Ad Tech Briefing: Digital Omnibus is about to land — here’s what it means for GDPR, and the future of ad targeting

For marketers, ad tech intermediaries, and publishers, this could mark the most meaningful shift in European privacy governance since GDPR took effect in 2018.

What the Digital Omnibus is expected to include

Based on leaked documents and recent consultations, the European Commission is preparing a package that would amend multiple frameworks at once — including GDPR, the AI Act, ePrivacy, the Digital Services Act, NIS2, and the Digital Operational Resilience Act. Among the most notable expected changes:

• Narrowing the definition of “personal data.” Pseudonymous identifiers may fall outside GDPR unless they directly identify an individual.
• Limiting data-subject rights. Access and deletion requests could be denied unless made “for data-protection purposes.”
• Reducing protections for sensitive data. Strong safeguards would only apply when data explicitly reveals a characteristic — not when such traits are merely inferred.
• Creating a “legitimate interest” basis for AI training. Companies could train models on personal data, including pseudonymized data, without opt-in consent.
• Merging elements of ePrivacy into GDPR. Certain forms of device access for security checks or audience measurement may proceed without consent.
• Raising the threshold for “systemic risk” AI models, easing compliance for large general-purpose systems.
• Streamlining cybersecurity reporting so companies aren’t filing identical incident logs under NIS2, the Cyber Resilience Act, and DORA.

This is why many privacy lawyers say the Omnibus is not just a tune-up — it is a broad re-opening of Europe’s privacy framework.

How it differs from GDPR — and whether it “undoes” it

To many advocates and watchdog groups, the most contentious shift is philosophical: the GDPR applied its protections expansively. If data could, in theory, be linked to an individual — even via complex re-identification — it was treated as personal data.

The Omnibus appears to move in the opposite direction. Narrower definitions mean more data would fall outside GDPR entirely; broader legitimate-interest bases mean more processing could occur without explicit consent.

Civil liberties organizations argue this is a rollback. The International Association of Privacy Professionals, in its early analysis warned that the draft could significantly weaken protections around sensitive data and give AI models unprecedented leeway to use personal information.

But pro-business privacy professionals see the Omnibus as overdue. Mike Brook, a longtime ad-tech executive who recently consulted with several multinational privacy leaders, told Digiday that operational privacy teams see the Omnibus as “the first genuine attempt at air-traffic control” after years of overlapping, contradictory rules.

Jamie Barnard, CEO of Compliant, explained that many felt that GDPR “introduced a level of red tape that ticks a box from a regulatory point of view, but doesn’t actually make a meaningful impact to people’s day-to-day privacy.”

However, as many in the industry are aware, any relaxation comes with risk, with unscrupulous players inevitably trying to exploit the gaps. Changes in the treatment of special-category data — such as race, religion, or sexual orientation — for AI training have some privacy professionals concerned. Brook said this “lit up every conversation” among privacy professionals; many regard it as the most politically explosive part of the Omnibus draft.

Who benefits — and who loses?

Big Tech

Brook’s view is that the Omnibus is “unambiguously positive” for the large U.S. platforms and AI developers. Relaxed data-use rules scale in direct proportion to the volume of data a company holds. Barnard agreed: “The more data you have, the more you stand to gain from softer regulation.”

SMEs

Smaller European companies — historically terrified of GDPR non-compliance — could see meaningful relief: fewer DPIAs, simpler banners, and a more workable interpretation of pseudonymization. Some may revisit decisions to avoid EU operations altogether.

Ad tech intermediaries

Brook said the Omnibus could be a competitive reset for intermediaries, such as demand-side and supply-side platforms, that “over-complied” in 2018 — or exited Europe — should “re-evaluate every assumption.” Relaxed pseudonymization rules could let fast adopters scale more quickly than cautious rivals.

Publishers

Before considering cookies, targeting, or consent banners, publishers face a deeper structural risk: losing autonomy to browser- and OS-level privacy defaults.

How it reshapes programmatic and data flows

Industry sources familiar with the Omnibus expect the combined effect of narrowed definitions, streamlined consent, and expanded legitimate interest to:

• Increase addressable inventory
• Enable smoother cross-site and cross-app measurement
• Revive audience modelling techniques curtailed post-GDPR
• Reduce the operational friction that crippled some intermediaries
• Accelerate AI-driven optimization and targeting

In effect, the Omnibus could shift Europe away from consent as the primary gateway for digital advertising data flows, restoring more of the pre-2018 fluidity — albeit under a more structured legal framework.

What the Digital Omnibus means for publishers

For publishers, the Digital Omnibus presents a paradox: it promises relief from years of friction and consent-banner fatigue, but it also risks deepening their long-running dependence on a handful of dominant platforms.

On paper, the Omnibus looks like a win. It would soften the strict consent requirements that European publishers have lived under since 2018, potentially reducing the bounce rates caused by cookie walls and opening the door to more “privacy-by-design” ad models. But there’s a catch: the Omnibus also contemplates browser- and OS-level universal privacy settings that every publisher, advertiser, and intermediary must honor. That could consolidate gatekeeper power in the hands of a few major platforms in a way that echoes — or even surpasses — Apple’s App Tracking Transparency (ATT).

