The EU Digital Omnibus Act: What It Means for Your Analytics (and Whether GA4 Qualifies)

Europeans spend 575 million hours per year clicking cookie consent banners. That's EUR 14.375 billion in lost productivity. About 0.10% of the EU's entire GDP, gone to clicking "Reject All" on pop-ups that nobody reads.

The European Commission has finally decided this is a problem worth solving. On November 19, 2025, they published the Digital Omnibus, a sweeping proposal to simplify the EU's digital rulebook. Buried inside it is a change that could reshape the analytics market entirely: a consent exemption for audience measurement. If your analytics tool qualifies, you won't need a cookie banner for it. If it doesn't, you'll still need one.

I'm David, founder of Clickport. I've read the proposal, the EDPB-EDPS Joint Opinion, the law firm analyses, and the 133-organization open letter calling it "the greatest rollback of digital rights in EU history." This article covers the full picture. What the exemption actually says, whether your analytics tool qualifies, and what you should do about it.

The EU just rewrote the cookie rules

For over two decades, cookie consent has been governed by the ePrivacy Directive from 2002. Each EU member state transposed it into national law differently. Germany has its TDDDG. France has CNIL's implementation. Belgium has its 2005 Act. Twenty-seven countries, twenty-seven different cookie laws.

The ePrivacy Regulation was supposed to fix this fragmentation. Proposed in January 2017, it was meant to modernize the rules and create a single EU-wide framework. Nine Council presidencies took a crack at it. All nine failed. On February 11, 2025, the Commission formally withdrew the proposal. Eight years of drafts, amendments, and debates. Nothing to show for it.

The Digital Omnibus takes a different approach. Instead of creating a new regulation, it folds cookie rules directly into the GDPR via a new Article 88a. One regulation, directly applicable across all 27 member states, enforced by existing GDPR infrastructure. No more national transposition differences.

The Digital Omnibus does more than just move rules around. It introduces anti-consent-fatigue measures: websites must offer a single-click refusal button, and if a user declines consent, the site cannot re-ask for the same purpose for at least six months. A companion Article 88b mandates that browsers must be able to send standardized privacy signals to websites, and websites must respect them. Think of it as Global Privacy Control becoming legally required.

But the biggest change for analytics is Article 88a, paragraph 3, subparagraph (c). The consent exemption for audience measurement.

Article 88a: the consent exemption for analytics

Here's the exact wording of the proposed exemption. Consent is not required for:

"Creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use."

That's a single sentence with five conditions baked into it. Let's break each one down.

The EDPB and EDPS have called for the exemptions to be "further specified" before adoption. But the direction is clear: first-party, aggregated analytics for your own website, with no data leaking to third parties. That's the lane.

An important nuance on session-level data: multiple legal analyses confirm that "aggregated" refers to the purpose of measurement, not a ban on ever seeing granular data. SealMetrics explains it well: a store can count customers and see what each person buys to calculate totals, but cannot track individuals across stores. Session-level collection is permitted as long as it feeds into aggregate reporting and individuals cannot be re-identified or tracked across sessions.

Does Google Analytics qualify?

No. The consensus from privacy lawyers, analytics vendors, and data protection authorities is unanimous: GA4 does not meet the Article 88a criteria, and no realistic configuration can make it qualify.

Here's why, condition by condition.

GA4 sets persistent cookies. The _ga cookie has a 2-year expiry. The _ga_<container> cookie also has a 2-year expiry. When Google Signals is enabled, it connects user activity across devices via Google account data. These are not temporary session identifiers.

Data flows to Google, a third party. All event data is transmitted to Google's servers and processed on Google's infrastructure. Google uses aggregated customer data for product development and improvement. The integration with Google Ads, DV360, and the broader advertising ecosystem means your analytics data does not stay "solely for your own use."

Cross-site tracking is structural. When Google Signals is active, cross-device tracking is baked in. Cross-domain tracking passes user identifiers between domains via URL parameters. Even without running Google Ads, GA4 data participates in Google's broader data infrastructure.

Can GA4 be configured to qualify? The short answer: no. Even with Google Signals off, advertising features off, and no Google Ads linking, the structural issue remains. Data is processed on Google's servers. Google is both the processor and a company with advertising interests in the same data ecosystem. CNIL has noted that making GA4 exempt would require "proxyfication," routing all data through a reverse proxy to strip identifiers before they reach Google. This is out of reach for most organizations.

