Cookie consent is broken, and everyone knows it. Europeans spend an estimated 575 million hours per year clicking through consent banners. Research shows that up to 80% of users click “Accept All” when dark patterns push them toward it, which 72% of banners do. Half of websites set cookies before users make any choice at all, and 57.5% keep advertising cookies running even after users revoke consent. This is not informed consent. It is consent theatre, and the European Commission has finally acknowledged it.
The Digital Omnibus proposal, published in November 2025, introduces Article 88b to the GDPR. For the first time, EU law will require websites to accept automated, machine-readable consent signals from browsers. Users would set their preferences once, their browser would communicate those preferences to every site they visit, and controllers would be legally obliged to respect them. No more banners. No more clicking. No more dark patterns.
But here is the catch: the standards for how these signals should work have not been written yet. Article 88b delegates the technical specification to implementing acts and standardisation bodies. The decisions made in that process — what signals can express, who controls the interface, how much granularity users get — will shape consent for a generation of internet users.
That is why we published Conditional Consent: an open concept paper and technical specification proposing what Article 88b signalling should look like, designed from the user’s perspective.
The core idea: consent as conditions, not clicks
Today, consent is binary. Accept or reject, site by site, visit by visit. Conditional Consent proposes that users define rules across three dimensions:
- Cookie purpose: functional, analytics, advertising, social media, personalisation
- Website category: e-commerce, news, government, banking, healthcare
- Third-party processor: first-party only, exclude specific companies, allow named providers
A user might say: “Allow functional cookies everywhere. Allow analytics on shopping sites, first-party only. Deny all advertising cookies. Block any processing involving Meta.”
This level of granularity does not exist in any consent tool today. Current Consent Management Platforms offer purpose toggles at best. Global Privacy Control — the most successful browser privacy signal, now mandated in twelve US states — can only express a binary “do not sell.” The Advanced Data Protection Control specification developed by noyb and the Vienna University of Economics and Business came closest to what we propose, supporting granular purpose-based HTTP header signalling, but never achieved real-world adoption and lacks the website category and processor dimensions.
Conditional Consent builds on all of these. It proposes an open HTTP header protocol for Article 88b signalling, combined with automated CMP interaction as a fallback — so it works on existing websites from day one, without requiring website operators to change anything.
What we published
The concept paper sets out the problem, the legal basis in Article 88b, six core principles for user-centric consent signalling, a detailed comparison with existing tools (GPC, ADPC, Consenter, Consent-O-Matic, IAB TCF), and a proposed architecture for a browser extension MVP.
The technical specification (pending) goes deeper: browser extension architecture, a preference engine for evaluating conditional rules, an HTTP header protocol, a CMP automation layer, chatbot-guided onboarding, and a compatibility analysis with every relevant existing standard.
These are (or will be) published under CC BY 4.0 at conditionalconsent.com. They are designed to be forked, extended, critiqued, and adopted by anyone — browser vendors, CMP providers, privacy advocates, standardisation bodies.
Why now
Article 88b has a staged timeline. Controllers must accept automated signals within 24 months of entry into force. Browser providers must enable signalling within 48 months. But the implementing standards — the technical specifications that define what those signals can actually carry — need to be developed now. Once a standard is set, it will be extremely difficult to change.
The risk is that the advertising industry shapes these standards toward the simplest possible signal — a binary accept/reject that perpetuates the current model in machine-readable form. The opportunity is to establish that the standard should support genuine conditional granularity: rules that reflect how people actually think about their privacy.
What we are asking for
We are not launching a product. We are putting a proposal on the table — early, openly, and with full documentation — so that the conversation about Article 88b implementation includes a concrete, user-centric option.
If you work in privacy, policy, browser development, or consent management, we would like your input. Read the papers. Challenge the assumptions. Propose improvements. Tell us what we got wrong. The specification is deliberately open because getting this right requires more perspectives than any single consultancy can provide.
The concept paper and technical specification are available at conditionalconsent.com.