“This would be even more challenging for the open web, and worse than [Apple’s] ATT, which still allows for first-party targeting,” said Bert Verschelde, director of privacy for Belgian media group DPG Media. He said the proposal sounds “eerily familiar,” evoking the long-running debate around Google’s Privacy Sandbox, where shifting control into the browser risks turning a technical layer into a de facto regulator of the open web.

Still, there are meaningful upsides for publishers — especially those operating in markets where consent friction has been devastating. “We have had to accept it as the fact of life that we lose between 15 and 35 percent of our visitors to the cookie wall,” Verschelde noted.

For many European publishers, GDPR compliance has become a regulatory plate-spinning act: GDPR, ePrivacy, the AI Act, the Political Advertising Regulation and the upcoming Digital Fairness rules overlap and sometimes contradict one another. “It’s a cobweb of things criss-crossing — we need a clean up,” said Thomas Lue Lytzen, director of ad sales and tech for Danish tabloid Ekstra Bladet. He said it can take six months just to onboard a new SSP, thanks to the compliance burden.

One change publishers particularly welcome is expanded legitimate interest as a legal basis for some tracking-related activities. Verschelde pointed to DPG Media’s tech site Tweakers, which built a cookie-free contextual ad product but failed to attract demand because advertisers couldn’t measure or integrate it into buying workflows. “That was purely driven by the fact the consent requirement is so strict for any form of tracking,” he said. “So the fact that this GDPR draft opens the door towards other legal grounds, such as legitimate interest, I think that will be welcomed by publishers.”

Still, publishers remain cautious: if browser-level privacy settings become mandatory and dominant platforms control those defaults, the Omnibus could ultimately strengthen — not weaken — the very gatekeepers publishers have spent years trying to escape.

Does this accelerate the “death of the cookie”?

Not directly. Brook’s take is that the Omnibus “doesn’t kill the cookie — it draws more attention to the underlying problem.” Browser decisions, not Brussels, remain the primary force behind cookie deprecation. But the Omnibus could elevate pseudonymous identifiers and probabilistic signals by making certain forms of tracking viable without consent.

Cookies won’t die here — but their centrality could diminish further.

For Tim Cowen, co-founder of trade outfit Movement for an Open Web, said consolidating the application of rules more coherently is necessary. He added, “At the moment, it’s simply not clear to businesses what is right and what isn’t, which increases the risks of non-compliance by some businesses that are “too rich to comply and too big to care.”

He added, “Clarity would make it easier for businesses to comply with the law whilst also facilitating more effective policing.”

Practical implications for marketers:

• Enforcement will likely arrive faster than GDPR’s two-year runway.
• Expect fewer DPIAs, simplified banners, and more workable data flows.
• AI-based optimization will become easier as legitimate-interest processing expands.
• Understanding pseudonymization will become a core capability in marketing operations.

What we’ve heard

“I think asking publishers for a single request per impression in exchange for five bids per impression is a ridiculous ask. I keep hearing it, and I don’t understand it. Many DSPs already ignore floors, so I don’t get the utility.”

– An anonymous source reacts to some of the “grand bargain” recently put on the table to try and end the recent transaction-ID, or TID, controversy. 

Numbers to know

• 32%: the level of mobile IVT in Q3, per Pixalate. 
• 33%: the amount of global programmatic ad spend on mobile apps wasted on ‘invisible’ impressions, per the company 
• 3,200: the number of job cuts at Interpublic Group revealed last week ahead of its merger with Omnicom.
• 12: The number of top-50 U.S. news websites to have experienced year-over-year traffic growth, according to Press Gazette. 

What we’ve covered

For the agentic-curious: WTF is the Agentic RTB Framework?

The IAB Tech Lab’s new Agentic RTB Framework rebuilds programmatic auctions to run inside shared container environments instead of across multiple cloud systems. This removes latency and lets advertisers, publishers, and data partners deploy autonomous “agents” directly in the auction. The setup cuts transaction time to a fraction of a second, reduces cloud costs, enables real-time fraud and data enrichment, and allows secure collaboration without exposing sensitive data.

Amid search wars, Google touts YouTube, display inventory to advertisers

For the past six months, the tech behemoth has increasingly recommended spending on non-search, upper funnel channels like YouTube, display, and discovery ads, according to seven agency execs Digiday spoke with for this story. For the past six months, the tech behemoth has increasingly recommended spending on non-search, upper funnel channels like YouTube, display, and discovery ads, according to seven agency execs Digiday spoke with for this story.

What we’re reading

A former WPP exec is suing the ad agency giant, claiming he was fired after flagging an alleged kickback operation

A fired executive at WPP is suing the advertising agency giant, accusing the company of retaliating against him and firing him after he raised concerns that the group’s media investment division was allegedly running an improper kickback operation.

Google rolls out chatbot agents for marketers

Google on Wednesday announced the full availability of its new agentic AI tools, called Ads Advisor and Analytics Advisor.

Microsoft to publishers: Miss standards, forfeit impressions

Microsoft’s free behavior analytics tool Clarity, which helps website owners understand how visitors interact with their website, will require all third-party publishers to ensure ad placements meet editorial and safety standards.

Life360 to acquire Nativo

Life360 and Nativo will combine family and location insights with premium publisher reach to help brands connect with families across more channels.