EU Digital Omnibus: New Requirements for Websites and Online Services
Source: Dev.to
Overview
The EU proposed the Digital Omnibus on 19 November 2025, updating consent and cookie‑handling requirements for websites operating in Europe. The changes affect any site that receives EU traffic, regardless of where the company is based, and focus on technical implementation as well as legal compliance.
Machine‑readable consent signals
The Digital Omnibus introduces machine‑readable consent signals. Instead of relying solely on click‑based consent banners, websites must now process automated signals sent by browsers and operating systems.
- Browsers send headers or use APIs to communicate user preferences.
- Websites read these signals and apply them to cookie and tracking decisions.
Sites still need traditional consent interfaces for users who haven’t set browser‑level preferences, but the architecture must support both manual and automated consent flows.
Old vs. new consent flow
| Step | Previous setup | New setup |
|---|---|---|
| 1 | User visits site, sees banner, clicks Accept or Reject. | Browser checks if the user set a global preference. |
| 2 | Site stores the preference in a cookie or local storage. | Browser sends a signal to the site. |
| 3 | Site applies the stored preference. | Site applies the preference automatically; banner is shown only if no signal exists. |
The backend must first check for automated signals and fall back to manual consent collection when none are present.
Integration of GDPR and ePrivacy
Previously, GDPR and ePrivacy operated as separate regulations, leading developers to implement different solutions—sometimes with conflicting approaches. The Digital Omnibus merges these into a single framework, applying the same consent standards to:
- Cookies
- Tracking pixels
- Analytics
- Data‑collection forms
This consolidation simplifies architecture: one consent system now covers all use cases.
Consent logs
Sites must maintain detailed consent logs for every interaction, recording:
- Timestamp
- User identifier
- What was consented to
- Method of consent collection (automated signal or manual action)
Logs must survive server crashes, database migrations, and system updates, and they need to be queryable for audits and accessible for user data requests.
Consent Management Platforms (CMPs) typically provide:
- APIs for consent capture
- Storage systems for logs
- Admin interfaces for audit access
Building this infrastructure from scratch is time‑consuming; most teams integrate an existing CMP.
Essential vs. non‑essential cookies
- Functional cookies (no consent required): session management, authentication, load balancing, security features.
- Non‑essential cookies (consent required): analytics, advertising, social‑media widgets, chat plugins, recommendation engines.
The Digital Omnibus tightens definitions of “essential.” Teams must audit cookie usage and categorize each cookie accurately. Misclassifying a cookie as essential when it isn’t creates compliance risk.
Implementation checklist
- Verify support for machine‑readable signals – many older implementations only handle click events.
- Update consent‑checking logic – before setting any non‑essential cookie, verify consent via automated signals or manual user action.
- Implement proper logging – record every consent decision with full context.
- Test across browsers and operating systems – signal implementations vary.
- Avoid one‑time implementations – regulations evolve; design for updates.
- Don’t rely solely on cookies/local storage for consent state – they can be cleared, losing the record.
- Choose the right CMP – platforms differ in features; the wrong choice adds technical debt.
- Document cookie purposes clearly – users and regulators need to understand each cookie’s role.
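The signal-first decision order and the consent-log fields described above, as an added Python example that is not code from the article or from any CMP. Assumptions: the article names no signal format, so the existing Global Privacy Control header (`Sec-GPC: 1`, an opt-out signal) stands in for it; all function names are hypothetical; the HMAC chain that makes log edits detectable goes beyond the fields the article lists.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Assumed, not from the article: the signal is a "Sec-GPC: 1" request header
# and manual banner choices are stored server-side, not only in a cookie.
ESSENTIAL = {"session", "authentication", "load_balancing", "security"}
LOG_KEY = b"constructed-demo-key"  # placeholder; load from a secret store

def resolve_consent(headers, manual_choice):
    """Automated signal first, then manual choice, else deny and show banner."""
    signal = {k.lower(): v.strip() for k, v in headers.items()}.get("sec-gpc")
    if signal == "1":
        return {"granted": False, "method": "automated_signal", "banner": False}
    if manual_choice is not None:
        return {"granted": bool(manual_choice), "method": "manual_action", "banner": False}
    return {"granted": False, "method": "none", "banner": True}

def may_set_cookie(category, decision):
    """Essential categories need no consent; everything else needs a grant."""
    return category in ESSENTIAL or decision["granted"]

def _mac(fields):
    return hmac.new(LOG_KEY, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def append_log(log, user_id, scope, decision, now=None):
    """Append a record chained to the previous one so later edits are detectable."""
    record = {
        "timestamp": (now or datetime.now(timezone.utc)).isoformat(),
        "user": user_id,
        "scope": sorted(scope),
        "granted": decision["granted"],
        "method": decision["method"],
        "prev": log[-1]["mac"] if log else "",
    }
    record["mac"] = _mac(record)
    log.append(record)
    return record

def verify_log(log):
    """Recompute each MAC and link; False if a record was altered or removed."""
    prev = ""
    for rec in log:
        expected = _mac({k: v for k, v in rec.items() if k != "mac"})
        if rec["prev"] != prev or not hmac.compare_digest(expected, rec["mac"]):
            return False
        prev = rec["mac"]
    return True
```

Because the signal is checked before any stored choice, a request carrying the opt-out header is denied even when an earlier manual "accept" exists for that user.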
Performance considerations
- Cache consent states where possible to avoid repeated database queries.
- Load consent interfaces asynchronously so they don’t block page rendering.
- Monitor consent‑system performance separately from main application metrics; slowdowns affect the entire site.
Security and privacy of consent logs
Consent logs contain personal data and are subject to the same protection requirements as other user information:
- Encrypt sensitive fields.
- Control access to consent records.
- Implement retention policies that match regulatory requirements.
When users request data deletion, consent logs usually remain for legal compliance. This exception must be documented in privacy policies and deletion workflows.
Future‑proofing
- Plan architecture for both current and future consent mechanisms – regulations will continue evolving.
- Prefer established tools over custom implementations to reduce maintenance burden.
Benefits
The technical changes aim to improve user experience: fewer intrusive banners and smoother interactions benefit both users and site owners when implemented correctly.