On March 31, 2026, the French Defender of Rights and more than 60 independent European institutions published a joint alert. Their target: the “Digital Omnibus,” the massive reform that the European Commission wants to push through at breakneck speed. Their message is clear: be careful not to sacrifice fundamental rights on the altar of simplification. Two days earlier, trilogues were set to open at the European Parliament, with a plenary session vote scheduled for June 2026. What exactly is at stake? And why does it concern every digital player in Europe?

A text that changes everything about cookies

The Digital Omnibus, presented by the Commission on November 19, 2025, is a legislative package that merges and rewrites several founding texts of European digital law. The point that concerns us here: it absorbs the cookie rules from the ePrivacy Directive directly into the GDPR, through a new Article 88a.

In concrete terms, three major changes for consent banners:

One-click refusal becomes mandatory. If you offer an “Accept” button, the “Refuse” button must be equally easy to access > already mandatory in France.

After a refusal, it is forbidden to ask for consent again for the same purpose for at least 6 months > this was a recommendation, it would become an obligation.

And above all, Article 88b provides for the gradual implementation of automated preference signals, directly from the browser or operating system. The idea: you make your choice once in your browser, not site by site.

On paper, this is progress. “Consent fatigue” is a real problem: internet users click “Accept” out of weariness, not out of informed choice.

What the EDPB says (and why it matters)

On February 10, 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) published a joint opinion on the Digital Omnibus. Their position can be summed up in one sentence: yes to simplification, no to weakening.

Their main concern is not about cookies. It is about the very definition of personal data. The Digital Omnibus proposes adding a paragraph to the GDPR that says, in essence: a piece of information is not necessarily personal data for every entity. If a company cannot identify the person behind a piece of data, that data is not “personal” for them, even if another entity could make the identification.

The EDPB is directly opposed. According to them, this change “would significantly reduce the scope of protected data” and would create loopholes that some actors could exploit to circumvent the GDPR.

Their recommendation: the definition of personal data “should say what personal data is, rather than what it is not.”

In plain terms: you do not simplify a fundamental law by narrowing its scope.

The March 31 alert: 60 institutions sound the alarm

What makes this topic so urgent is the unprecedented mobilization of March 31, 2026. The Defender of Rights, alongside the Equinet networks (equality bodies) and ENNHRI (National Human Rights Institutions), published a joint declaration. More than 60 institutions from more than 40 European countries.

Their alert goes beyond the scope of cookies and data. It touches on non-discrimination and fundamental rights across the entire European digital framework.

The Digital Omnibus, in seeking to lighten the burden on businesses, risks diluting protections that exist precisely because they are necessary.

This is a strong political signal. When so many independent institutions stand up against a legislative text that is still being negotiated, it means there is a real risk.

What it changes for publishers and advertisers

Let’s talk specifics. If the Digital Omnibus is adopted as is (estimated adoption in 2027, gradual implementation 2030-2031), here is what awaits digital professionals:

2030: Article 88a comes into force. Cookie banners must include one-click refusal and comply with the 6-month rule. For publishers already playing by the rules, no revolution. For the rest, consent flows will need to be reworked.

2031: Article 88b takes effect. Browser signals begin to replace banners. This is where things get complicated: if browsers send a “refuse by default” signal, consent rates could drop drastically. We are talking about scenarios at 30% consent, or even less.

A change that makes sense: purely statistical cookies (aggregated, anonymized audience measurement) could be exempted from consent. This is a welcome simplification for sites that do not go beyond statistical analysis.

The browser signal mirage

Let’s come back to Article 88b, because this is where the text goes from good idea to industrial headache.

The basic idea is appealing: instead of clicking on a different banner on every site, the user configures their preferences once in their browser, which then sends an automatic signal to the sites visited. No more consent fatigue, no more dark patterns. On paper, everyone wins.

Except that no technical standard exists for this signal. And that is a detail that changes everything.

Today, for consent to work between a site, a CMP, an ad server, and dozens of advertising partners, everyone speaks the same language: the TCF (Transparency & Consent Framework), maintained by the IAB. It is imperfect, but it is a common protocol, adopted by the entire ecosystem.

