The EU Digital Omnibus Act: What It Means for Your Analytics (and Whether GA4 Qualifies)

Europeans spend 575 million hours per year clicking cookie consent banners. That is EUR 14.375 billion in lost productivity, gone on a pop-up almost nobody reads. The EU's Digital Omnibus wants to end the banner for analytics that don't track individuals. Here is what it means for your site, and why Google Analytics won't make the cut.

The EU just rewrote the cookie rules

For over two decades, cookie consent has been governed by the ePrivacy Directive from 2002. Each EU member state wrote it into national law its own way. Germany has its TDDDG. France has CNIL's implementation. Belgium has its 2005 Act. Twenty-seven countries, twenty-seven different cookie laws. One website, twenty-seven ways to get it wrong.

The ePrivacy Regulation was supposed to fix that. Proposed in January 2017, it was meant to modernize the rules and give the EU a single framework. Nine Council presidencies took a turn at it. All nine failed. On February 11, 2025, the Commission withdrew the proposal for good. Eight years of drafts, amendments, and debates. Nothing to show for it.

So the Commission tried something else. Instead of writing a new regulation, the Digital Omnibus folds cookie rules straight into the GDPR through a new Article 88a. One regulation, directly applicable in all 27 member states, enforced by the GDPR machinery that already exists. No more twenty-seven versions.

The Digital Omnibus does more than shuffle the rules around. It goes after consent fatigue directly. Websites must offer a single-click refusal button, and once a user declines, the site cannot re-ask for the same purpose for at least six months. A companion Article 88b says browsers must be able to send standardized privacy signals to websites, and websites must honor them. That is Global Privacy Control, only now it would be the law.

But the change that matters most for analytics sits in Article 88a, paragraph 3, subparagraph (c). It is a consent exemption for audience measurement. Get it right, and the analytics banner disappears.

Article 88a: the consent exemption for analytics

Here is the exact wording of the proposed exemption. Consent is not required for:

"Creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use."

One sentence. Five conditions hide inside it. Here is each one in plain English.

The EDPB and EDPS have asked for the exemptions to be "further specified" before adoption. The shape of it is already clear, though. First-party, aggregated analytics for your own website, with nothing leaking out to third parties. That is the lane.

One nuance trips people up, so it is worth getting right. "Aggregated" describes the purpose of the measurement. It is not a ban on ever touching granular data. Several legal analyses say so. Piwik PRO puts it well: a store can count its customers and see what each one buys to work out the totals, but it cannot follow those people from one store to the next. Session-level collection is fine as long as it rolls up into aggregate reporting and nobody can be re-identified or tracked across sessions.

Does Google Analytics qualify?

No. Privacy lawyers, analytics vendors, and data protection authorities all land in the same place: GA4 does not meet the Article 88a criteria, and no realistic configuration can make it qualify. Several EU countries have already ruled Google Analytics illegal. The exemption criteria show you why.

Let me walk through it, one condition at a time. Here's how it falls apart.

GA4 sets persistent cookies. The _ga cookie has a 2-year expiry. The _ga_<container> cookie runs for 2 years too. Turn on Google Signals and it ties a person's activity across their devices through their Google account data. None of that is a temporary session identifier. It is a two-year leash.

Data flows to Google, a third party. Every event is sent to Google's servers and processed on Google's infrastructure. Google then uses aggregated customer data for its own product development and improvement. Wire that up with Google Ads, DV360, and the rest of the advertising machine, and your analytics data is no longer "solely for your own use." It is working for Google too.

Cross-site tracking is built in. Switch on Google Signals and cross-device tracking comes with it. Cross-domain tracking hands user identifiers from one domain to the next through URL parameters. You do not even need to run Google Ads. The data still feeds Google's wider infrastructure.

Can you configure GA4 into qualifying? No. Turn Google Signals off, turn the advertising features off, unlink Google Ads, and the core problem is still there. The data lands on Google's servers. Google is both the processor and a company with advertising interests in the very same data. CNIL has noted that getting GA4 to comply with GDPR transfer rules takes "proxyfication," meaning you route every hit through a reverse proxy to strip the identifiers before Google ever sees them. For most organizations that is out of reach.

Consent Mode v2 does not save it either. Google's Advanced Consent Mode sends anonymous "cookieless pings" when someone declines consent, then leans on machine learning to model the missing conversions. The data still goes to Google, a third party. The analytics provider still reuses it for product development. "Solely for its own use" and the way GA4 is built simply do not fit together.

Google has made no public statement on whether GA4 qualifies for the Article 88a exemption.

