EU Digital Omnibus Directive
Article 7a of the proposed Omnibus Directive introduces interoperability requirements for consent management software, a legislative signal that this coordination layer is needed.
Online Consent Is Broken,
But It Can Be Fixed
Fine-grained consent management for the processing of personal data is a fundamental human right. It protects human agency against digital determinism, preserves the capacity of businesses worldwide to build respectfully upon data, and helps the open web resist platformization.
Yet consent online is failing. Users are buried under hundreds of vendors wrapped in legalese they never asked to read. Browsers wipe consent storage in the name of privacy, forcing the same banners to reappear every seven days. The result: numbness, distrust, and fatigue.
Many builders have responded by developing consent assistants, empowering users with systems that handle this complexity at scale. But the heterogeneity of consent management online, combined with shifting standards and regulation, makes this work fragile and prone to breakage.
There is a path that reconciles users and businesses, consent management platforms and consent assistants. That path is interoperability, and browsers can become this interoperability layer. navigator.consent is that layer.
The API
How it works
A thin transport layer. CMPs keep full control over compliance. Consent assistants get structured metadata instead of scraping.
The ecosystem
A browser spec that benefits everyone
End Users
You choose a consent assistant you trust, and it carries your preferences everywhere. You still control the granularity: which data, which vendors, which purposes, and how often.
Learn more →Consent Assistants
Read purposes, vendors, and consent state from any CMP. No scraping. No breaking changes. Product-market fit.
Learn more →Consent Platforms
Positions the CMP as a trusted compliance layer, exposing human- and machine-readable consent settings that make integration predictable.
Learn more →Browser Providers
No liability for consent UI design. The CMP owns the interface, the browser just provides the pipe.
Learn more →Policymakers
A decentralized standard that delivers interoperability without platform lock-in.
Learn more →SupportThey support
They support navigator.consent
“This specification, even if it looks somewhat technical, can profoundly change the daily lives of millions of people”
“This specification provides a very important clarification of what the EC's draft in Art. 88b Digital Omnibus means when it states that "browsers (...) shall provide the technical means to allow data subjects to give their consent".
This sentence does not mean that browser providers themselves provide consent management services. That would be like putting the fox in charge of the henhouse, as Apple's ATT impressively demonstrates.
Art. 88b Digital Omnibus rather means that browsers enable the technical interface for seamless communication between consent agents (of other providers than browsers) and the digital services that request consent.
This specification therefore clarifies what this technical interface of browsers must look like so that end users and digital services can finally establish user-friendly consent processes”
“Rewarded Interest believes the historical model of confronting consumers with cookie banners is broken – there doesn't need to be a tradeoff between usability and privacy. Consumers deserve both.”
“We always wanted to make consent very simple. This specification would help us simplify it even more.”
“This browser spec can be a game changer for Taste, and other assistants.”
“Super Agent has been applying user consent preferences at scale for years, through scraping, reverse-engineering, and constant maintenance as CMPs shift under our feet. navigator.consent is the substrate that makes this sustainable: a structured contract between assistants and platforms that eliminates fragility without centralizing control.”
“It's absolutely the right path.”
“A very promising initiative.
A standardized browser consent API could give users a much more effective way to manage their preferences, while dramatically reducing the endless stream of consent pop-ups across the web. A clear step toward a more user-centric and less frustrating privacy experience.”
“This initiative would help Privacy Badger empower users to more easily express their consent preferences.”
Consent Platforms
Consent Assistants
Companies
Why now?
150M+ users on GPC
Global Privacy Control has demonstrated that browser-level privacy signals work at scale. The infrastructure and user appetite exist. What’s missing is structured consent interoperability.
Academic research
Researchers at Aarhus University, Ruhr University Bochum, and others have documented the brittleness of current CMP scraping, validating the need for a stable API contract.
Frequently asked questions
What is navigator.consent?
A proposed browser API that acts as a neutral coordination layer between Consent Management Platforms (CMPs) and Consent Assistant browser extensions. It gives both sides a shared, structured interface instead of forcing extensions to reverse-engineer each CMP’s DOM.
How is this different from Global Privacy Control?