The browser signal outlined in Article 88b has none of that. There is no protocol. No technical specification. No data format. And the Commission does not propose a solution. It says, in essence: figure it out yourselves.

Article 88b gives industry players 2 years to agree on a standard, then 4 years for browsers to implement it. In total, we are looking at a 2030-2031 horizon for the system to be operational.

Except that agreeing on a global consent standard among actors with radically opposing interests (publishers, advertisers, Big Tech, CMPs, regulators) is asking competitors to build the rules of the game together. We are very far from that.

To understand the scale of the problem, let’s take a concrete example. When a user refuses tracking via their browser, what exactly does that cover? Advertising cookies? Analytics? Personalization? Retargeting? One site might call the same purpose “site performance,” another “user behavior measurement,” a third “fraud measurement.” Without a common taxonomy, without a shared data format, the browser signal cannot faithfully translate a user’s preferences from one site to another. The transmitted consent would not even be legally valid, since the GDPR requires specific, informed, and granular consent.

As Thomas Adhumeau, Chief Privacy Officer at Didomi, sums it up: “the lack of standardization makes this system very difficult to implement. A universal browser signal would require a ‘globalized CMP protocol,’ which is utopian in such a fragmented market.”

And this is not starting from scratch. A decentralized framework already exists: the TCF (Transparency & Consent Framework), developed under the auspices of IAB Europe, offers granular consent management that respects GDPR principles and is adapted to the complexity of multi-actor ecosystems. As Alliance Digitale points out (representing 300 actors in the advertising value chain in France), the Commission is quite simply proposing to bypass what works in the name of a simplification that is simplification in name only. We would be breaking a system collectively built by the industry to replace it with a binary, centralized mechanism that no one yet knows how it will work.

Because that is also the problem: the binary nature. Saying “yes” or “no” to personalized advertising at the browser level does not solve consent fatigue. It displaces the problem. Informed consent requires understanding what you are consenting to, with whom, and for what purposes. A binary toggle in the browser settings does not allow for any of that.

And even if this signal existed tomorrow, a fundamental problem remains: the browser can emit a refusal, but it is technically incapable of verifying whether the site actually respects that choice or continues to process data in the background. Today, it is the CMP, on the site side, that plays this role of consent control and traceability. Tomorrow, who will do it? The browser? The very one that belongs to Google or Apple?

The Google paradox: when simplification benefits the giants

This is perhaps the most hard-hitting criticism of the Digital Omnibus. Entrusting consent management to browsers means handing the keys of regulation to a handful of dominant players.

Chrome (Google) represents approximately 65% of the browser market in Europe. Safari (Apple) holds approximately 20%. Together, they cover 85% of European users.

Centralizing consent in the browser very concretely means placing the control of the privacy relationship between the user and the website in the hands of Google and Apple.

The scenario most feared by publishers is one we have already lived through on mobile. When Apple launched App Tracking Transparency (ATT) on iOS in 2021, the result was decisive: more than 75% of users refused tracking. And for good reason, iPhone owners now find themselves having to validate their choice twice: once on ATT and then on the CMP. Simplification?

And that is not the only problem: ATT has already been the subject of sanctions, in France and Italy, for anti-competitive practices. Alliance Digitale has been denouncing this mechanism since its implementation.

If Chrome or Safari implements a similar mechanism at browser installation (one choice, one time, “yes” or “no” to tracking), we can expect comparable refusal rates on the web.

And this is where the mechanics become dangerous. With control of the consent layer at the browser level, the entire advertising market can shift through a single unilateral decision by Google or Apple. Without recourse, without negotiation, without counterbalance.

Independent publishers, intermediaries, mid-sized players: all find themselves structurally dependent on a decision in which they have no part.

For the open web, this is an earthquake. For the walled gardens (Google, Meta, Amazon), it is a massive competitive advantage. Why? Because they do not depend on cookie consent for their targeting. They have the first-party data of billions of users logged into Gmail, YouTube, Instagram, Amazon.