Consent Mode v2 doesn't help either. Google's Advanced Consent Mode sends anonymous "cookieless pings" when users decline consent, then uses machine learning to model conversions. But the data still flows to Google, a third party. The analytics provider still reuses data for product development. The fundamental Article 88a requirement of "solely for its own use" is structurally incompatible with how GA4 works.

Google has made no public statement on whether GA4 qualifies for the Article 88a exemption.

The data you're already losing

The consent exemption isn't just a regulatory convenience. It solves a real measurement problem. If your analytics tool requires consent, you're losing the majority of your data in European markets right now.

Germany and France: 75-87% rejection rates. When websites offer a compliant "Reject All" button with equal prominence to "Accept All," fewer than 25% of German and French visitors accept cookies. In some studies, 87% reject in France. The Netherlands and Sweden hover around 77% rejection.

GA4 misses 55.6% of traffic. An independent study by Orbit Media and Plausible compared GA4 against cookieless analytics on the same websites. GA4 failed to capture an average of 55.6% of actual traffic when consent banners were displayed.

The ICO saw a 90.8% drop. The UK's own Information Commissioner's Office measured traffic in Google Analytics at 119,417 users/day. After implementing their own best-practice cookie consent, that number fell to 10,967. A 90.8% drop. The actual visitors didn't decline. They just became invisible.

Consent Mode behavioral modeling has a dirty secret. Google's machine learning model that fills in gaps from non-consenting users requires 1,000+ daily events from denying users for 7 consecutive days AND 1,000+ daily events from consenting users. Most websites under 30,000 monthly visitors never hit these thresholds. The modeling never activates. Data from non-consenting users is permanently lost.

The cost of consent infrastructure. Beyond data loss, consent management platforms themselves are expensive. CookieYes starts at $8.33/month. Cookiebot starts at $8/month for 50 subpages. Enterprise solutions like OneTrust cost a median of $11,500/year. That's money spent to show a pop-up that makes 60-87% of your visitors invisible.

Tools that qualify for the Article 88a exemption eliminate this entire problem. No consent banner for analytics. No CMP cost. No data loss from rejection. 100% of visitors visible from day one.

Which analytics tools actually qualify?

The exemption isn't about which tool you use. It's about how the tool is architecturally designed. Here's how the major analytics tools stack up against Article 88a's five requirements.

The pattern is clear. Tools that were built to be cookieless and first-party from the start qualify by default. Tools that were built for advertising ecosystems structurally cannot. The Article 88a exemption doesn't create a new category. It validates what privacy-first analytics tools have been doing all along.

The Audience Measurement Coalition has actually complained that the exemption is too narrow. Their concern is that the "solely for its own use" restriction blocks independent audience measurement by joint industry committees. If even industry groups think it's too restrictive, that tells you how tight the criteria are.

The UK already did this

While the EU debates, the UK has already acted. The Data (Use and Access) Act received Royal Assent on June 13, 2025. Section 112 introduces a statistical purposes exception: consent is not required for analytics cookies used to gather aggregate statistical information about how a website is used, provided the resulting data cannot identify individuals and an opt-out mechanism is offered.

This is significant. The UK went from requiring consent for all non-essential cookies (under PECR) to explicitly exempting privacy-respecting analytics. And it's already in force.

For businesses serving both UK and EU audiences, the direction is unmistakable. Both jurisdictions are converging on the same answer: first-party, aggregated analytics that don't track individuals should not require consent.

Meanwhile in the US, the California Privacy Protection Agency fined Capital One nearly $350,000 in May 2025 for transmitting financial data to advertising platforms via analytics pixels. Over 1,500 businesses have been sued under CIPA in the past 18 months for website tracking that constitutes "wiretapping." Not a single CIPA lawsuit has targeted a cookieless, first-party analytics provider. Every case targets tools that send data to third parties.

The political battle you should understand

The analytics exemption doesn't exist in a vacuum. It's part of a broader Digital Omnibus package that has become one of the most contentious pieces of EU legislation in years.

133 civil society organizations signed an open letter calling the Omnibus "the greatest rollback of fundamental digital rights in EU history." Max Schrems' organization noyb published three versions of a detailed legal analysis, calling it "the biggest attack on Europeans' digital rights in years." EDRi called it "a major rollback of EU digital protections." The EFF called it "full of bad and confusing ideas that will significantly weaken privacy protections."

Corporate Europe Observatory found that 7 of 8 major changes in the Omnibus "align closely with the positions of major tech corporations." The digital industry spends EUR 151 million per year lobbying the EU, a 33.6% increase since 2023.

