Privacy Statnive Live · Parhum Khoshbakht

The Digital Omnibus and Article 88a(3)(c): What Operators Should Watch in 2026

The European Commission's 19 November 2025 Digital Omnibus proposal includes a carve-out for audience-measurement analytics. Here's what it would change — and what it doesn't yet.

This is privacy research, not legal advice. See the footer for the full disclaimer.

TL;DR

  • Article 88a(3)(c) would carve out first-party audience analytics from EU-wide consent — if adopted, the cleanest legal path to no-banner analytics across all 27 Member States.
  • It is a Commission proposal, not law. No European Parliament plenary vote on COM(2025) 837 has happened (the 26 March 2026 plenary vote was on the separate Digital Omnibus on AI file).
  • The EDPB and EDPS issued Joint Opinion 2/2026 on 11 February 2026 raising serious concerns about reduced individual protection and legal uncertainty.
  • The proposal is a layer shift, not a parallel addition — cookie rules move from ePrivacy into GDPR; the two frameworks operate sequentially, not alongside each other.
  • Architect today for both outcomes — a cookieless, first-party, controller-only-use deployment survives the strictest current Member-State rules and qualifies on day one if Article 88a passes intact.

The proposal everyone wants to read into

On 19 November 2025 the European Commission published COM(2025) 837 final — the Digital Omnibus — a package whose interinstitutional file number is 2025/0360(COD). EUR-Lex carries the consolidated text at eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52025PC0837, and the Commission’s own landing page is digital-strategy.ec.europa.eu/en/library/digital-omnibus-regulation-proposal. Tucked inside the package is a proposed new Article 88a GDPR that — if adopted as drafted — would carve out the most-asked-about analytics use case from EU-wide consent: creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use.

That sentence, in Article 88a(3)(c) of the proposal, is what every EU operator with banner fatigue has been waiting six years to read. The previous ePrivacy Regulation proposal — the one that was supposed to harmonise national cookie laws — was finally withdrawn on 11 February 2025 after eight years of failed Council negotiations. The Digital Omnibus is the Commission’s smaller, faster, more pragmatic answer: amend GDPR directly with a limitative list of no-consent purposes and a single-click refusal mechanic.

This post is the operator’s reading: what the text actually says, what status it has in the legislative pipeline as of mid-May 2026, what it would change if it passes intact, and, most importantly, how to design today for either outcome.

What Article 88a(3) would say

The Commission’s text introduces a closed list of purposes for which processing of personal data is permitted without consent. The relevant subparagraph for analytics operators is 88a(3)(c), which permits processing for:

“creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use”

Four phrases are doing legal work here.

“Aggregated information” — not individual-level event streams. Per-visitor identifiers, per-session cookies and per-user replays would still need a separate consent basis. The carve-out is for counts, distributions, funnels, and similar aggregates.

“The audience of such a service” — audience measurement specifically, not behavioural advertising. The text does not reach retargeting, lookalike modelling, third-party-ID sharing, or any flow whose business purpose is downstream marketing.

“The controller of that online service” — the site’s own analytics. Joint controllership with an ad platform, or processing where the analytics vendor uses the data for its own purposes, falls outside the carve-out.

“Solely for its own use” — the operator’s own analytics, not a tool that pools data across customers or shares with a partner ecosystem. This is the phrase that, if the text survives intact, would settle the long-running argument about whether Google Analytics 4 fits the audience-measurement exemption (CNIL’s current position is that it does not; the Garante reached the same conclusion in its 9 June 2022 Caffeina Media decision).

The refusal mechanic — Article 88a(4)

The proposal does not just permit no-consent analytics in the abstract; it specifies the UX too. Proposed Article 88a(4) requires that operators allow refusal “in an easy and intelligible manner with a single-click button or equivalent means.” Once refused, the operator must not re-prompt for at least six months. Once accepted (where consent is sought), the operator must not re-prompt during the validity period of the consent.

The political effect is to turn the banner from a permanent fixture into a one-time decision per user, per six-month window — and, for the carve-out cases, into something that may not need to appear at the outset at all.

Browser-level signals — Article 88b

The package also proposes a new Article 88b requiring controllers to enable data subjects to give or refuse consent “through automated and machine-readable means.” Once technical standards are in place, controllers must honour those signals after a six-month grace period, and a presumption of compliance attaches to operators who do.

This is the long-awaited legal anchor for Global Privacy Control. If 88b survives in current form, the GPC signal becomes presumptively binding in EU jurisdictions, a position the CCPA already takes in California, as do several US state laws, but which the EU has, until now, left to operator discretion. Recital 46 carves out media service providers from being bound by automated signals, which is a meaningful narrowing.

Where the file is — May 2026

This is where the article gets less satisfying for operators waiting on a green light.

As of mid-May 2026, the Digital Omnibus is a Commission proposal, not law. The file is moving through the ordinary legislative procedure with joint files in the European Parliament’s:

  • ITRE committee (Industry, Research and Energy), with Aura Salla (EPP/FI) as rapporteur, and
  • LIBE committee (Civil Liberties, Justice and Home Affairs), with Marina Kaljurand (S&D/EE) as rapporteur.

The European Economic and Social Committee adopted its opinion on 18 March 2026. Council Working Party discussions are ongoing — file WK 3736/2026 INIT of 19 March 2026 shows the Netherlands, Estonia and Finland delegations actively debating the precise scope of Article 88a(3)(c).

There is no European Parliament plenary vote on COM(2025) 837 yet. A plenary vote held on 26 March 2026 approved Parliament’s negotiating position on the separate Digital Omnibus on AI file — a different proposal in the same digital simplification package. The data/privacy file in this post remains at committee stage as of mid-May 2026. Realistic adoption window — assuming the file does not stall in trilogue — is late 2026 to 2027, with entry into force likely 2027 to 2028. Proposed Article 88a would apply six months after entry into force; Article 88b within twenty-four months.

For the operator’s purposes, that means: the Digital Omnibus is a roadmap, not a present legal basis. It is the right thing to design toward, and the right thing to communicate to customers about. It is the wrong thing to bet a compliance posture on for a 2026 launch.

The file also faces serious political headwinds.

The EDPB and EDPS issued Joint Opinion 2/2026 on 11 February 2026 — a coordinated position from the European Data Protection Board (combining all 27 national DPAs) and the European Data Protection Supervisor. The joint opinion raises serious concerns that the proposed changes “may adversely affect the level of protection enjoyed by individuals,” create “legal uncertainty,” and “make data protection law more difficult to apply.” It is the most authoritative pre-trilogue DPA position possible on the file. NOYB published its Report V3 on 24 February 2026 building on the joint opinion under the framing “EU DPAs reject many proposed changes to the GDPR.”

The ITRE rapporteur appointment is contested. Seven civil-society watchdog organisations — including Transparency International EU, Corporate Europe Observatory and The Good Lobby — have jointly called for the withdrawal of Aura Salla’s appointment, citing her May 2020–April 2023 executive lobbying role at Meta Platforms as a potential conflict of interest under Article 3 of the European Parliament Code of Conduct. Salla remains the appointed rapporteur as of May 2026; the controversy is unresolved.

Media industry coalitions argue 88a(3)(c) is too narrow. A May 2026 European Broadcasting Union joint statement — joined by egta and other European media associations — argues that the audience-measurement carve-out as drafted excludes Joint Industry Committee third-party audience measurement, which is standard practice in European media. The “solely for its own use” phrase is the focal point of media-industry lobbying for amendment. The political battle is therefore live in both directions — DPAs and NGOs pushing back against the broader package, and media-industry coalitions pushing for the carve-out to be broadened.

Three sources of friction will keep operator caution warranted even if Article 88a passes substantially as drafted.

First, the proposal is a layer shift, not a parallel addition. Per Taylor Wessing’s reading of the proposal, “the ePrivacy rules will no longer apply when personal data is being processed. In those situations, only the GDPR will apply. The two frameworks will operate sequentially, not in parallel.” In other words: for personal-data terminal-equipment access (the vast majority of cookie cases, because most cookies process personal data under Breyer), Article 88a GDPR governs and ePrivacy 5(3) stops applying. For non-personal-data terminal-equipment access (a smaller, purely-technical residual), ePrivacy 5(3) continues to govern via its national transpositions (Loi 78-17 Article 82 in France, § 25 TDDDG in Germany, Article 11.7a Telecommunicatiewet in the Netherlands). The practical effect for the operator is the same shape: a cookieless first-party server-side architecture sidesteps both layers, but the legal route through them changes.

Second, Member-State implementation will vary. The CNIL has spent the last decade building Sheet n°16 into a detailed national exemption with specific lifespan caps, retention windows and aggregation requirements. The Garante and AEPD have built their own. The Digital Omnibus introduces a floor across the Union; whether national regulators retreat from their stricter positions, harmonise around the new text, or interpret the carve-out narrowly, will determine the real day-one operator burden.

Third, opposition is loud, coordinated and senior. As covered above: the EDPB-EDPS Joint Opinion 2/2026 of 11 February 2026, the NOYB Report V3 of 24 February 2026, and the civil-society call for withdrawal of the ITRE rapporteur all run against the broader package. The audience-measurement carve-out itself enjoys relatively broad DPA support; whether Parliament can decouple individual provisions, or votes the package as a whole, will shape the final text. A package vote with last-minute amendments is a worse outcome for legal certainty than a clean Article 88a passage.

What changes for operators if 88a(3)(c) passes intact

Run a quick mental delta against the current 2026 posture.

EU-wide consent exemption for first-party aggregated analytics. A single configuration would satisfy France, Germany, Italy, Spain, the Netherlands and the remaining Member States simultaneously — without each one’s national carve-out test. The CNIL’s seven-point Sheet 16, the AEPD’s audience-measurement guide, the Garante’s 10 June 2021 cookie guidelines and the AP’s analytical-cookie position would all be subsumed by a stricter EU-level rule that is also stricter than today’s UK ICO line. Because Article 88a is a layer shift — cookie rules move from ePrivacy into GDPR for any personal-data case — Germany’s § 25 TDDDG no-consent-without-strict-necessity bar would, for personal-data cookies, be superseded by the new Article 88a GDPR rule. The much narrower residual ePrivacy 5(3) layer would still cover purely-non-personal-data terminal-equipment access, but that is a narrow class in practice.

Refusal becomes a six-month opt-out, not a per-session friction. The Article 88a(4) “one-click refusal, no re-prompt for six months” rule makes the consent UX a once-per-half-year decision. For operators currently re-prompting on every session because their CMP defaults to a 30-day cookie lifetime, this is a meaningful UX win.

Browser-level signals (GPC) become presumptively binding. Article 88b grants a presumption of compliance to controllers honouring machine-readable consent signals. The plausible operator move is to honour GPC immediately rather than wait for standards adoption.

The IAB Europe TCF battle becomes narrower. If aggregated audience measurement does not need a TC string, the surface area of the TCF dispute (which has already produced the CJEU’s IAB Europe judgment, C-604/22, 7 March 2024) shrinks. Operators relying on legitimate-interest-only audience analytics get a clean GDPR basis without IAB-TCF entanglement.

What does not change: the Article 5(3) ePrivacy “storage and access on terminal equipment” layer for cookies and localStorage; the Article 28 processor relationship for any SaaS analytics provider; the Article 33 breach-notification clock; the Article 35 DPIA trigger for high-risk processing; and the Article 15/17 data-subject rights — all of which continue to apply on top of the new no-consent carve-out.

Designing today for either outcome

The robust operator position right now is to design a configuration that survives both the current 2026 patchwork AND the proposed Digital Omnibus text, so that the day Article 88a applies, nothing in the analytics stack needs to change.

The configuration that survives both:

  • No cookies, no localStorage, no fingerprinting. Satisfies Germany’s strictly-necessary bar today (because no terminal-equipment storage or access happens at all); after the layer shift, the same architecture satisfies Article 88a GDPR for any residual personal-data processing.
  • First-party data collection on the operator’s own domain. Aligns with CNIL Sheet 16’s first-party condition; aligns with Article 88a(3)(c)’s “controller of that online service” phrase.
  • Aggregated rollups, not individual event streams. Aligns with CNIL’s aggregation-to-nearest-10 recommendation and with the Article 88a(3)(c) “aggregated information” phrase.
  • No cross-customer data pooling. Aligns with CNIL Sheet 16’s prohibition on shared raw data; aligns with the “solely for its own use” phrase.
  • Honour GPC and DNT at the ingest layer. Aligns with the proposed Article 88b “automated and machine-readable means” — and gives the operator a credible “we already honour browser signals” answer if a regulator asks today.
  • Bounded retention. CNIL’s 25-month ceiling is the strictest current European bar; Article 88a does not specify a retention cap directly but the GDPR Article 5(1)(e) storage-limitation principle still applies. Designing to the CNIL ceiling now gives the broadest forward compatibility.
  • A documented Legitimate Interest Assessment under Article 6(1)(f). Because the storage/access layer (ePrivacy 5(3)) is bypassed and the operator processes pseudonymous identifiers (an IP, a hashed cookie ID), the GDPR Article 6 basis remains a live question today and probably tomorrow. The EDPB Guidelines 1/2024 three-step test (interest identification → necessity → balancing) is the durable template.

This is also the architecture Statnive Live ships by default. Its consent-free site-policy preset turns off cookies and localStorage, derives daily-rotating BLAKE3-HMAC visitor hashes that destroy themselves at salt rotation, truncates IPs server-side, reduces User-Agents to major versions, and stores only the host portion of the referrer. Its hybrid preset adds a server-enforced upgrade path for operators who want anonymous aggregate analytics first, then full attribution after a visitor accepts a banner — a pattern Google rolled out in March 2024 as “Consent Mode v2” but ships in Statnive Live with server-side enforcement instead of client-side trust.
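
The configuration above expressed as ingest-layer code, as an added example that is not Statnive Live's implementation. The function names, the request dictionary shape, the /24 and /48 truncation prefixes, hashing the truncated IP, and the use of HMAC-SHA-256 from the standard library in place of BLAKE3 are all assumptions of this example.

```python
import hashlib
import hmac
import ipaddress
import re
import secrets
from urllib.parse import urlsplit


def opted_out(headers):
    """True if the browser sent GPC or DNT (header names already lower-cased)."""
    return headers.get("sec-gpc", "").strip() == "1" or headers.get("dnt", "").strip() == "1"


def truncate_ip(ip):
    """Zero the host bits: /24 for IPv4, /48 for IPv6 (prefix lengths are an assumption)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def ua_major(user_agent):
    """Reduce a User-Agent string to browser family plus major version."""
    patterns = (("Edge", r"Edg/(\d+)"), ("Firefox", r"Firefox/(\d+)"),
                ("Chrome", r"Chrome/(\d+)"), ("Safari", r"Version/(\d+).*Safari"))
    for family, pattern in patterns:
        match = re.search(pattern, user_agent)
        if match:
            return f"{family} {match.group(1)}"
    return "Other"


class DailySalt:
    """Random salt kept in memory only and replaced when the date changes.
    Once replaced, hashes from earlier days can no longer be recomputed or linked."""

    def __init__(self):
        self._day, self._salt = None, b""

    def for_day(self, day):
        if day != self._day:
            self._day, self._salt = day, secrets.token_bytes(32)
        return self._salt


def visitor_hash(salt, site, ip, user_agent):
    """Keyed hash over already-reduced fields. HMAC-SHA-256 stands in for BLAKE3 here."""
    message = "|".join((site, truncate_ip(ip), ua_major(user_agent))).encode()
    return hmac.new(salt, message, hashlib.sha256).hexdigest()[:16]


def ingest(request, salts, today, uniques, pageviews):
    """Handle one hit. Returns False, storing nothing, when the visitor opted out."""
    headers = {k.lower(): v for k, v in request["headers"].items()}
    if opted_out(headers):
        return False
    ua = headers.get("user-agent", "")
    referrer_host = urlsplit(request.get("referrer", "")).hostname or "(direct)"
    uniques.add(visitor_hash(salts.for_day(today), request["site"], request["ip"], ua))
    pageviews[(request["path"], referrer_host, ua_major(ua))] += 1
    return True


def round_to_10(count):
    """Round a reported count to the nearest 10 (halves round up)."""
    return (count + 5) // 10 * 10
```

Only the per-day set of hashes and the aggregate counter persist; the raw IP, full User-Agent and full referrer URL never leave `ingest`.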

The eleven-jurisdiction site-policy enum that Statnive Live exposes — DE, FR, IT, ES, NL, BE, IE, UK, OTHER-EU, IR, OTHER-NON-EU — has a hard-rule validator that prevents German operators from selecting permissive mode (§ 25 TDDDG forbids it) and from selecting consent-required without an active consent integration. The same enum maps cleanly to a future Article 88a world: every cell that today derives to consent-free continues to apply; the operator’s burden does not change.

What to watch through 2026 and 2027

A short watchlist for operators tracking the file:

  1. Resolution of the Salla rapporteur controversy. Whether ITRE coordinators respond to the civil-society call for withdrawal, and whether the outcome is a substitution, a delegated drafting role, or no change, will shape the political tenor of the file.
  2. Parliament rapporteur reports from ITRE and LIBE. These will shape the trilogue position. Aura Salla (EPP) and Marina Kaljurand (S&D) have different political baselines and the audience-measurement carve-out may attract amendments from either side. Media-industry lobbying argues 88a(3)(c) is too narrow (excludes Joint Industry Committee third-party measurement); privacy NGOs are more comfortable with the current narrow scope.
  3. Council Working Party scope debates on Article 88a(3)(c). Working Document WK 3736/2026 INIT signals the Dutch, Estonian and Finnish delegations are probing what “solely for its own use” means in practice. Watch whether the Council narrows or broadens it.
  4. EDPB and EDPS follow-up positioning. The Joint Opinion 2/2026 of 11 February 2026 is the most authoritative pre-trilogue DPA position possible. Any follow-up — supplementary opinion, individual national DPA statements, or a coordinated alternative text — will be a strong signal.
  5. NOYB Report V4 and litigation strategy. Report V3 of 24 February 2026 supplements V1 and V2 with explicit commentary on the joint opinion. NOYB has not opposed the audience-measurement carve-out itself but may challenge the implementation: TC-string-style entanglements, dark-pattern refusal UIs, or operators conflating audience measurement with retargeting.
  6. National regulator pre-emption. CNIL, Garante and AEPD may publish guidance ahead of adoption, signalling how each will read Article 88a within its own national legal order. Watch the CNIL especially; its post-1-January-2026 audience-measurement self-assessment guidance is the most operator-facing reading of any EU regulator and would normally be the first to update.
  7. Trilogue calendar. If the file enters trilogue in late 2026, watch for substantive amendments to Article 88a(3)(c). Past experience with the ePrivacy Regulation suggests the cleanest text out of the Commission is often diluted by the time the Council and Parliament reach a deal.

What to do, and what to skip

Do:

  • Treat Article 88a(3)(c) as a roadmap — design today’s architecture so it qualifies on day one if the text passes intact.
  • Architect to satisfy the strictest current Member-State regime (§ 25 TDDDG in Germany) so the configuration is forward-compatible.
  • When the file moves, re-read the EDPB-EDPS Joint Opinion 2/2026 alongside it — DPA positioning will shape the final scope.
  • Stamp every regulatory-update page with the retrieval date so readers know which snapshot they are reading.
  • Subscribe to the Legislative Train Schedule for COM(2025) 837 status changes.

Don’t:

  • Treat Article 88a(3)(c) as a present legal basis. It is a Commission proposal; the Parliament has not voted.
  • Build for the most permissive future text and discover at trilogue that the Council narrowed the carve-out.
  • Cite the carve-out as if it were settled law. Every reference to Article 88a should carry “proposal, no Parliament plenary vote.”
  • Conflate the 26 March 2026 Parliament vote on the Digital Omnibus on AI with COM(2025) 837 — they are separate files.
  • Bet a product launch on the Omnibus adoption timeline. Realistic entry into force is 2027 to 2028.

The operator takeaway

Article 88a(3)(c) is the most operator-friendly text on EU cookie reform since 2018. It would, if adopted intact, retire the per-country audience-measurement compliance puzzle and replace it with a single Union-wide rule. It is also a proposal, not law; the file has not yet seen a Parliament plenary vote; adoption is unlikely before 2027; and the ePrivacy Article 5(3) terminal-equipment layer continues to apply alongside it.

The robust position is to architect today for the strictest current regime (Section 25 TDDDG in Germany) and the proposed carve-out simultaneously — so that whether the Digital Omnibus passes intact, passes diluted, or stalls, the operator’s analytics stack continues to operate unchanged. That is what we built Statnive Live to be: a configuration that does not depend on the Digital Omnibus passing, but is positioned to qualify on day one if it does.

For the deeper how-to behind each Member-State carve-out — France’s CNIL Sheet 16, Germany’s § 25 TDDDG server-side-only constraint, and the country-by-country map — see the linked posts in this series. For the full architecture the Commission’s text would let an operator standardise on, the 2026 EU Consent-Free Analytics Playbook is the pillar piece.


This is privacy research, not legal advice. The configurations described qualify under regulator guidance when deployed per a documented Legitimate Interest Assessment and the relevant per-country self-assessment. Every Statnive customer remains the data controller and bears responsibility for its own configuration and DPIA. Cross-reference with qualified counsel in your jurisdiction before publication.

Status of regulatory references as of 13 May 2026: Digital Omnibus COM(2025) 837 final — Commission proposal of 19 November 2025; joint files in ITRE (rapporteur Aura Salla EPP/FI — appointment contested by seven civil-society organisations as of February 2026) and LIBE (rapporteur Marina Kaljurand S&D/EE); EESC opinion adopted 18 March 2026; Council Working Party file WK 3736/2026 INIT of 19 March 2026; EDPB-EDPS Joint Opinion 2/2026 of 11 February 2026 raising concerns about individual protection and legal certainty; NOYB Report V3 of 24 February 2026; European media associations joint statement May 2026 (88a(3)(c) too narrow); no European Parliament plenary vote on COM(2025) 837 (the 26 March 2026 plenary vote was on the separate Digital Omnibus on AI file). ePrivacy Directive 2002/58/EC as amended by 2009/136/EC — in force; under the Digital Omnibus proposal, the cookie-rule layer shifts into GDPR Article 88a for personal-data cases. EDPB Guidelines 2/2023 v2.0 of 7 October 2024 and EDPB Guidelines 1/2024 of 8 October 2024 — in force. CJEU C-621/22 KNLTB (ECLI:EU:C:2024:857) — decided 4 October 2024. The earlier ePrivacy Regulation proposal was withdrawn by the Commission on 11 February 2025.
