Privacy and marketing are often treated as opposing forces. They’re not.
For example, as a marketer, cookie consent probably isn’t the first thing on your planning roadmap. But it should be much higher on your radar.
Every time a visitor declines cookies or dismisses your banner, that’s a data point you lose, a conversion you can’t attribute, and a visitor you can’t retarget. Multiplied across your entire audience, the impact on campaign performance, attribution, and return on ad spend adds up fast.
And now, Europe’s cookie consent rules are evolving. In November 2025, the European Commission published the Digital Omnibus proposal, a package designed to simplify how consent works online without weakening the privacy protections European law has built over the past two decades. While it’s not a final law yet, the direction is clear.
Marketing teams that understand what’s changing now will be in the strongest position when things do shift.
This post covers everything marketers need to know: how cookie consent works today, what’s changing and why, and four practical strategies to protect your data and grow your performance as Europe’s rules evolve.

In this guide:
– How cookie consent works today
– Cookie consent sits at the heart of privacy and marketing
– Cookie consent is at a turning point
– What will differentiate winning marketers in 2026 and beyond
– 1. Rethink compliance as trust built in
– 2. Use privacy-aware measurement
– 3. Use first-party marketing data
– 4. Optimize your consent rate
– The teams in the strongest position start now
How cookie consent works today
Before getting into what’s changing, it helps to be clear on how the current system works. Whether you’re new to this or just need a refresher, these are the foundations everything else builds on.
What cookies are (and why some need consent)
Cookies are small text files that websites store on your device when you visit. They remember things like your login details, language preferences, and shopping cart contents. Some cookies are set directly by the site you’re on. Others come from external services embedded on the page, such as an ad network, a social media plugin, or an analytics provider.
This distinction matters because EU privacy law treats them differently.

In marketing, third-party cookies are the ones that power most of your day-to-day tools: retargeting pixels, conversion tracking, audience segmentation, and personalized advertising. They’re also the ones most affected by consent requirements.
The rules around cookie consent in Europe
Two EU laws work together to protect users’ data when it comes to cookies:
- The EU ePrivacy Directive (often called the “cookie law”) requires websites to inform users and get their consent before storing or accessing information on their devices.
- The General Data Protection Regulation (GDPR) sets strict rules for processing personal data, including data collected through cookies.
Together, they establish a clear principle: before any non-essential cookie runs on a user’s device, you need their informed, explicit consent.
The only exceptions are strictly necessary cookies (required for basic site functionality, like keeping a user logged in) and, in some EU Member States, certain analytics cookies that meet strict conditions around anonymization and limited scope.
Everything else needs a “yes” first.
So what does “informed, explicit consent” look like in practice? If your website targets EU-based users and uses non-essential cookies, here are the main requirements:

The role of cookie banners and CMPs
When people hear “cookie consent,” they usually think of the banner that pops up on their first visit. But the banner is just one piece of a larger system.
| Cookie banner | Consent Management Platform (CMP) |
| --- | --- |
| The cookie banner is what your visitors see. It informs them about cookies and gives them the option to accept, reject, or customize their preferences. Think of it as the front door of your consent setup. | The Consent Management Platform (CMP) is the system behind the banner. It collects and stores consent preferences, blocks or unblocks cookie scripts based on user choices, keeps proof of consent for your records, and connects with your ad platforms, analytics tools, and marketing stack. It also supports frameworks like the IAB Transparency and Consent Framework (TCF) and Google Consent Mode. |
The banner asks the question. The CMP enforces the answer.
Without a proper system, your banner is just a pop-up with no follow-through. Scripts would still fire regardless of what the user chose, and that doesn’t meet regulatory requirements.
“Many marketers see compliance as a constraint, but we see it as an opportunity to strengthen trust with customers. Transparent consent and responsible data practices lead to better relationships and ultimately better performance. That’s why we’re making it a priority across team.blue and our 60+ brands.”
Shelby Torrence, Group Marketing Director at team.blue
Cookie consent sits at the heart of privacy and marketing
Cookie consent directly affects your marketing performance. Here’s where the impact hits hardest:
- Data quality. When users don’t consent, you lose visibility into their interactions. Your analytics show an incomplete picture, and bidding algorithms work with partial information.
- Attribution and conversion tracking. Without consent, you can’t track conversions, retarget visitors, or personalize ads for those users. Your attribution models become less reliable, making it harder to understand what’s actually driving results.
- Campaign optimization. Ad platforms rely on conversion data to optimize delivery. Less data means less accurate optimization, higher costs per acquisition, and lower return on ad spend.
- Brand trust. How you handle consent shapes how users perceive your brand. A confusing or aggressive banner erodes trust. A clear, respectful one reinforces it. According to the Cisco 2024 Consumer Privacy Survey, 75% of consumers say they won’t buy from companies they don’t trust with their data.
Start treating your consent setup as part of your marketing infrastructure. How well it works affects brand perception and the quality and volume of every data point downstream.
Cookie consent is at a turning point
The current consent model puts pressure on both sides of the screen. Users are overwhelmed by banners. Businesses are weighed down by complexity. Neither side is getting the best outcome.

The European Commission itself has acknowledged the problem. In its Explanatory Memorandum, it stated that “a regulatory solution on the consent fatigue and proliferation of cookies banners is long-overdue.”
Introducing the Digital Omnibus proposal
In November 2025, the European Commission published the Digital Omnibus Regulation proposal, part of a broader package to simplify and modernize EU digital rules without weakening the fundamental privacy rights that European law has built over the past two decades.
When it comes to cookie consent, the proposal would:
- Simplify the interaction between ePrivacy rules and the GDPR
- Reduce consent fatigue and the number of times users are prompted with the same consent request
- Clarify which limited purposes (like first-party aggregated audience measurement) can operate without consent
This is a proposal, not a final law. The text may change substantially as it moves through approvals from the European Parliament and Council before adoption. Many important stakeholders, like the European Data Protection Board (EDPB), have already issued opinions and recommendations. The rollout will be phased and could take up to 48 months after entry into force.
Until then, the current GDPR and ePrivacy rules apply. You don’t need to change your setup today. But understanding where things are headed helps you prepare.
What this means for privacy and marketing

The core principle doesn’t change: consent remains the rule for advertising, profiling, cross-site tracking, and most third-party analytics. The opt-in model stays.
What changes is the mechanism: more clarity on first-party analytics, stricter banner UX rules (equal visibility for accept and reject, no dark patterns), and a re-prompting limit of six months for users who refuse consent. On the horizon are browser- or device-level preference signals, where users could set privacy preferences once and have them applied across sites automatically.
In practice, you’ll likely show fewer banners to the same user over time. But you’ll still need solid consent infrastructure behind the scenes.
The proposal also includes a specific exception for media service providers whose revenue relies primarily on advertising: they would be exempt from the obligation to respect machine-readable preference signals.
“Consent is no longer just a compliance step, it is the legal gateway to how data can be collected and used. As regulatory frameworks continue to require valid, enforceable user choice, access to data increasingly depends on consent itself. In that context, the ability to capture, interpret, and operationalize consent signals is becoming a determining factor in both compliance and marketing performance.”
Giulia Stancampiano, Head of Legal (Privacy & Tech) at iubenda
A shift in mechanism, not in requirement
Consent isn’t going away. What’s changing is how it’s expressed, remembered, and enforced across systems.
With browser- or device-level preference signals on the horizon, users could set their privacy choices once and have them applied across sites, rather than responding to the same banner on every visit. This doesn’t change whether consent is required. It changes the mechanism.
For this to work in practice, a few things need to hold:
- Signals need to work with existing standards (interoperability).
- Signals need to trigger real technical behavior across websites and services.
- The model shouldn’t concentrate control in a small number of platforms.
In practice: more connected systems
Over time, users may see fewer repetitive consent prompts. But behind the scenes, the job doesn’t get smaller. Consent infrastructure will work in a broader, interoperable framework. This means the implementation becomes more complex with different sources of consent signals (banners, browsers, apps), multiple downstream systems (analytics, advertising, data platforms), and ongoing requirements for proof, enforcement, and user control.
Your Consent Management Platform is not just an interface for collecting consent. It will play a central role in this. As new signal sources emerge, that role becomes more important, not less. Browser-level signals don’t replace your CMP. They give it another input to work with. It still has to translate user preferences into real, enforceable technical behavior across the entire digital stack: websites, apps, analytics, and advertising services.
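One way the enforcement role described above could look in code, as an added example that is not iubenda's code or part of the original post. The purpose names, the record shapes, the browser-signal format and the most-restrictive-wins policy are all assumptions made for illustration.

```javascript
// Added example: purpose names, record shapes and the policy are assumptions.
const SIX_MONTHS_MS = 183 * 24 * 60 * 60 * 1000; // approximates the six-month re-prompt limit

// Constructed registry: every downstream tag declares the purpose it needs.
const TAGS = [
  { id: 'session-cookie', purpose: 'necessary' },
  { id: 'web-analytics', purpose: 'analytics' },
  { id: 'retargeting-pixel', purpose: 'advertising' },
];
const OPTIONAL_PURPOSES = ['analytics', 'advertising'];

// banner: { choices: { analytics: bool, advertising: bool }, decidedAt: ms } or null
// browserSignal: { refuses: [purpose, ...] } or null (hypothetical format)
function resolveConsent(banner, browserSignal) {
  const refused = new Set(browserSignal ? browserSignal.refuses : []);
  const granted = { necessary: true };
  for (const purpose of OPTIONAL_PURPOSES) {
    const optedIn = Boolean(banner && banner.choices[purpose] === true);
    // Opt-in model: silence, dismissal or a browser-level refusal all mean "no".
    granted[purpose] = optedIn && !refused.has(purpose);
  }
  return granted;
}

// Enforcement: only tags whose purpose is granted may be injected.
function allowedTags(granted) {
  return TAGS.filter((t) => granted[t.purpose] === true).map((t) => t.id);
}

// Re-prompt rule: never asked -> ask; a refusal younger than six months -> stay quiet.
// A full acceptance is not re-prompted here (consent expiry is out of scope).
function shouldPrompt(banner, now) {
  if (!banner) return true;
  const refusedSomething = OPTIONAL_PURPOSES.some((p) => banner.choices[p] !== true);
  if (!refusedSomething) return false;
  return now - banner.decidedAt >= SIX_MONTHS_MS;
}

// Proof of consent: what was decided, from which inputs, and what it allowed to run.
function proofRecord(banner, browserSignal, now) {
  const granted = resolveConsent(banner, browserSignal);
  return {
    recordedAt: new Date(now).toISOString(),
    sources: [banner && 'banner', browserSignal && 'browser-signal'].filter(Boolean),
    granted,
    tagsAllowed: allowedTags(granted),
  };
}
```

The tag loader calls `allowedTags` before injecting any script, so a missing record or a refusal from either source keeps the non-essential tags off the page.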
What will differentiate winning marketers in 2026 and beyond
The marketing teams that come out ahead are building on a foundation that holds up regardless of what the law says next. Compliance is the baseline. What separates growth-oriented marketers is how they turn it into a competitive advantage.
Here are four areas where the way you handle privacy, data, and consent can directly improve your marketing performance.
1. Rethink compliance as trust built in
Most marketing teams treat privacy compliance as a separate track: legal sets the rules, product builds the banner, and marketing works around the constraints. That approach has a cost.
Your consent banner, your privacy policy, and the way your data flows work are all trust moments for your visitors, and they affect customer acquisition and retention. When banners don’t enforce visitors’ preferences, policies are years out of date, or consent flows frustrate users rather than reassure them, the legal risk is real. The trust cost is just as real.
According to Ipsos, more than two-thirds (68%) of those surveyed felt skeptical about the way companies used their data in marketing. Only 3% of respondents believe they have complete control of the disclosure and removal of their data online.
A consumer study on data privacy and security from Deloitte has found that “the vast majority of respondents want more protection and control over how their data is used. Almost nine in 10 agree they should be able to view and delete the data that companies collect about them.”
What you can do now:
☑️ Put yourself in your visitor’s shoes. Walk through your consent experience as a first-time user. Where does it feel unclear, intrusive, or hard to navigate?
☑️ Audit your current setup. Map every tool that sets cookies or processes personal data. Identify gaps between what your banner or privacy policy says and what’s actually running.
☑️ Bring compliance into your marketing kickoffs. Before launching a new campaign, adding a tool, or entering a new market, run a quick compliance check.
2. Use privacy-aware measurement
Privacy-aware measurement means building a privacy-friendly approach to marketing performance that works accurately with the data you have, and models intelligently for the data you don’t. Two strategies stand out:
Google Consent Mode. When a user declines consent, Consent Mode sends limited, cookieless signals that allow Google to model conversions in an aggregated way, helping maintain measurement continuity. Google’s systems, including Google Analytics, use AI modeling to estimate conversions from unconsented users based on patterns from consenting users.
Server-side tracking. Instead of embedding tracking in the user’s browser, server-side tracking captures events directly on the server and assigns a server-generated ID to each action before forwarding signals to analytics and ad platforms. It’s emerging as the most reliable measurement alternative for e-commerce and marketing teams.
Neither replaces the obligation to obtain valid user consent. Both should be used alongside your CMP, not as a substitute for it.
“Ad tech and privacy used to feel like they were pulling in opposite directions. Then we implemented Google Consent Mode for our clients. When users declined cookies, Google modeled the conversions we’d lost, our bidding algorithms had more to work with, and our campaigns performed better. Privacy compliance and ad performance aren’t opposites. Once you understand the tools, you can make them work together.”
Virginie Rivet, Senior GTM & Marketing Strategy Consultant at Cremanski & Company
Consent Mode is now non-negotiable for EEA and UK traffic. From July 2025, Google began actively disabling advertising features for accounts that hadn’t activated it. The numbers back this up: conversion modeling through Consent Mode recovers more than 70% of ad-click-to-conversion journeys lost to cookie refusals.

What you can do now:
☑️ Implement Google Consent Mode V2 if you haven’t already. Check if it’s active on your site. Your CMP should handle valid consent collection and the technical integration.
☑️ Explore server-side tracking. EU privacy regulations keep evolving, and browser-based tracking may face further restrictions.
☑️ Check your IAB TCF integration. If you run programmatic advertising, a misconfigured TCF setup means consent signals aren’t reaching your ad tech stack.
3. Use first-party marketing data
First-party data is the information you collect directly from the people who interact with your business: signups, purchases, preferences, and on-site behavior. It’s become the most dependable source for driving cross-channel performance and staying close to your customers.
It starts with transparency. When customers understand how their data is used and stay in control of it, the data you collect becomes more accurate, more reliable, and more valuable.

According to a 2023 Deloitte industry report on first-party data commissioned by Meta, 82% of marketing leaders are prioritizing first-party data to create immediate value for customers. Businesses that invest in tailored, data-driven experiences based on first-party data saw a 27% increase in conversion rate and a 23% increase in customer satisfaction.
What you can do now:
☑️ Identify the data points that actually drive decisions. Focus on signals that connect to your goals: email signups, purchase history, product preferences.
☑️ Give people a clear reason to opt in. The value exchange needs to be explicit. “Get early access to new drops” works better than “enhance your experience.”
☑️ Build a preference center. Give users a simple page where they can update their communication preferences and privacy choices at any time.
☑️ Keep consent connected to your tools. Your banner should control what runs in your analytics and ad platforms. Your CMP should enforce this automatically.
☑️ Use first-party data to improve lookalike modeling. Customer lists fed into Meta’s or Google’s platforms improve audience quality, especially as third-party signals shrink.
4. Optimize your consent rate
Consent rate, the percentage of users who actively accept cookies or opt in, rarely makes it onto the marketing performance dashboard. It should.
Every percentage point of improvement means more observable conversions, more accurate attribution, better bidding signals, and higher return on ad spend.
Consent rate optimization means improving that rate through better banner design, clearer language, smarter positioning, and recovery flows for users who initially decline.

Banner design has a measurable impact. iubenda’s own data shows that placing your banner at the top of the page rather than the bottom can boost consent rates by 16%. Adding your logo increases trust and improves opt-in rates.

What you can do now:
☑️ Check your current consent rate. If you’re not measuring it, start. Your CMP dashboard should show opt-in rates by device, country, and banner placement.
☑️ A/B test your banner. Test position, button labels, and copy. Even small changes can move rates meaningfully.
☑️ Use a consent recovery flow. A follow-up prompt to users who initially declined, shown within regulatory limits, can recover a meaningful share of opt-ins.
☑️ Match your banner design to your brand. A branded banner feels like part of your site. The more natural it feels, the more likely users are to engage thoughtfully rather than dismiss it.
☑️ Check your mobile experience separately. Consent rates on mobile often differ significantly from desktop.

The teams in the strongest position start now
“When consent, privacy, and compliance are built in from day one, product, marketing, and growth teams can move faster with confidence. You test more, ship more, and scale without hitting invisible walls.”
Andreea Maria Mandeal, CMO, iubenda
Regardless of how cookie consent rules continue to evolve, the fundamentals don’t change. Better consent infrastructure means better data. Better data means better decisions. Better decisions mean better results.
For teams that build well, privacy regulation stops being a constraint and starts being a filter: one that separates brands that have earned their customers’ trust from those that haven’t.
The marketers who come out ahead won’t be those who react fastest when the rules change. They’ll be the ones who built the right infrastructure before they had to.
Disclaimer: This post discusses a legislative proposal, not final law. The content reflects iubenda’s interpretation as of March 2026 and should not be relied upon as legal advice. Consult your own legal counsel for guidance specific to your business.