Our art. 88B GDPR "Compliance & Internal Audit" Package

26 Mar 2026

The era of asking the same question on every single website is ending. That, at least, is the trajectory of the EU Commission & EU Parliament "Omnibus" article 88b GDPR, which tells Legal teams: "Stop drafting policies & re-designing cookie banners, and start planning architecture reviews".

If your compliance roadmap for the banners-to-browser-signals shift is not drafted yet, ask for ID side's ready-to-use "Art 88b compliance package" (by PM or on the idside.eu website). It is simple: just contact us at contact@idside.eu or use the contact form on our website.

Are you Legal/DPO and do not know where to start?

We have your back to:
- translate the "Right to Object" into HTTP status codes and API logic,
- drive engineering teams toward this change,
- draft a clear plan for Legal to support the effort of Engineering teams, but also of Product teams and SLT.


A COUPLE OF REMINDERS FOR THOSE NEEDING TO RAMP UP

1/ What's in art 88b?
Consent will become an "architectural liability", and all internet/AI service providers must assess the infrastructure shifts needed. Also, a "Presumption of Compliance" (art 88b(4) GDPR) will only survive if your company's stack actually reads and respects these signals and implements a "Three-tier architecture"*.

2/ The "Three-tier architecture" we are talking about:
1. The User Layer: Our Browser becomes our Legal Agent
Users will set a global preference once in their browser/device (e.g. "Allow personalization only for news.", "Always reject personalised advertising", "Accept anonymized analytics"). No more "forced consent" through website banners.
2. The Transmission Layer: An EU/international Standard to set
Preferences must travel in a machine-readable format that Engineering can automate (e.g. HTTP Headers, JavaScript APIs, consent Strings). These are the most needed standardisation discussions, and they will start in Q3 2026.
3. The Enforcement Layer: Each Website or app de facto complies a priori
This is the real game-changer. If a signal arrives saying "reject ads," the server must enforce that without a pop-up. No banner. No "legitimate interest" override. Processing must stop before it starts.
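
A sketch of what the Enforcement Layer could look like on the server, added here as an illustration and not ID side's or any standard's code. The header name `Privacy-Preference`, its `purpose=choice` token format and the purpose vocabulary are hypothetical, since the Transmission Layer standard is not set yet; treating a purpose with no valid signal as not permitted is also an assumption.

```python
import json

SIGNAL_HEADER = "privacy-preference"  # hypothetical name: no standard is set yet
PURPOSES = ("ads", "analytics", "personalization")  # constructed vocabulary
CHOICES = ("allow", "reject")


def parse_signal(headers):
    """Return {purpose: choice}; malformed or unknown tokens are ignored."""
    raw = ""
    for name, value in headers.items():
        if name.lower() == SIGNAL_HEADER:  # header names are case-insensitive
            raw = value
    prefs = {}
    for token in raw.split(","):
        purpose, sep, choice = token.partition("=")
        purpose, choice = purpose.strip().lower(), choice.strip().lower()
        if not sep or purpose not in PURPOSES or choice not in CHOICES:
            continue
        # Conflicting duplicates resolve to the more restrictive choice.
        if prefs.get(purpose) != "reject":
            prefs[purpose] = choice
    return prefs


def decide(headers):
    """Per-purpose decision, taken before any processing starts.

    Assumption: a purpose with no valid signal is "unset" and does not run.
    """
    prefs = parse_signal(headers)
    return {p: prefs.get(p, "unset") for p in PURPOSES}


def handle_request(headers, audit_log):
    """Run only what the signal allows and keep a record for internal audit."""
    decision = decide(headers)
    ran = [p for p in PURPOSES if decision[p] == "allow"]
    audit_log.append(json.dumps({"decision": decision, "ran": ran}, sort_keys=True))
    return ran


# Constructed sample requests: a clean signal, a conflicting one, and none.
SAMPLE_REQUESTS = [
    {"Privacy-Preference": "ads=reject, analytics=allow"},
    {"Privacy-Preference": "ads=allow, ads=reject, tracking=yes"},
    {},
]

if __name__ == "__main__":
    log = []
    for request_headers in SAMPLE_REQUESTS:
        print(handle_request(request_headers, log))
    print("\n".join(log))
```

The audit log line is what lets a reviewer check, request by request, that the signal was read and that nothing ran against it.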