European CMP association

AssociationPosition paper on the Digital Omnibus

by

europeancmps
in

Executive summary

The European CMP Association represents Consent Management Platform (CMP) providers operating across the European Union. On behalf of our members and the hundreds of thousands of businesses and millions of European users we serve, we submit this position paper in response to the European Commission’s Digital Omnibus proposal (COM(2025) 837), specifically regarding 88b of the amended GDPR framework. 

Our members work closely with a wide range of organisations across Europe, from small businesses to large online services, that rely on consent management solutions to implement privacy choices and comply with EU data protection rules. Through the infrastructure we operate and the technical support we provide, we have direct visibility into how consent mechanisms function in practice across different services, devices, and markets. We therefore approach this discussion as technology providers and compliance partners with practical insight into the technical implementation, economic implications, and user experience effects of consent regulation.

We share the European Commission’s core objectives of reducing consent fatigue, simplifying the regulatory landscape, ensuring Europe’s competitiveness, and improving the digital experience for European users and businesses alike. As the operators of CMPs, we work at the operational layer where these objectives must ultimately be implemented in practice. We think article 88b as currently drafted will produce the opposite effect. It risks entrenching consent friction, while simultaneously transferring critical control over European users’ consent flows to a handful of non-European browser vendors, undermining the competitiveness of European businesses. This would be counterproductive to user privacy, harmful to European businesses, and detrimental to European digital sovereignty, particularly as alternative approaches to address consent fatigue already exist.

Article 88b: Browser-level consent signals  

  • The proposal introduces centralized browser-based consent signals that could override website-level consent interactions. This could effectively transfer control of consent infrastructure to a small number of non-European browser vendors.
  • Browser-level signals cannot satisfy GDPR’s requirement for specific, informed and unambiguous consent. A single global preference operates at the wrong level of abstraction.
  • If browser signals override CMP consent flows, businesses could see consent rates drop by up to 80%, with direct consequences for advertising effectiveness and revenues, harming European businesses and publishers in particular and ultimately resulting in reduced tax income for governments.
  • Concentrating consent infrastructure in browser gatekeepers creates a direct conflict with the intention of the Digital Markets Act and raises serious digital sovereignty concerns.
  • Historically, browser-level consent initiatives like Do Not Track (DNT), the 2017 ePrivacy Regulation and the Cookie Pledge, all failed. Article 88b risks enshrining these failures in legislation.

Our constructive alternatives

  • Adopt an interoperable, CMP-centred architecture: open APIs enabling consent assistants, browsers, EUDI wallets, and CMPs to operate as complementary, not competing, layers.
  • Leverage existing consent infrastructure and implementation expertise. CMPs are uniquely positioned as the compliance, enforcement, and auditability layer under any future consent architecture and are actively contributing to the EU standardization process.

Recommendations:

  1. Reconsider or fundamentally revise Article 88b. Browser-level signals risk legal uncertainty, severe economic harm, and risk a de facto non-European gatekeeper over EU consent infrastructure.
  2. Explicitly safeguard European digital sovereignty. Ensure that no single non-European technology provider can control the consent architecture of the European digital market.
  3. Mandate interoperability, not centralization. Require open APIs between consent assistants (browsers, OS tools, EUDI wallet) and CMPs while recognizing CMPs as essential enforcement infrastructure.
  4. Expand targeted consent exemptions for operational processing as an alternative to centralization, consistent with GDPR proportionality.
  5. Include CMPs in the Article 88b(4) standardization process. As primary implementers of consent UX and compliance, but also as only facilitator of consent signal distribution today, CMPs must participate in any expert group defining machine-readable consent signals.
  6. Address practices that unnecessarily multiply consent interfaces and thereby exacerbate consent fatigue. Particular attention should be paid to technical permission mechanisms that operate alongside, or on top of, GDPR and ePrivacy consent flows. Apple’s App Tracking Transparency regime, as well as Safari’s Intelligent Tracking Prevention mechanisms that may trigger renewed consent requests at frequent intervals despite prior user consent. 

