The Digital Omnibus Wants to Exempt First-Party Analytics From Consent
The EU's November 2025 Digital Omnibus proposes a consent exemption for first-party, internal-use audience measurement. It describes the model cookie-free analytics already runs.
On 19 November 2025 the European Commission published the Digital Omnibus, a proposal that rewrites where cookie and tracking consent rules live. The headline for developers is buried in a draft article: first-party, aggregate, internal-use audience measurement would no longer require consent at all.
That carve-out does not describe some future tool. It describes the data model cookie-free analytics has been running the whole time.
What the proposal actually moves
Today, the duty to ask before reading or writing on a user's device comes from Article 5(3) of the ePrivacy Directive — the legal root of the cookie banner. The Digital Omnibus pulls that rule out of ePrivacy and folds it into the GDPR through a new Article 88a.
The practical effect is a single regime. Where personal data is processed, ePrivacy consent stops applying and only the GDPR governs. The Commission frames this as simplification of an overlapping rulebook, and it draws on more than a year of stakeholder feedback about banner fatigue.
This is a Commission proposal, not law. It entered the ordinary legislative procedure on the day it was published and now goes to the European Parliament and the Council, where the text can change substantially before anything binds anyone.
The audience-measurement exemption
Article 88a keeps consent as the default for device access, then lists narrow exceptions. Alongside strictly necessary transmission and security, it adds one that matters for analytics: storing or accessing information to generate aggregated audience measurement data, where the provider does it solely for its own online service and its own internal use.
Legal analyses converge on the conditions that exemption carries:
- First-party only. The site operator controls the data; the analytics provider acts as a processor and never uses it for its own purposes.
- No third-party sharing. Nothing flows to advertisers, ad platforms, or cross-site measurement networks.
- Statistics only. The purpose is web statistics and site optimization — not marketing activation, not profiling.
- Easy opt-out. Users can decline the measurement, explained plainly in the privacy policy.
- Short retention. Data is kept only as long as the statistics need it.
The framing is deliberately tight. Commentators reading the draft note it appears to exclude any tool that measures across multiple services, clients, or platforms — which is most ad-tech measurement. The exemption rewards a specific architecture, not a category of vendor.
Why this maps onto cookie-free analytics
Read that list against how a privacy-first tracker is built and the overlap is near-total. There is no identifier to share, because visitor identity is a one-way daily hash — SHA-256(IP | UA | SALT_SECRET | YYYY-MM-DD) — that cannot be reversed and rotates out of existence every night.
visitor_hash = SHA-256( IP | UA | SALT_SECRET | "2026-06-08" )
Raw IP and User-Agent are used only in memory to compute that hash; the database stores the hash, never the raw values. There is no cross-site graph because there is nothing to join on tomorrow. Retention is bounded — pageviews older than two years are purged — and the data is aggregate by construction: counts, durations, coarse device type, country from the edge.
The /collect beacon carries timing and page metadata, not a person. That is exactly the "aggregated audience measurement, internal use only" the draft singles out.
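The daily hash and the stored row described above, as an added example that is not the code of any particular analytics product. The function names, the row layout, the salt value, the literal "|" separator and the 730-day reading of "two years" are assumptions made for illustration.

```python
import hashlib
from datetime import date, timedelta

SALT_SECRET = "constructed-demo-secret"  # assumption: real value lives in a secret store
RETENTION = timedelta(days=730)          # assumption: "two years" taken as 730 days


def visitor_hash(ip: str, ua: str, day: date, salt: str = SALT_SECRET) -> str:
    """SHA-256(IP | UA | SALT_SECRET | YYYY-MM-DD) with '|' as a literal separator."""
    material = "|".join((ip, ua, salt, day.isoformat()))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def to_row(ip: str, ua: str, path: str, day: date) -> dict:
    """Record that gets persisted: the hash and page metadata, never raw IP or UA."""
    return {"visitor": visitor_hash(ip, ua, day), "path": path, "day": day}


def daily_uniques(rows: list) -> dict:
    """Unique visitors per day; hashes are only comparable within one day."""
    per_day = {}
    for row in rows:
        per_day.setdefault(row["day"], set()).add(row["visitor"])
    return {day: len(hashes) for day, hashes in per_day.items()}


def purge(rows: list, today: date) -> list:
    """Keep only rows that are still inside the retention window."""
    return [row for row in rows if today - row["day"] <= RETENTION]


# Constructed sample traffic: documentation-range IPs and made-up user agents.
D1, D2 = date(2026, 6, 8), date(2026, 6, 9)
ROWS = [
    to_row("203.0.113.7", "UA-A", "/", D1),
    to_row("203.0.113.7", "UA-A", "/pricing", D1),  # same visitor, same day
    to_row("198.51.100.2", "UA-B", "/", D1),
    to_row("203.0.113.7", "UA-A", "/", D2),         # same visitor, next day
]

if __name__ == "__main__":
    print(daily_uniques(ROWS))                        # per-day unique counts
    print(ROWS[0]["visitor"] == ROWS[3]["visitor"])   # cross-day join attempt
```

The irreversibility rests on SALT_SECRET staying secret: IPv4 addresses and user agents are guessable, so a salt that leaks into the database or logs makes the stored hashes recoverable by enumeration.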
Article 88b and the end of per-site banners
The companion provision, Article 88b, targets consent fatigue from the other side. It requires that refusal and objection be expressible through automated, machine-readable signals, with browser and OS vendors (small enterprises excepted) obligated to support the infrastructure.
This is the same direction Global Privacy Control already pushed in US state law: move the decision from a thousand banners to one device-level setting a site must honor. A tool that sets no cookies and builds no profile has little to honor here — there is no storage to gate and no consent record to keep.
What to do before it lands
Nothing in the Digital Omnibus is enforceable yet, and the timeline stretches across staggered application periods after any final text. But the direction is set, and it favors a single design: collect aggregate statistics first-party, share nothing, identify no one, and retain briefly.
If your analytics already meets that bar, the reform is a tailwind — the law moving toward the architecture rather than the architecture scrambling after the law. If it does not, the cheapest compliance path is not a better banner. It is collecting less.
Sources
- Digital Omnibus Regulation Proposal (European Commission)
- The Digital Omnibus: cookies, consent and digital advertising (Taylor Wessing)
- EU Digital Omnibus: The European Commission Proposes Important Changes to the EU's Digital Rulebook (Sidley Austin)
- First-party analytics without consent: Your Digital Omnibus compliance guide (Piwik PRO)
- Digital Omnibus reshapes EU cookie rules but leaves banner fatigue largely intact (Osborne Clarke)