Cookie rules are being rewritten, and your store needs to adapt
The European Commission's Digital Omnibus Regulation, formally proposed in February 2026, is the most significant shake-up to EU data-privacy rules since the GDPR took effect in 2018. Its headline change: cookie and tracking-consent rules are being pulled out of the ageing ePrivacy Directive and folded directly into the GDPR itself, through new Articles 88a and 88b. For eCommerce merchants, this means the consent banners, tracking scripts, and data-handling workflows on your store will need to change, not today, but well before enforcement begins.
If you sell to EU customers, this affects you regardless of where your business is based. The legislative process is underway now, with final text expected by late 2026 or early 2027 and an enforcement window following. The time to prepare is while the rules are settling, not after they land.
What this means
- Cookie consent moves into the GDPR: Today, cookies are regulated under the ePrivacy Directive (the "cookie law"), which sits alongside the GDPR. The Digital Omnibus merges cookie-consent rules into the GDPR via a new Article 88a, as outlined by Taylor Wessing. This means one law, one enforcement framework, and one set of fines of up to €20 million or 4% of global turnover.
- Fewer banners, but consent is still required for tracking: According to analysis by Usercentrics, the Commission estimates that consent will no longer be needed for roughly 60% of cookies, specifically "strictly necessary" and certain audience-measurement cookies. Marketing, advertising, and cross-site tracking cookies still require explicit opt-in consent.
- Browser- and OS-level consent signals: The proposal introduces a mechanism for users to set their consent preferences once, at the browser or operating-system level, rather than clicking through a banner on every site. Websites will need to detect and honour these signals. But as the EDPB's joint opinion makes clear, the technical standards for this do not exist yet, and browser adoption will take time.
- Legitimate-interest changes for analytics: Basic audience measurement (think: page-view counts, session duration) may be permitted under a legitimate-interest basis without consent, provided the data stays first-party and is not used for profiling or ad targeting.
- Stricter rules on consent design: "Reject all" must be as prominent as "Accept all." The proposal targets dark patterns, including pre-ticked boxes, confusing button hierarchies, and "consent walls" that block content. Your Consent Management Platform (CMP) configuration will need to reflect this.
- SME record-keeping simplification: If you are a business with fewer than 250 employees, the Digital Omnibus aims to reduce some GDPR documentation burdens, though the details are still being refined.
The playbook
These steps are platform-agnostic. Work through them in order.
Audit your current cookie and tracking inventory
Scan your store, both staging and production, with a cookie-scanning tool (your CMP likely has one built in, or use a free scanner such as Cookiebot's free scan). Document every cookie and tracking pixel: name, purpose, duration, first- vs third-party, and whether it is "strictly necessary." You cannot plan changes without knowing your baseline.
Re-classify cookies against the new categories
Under the Digital Omnibus framework, cookies fall into clearer tiers:
- Exempt (no consent needed): strictly necessary cookies (session, cart, authentication, security) and basic audience-measurement cookies that stay first-party and are not used for profiling.
- Consent required: advertising, remarketing, cross-site tracking, social-media embeds, personalisation beyond basic analytics.
Map every cookie from Step 1 into one of these two buckets. Where you are unsure, default to "consent required."
Update your consent banner to meet the new design rules
Ensure your CMP is configured so that:
- "Reject all" is equal in size, colour, and prominence to "Accept all."
- No boxes are pre-ticked.
- Consent categories are clearly labelled in plain language.
- Users can change their preferences at any time via a persistent link (in the footer or via a floating icon).
- The banner does not block the full page ("consent walls" are being targeted).
This is a configuration task, not a code rewrite, for most modern CMPs.
Prepare to honour browser-level consent signals
The browser-signal mechanism does not have finalised standards yet, but you should plan for it now:
- Confirm your CMP vendor is tracking the Digital Omnibus developments and has committed to supporting browser-level consent signals when available.
- If you use Google Consent Mode v2, you are partially prepared, as this already passes consent state to Google tags. Ensure it is active.
- Document your plan to read and respect incoming signals (this will likely involve a CMP update, not custom code).
Review your analytics setup for legitimate-interest use
If you want to run basic audience measurement without consent under the new rules:
- Use a first-party analytics tool or configure your existing tool (e.g. GA4 in cookieless mode, Matomo, Plausible) to avoid cross-site identifiers.
- Disable advertising features, remarketing audiences, and Google Signals in any analytics property you plan to operate without consent.
- Document your legitimate-interest assessment. You will need to show why your analytics use is proportionate and poses minimal risk to users.
Update your privacy policy
Your privacy policy must reflect:
- The legal basis for each category of data processing (consent vs. legitimate interest).
- Specific cookies and tracking technologies in use.
- How users can withdraw consent or exercise data-subject rights.
- Reference to the GDPR (not the ePrivacy Directive) as the governing framework for cookies, once the new rules are in effect.
Brief your marketing and analytics teams
Your marketing team needs to understand that remarketing pixels, social-media tracking, and personalisation tools still require opt-in consent. The common misconception that the Digital Omnibus "gets rid of cookie banners" is wrong. It gets rid of unnecessary banners. Brief them on what will and will not change for their campaigns.
Set a calendar reminder to re-check before enforcement (before Q2 2027)
The Digital Omnibus is still in the legislative process. The European Parliament and Council will negotiate the final text through 2026. Set a quarterly review to track progress and adjust. We expect enforcement to begin no earlier than mid-2027, but the timeline could shift.
Platform-specific guidance
Magento / Adobe Commerce
Adobe Commerce has built-in GDPR compliance features, including cookie restriction mode and a cookie-law compliance framework that classifies cookies as exempt or non-exempt. This is a solid baseline, but it is not a full CMP.
For a production-grade solution, you will need a dedicated consent-management extension:
- Amasty Cookie Consent (GDPR): blocks first- and third-party cookies until consent is granted, supports granular category control, and integrates with Google Consent Mode. One of the most mature Magento 2 options.
- Mirasvit GDPR Extension: covers cookie consent, data deletion requests, and consent logging.
- Third-party CMPs such as CookieHub, Usercentrics, or Cookiebot can be integrated via their JavaScript snippets and will likely be the first to support browser-level consent signals when standards are finalised.
If you are on Adobe Commerce Cloud, ensure your CMP implementation does not conflict with Fastly or full-page cache. Test cookie-blocking behaviour in your staging environment before pushing live.
Shopify
Shopify does not provide native GDPR cookie consent beyond a basic banner. You need a third-party app:
- Consentmo: a "Built for Shopify" CMP that supports GDPR, CCPA, Google Consent Mode v2, TCF 2.2, and region-based logic. Consentmo has explicitly stated they are preparing for Digital Omnibus changes and will act as the "translation layer" between browser-level signals and your store's compliance workflow.
- Pandectes GDPR Compliance: another mature option with auto-detection of cookies, consent logging, and Google Consent Mode v2.
- CookieYes: well-known cross-platform CMP with a Shopify app.
Whichever app you choose, verify it supports: granular category consent, script blocking (not just banner display), consent logging for audit purposes, and equal-prominence reject/accept buttons. Many free or low-tier cookie apps only show a banner. They do not actually block scripts, which means you are not compliant.
Common pitfalls
- Confusing "fewer banners" with "no banners." The Digital Omnibus reduces unnecessary consent prompts for strictly necessary and basic analytics cookies. You still need consent for marketing, advertising, and personalisation tracking. If your store runs Meta Pixel, Google Ads remarketing, or TikTok Pixel, you need a consent banner.
- Using a cookie banner that does not actually block scripts. A banner that says "We use cookies" but loads all tracking scripts regardless is not compliant, and never was. Verify your CMP blocks non-essential scripts until consent is granted. Test this in an incognito browser window.
- Ignoring Google Consent Mode v2. Since March 2024, Google requires Consent Mode v2 for any site using Google advertising or analytics services in the EEA. If you have not implemented this yet, you are already behind. The Digital Omnibus reinforces, not replaces, this requirement.
- Forgetting server-side tracking. If you have moved tracking server-side (e.g. via Google Tag Manager server containers or Shopify's Customer Events), you still need consent before firing marketing tags. Server-side does not bypass consent requirements. It just moves where the code runs.
- Waiting for the final text to start preparing. The broad direction, including cookie rules in the GDPR, browser-level signals, and stricter consent design, is clear. Merchants who start auditing and updating now will avoid a scramble when the enforcement date arrives.
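One way to automate the script-blocking check from the pitfalls above, combined with the exempt/consent-required inventory from the playbook: export a HAR file from an incognito session where the banner was left untouched, then flag anything that should have waited for consent. This is an added example, not code from the original article; the marketing host list, the cookie names, the `shop.example` domain, and the sample capture are all constructed assumptions.

```javascript
// Added example. Host list, cookie names and HAR below are constructed assumptions.
// Hosts assumed to serve the marketing tags named in the article; extend from your own inventory.
const MARKETING_HOSTS = ['connect.facebook.net', 'googleads.g.doubleclick.net', 'analytics.tiktok.com'];
// Cookies your audit classified as exempt (hypothetical names).
const EXEMPT_COOKIES = new Set(['PHPSESSID', 'cart']);

const inDomain = (host, domain) => host === domain || host.endsWith('.' + domain);

// Cookie names from Set-Cookie response headers; tolerate newline-joined values.
function cookieNames(headers) {
  return (headers || [])
    .filter((h) => h.name.toLowerCase() === 'set-cookie')
    .flatMap((h) => h.value.split('\n'))
    .map((v) => v.split('=')[0].trim())
    .filter(Boolean);
}

// har: parsed HAR object recorded in a fresh profile with the banner left untouched.
function auditPreConsent(har, storeDomain) {
  const findings = [];
  for (const { request, response } of har.log.entries) {
    const host = new URL(request.url).hostname;
    if (MARKETING_HOSTS.some((m) => inDomain(host, m))) {
      findings.push({ type: 'marketing-request', host, detail: request.url });
    }
    const firstParty = inDomain(host, storeDomain);
    for (const name of cookieNames(response.headers)) {
      // Anything not both first-party AND explicitly exempt defaults to "consent required".
      if (!(firstParty && EXEMPT_COOKIES.has(name))) {
        findings.push({ type: firstParty ? 'unclassified-cookie' : 'third-party-cookie', host, detail: name });
      }
    }
  }
  return findings;
}

// Constructed sample capture (shop.example is a placeholder domain).
const entry = (url, ...setCookie) => ({
  request: { url },
  response: { headers: setCookie.map((value) => ({ name: 'Set-Cookie', value })) },
});
const SAMPLE_HAR = { log: { entries: [
  entry('https://shop.example/', 'PHPSESSID=abc; Path=/; HttpOnly'),
  entry('https://shop.example/checkout/cart', 'cart=1; Path=/\n_promo_id=xyz; Path=/'),
  entry('https://connect.facebook.net/en_US/fbevents.js'),
  entry('https://googleads.g.doubleclick.net/pagead/landing', 'IDE=xyz; Domain=.doubleclick.net'),
] } };

for (const f of auditPreConsent(SAMPLE_HAR, 'shop.example')) {
  console.log(`${f.type}\t${f.host}\t${f.detail}`);
}
```

The check only sees cookies set through HTTP response headers; cookies written by scripts via `document.cookie` still need the browser's storage inspector or your CMP's scanner.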
About On Tap
On Tap is a growth-focused eCommerce consultancy helping mid-market and enterprise merchants build compliant, high-performing stores. From consent and tracking audits to CMP implementation across Magento, Adobe Commerce, and Shopify, On Tap helps merchants meet GDPR requirements without breaking marketing performance.
If you are unsure whether your store is ready for the Digital Omnibus changes, get in touch.


