refused.
AI analytics and model training
First-party analytics (Art 88a(3)(c) exemption) may free up behavioural data for training or evaluation purposes without consent — provided data stays with the controller. Transfer to a third-party model-training platform would not qualify and would still need consent.
Browser-based AI assistants
Browser vendors providing built-in AI features (autocomplete, AI search, writing assistance) that access page content or user data are directly in scope of Art 88b(3). They must provide and implement technical consent signals — and must respect machine-readable refusal from users.
EU Digital Identity Wallet
The machine-readable signal framework is designed to be compatible with the EU Digital Identity Wallet's consent mechanisms. AI systems integrated with wallet-based identity flows will be able to receive and respect wallet-expressed consent preferences automatically.
COM(2025) 837 proposes moving cookie and terminal-equipment consent from the ePrivacy Directive into the GDPR through two new articles: Article 88a and Article 88b. Under current EU law, storing or accessing information in someone's terminal equipment (e.g. setting or reading cookies) is governed by Article 5(3) of the ePrivacy Directive. The proposal narrows ePrivacy Article 5(3) so it no longer applies to personal data. Once adopted, the new GDPR provisions will require consent for accessing personal data on devices, introduce a single-click refusal requirement, prohibit re-asking for at least 6 months after a refusal, and require controllers to support machine-readable consent and refusal signals.
Yes. Under proposed GDPR Article 88a(3)(c), accessing or storing personal data on a device for the purpose of creating aggregated information about the usage of an online service to measure its audience does not require consent — provided the measurement is carried out by the controller of that service solely for its own use. This is targeted at first-party analytics where the operator measures their own website traffic using data that goes no further than their own operations. Cookie banners for first-party analytics tools (such as own-hosted Matomo or compliant Google Analytics with data remaining in-house) would no longer be legally required. Cross-site tracking, advertising, and data-sharing analytics would still require consent.
Under proposed GDPR Article 88a(4)(a), where consent is required for storing or accessing personal data on a device, the data subject must be able to refuse consent with a single-click button or equivalent technical means that is simple and intuitive to use. The design must make refusal as easy as acceptance — a core principle that the ePrivacy Directive contained but which has been inconsistently enforced. This directly targets deceptive cookie consent flows (dark patterns) that require multiple clicks to refuse while acceptance is one click.
Under proposed GDPR Article 88a(4)(c), where a data subject declines consent for storing or accessing personal data on their device, the controller cannot make a new consent request for the same purpose for at least 6 months. There is a parallel rule in Article 88a(4)(b): where consent has been given, the controller cannot make a new consent request for the same purpose during the period for which it can lawfully rely on that consent. Together these provisions prevent both repeated rejection harassment and unnecessary periodic re-consent prompts that have become a source of user fatigue.
Proposed GDPR Article 88b requires two categories of actor to support automated consent signals. Controllers (website and app operators) must ensure their online interfaces allow data subjects to give and refuse consent through automated, machine-readable means — in addition to the existing consent banner approach. Non-SME providers of web browsers, operating systems, and other software enabling internet access must provide technical means for users to express and store their consent preferences, which those browsers and systems must implement. The Commission will request harmonised European standards from standardisation bodies. Controllers that meet the harmonised standards are presumed to comply. Media service providers are exempt from the obligation to respect machine-readable refusal signals under Article 88b(6).
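As an added illustration (not code from COM(2025) 837, from Regumatrix, or from any browser vendor), the following is a minimal controller-side consent gate that encodes this page's reading of the first-party analytics exemption, the two no-re-ask rules, and the binding effect of automated signals, including the media-service-provider carve-out. The function names, the stored-record shape, and the reading of "at least 6 months" as 183 days are assumptions.

```javascript
// Added example: a consent gate modelled on this page's description of proposed
// GDPR Art 88a(3)(c), 88a(4)(b)-(c) and 88b(2)/(6). Names and record shape are assumed.
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // assumed reading of "at least 6 months"

// Art 88a(3)(c): aggregated audience measurement carried out by the controller of the
// service solely for its own use. Measurement shared with a third party is not exempt.
function isExemptPurpose(purpose) {
  return purpose.kind === "audience-measurement" && purpose.firstPartyOnly === true;
}

// Decide what the controller may do for one purpose.
//   record: last stored decision for this purpose, or null:
//           { decision: "given" | "refused", at: ms, validUntil?: ms }
//   signal: machine-readable browser/OS preference for this purpose: "given" | "refused" | null
//   ctx:    { now: ms, mediaServiceProvider: boolean }
// Returns { process, prompt, reason }: whether data may be processed and whether a banner may be shown.
function consentGate(purpose, record, signal, ctx) {
  if (isExemptPurpose(purpose)) {
    return { process: true, prompt: false, reason: "art 88a(3)(c) exemption" };
  }
  // Art 88b(2): an automated signal is binding on the controller. Art 88b(6): a media
  // service provider need not honour an automated refusal, but an automated consent still counts.
  if (signal === "given") {
    return { process: true, prompt: false, reason: "machine-readable consent" };
  }
  if (signal === "refused" && !ctx.mediaServiceProvider) {
    return { process: false, prompt: false, reason: "machine-readable refusal" };
  }
  if (record && record.decision === "given") {
    // Art 88a(4)(b): no new request while the controller can lawfully rely on the consent.
    const inForce = record.validUntil === undefined || ctx.now < record.validUntil;
    return inForce
      ? { process: true, prompt: false, reason: "consent in force" }
      : { process: false, prompt: true, reason: "consent expired" };
  }
  if (record && record.decision === "refused") {
    // Art 88a(4)(c): no new request for the same purpose for at least 6 months after refusal.
    const coolingOffOver = ctx.now - record.at >= SIX_MONTHS_MS;
    return {
      process: false,
      prompt: coolingOffOver,
      reason: coolingOffOver ? "refusal cooling-off elapsed" : "refused within the last 6 months",
    };
  }
  return { process: false, prompt: true, reason: "no decision recorded" };
}
```

The stored refusal record is what makes the 6-month rule enforceable, so it must survive cookie clearing on the controller side (for example keyed to an account) or the rule silently resets.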