The data you're already losing

The consent exemption isn't just a paperwork win. It fixes a real measurement problem. If your analytics tool requires consent, you're losing most of your data in European markets right now.

Germany and France: 60 to 77% rejection rates. Put a compliant "Reject All" button up next to "Accept All," same size, same weight, and fewer than 25% of visitors accept cookies. The etracker Consent Benchmark 2025 measured an average 60% data loss from compliant banners. More than half your visitors, gone before you count them.

GA4 misses 55.6% of traffic. Orbit Media ran an independent study, GA4 against cookieless analytics on the same website. With consent banners showing, GA4 missed 55.6% of the traffic. It saw fewer than half the people who came.

The ICO saw a 90.8% drop. The UK's own Information Commissioner's Office, the privacy regulator itself, had Google Analytics counting 119,417 users a day. Then they put up a best-practice cookie banner. The count fell to 10,967. That is a 90.8% drop. The visitors did not go anywhere. They just stopped showing up in the numbers.

Consent Mode modeling has a catch most people miss. Google's machine learning model, the one that is supposed to fill in the gaps from people who decline, needs 1,000+ daily events from denying users across 7 days in a row, plus another 1,000+ daily events from consenting users. Most sites under 30,000 monthly visitors never clear that bar. So the modeling never switches on. The data from non-consenting users is just gone, for good.

Then there is the bill for the banner itself. Consent management platforms are not free. CookieYes starts at $8.33 a month. Cookiebot starts at $8 a month for 50 subpages. Enterprise tools like OneTrust run a median of $11,500 a year. You are paying that to show a pop-up that makes 60 to 87% of your visitors disappear.

Tools that qualify for the Article 88a exemption make this whole mess go away. No consent banner for analytics. No CMP bill. No data lost to rejection. You see 100% of your visitors from day one.

Which analytics tools actually qualify?

The exemption does not care which brand name is on your tool. It cares how the tool is built. Here is how the major analytics tools line up against Article 88a's five requirements.

The pattern jumps out. Tools that were cookieless and first-party from day one qualify without you touching a setting. Tools built for advertising ecosystems can't get there no matter what you toggle. Article 88a doesn't invent a new category. It blesses what privacy-first analytics tools have been doing all along. If you want the mechanics of how this category works, see our privacy-friendly analytics guide.

The Audience Measurement Coalition has complained that the exemption is too narrow. Their gripe is that "solely for its own use" blocks independent audience measurement run by joint industry committees. When even the industry groups say the rule is too strict, you know the criteria are tight.

The UK already did this

While the EU is still debating, the UK has already moved. The Data (Use and Access) Act got Royal Assent on June 19, 2025. Section 112 adds a statistical purposes exception: you do not need consent for analytics cookies that gather aggregate statistical information about how a website is used, as long as the data cannot identify anyone and you offer an opt-out.

This matters. The UK used to demand consent for every non-essential cookie under PECR. Now it carves out privacy-respecting analytics by name. And it is already law.

If you serve both UK and EU audiences, the message is hard to miss. The two jurisdictions are arriving at the same answer: first-party, aggregated analytics that do not track individuals should not need consent.

Over in the US, the story rhymes. The California Privacy Protection Agency fined Todd Snyder $345,178 in May 2025 over CCPA violations tied to tracking pixels. More than 1,500 businesses have been sued under CIPA in the past 18 months, the claim being that their website tracking counts as "wiretapping." Now look at who got sued. Not one of those CIPA suits has gone after a cookieless, first-party analytics provider. Every case targets tools that ship data to third parties.

The political battle you should understand

The analytics exemption does not float free of everything around it. It rides inside a much bigger Digital Omnibus package, and that package has turned into one of the most fought-over pieces of EU legislation in years.

127 civil society organizations signed an open letter calling the Omnibus "the biggest rollback of digital fundamental rights in EU history." Max Schrems' organization noyb put out three versions of a detailed legal analysis and called it "the biggest attack on Europeans' digital rights in years." EDRi called it "a major rollback of EU digital protections." The EFF called it "full of bad and confusing ideas that will significantly weaken privacy protections."

Corporate Europe Observatory found that 7 of the 8 major changes in the Omnibus "align closely with the positions of major tech corporations." The digital industry spends EUR 151 million a year lobbying the EU, up 33.6% since 2023. Read those two numbers together and the shape of the thing gets clearer.

