On November 19, 2025, the European Commission introduced the Digital Omnibus Package, a significant legislative proposal aimed at modernizing the General Data Protection Regulation (GDPR) and the ePrivacy Directive. For developers and site owners like myself, this represents a fundamental shift in how we manage user state and technical consent.
Below is a technical breakdown of the upcoming changes and how they impact the architecture of jasperbernaers.com.
A. The technical evolution of consent: from UI to signal
The core objective of the reform is to address "consent fatigue" by moving away from repetitive UI-based interactions toward machine-readable signals.
1. Integration of Articles 88a and 88b (GDPR)
The proposal effectively absorbs cookie-related rules into the GDPR framework through two new pivotal articles:
- Article 88a: Modernizes the "cookie rules" by mandating a single-click refusal option at the same visual hierarchy as acceptance. If a user rejects consent, the controller is technically barred from re-requesting it for the same purpose for a minimum of six months.
- Article 88b: Introduces machine-readable consent signals. Websites will be required to support and respect automated preferences sent via browsers or operating systems (e.g., Global Privacy Control signals). This shifts the burden of enforcement from the user's repetitive clicking to the website's backend/tag management logic.
navigator.globalPrivacyControl signal will be in the same legal position as one that ignores a user's manual opt-out.
2. The new "whitelist" for low-risk cookies
To streamline web performance, the Commission has proposed a "whitelist" of situations that no longer require a consent prompt. These include:
- First-party aggregated audience measurement: Basic analytics used solely by the service provider for their own online service.
- Security maintenance: Cookies strictly necessary for maintaining or restoring the security of a service.
- User-requested functionality: Such as keeping a shopping cart updated or remembering language preferences.
3. High-stakes enforcement
By moving these rules firmly under the GDPR, the maximum penalties for non-compliant tracking — such as firing tags before consent or using "dark patterns" — are now harmonized at 4% of global annual turnover or €20 million, whichever is higher.
B. Implementation on jasperbernaers.com
To align with these emerging standards and current best practices from the EDPB Cookie Banner Taskforce, the technical implementation on this site follows these strict protocols:
- Zero-Load Policy: No non-essential scripts (Marketing, Third-party Analytics) are injected into the DOM until a positive consent_granted signal is received from the Consent Management Platform (CMP).
- Visual Parity: The "Reject All" and "Accept All" triggers are styled with identical CSS attributes (font-weight, padding, and contrast ratio) to ensure unbiased user choice, as required by recent rulings from the Belgian and French (CNIL) authorities.
- Preference Persistence: We utilize a 6-month cooling-off period for rejected consent, preventing unnecessary re-prompts and respecting the user's initial decision across sessions.
- GPC Support: The site is configured to listen for navigator.globalPrivacyControl signals to automatically opt out users who have set global privacy preferences in their browser.
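One way to express the zero-load, cooling-off and GPC rules above as a single decision function. This is an added example, not the site's own code. The purpose names, record shape, storage key, the 183-day reading of six months, and letting GPC outrank a stored grant are all assumptions.

```javascript
// Added example: every name below is hypothetical, not the site's or a CMP's API.
const COOLDOWN_MS = 183 * 24 * 60 * 60 * 1000; // assumption: six months as 183 days
const GATED_PURPOSES = ["marketing", "third_party_analytics"];

// stored: { [purpose]: { decision: "granted" | "rejected", at: epochMs } }
function resolveConsent({ gpc, stored = {}, now = Date.now() }) {
  const state = {};
  for (const purpose of GATED_PURPOSES) {
    const rec = stored[purpose];
    if (gpc === true) {
      state[purpose] = "denied"; // assumption: GPC outranks a stored grant
    } else if (rec && rec.decision === "granted") {
      state[purpose] = "granted";
    } else if (rec && rec.decision === "rejected" && now - rec.at < COOLDOWN_MS) {
      state[purpose] = "denied"; // inside the cooling-off window: no re-prompt
    } else {
      state[purpose] = "ask"; // no record, or the rejection has aged out
    }
  }
  return { state, showBanner: Object.values(state).includes("ask") };
}

// Zero-load: a tag is returned only if essential or its purpose is granted.
// Unknown purposes are never granted, so they fail closed.
function tagsToInject(tags, consent) {
  return tags.filter(
    (t) => t.purpose === "essential" || consent.state[t.purpose] === "granted"
  );
}

// Corrupt or missing storage is treated as "no decision", never as a grant.
function readStored(raw) {
  try {
    const parsed = JSON.parse(raw);
    return parsed && typeof parsed === "object" ? parsed : {};
  } catch {
    return {};
  }
}

// Browser wiring (call from the page; needs navigator, localStorage, document).
function applyConsent(tags, storageKey = "consent_v1") {
  const stored = readStored(localStorage.getItem(storageKey));
  const gpc = navigator.globalPrivacyControl === true;
  const consent = resolveConsent({ gpc, stored });
  for (const tag of tagsToInject(tags, consent)) {
    const s = document.createElement("script");
    s.src = tag.src;
    document.head.appendChild(s);
  }
  return consent;
}
```

Keeping the decision logic free of DOM access means the cooling-off and GPC branches can be unit-tested with a fixed clock before any tag manager is wired in.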
- European Commission: Digital Omnibus FAQ (Nov 2025)
- EDPB: Report on the Work of the Cookie Banner Taskforce
- GDPR.eu: Official Guide to Cookie Compliance