But here's the nuance that matters for analytics: the consent exemption for audience measurement is the least controversial part of the package. Even the EDPB and EDPS "strongly support the objective of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners." The opposition is primarily about the broader changes: narrowing the definition of personal data, expanding "legitimate interest" for AI training, and weakening data subject rights.

The analytics exemption itself is doing what CNIL has already been doing in France since 2020. It's not a new concept. It's an EU-wide harmonization of a proven approach.

This political context matters for timeline predictions. The analytics exemption has broad support even from privacy advocates who oppose the rest of the package. Whether it survives the legislative process depends on whether Parliament decouples the individual provisions or votes on the package as a whole.

The CNIL already proved this works

France hasn't been waiting for the Digital Omnibus. The CNIL has operated a consent exemption for audience measurement tools since 2020. And they've been enforcing the boundaries aggressively.

In 2025, the CNIL imposed EUR 486.8 million in fines, nearly 9x the EUR 55 million in 2024. Cookie violations were a primary focus. Google was fined EUR 325 million. Shein was fined EUR 150 million for loading 10 types of cookies before visitors interacted with the consent banner. American Express was fined EUR 1.5 million for placing cookies despite explicit user refusal.

The message is clear: the CNIL is not softening enforcement. They're creating a two-lane system. First-party analytics that meet strict criteria can run without consent. Everything else faces record fines.

On July 4, 2025, the CNIL replaced its formal certification program with a self-assessment model. The public list of CNIL-validated tools was retired on January 1, 2026. Under the new regime, providers must independently self-assess compliance using the CNIL's published criteria. Previously validated tools included Matomo, Piano Analytics, Piwik PRO, and several European vendors. Google Analytics was never on the list.

The CNIL exemption requires: first-party cookies only, no cross-site tracking, no combining data with other systems, no transmitting identifiable information to third parties, cookie lifespan limited to 13 months, data retention limited to 25 months, and an opt-out mechanism. The Digital Omnibus Article 88a is essentially the same principles, codified at the EU level.

This is not an experiment. It's been running for five years in the EU's second-largest market. The Digital Omnibus just makes it the law everywhere.

When this takes effect: the timeline

The Digital Omnibus is not law yet. Here's where it stands and what the realistic timeline looks like.

There's one additional factor that could accelerate the shift regardless of the Omnibus timeline. The EU-US Data Privacy Framework is on shaky ground. President Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) in January 2025, leaving it without a quorum. The PCLOB's annual report was a key safeguard that the Commission relied on when approving the framework. Norway's DPA has warned that if the framework is revoked, "there will most likely not be a transition period." If a "Schrems III" scenario materializes, every EU business using US-based analytics would be in violation of GDPR overnight.

What you should do today

Don't wait for the Digital Omnibus. The consent rejection rates alone mean GA4 is already broken for EU businesses. The Omnibus just makes it official.

Here's a practical decision framework.

If you're in France, Spain, Italy, or the Netherlands: You can already run qualifying analytics without consent under existing national exemptions. Switch to a cookieless analytics tool and remove the analytics portion of your consent banner today.

If you're in the UK: The DUAA Section 112 exemption is already in force. You can run aggregate analytics without consent as long as you provide an opt-out mechanism.

If you're anywhere else in the EU: The Omnibus hasn't passed yet, so technically you still need consent for analytics in countries like Germany. But the direction is set. Switching to a cookieless tool now means you start seeing 100% of your traffic immediately (no consent required for tools that don't use cookies or collect personal data), and you'll be ready for Article 88a the day it takes effect.

If you're in the US: The aggregate data exemption under CCPA/CPRA already excludes de-identified and aggregate consumer information from scope. Cookieless analytics that produce only aggregate statistics fall into this lane. And you eliminate your CIPA wiretapping exposure entirely.

The math is simple. A consent-dependent analytics tool shows you 13-40% of your EU traffic. A cookieless analytics tool shows you 90-100%. The data gap is not a rounding error. It's the difference between making decisions with a partial picture and making decisions with the full one.

The regulatory environment is building a moat around privacy-first analytics. Every new enforcement action, every consent rate study, every CIPA lawsuit makes the case stronger. The EU Digital Omnibus doesn't create the trend. It validates it.

If you're interested in the broader case against GA4, see Why You Should Stop Using Google Analytics in 2026. For the full legal picture, see Is Google Analytics Legal in 2026?. And for a deep dive into how cookieless tracking works technically, see What Cookie-Banner-Free Analytics Actually Means.