Here is the part that matters for analytics, though. The consent exemption for audience measurement is the least controversial piece of the whole package. Even the EDPB and EDPS "strongly support the objective of providing for a regulatory solution to address consent fatigue and the proliferation of cookie banners." The fight is over the other parts: narrowing what counts as personal data, stretching "legitimate interest" to cover AI training, and trimming back data subject rights.

The analytics exemption is just doing what CNIL has been doing in France since 2020. It is not a new idea. It is an EU-wide version of an approach that already works.

All of this shapes the timeline. The analytics exemption has broad support, even from the privacy advocates fighting the rest of the package. Whether it makes it through comes down to one procedural question: does Parliament split the provisions apart and vote on them one by one, or does it vote on the package as a single block?

The CNIL already proved this works

France did not wait for the Digital Omnibus. The CNIL has run a consent exemption for audience measurement tools since 2020. And it has policed the edges of that exemption hard.

In 2025 the CNIL handed out EUR 486.8 million in fines, nearly 9 times the EUR 55 million it issued in 2024. Cookies were front and center. Google was fined EUR 325 million. Shein was fined EUR 150 million for loading 10 cookies before a visitor had even touched the consent banner. American Express was fined EUR 1.5 million for dropping cookies on people who had explicitly said no.

So the message is not subtle. The CNIL is not easing off. It is running two lanes. First-party analytics that meet the strict criteria run without consent. Everything else risks record fines.

On July 4, 2025, the CNIL swapped its formal certification program for a self-assessment model. The public list of CNIL-validated tools was retired on January 1, 2026. Now providers assess their own compliance against the CNIL's published criteria. The old list had Matomo, Piano Analytics, Piwik PRO, and a handful of other European vendors on it. Google Analytics never made the list at all.

The CNIL exemption sets out what counts: first-party cookies only, no cross-site tracking, no combining the data with other systems, no sending identifiable information to third parties, a cookie lifespan capped at 13 months, data retention capped at 25 months, and an opt-out. Article 88a in the Digital Omnibus is the same set of principles, written up at the EU level.

This is not a thought experiment. It has been running for five years in the EU's second-largest market. The Digital Omnibus just takes that and makes it the law everywhere.

When this takes effect: the timeline

The Digital Omnibus is not law yet. Here is where it stands and what a realistic timeline looks like.

One more thing could speed all of this up, no matter what the Omnibus does. The EU-US Data Privacy Framework is wobbling. President Trump dismissed three Democratic members of the Privacy and Civil Liberties Oversight Board (PCLOB) in January 2025, which left it without a quorum. That board's annual report was one of the safeguards the Commission leaned on when it approved the framework. Norway's DPA has warned that if the framework is revoked, "there will most likely not be a transition period." Should a "Schrems III" scenario materialize, every EU business running US-based analytics would be in breach of GDPR overnight. No warning, no grace period.

What you should do today

Don't wait for the Digital Omnibus. The consent rejection rates on their own already mean GA4 is already broken for EU businesses. The Omnibus just makes it official.

So here's how I'd decide, depending on where you are.

If you're in France, Spain, Italy, or the Netherlands: You can already run qualifying analytics without consent under the national exemptions you have today. Switch to a cookieless analytics tool and take the analytics part out of your consent banner now.

If you're in the UK: The DUAA Section 112 exemption is in force. You can run aggregate analytics without consent, as long as you offer an opt-out.

If you're anywhere else in the EU: The Omnibus hasn't passed, so in a country like Germany you still need consent for analytics today. But the direction is set. Move to a cookieless GA alternative now and you start seeing 100% of your traffic right away, because tools that don't use cookies or collect personal data don't need consent. You're also ready for Article 88a the day it lands.

If you're in the US: The aggregate data exemption under CCPA/CPRA already puts de-identified and aggregate consumer information out of scope. Cookieless analytics that only ever produce aggregate statistics sit right in that lane. On top of that, you clear your CIPA wiretapping exposure entirely.

The math isn't complicated. A consent-dependent tool shows you 13 to 40% of your EU traffic. A cookieless analytics tool shows you 90 to 100%. That gap is not a rounding error. It's the difference between deciding on half a picture and deciding on the whole one.

The regulators are quietly building a moat around privacy-first analytics. Every new enforcement action, every consent rate study, every CIPA lawsuit makes the case stronger. The EU Digital Omnibus does not create the trend. It validates it.

If you want the broader case against GA4, read Why You Should Stop Using Google Analytics in 2026. For the full legal picture, read Is Google Analytics Legal in 2026?. And for a deep dive into how cookieless tracking works under the hood, read What Cookie-Banner-Free Analytics Actually Means.