Europe should take pride in having fostered an ecosystem of European Consent Management Platforms, which translate the principles of the GDPR into practical tools that allow individuals to exercise meaningful control over how their data is used online. CMPs have emerged as a trusted, independent, interoperable operational layer through which users’ privacy choices can be expressed, communicated, and respected across the digital environment.
Consent fatigue is a complex, multifactorial challenge that demands the in-depth technical analysis and operational insight uniquely provided by Consent Management Platforms, as operators of the consent infrastructure. The CMP industry is committed to making this essential expertise available, dedicated to improving the compliance landscape for all European users and businesses.

About the European CMP Association and the role of Consent Management Platforms in the European digital ecosystem

The European CMP Association was founded to provide a stronger, shared voice of Consent Management Platforms and related infrastructure in the regulatory discussion. Our members represent the companies that build and operate the systems through which hundreds of millions of European users express their privacy preferences every day.

We contribute to this discussion as technology providers that design and operate consent management solutions used by organisations across the European economy. Through our daily collaboration with companies of all sizes and sectors, we have a clear understanding of how consent rules are implemented in practice and which actors will be most directly affected by changes to the regulatory framework. For many of these organisations, CMP solutions constitute a core component of the consent and compliance infrastructure that supports their obligations under the GDPR, the ePrivacy Directive, and an increasing number of related regulatory requirements.

CMPs provide the technical and operational layer through which businesses communicate privacy choices to users, record consent decisions, manage vendor relationships, ensure auditability, and adapt to regulatory change. Without CMPs, the compliance burden on individual businesses would increase dramatically to ensure compliance with GDPR requirements for informed, specific, and freely given consent.

Our association is actively engaged in the development of open CMP standards and fully committed to working collaboratively with European standardization bodies to define interoperable, technology-neutral consent infrastructure. We stand ready to contribute technical proposals to the standardisation process envisaged under Article 88b(4) of the Digital Omnibus. 

Understanding consent fatigue

The Commission has rightly acknowledged consent fatigue as an important issue to be tackled by the Digital Omnibus. CMPs share this diagnosis and are directly invested in solving it.

However, it is essential to distinguish between two related but distinct aspects of the problem.

Cookie banner fatigue is a symptom: users are frustrated by repeated, inconsistent prompts.

Cookie banner fatigue is a structural problem: users are overwhelmed by unclear, complex, or manipulative workflows driven by inconsistent regulatory expectations and inadequate implementation.

Crucially: the GDPR does not require consent for cookies as such, it requires consent for specific data-processing purposes. Cookies and similar technologies are merely technical vehicles. Focusing narrowly on cookie banners oversimplifies the problem and obscures its real drivers:

  • High volume of data-intensive processing across website and apps
  • Absence of unified mechanisms for expressing durable privacy preferences
  • Inconsistent enforcement and interpretations across Member States
  • Widespread manipulative UX patterns in low-quality, non-compliant consent tools
  • Browser-imposed cookie lifetime restrictions that force repeated prompts regardless of user choice

The goal should be fewer manipulative requests, fewer repetitive prompts, and more meaningful user-controlled choices. CMPs are already addressing these root causes through layered UX design, purpose standardisation, suppression of repeated requests, and dark pattern prevention.

Consent fatigue persists despite the widespread adoption of Consent Management Platforms because CMPs operate within a broader regulatory and technical environment they do not control. CMPs implement consent interfaces required under GDPR and ePrivacy rules, but they do not determine when consent is legally required, how frequently consent must be renewed, or how browsers and operating systems treat stored consent preferences. As a result, many of the drivers of repeated consent prompts, including fragmented regulatory interpretations across Member States, browser-imposed storage limitations, and overlapping device-level permission frameworks, originate outside the CMP layer itself. Reducing consent fatigue therefore requires addressing these structural factors, not only the interface where consent is collected.