GPC proved that browser-level privacy signals work at scale. It sends a binary opt-out preference to every site the user visits. navigator.consent adds a structured layer for per-vendor, per-purpose consent on top. User research consistently shows that people make contextual decisions, not uniform opt-out or opt-in. The two are complementary: GPC as the baseline, navigator.consent for granularity.
How does IAB’s Transparency and Consent Framework fit with this?
TCF already works with purposes, vendors, legal basis, and regulations, even more so with GPP. Its technical components (the __tcfapi stub and the TC String) are designed for interoperability with the advertising ecosystem, not with the browser. Decoding a TC String and calling the navigator.consent registration methods is straightforward. The API does not replace TCF: it gives TCF a browser-legible interface. It also covers what TCF does not: imperative commands to set preferences. The TCF’s getTCData is read-only; navigator.consent supports both reading and writing.
Who controls my consent data?
The CMP retains full control over consent storage, compliance logic, and downstream signaling. The API is a read/write transport layer. It coordinates, it does not override.
Does this require browser vendors to ship anything?
Yes. If the specification is adopted, browser vendors would implement the API natively. A JavaScript polyfill exists for demonstration and prototyping, but the goal is a browser-level primitive, not a userland shim.
Does this work on mobile?
The API itself is browser-level, so it would work in any mobile browser that implements it. Two obstacles remain: consent assistants today are browser extensions, and mobile platforms restrict or prohibit extensions entirely. Then there are webviews, the sandboxed browsers embedded in apps, which would need access to extension context for consent assistants to operate inside them.
Doesn’t this add complexity when the goal is simplification?
The integration burden falls on three browser vendors (Google, Apple, Microsoft) who already manage complex web platform APIs. For everyone else, it simplifies. Users continue browsing as today but can optionally adopt a consent assistant to reduce their exposure to consent interfaces. Businesses keep using their CMP; some visitors will arrive with an assistant that delivers valid consent proofs automatically. For legislators, the narrative is concrete: install a consent assistant, and cookie banners disappear. This also aligns naturally with the EU digital identity wallet concept: a personal agent that carries your preferences across services.
What’s the impact on performance?
A consent assistant always responds faster than a human. It does not respond on every page, only when a user would have been prompted. Because consent storage and duration remain the CMP’s responsibility, the assistant only steps up when a human would have had to make a decision. The net effect is fewer UI round-trips, not more.
What cybersecurity safeguards exist for consent assistants?
Data protection authorities are responsible for ensuring that consent assistants comply with GDPR and ePrivacy, just as they oversee CMPs today. For cyber risks (data impersonation, user-space corruption), browser extension stores already enforce security reviews, code signing, and permission declarations. These controls are in force today. A specific provision in Article 88b could require tighter vetting for extensions that handle consent data, going beyond general extension store policies.
Won’t browser platforms push their own consent assistant?
This is a real sovereignty and competition concern. However, it is still a lesser concentration of power than letting browsers handle consent directly, which is the current Omnibus trajectory. With an open API, independent European companies can compete on quality and trust. Mandating a choice screen for consent assistants (as was done for search engines under the DMA) would ensure users are exposed to alternatives. We advocate for free competition and believe that purpose-built, independent assistants can offer a better service than a built-in browser default.
What happens if no consent assistant is installed?
Nothing changes. The CMP works exactly as it does today: it shows its banner, collects choices, and stores consent. The API is purely additive. It gives CMPs a structured channel to publish metadata and receive preferences, but if no assistant is listening, the CMP remains in full control. No user experience degrades.
Can a consent assistant override my choices without my knowledge?
The API enforces provenance: preferences set directly by the user always take precedence over those set by an assistant. Every mutation is logged with its source and timestamp, and savvy users can inspect the full audit trail. That said, trust cuts both ways. Already today, nothing prevents a CMP from saying one thing and doing another. And even when the CMP is honest, what happens downstream is a different story: tag managers, CMS plugins, and client-side code can all fire trackers regardless of what the consent layer decided. The API does not solve that, but it makes the consent layer itself transparent and auditable, which is more than the status quo offers.
Is this a W3C standard?
Not yet. It is an open RFC-style proposal. The specification is publicly available and we welcome feedback from implementers, researchers, and policymakers.
How can I try it?
The interactive demo runs the polyfill in your browser and walks through the CMP registration, metadata read, and consent update flow.