Simplytics

The EU's Digital Omnibus wants to exempt aggregated analytics from cookie consent — what it would and wouldn't cover

If you run web analytics in the EU and you've seen headlines about the Digital Omnibus "ending cookie banners," here's the honest short answer first: a proposed new Article 88a would let a narrow, closed list of low-risk activities run without consent — and one item on that list is aggregated audience measurement carried out by the controller of a website solely for its own use. That description fits cookie-less, first-party, aggregate-only analytics almost to the letter, and it reads tools like Google Analytics 4 out of it.

But — and this is the part most of the excited coverage skips — it is a proposal, not law. Nobody is exempt from anything today. The text is still being negotiated, one of its two consent-related articles has already been cut by member states, and the EU's own data-protection regulators have asked for the exemption to be narrowed and clarified. So this post is a map of what's on the table, what it would and wouldn't cover, and why a cookie-less tool doesn't need the exemption to skip the banner in the first place.

What the Digital Omnibus actually is

On 19 November 2025 the European Commission adopted the Digital Omnibus — a package of "simplification" amendments touching the GDPR, the ePrivacy Directive, the Data Act and more (Commission proposal page). One quick disambiguation, because the press keeps mixing them up: there are two Omnibus files. The Digital Omnibus on AI moved fast and cleared votes in June 2026. The one that matters here is the main Digital Omnibus covering the GDPR and ePrivacy — a separate, earlier-stage file, still in committee and Council negotiation.

Its headline move for analytics: take the cookie- and tracker-consent rules that currently live in Article 5(3) of the ePrivacy Directive and fold them into the GDPR as new Articles 88a and 88b. Instead of "you need consent to store or read anything on a user's device unless it's strictly necessary," Article 88a would set out a closed list of purposes that don't need consent.

The audience-measurement exemption, in plain terms

Article 88a's list includes security, fixing faults, and — the relevant one — audience measurement. As rendered by law firms reading the draft, the carve-out covers:

"Creating aggregated information about the usage of an online service to measure the audience of such a service, where it is carried out by the controller of that online service solely for its own use."

(Taylor Wessing's analysis is a good primary read; that wording is counsel's rendering of the draft, not a certified quote of the final legal text.)

Three conditions do the work, and they're worth reading slowly:

Legal commentators are near-unanimous that the exemption excludes analytics "that operate across multiple services, clients or platforms" (clickport's breakdown; Loyens & Loeff). That's the line GA4 falls on the wrong side of: it sends event data to Google's servers, Google reuses it across its own products and ad systems, and Google Signals enables cross-site, cross-device measurement. It isn't measurement by the site's controller "solely for its own use." This is professional interpretation, not settled law — but it's the consistent reading.

How the criteria map onto real tools

Article 88a criterion Cookie-less first-party analytics GA4 (linked to Google Ads)
Aggregated, not per-person Yes — raw records discarded, only totals kept No — user- and event-level data retained
Measures only this site's audience Yes No — cross-site / cross-device via Google Signals
Controller uses it solely for its own use Yes — no third-party reuse No — Google reuses data for its own products and ads
Reads as "covered" by commentators Likely Unlikely

Read that table as "where the exemption's logic points," not as a compliance verdict. The exemption's exact scope is precisely what's still being argued over.

The part the headlines skip: it isn't law, and it may not survive as written

This matters enough to spell out, because "the EU is scrapping cookie banners" is doing a lot of rounds and it's wrong today.

So the honest status line is: if adopted as drafted, first-party aggregate-only measurement would be explicitly consent-exempt. That "if" is carrying real weight.

Why a cookie-less tool doesn't need this exemption anyway

Here's the pivot, and it's the point worth taking away. Simplytics doesn't need a website to ask for consent — and that has nothing to do with the Digital Omnibus. It's true today, under the rules as they already exist, for a simpler reason: there's no personal data to consent to.

The script sets no cookies and stores nothing in the browser. Visitors are counted with an anonymous hash derived from a truncated IP, the user-agent and the domain, salted with a value that rotates every day — so the same person can't be recognised across days or across sites. Raw visit records are deleted nightly; only anonymous daily aggregates are kept. Because no personal data is stored, no consent banner is required. That's the current basis, and it doesn't depend on any proposal passing.

What the Digital Omnibus adds isn't a new permission slip — it's validation. When EU lawmakers sat down to describe the kind of measurement that shouldn't need consent, they wrote down "aggregated," "measure the audience of this service," "by the controller, solely for its own use." That's not a description of a tool that ships your visitors to an ad network. It's a description of the design a cookie-less, aggregate-only analytics tool already has.

None of this makes GA4 illegal — that's not the claim, and legal posts that lean on fear age badly. It's that the direction of travel keeps rewarding the same thing: collect less, keep it aggregate, share it with nobody. If you want the honest side-by-side on how these tools differ on data handling and price, the Simplytics vs Google Analytics page lays it out — and if the consent machinery itself is what you're untangling, our breakdown of GA4's June 2026 data-controls change covers the settings you'd otherwise have to keep re-checking.

The one-line summary: the Digital Omnibus proposes to exempt exactly the kind of first-party, aggregate-only audience measurement a cookie-less tool already does — but it's a proposal still in negotiation, not a law, so treat "no consent needed" as a fact about how a tool is built, not about a bill that hasn't passed. Cookie-less analytics is the cheapest privacy-friendly Google Analytics alternative that already sits on the right side of that line, at $1/month.

← All posts · Compare Simplytics with alternatives