Article 88b: critical concerns on centralised browser-level consent signals

The concept of allowing users to express durable privacy preferences at the browser or device level, reducing the need for repeated banner interactions, is a direction the CMP industry welcomes in principle. The question is not whether to modernise the consent experience, but how to do so in a way that is legally coherent, technically sound, and does not create unintended structural consequences.

Article 88b raises three important key issues that we believe require careful consideration before the provisions are finalised.

1. Contextual consent and GDPR compatibility

Under Article 4(11) and Article 7 GDPR, valid consent must be specific, i.e. granular, purpose-bound, and given in relation to identifiable processing operations by an identifiable controller. Browser-level consent inverts this logic entirely. A single upstream decision, made before any interaction with any specific website, controller, or set of purposes, cannot by construction satisfy a requirement that presupposes context. A user setting a global preference has no meaningful way to distinguish between consenting to analytics on a trusted news site and consenting to behavioural profiling by an ad network they have never encountered. The consent is given in a vacuum, which in practice will drive most users toward blanket refusal, which might be the point.

Proponents argue that specificity could be preserved through a standardised taxonomy of purposes and vendors embedded in the browser signal. This is theoretically conceivable. But what it would require, in practice, is nothing less than a comprehensive mapping of every processing purpose, every data category, and every vendor operating across the entire global digital ecosystem, maintained at a level of legal precision sufficient to satisfy GDPR requirements, and stable enough to serve as the basis for automated signals. Every actor in the chain, publishers, advertisers, technology providers, browser vendors, operating system vendors, and even regulators across jurisdictions, would need to agree on a shared protocol, a governance model, and an enforcement mechanism. In practice, this is an attempt to classify and govern the web. No undertaking of comparable scope and complexity has ever been attempted. Under any realistic timeline, it extends well beyond the four-year horizon envisaged by the Omnibus, and what would emerge, if it emerged at all, would be the opposite of simplification, in direct tension with the “simplicity by design” principle underlined by the European Council in its Conclusions of 26 June.

Without contextual awareness and fine-grain controls, no browser-level mechanism can satisfy the GDPR’s specificity requirement. The only remaining path is to remove that requirement, a legislative choice that cannot be taken lightly, if it is to be taken at all.

2. The cost of consent centralisation for the European digital economy: A de facto “Reject All” mechanism

Beyond the legal incompatibility of browser-level consent with the GDPR’s specificity requirement lies a second, equally serious concern: its likely economic consequences for the European digital industry.
The value of site-specific consent interactions lies precisely in their contextual nature. Users must be able to make more nuanced, trust-calibrated decisions when engaging with a service they know and use regularly than when configuring a global preference for the entirety of the internet. This contextual dynamic is not merely a behavioural observation, it is also a market mechanism. 

Because consent rates directly affect revenue, publishers and service providers have a structural incentive to invest in transparency, user experience, and trust-building in order to improve them. Browser-level consent, by collapsing this feedback loop into a single upstream preference, eliminates that incentive entirely. It would not empower users, it would simply remove the conditions under which empowerment and accountability reinforce each other.

The likely scale of this effect is not purely theoretical. When Apple introduced its App Tracking Transparency framework in 2021, requiring users to actively opt in to tracking at the system prompt level, approximately 80% of users declined (according to Flurry Analytics). This outcome should not be understood primarily as a matter of interface design. ATT illustrates the structural effect of moving consent decisions away from the context of a specific service and into a generic system-level permission. When users are asked to make a broad decision about tracking in the abstract, refusal becomes the rational default. Browser-level consent mechanisms risk reproducing the same dynamic. There is little reason to believe that a browser-level consent mechanism, similarly binary, would produce materially different results. The European digital industry would, in practice, be operating with roughly 20% of the consent base it currently relies upon.