When a user refuses cookies in their browser, they cut the ground from under the site they are visiting, not from Google, which is already targeting them through their account.

And this is where the paradox becomes glaring. In September 2025, the European Commission fined Google 2.95 billion euros for abuse of dominant position in online advertising. The investigation, initiated in 2021 following a complaint from the European Publishers’ Council, concluded that Google had systematically favored its own advertising services (AdX, Google Ads, DV360) to the detriment of publishers and competitors. The Commission even mentioned “structural remedies” such as the divestiture of activities to resolve the conflict of interest.

In the United States, a judge also ruled that Google held a monopoly on online search.

The same Commission that sanctions Google for its adtech monopoly, the same Europe that created the DMA to limit the power of gatekeepers, is therefore, through the Digital Omnibus, handing an additional lever of control over the advertising ecosystem to those very same gatekeepers. It is incoherent.

Google has understood this well and is already positioning itself. Its Privacy Sandbox (Topics API, Protected Audiences, Aggregated Reporting) transforms Chrome into an integrated advertising intermediary, capable of managing targeting, measurement, and attribution directly in the browser, without third-party cookies.

Article 88b only accelerates this dynamic: if consent is managed in the browser, whoever controls the browser controls consent.

For publishers, the risk is very concrete. Today, the consent relationship takes place between the site and the user, via the CMP. The publisher controls their banner, their consent rate, their monetization. They can choose their design, their messaging, their consent strategy.

Tomorrow, this relationship could be bypassed by a browser setting over which the publisher has no control.

We are moving from a decentralized system to a centralized system in the hands of two or three technological gatekeepers. This is exactly the opposite of what the DMA was supposed to accomplish.

Simplify or complicate? The real bottom line for businesses

This is where we get to the heart of the problem. The stated objective of the Digital Omnibus is simplification: reducing the regulatory burden, harmonizing rules, making compliance easier. The Commission even announces more than 800 million euros in annual savings for European businesses.

But when you look at the details, the picture is more nuanced.

By transferring cookie rules from ePrivacy to the GDPR and introducing new exemption categories, the text does not eliminate complexity. It shifts it, and creates new layers of it.

In practice, organizations will have to answer questions that did not exist before: does this processing still require consent, or does it fall under one of the new “low risk” exemptions? How to precisely classify each vendor and each purpose, knowing that exemptions vary depending on the purpose, the technology, and the data category? How to document these choices to prove compliance? How to manage consent capping across banners, analytics, and user journeys? And how to reconcile all of this with a potential browser signal whose format and operation are still unknown?

As Romain Gauthier, CEO of Didomi, sums it up: “As it stands, the Digital Omnibus will likely increase the complexity of digital activities for the most advanced European companies.”

Some small sites could indeed gain simplicity through the exemptions. But for the majority of organizations involved in advertising, personalization, cross-domain tracking, or AI, the new framework introduces additional levels of subtlety, conditions, thresholds, and exemptions that will require increased legal and technical expertise.

The “simplification” risks turning into added complexity for those who needed it the least.

Peter Craddock, a partner specializing in digital law at Keller and Heckman, is even more direct: according to him, “the proposal only makes things more complex and calls into question even approaches considered valid today in certain jurisdictions.”

We are replacing one problem (consent fatigue) with another (dependence on Big Tech for consent management), without a ready technical standard, without any guarantee of effective control, and with an implementation timeline stretching to 2030.

All while delegating the construction of the standard to an industry whose players are in head-to-head competition with one another.

On the definition of personal data, the Digital Omnibus opens a breach. And in a world where data flows between dozens of actors (advertisers, SSPs, DSPs, DMPs, CDPs…), reducing what is considered “personal data” may create blind spots in user protection.

And from a competitive standpoint, we end up with a paradox: a text that claims to protect European citizens could end up strengthening the dominance of the very actors that Europe spends its time sanctioning.

---

Thomas Gicquel – CEO of Gimii / Cookies for Good