“The only constant is change” – attributed to Ancient Greece philosopher, Heraclitus
Remember when the European Commission (EC) launched the General Data Protection Regulation (GDPR)? It started way back in January 2012, finally coming into force on 25 May 2018. That law dramatically changed data protection in the EU and set a global standard. Now, everything is set to change again. On 19 November 2025, the EC dropped its Digital Omnibus and Digital Omnibus AI Regulation Proposal, a package of reforms representing the biggest data protection policy shakeup since that 2018 date. The EC claims it will streamline rules, slash burdens, and ignite innovation. Privacy advocates, however, are calling it the “biggest rollback of digital fundamental rights in EU history” and a “gift to ‘Big Tech’”. Some commentators don’t agree. So who’s right? And what does this all mean for the advertising industry?
I’ve reviewed the analysis on the EC’s proposals, and even the lawyers are split on what it all means. But let me be clear: these proposals are a boon for AI, but a challenge for advertising as we currently know it. The legislative process has just begun: a final law isn’t expected until 2029 (some say it will be sooner – I’m sceptical). Yes, that’s a long road, and I appreciate that technology is presenting new challenges as well as new opportunities. While the proposals directly endanger traditional ad business models, they offer a significant advantage to companies that embrace a ‘Privacy-by-Design’ approach. Despite the distractions, organisations operating within the EU (and beyond) should pay attention and actively influence this process. Significant regulatory and compliance changes are imminent, regardless of the strategy adopted.
The Headlines
Here are the EC’s proposals top-line highlights:
- A Consolidated Data Law: Some existing data protection and privacy rules, including the ePrivacy Directive (aka the ‘cookie rules’), will be incorporated into a single piece of legislation: the GDPR.
- GDPR Updates: The GDPR itself will be updated to make it more workable, such as streamlining an individual’s ‘data requests’, particularly if they are abusive or vexatious, and harmonising Data Protection Impact Assessments (DPIAs) via EU-wide guidance.
- Cookie Rules Revision: The revision aims to combat ‘cookie fatigue’ and reduce the proliferation of consent banners by making the process more efficient. This streamlining includes: (a) introducing low-risk exemptions to consent, such as for security requirements and basic and aggregated web analytics; and (b) mandating universal consent signals via a ‘single click’ approach using machine-readable privacy signals embedded in user browsers, operating systems, or other mechanisms.
- AI Act Adjustments: Changes are being made to smooth the implementation of the EU AI Act. The proposals provide a clear legal basis (‘legitimate interest’) for using personal data in AI development, removing some challenges related to AI training. The implementation of new rules under the AI Act for high-risk applications has been postponed from August 2026 to August 2027 to provide providers and users with more time to comply.
Digital Advertising: The Primacy of Consent
The proposed shift shows a tension between fostering and adapting to AI innovation and maintaining strict standards in digital advertising. Claims that the EU would be conceding its ‘regulatory sovereignty’ largely point to the softening of AI governance rules. These proposed changes appear to accommodate pressure from the US (although reportedly the proposals did not go down that well state-side) and Big Tech, reflecting a potential pivot towards a more balanced framework needed to fully embrace and realise the AI ‘technological revolution’.
In contrast, the framework for digital advertising using personal data continues to centre on consent. There may be a softening around the edges (e.g., the ongoing debate about the revised definition of personal data, particularly in how it applies to pseudonymised data where re-identification may be impossible), but consent remains the main legal basis for using personal data to deliver targeted advertising. And the compliance landscape is set to become more complex. While the integration of the ePrivacy Directive into the GDPR is intended to clarify data protection and privacy rules, the practical mechanism for obtaining consent is shifting. For example:
- The ‘Single Click’ Universal Signal: The EC is proposing a ‘single click’ universal consent signal. This is designed to reduce the pervasive consent banners by shifting the main consent mechanism away from the publisher-level Consent Management Platforms (CMPs) to browsers and operating systems.
- Default Settings and Re-requesting: To comply with EU standards, this universal signal would likely be required to be on by default. This change effectively revives the ‘Do Not Track’ debate. Furthermore, the EC proposes a challenging new rule: a six-month mandatory break before a user who has refused consent can be re-prompted.
There is a key publisher exemption here. The EC’s proposed new rule on automated and machine-readable indications of an individual’s choices contains an exemption for media service providers. This suggests that while other sites may eventually be required to honour automated signals, publishers might retain greater flexibility, allowing them to better manage their content (e.g., journalism) for data or paywall models, as well as the relationships with readers.
While detailed public commentary from advertising trade organisations may still be emerging, their reactions are likely to be very different. For example: brand advertisers will likely view the proposals as a potential opportunity to build meaningful ‘privacy first’ strategies. Any measure that simplifies the current consent landscape (‘consent theatre’) could potentially take us in this direction, ultimately improving engagement, data quality, and brand trust. Ad tech and publishers will likely view the proposals with caution, recognising a significant challenge. The shift of consent control away from their publisher-side systems to browsers and operating systems represents a loss of control over a critical business asset: user data access.
Opportunities for Industry Advocacy
Although the EC has avoided labelling the proposals as ‘deregulatory,’ the package undoubtedly provides a vital opportunity for industry to actively advocate for a more pragmatic and proportionate regulatory landscape. The Brussels legislative process is a labyrinth, but this is a crucial time for the industry to influence the legislative process to ensure the final rules are both compliant and sustainable for current and future ad models.
In summary, the EC’s Digital Omnibus proposals are highly significant for the advertising industry, arriving at a moment when the sector is already grappling with transformative shifts driven by Generative AI. This marks the beginning of a long and influential legislative process, and it is imperative that industry groups proactively monitor and seek to shape the outcome.
Nick Stringer is a prominent global technology, public policy, and regulatory affairs adviser, specialising in privacy and brand safety. He is helping organisations navigate the complex digital policy and regulatory landscape. Nick’s extensive experience includes serving as Director of Regulatory Affairs at the UK Internet Advertising Bureau (IAB UK) and as VP of International Affairs at the Trustworthy Accountability Group (TAG).
Follow him for all his ‘ByteWise Insights’ on LinkedIn, X, Medium, Threads, Substack or BlueSky.