This dynamic also raises broader questions in relation to the stated objectives of the Omnibus package. The Omnibus is explicitly framed as a response to the Draghi report’s diagnosis that Europe “claims to favour innovation, but continues to add regulatory burdens onto European companies, which are especially costly for SMEs and self-defeating for those in the digital sectors” (The Future of European Competitiveness, September 2024). 

Yet Article 88b, under the cover of simplifying the consent experience for users, risks depriving European publishers and advertisers, SMEs, and digital operators of the revenue conditions necessary for their survival, while leaving large platforms, which rely primarily on first-party data and authenticated user relationships, largely untouched. A provision that structurally disadvantages the most exposed actors in the digital ecosystem, in a package designed to strengthen European competitiveness, is a contradiction that should give pause. Validating Article 88b is a decision that should be approached, if at all, with the full awareness of what is being surrendered.

3. Sovereignty and governance: Ensuring a European architecture

Over the past decade, the European regulatory framework has contributed to the emergence of a specialised ecosystem of privacy technologies. Consent Management Platforms, preference management tools, and other privacy-by-design infrastructures have been developed largely in response to the operational requirements introduced by the GDPR. In practice, the regulation has not only set standards for data protection but has also stimulated the development of a market dedicated to enabling those standards to function effectively at scale.

This ecosystem has attracted significant investment and supported the growth of European companies operating in the privacy technology sector, including the members of the European CMP Association. Its development demonstrates how regulatory frameworks can drive innovation and create technical solutions that allow individuals to exercise their rights while enabling businesses to comply with increasingly complex regulatory obligations.

The introduction of browser-level consent mechanisms under Article 88b could materially alter this landscape. By relocating key consent management functions to the browser layer, the proposal risks reducing the operational role currently performed by independent consent infrastructure providers. This would represent a structural shift in the consent architecture of the European digital ecosystem, driven not by market dynamics but by regulatory design.

The structure of the browser market is also relevant in this context. Browser technologies are largely controlled by a limited number of global technology companies headquartered outside the European Union. Centralising consent signalling at this layer, in the absence of strong interoperability safeguards and technology-neutral standards, could concentrate control over a critical element of Europe’s consent infrastructure in the hands of a small number of non-European actors.

This concern is not abstract. The Global Privacy Control (GPC) signal, developed by US-based technology companies for US state privacy regulations, is already being positioned as a candidate standard for browser-level consent signalling in Europe. Enshrining it in EU law without a European governance framework would risk encoding foreign-developed infrastructure as the compliance baseline, with limited accountability to European regulators or users.

Such an outcome would merit careful consideration in light of broader EU policy objectives, including those reflected in the Digital Markets Act and in the Union’s wider efforts to strengthen technological sovereignty and competitiveness in digital markets. The design of Article 88b should therefore ensure that efforts to simplify the consent experience do not weaken Europe’s privacy technology ecosystem or increase structural dependence on a limited number of dominant intermediaries.

The landscape of existing levers to reduce consent fatigue

Before legislating a new centralised architecture, it is worth acknowledging that consent fatigue already has multiple addressable causes, many of which can be tackled without the structural risks of Article 88b. The following levers exist today, each with distinct advantages, limitations, and implications for CMPs and the broader ecosystem.

Addressing browser-imposed restrictions: ITP, ETP and ATT

A significant and often overlooked driver of consent fatigue is the unilateral shortening of cookie lifetimes by major browsers through mechanisms such as Intelligent Tracking Prevention (ITP) and Enhanced Tracking Protection (ETP). These browser-side interventions regularly invalidate stored consent preferences, forcing users to re-engage with consent banners far more frequently than necessary, often on sites they regularly visit and trust.
Apple’s ITP in particular, implemented across Safari and all WebKit-based browsers, is particularly consequential in this regard. Since ITP 2.1, any first-party cookie set via JavaScript (i.e. the method used by virtually all CMPs to store user preferences) is capped at a 7-day lifetime, regardless of the expiry date originally declared. This means that a user who has deliberately and explicitly rejected to give their consent on a given website will have that preference silently erased after seven days of inactivity, with no notification and no acknowledgment that they had previously engaged. On return, they are presented with a consent banner as if they were a first-time visitor. Given that Safari accounts for a substantial share of browser usage, particularly on mobile devices, this mechanism structurally undermines the stability of consent records and generates repeated, unnecessary friction for users who have already exercised their rights under the GDPR and ePrivacy.

A similar dynamic plays out on mobile through Apple’s App Tracking Transparency (ATT) framework, introduced with iOS 14.5. ATT requires apps to present a system-level prompt asking users whether they wish to allow tracking across third-party apps and websites. ATT is a permission that operates entirely outside the existing consent infrastructure established under the GDPR and the ePrivacy Directive. The result is that users are routinely confronted with two distinct consent interactions within the same app session: the ATT prompt, governed by Apple’s own framework, followed by a CMP-served consent banner required under EU law. Critically, these two layers are not interchangeable. Even where a user grants permission through the ATT prompt, this does not constitute valid legal consent under the GDPR, and a separate CMP interaction remains mandatory. This duplication is not a minor inconvenience, it is a structural design flaw that fragments the consent experience, increases cognitive load, and accelerates consent fatigue. The proliferation of overlapping technical permission layers (which are not required under EU law), each governed by a different set of rules and controlled by different non-European actors, undermines the clarity and coherence that effective consent requires.

Addressing ATT, ITP and ETP would materially reduce fatigue without any change to the current consent architecture. The Digital Omnibus could clarify that browser and operating system vendors must not unilaterally override consent storage decisions made by the user, and that consent records maintained by CMPs must be respected across browser sessions for their lawful retention period. CMPs are technically positioned to detect and respond to ITP/ETP behaviour, but cannot override browser/operating system vendor decisions without regulatory clarity.

In-app browser interoperability

Many mobile applications open external links within in-app browsers, embedded web views that are isolated from the user’s primary browser and cannot access consent preferences already recorded there. As a result, users are repeatedly asked for consent even on services they have already engaged with, simply because they arrived via a different technical environment.

This is a structural problem that can be solved through interoperability requirements, mandating that in-app browsers respect or communicate with consent records held by the user’s primary browser or CMP, or mandating that app developers only open external links inside the default browser that has been configured by the user. CMPs are already working to bridge this gap operationally, but the absence of a regulatory standard makes consistent implementation impossible.

Privacy wallets and consent assistants

The coming EU Digital Identity Wallet (EUDI Wallet) and related consent assistant tools represent a genuinely European path to durable, portable privacy preferences. A user could express granular preferences once (with criteria, rules, and algorithms customized by the users themselves) and have those preferences automatically applied when interacting with participating services, through a European-governed infrastructure rather than through a US browser vendor.

This architecture is technically viable, legally coherent, and consistent with the GDPR’s specificity requirements, precisely because preferences can be stored at the device level and applied contextually, rather than as a binary global toggle. CMPs are the natural integration point for wallet-based consent signals: they already manage purpose-level consent logic, vendor relationships, and auditability for controllers. Connecting a consent wallet to a CMP is architecturally straightforward; connecting it directly to every controller independently is not.

Cross-device and cross-domain consent 

A further lever, already explored by a few European data protection authorities including the CNIL, is the recognition of consent portability across devices and domains. Under current frameworks, a user who has already expressed their consent within a service’s mobile application may be asked to repeat that choice when accessing the same service through a desktop browser or a connected TV, despite interacting with the same data controller, for the same purposes. Similarly, a media group operating multiple editorial properties under a shared data controller may be required to collect consent independently on each domain, multiplying interactions without meaningfully advancing user protection. Enabling consent to travel with the user across devices and across the domains of a single controller, provided that the scope of that consent is clearly communicated and the relationship between entities is transparent, would materially reduce the volume of consent interactions without altering their legal substance. 

Expanding consent exemptions

One of the levers also available to EU institutions to structurally address consent fatigue is the use of targeted exemptions to the consent requirement. Article 88a of the Digital Omnibus proposal already illustrates this approach, by establishing a closed list of processing purposes for which storage or access to personal data on terminal equipment may proceed without consent. Rather than treating this as an isolated measure, EU legislators and supervisory authorities should explore how the exemption model could be extended and systematised across a broader range of processing activities, provided that adequate safeguards are in place.

This approach is not without precedent. Supervisory authorities have already carved out consent-free pathways in specific processing contexts, acknowledging that not all data operations carry the same implications for individuals. Building on this established practice, a pre-defined and periodically reviewed list of processing categories deemed compatible with a high level of data protection could offer a principled alternative to the current regime. By removing the obligation to seek consent where the processing meets clearly defined criteria and poses no disproportionate burden on individuals, such a framework would reduce the frequency of consent requests encountered by users, and thereby alleviate consent fatigue at its root rather than merely managing its symptoms.​​​​​​​​​​​​​​​​

The common thread: CMPs as the compliance layer

What the approaches above share — whether consent exemptions, ITP mitigation, in-app browser interoperability, or privacy wallet integration — is a common requirement: a trusted, independent, interoperable compliance layer that can interpret signals, enforce purposes, maintain auditability, and ensure controllers meet their obligations. That layer is the CMP.

Today, CMPs already translate user consent decisions into machine-readable signals communicated across complex digital supply chains. This operational role places CMPs in a unique position to contribute to the development of any future standardised consent signalling framework.

Regardless of which combination of approaches regulators pursue, CMPs are already positioned — technically and operationally — to serve as the enforcement and accountability infrastructure. We are not proposing one specific solution. We are observing that across all viable paths, the CMP role is not optional.

How the Architecture Works Together

The diagram below illustrates how different actors in a future interoperable consent ecosystem interact, with CMPs as the essential compliance and enforcement layer regardless of which consent channel a user employs.

We are the European experts and have the resources to develop an open, interoperable consent signalling standard, including as part of Article 88b(4)’s standardisation process if that persists, and to work alongside regulators, browser vendors, wallet providers, publishers, and civil society.

Conclusion

The European CMP industry strongly supports the Commission’s objective of simplifying the EU’s digital regulatory framework and improving the online experience for users. Consent fatigue is real and must be addressed. CMPs are part of the solution, not part of the problem.

But Article 88b, as currently drafted, risks entrenching consent friction, undermining European digital sovereignty, concentrating market power in non-European browser gatekeepers, and causing severe economic harm to European publishers, advertisers, and SMEs. Multiple better paths exist and CMPs are the common thread across all of them.

Europe has been right to encourage the growth of a European Consent Management Platform ecosystem — one that turns GDPR principles into practical, everyday tools through which individuals can exercise real control over how their personal data is used. In doing so, CMPs have become an established, independent, trusted and interoperable layer of the digital environment: the infrastructure through which users’ privacy choices are expressed, communicated, and honoured. This is something Europe should be proud of.

Addressing consent fatigue is not straightforward. It is a complex, multifactorial problem, and solving it well requires precisely the kind of deep technical knowledge and hands-on operational experience that CMPs hold as the organisations actually running the consent infrastructure. That essential expertise is something the CMP industry is both willing and committed to contribute, in service of a better, clearer compliance environment for users and businesses across Europe.Board of Directors
European CMP Association
Brussels, Belgium
www.ecmpa.eu

European CMP Association

A unified voice for European Consent Management Platforms, advancing privacy, transparency, and innovation across the EU and globally.

Brussels, Belgium

Non-profit association

© 2026 European CMP Association. All rights reserved. • Privacy Policy