EU Digital Omnibus 2026: What the GDPR and ePrivacy Simplification Proposal Could Change for Ad Tracking and Cookie Consent

What the Digital Omnibus Is

The EU Digital Omnibus is a proposed package from the European Commission intended to simplify and streamline parts of the EU's digital rulebook — including the General Data Protection Regulation (GDPR), the ePrivacy rules that govern cookies and tracking, and related instruments. The stated goals are reducing administrative burden, addressing consent fatigue, and improving competitiveness.

The single most important framing point for advertisers is this: the Digital Omnibus is a proposal, not law. It is moving through the EU legislative process, where the Commission proposes, and the Parliament and Council negotiate and amend before anything is adopted. The text can change materially, and the timeline to any final outcome is not fixed. Treat what follows as the direction of travel and the open questions, not as rules to implement.

Why it still matters now: the proposals touch the mechanics that advertising depends on — cookie consent, the lawful basis for tracking, and even the boundary of what counts as personal data. Even at the proposal stage, the debate signals where the consent-and-tracking environment may move, and the institutions weighing in are the ones whose opinions shape the final shape.

The Digital Omnibus is best understood as a simplification package rather than a single rule change: it bundles amendments touching several instruments at once, which is why it draws attention from data-protection, ePrivacy, and broader digital-policy communities simultaneously. That bundling is also why advertisers should resist reading any one headline in isolation — a change to cookie-consent mechanics and a change to the definition of personal data are very different in consequence, and they will not necessarily advance or survive negotiation at the same pace. The package framing means some elements could be adopted while others are dropped or deferred.

"The Digital Omnibus is a signal, not a settlement. Advertisers should map their consent and tracking dependencies to it now — but build nothing irreversible until the text is adopted.
— AuditSocials analysis of the Digital Omnibus debate"

This guide covers what is proposed, why the EU's own data-protection authorities pushed back, what it could mean for ad tracking, and what to do while the outcome is uncertain. Track the legislative progress on the Policy Change Tracker and align the broader EU picture through the European Union compliance reference.

What Is Actually Proposed

The proposals span several areas. Three are most relevant to advertising and ad-tech.

Consent fatigue and cookie banners. A central objective is to reduce the proliferation of cookie banners and the repetitive consent prompts that users face. The aim is a more workable consent experience — potentially shifting some consent signaling to the browser or device level rather than repeating it on every site.

Beyond pay-or-consent. The debate around "pay or consent" (sometimes "pay or okay") models — where users either accept tracking or pay for access — has been contentious. The proposal direction includes offering users a genuine third option, such as access with advertising but without tracking, rather than a binary choice. This aligns with regulator guidance that has emphasized meaningful choice.

The definition of personal data. The most consequential and most contested element is a proposed change to core concepts, including how personal data is defined. Narrowing that definition would change what data falls inside GDPR at all — which has direct implications for what advertising data is regulated as personal data versus treated as outside the regime.

Because these are proposals, the specifics — thresholds, mechanisms, and scope — are exactly what negotiation will alter. The responsible reading is to understand the levers being debated, not to assume any particular version will become law.

Read the table as a map of uncertainty, not a forecast. Each lever could land anywhere from close-to-proposed to substantially amended, and the personal-data row in particular faces direct opposition from the EU's own data-protection authorities. The advertiser value is in knowing which dependencies map to which lever, so that whichever way negotiation resolves, the exposure is already understood.

Why the EDPB and EDPS Pushed Back

In a joint opinion issued in February 2026, the European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) supported the broad objective of simplification and reducing consent fatigue, but raised significant concerns about specific changes.

Their strongest caution was directed at the proposed changes to the definition of personal data. The EDPB and EDPS urged co-legislators not to adopt those changes, warning that they go beyond a targeted technical amendment and would significantly narrow the concept of personal data — which they argued could reduce the protection individuals enjoy, create legal uncertainty, and make data-protection law harder to apply consistently.

This matters to advertisers because the supervisory authorities are influential voices in the negotiation, and their pushback signals that the most advertising-relevant simplifications are also the most likely to be contested or revised. The reinforcement continued in June 2026, when the EDPS, Germany's Federal Commissioner (BfDI), and the Bavarian Data Protection Commissioner (BayLfD) organized a high-level debate on the Omnibus proposals on June 8, 2026 — a sign that the data-protection community intends to shape the outcome rather than accept the proposal as drafted.

For advertisers, the practical meaning of this institutional pushback is that the elements most likely to ease day-to-day operations — a lighter consent experience, a narrower personal-data concept — are precisely the elements facing the strongest resistance, while the elements that add structure for users — meaningful choice beyond pay-or-consent — face less opposition. That asymmetry is a useful planning heuristic: do not bank on the simplifications that would most reduce your compliance load, because those are the ones most exposed to amendment, and do prepare for a world where contextual, non-tracking advertising becomes a more first-class citizen.

What It Could Mean for Ad Tracking

If elements of the Digital Omnibus are adopted in something like the proposed direction, the effects on advertising could be meaningful — but each is conditional on a text that does not yet exist in final form.

A streamlined, browser-level consent model could reduce banner fatigue and change how consent signals reach ad-tech — potentially making consent more durable but also more centralized, which would shift how advertisers obtain and rely on it. A formalized third option beyond pay-or-consent could expand contextual and non-tracking advertising as a compliant default for users who decline tracking, rewarding advertisers who can perform without granular behavioral data. And any change to the definition of personal data would ripple through the entire targeting and measurement stack, because it would redraw the line between regulated personal data and data outside the regime.

The honest summary is that the range of outcomes is wide. A version close to the proposal would ease some operational burdens while expanding non-tracking advertising; a heavily amended version shaped by EDPB and EDPS concerns might preserve the current personal-data boundary and change less than the headline suggests. Advertisers should prepare for a spectrum, not a single scenario. Use the Legal Compliance Scan to understand current EU consent and tracking obligations, which remain fully in force regardless of the Omnibus.

What Advertisers Should Do Now

The correct posture toward a proposal is readiness without overcommitment. Comply with the rules as they stand today, and build optionality for where they may move.

• Keep complying with current GDPR and ePrivacy rules: the Digital Omnibus changes nothing yet; existing consent, cookie, and lawful-basis obligations remain fully in force.
• Map your consent and tracking dependencies: document where campaigns rely on behavioral tracking versus contextual or first-party signals, so you know your exposure to any consent or personal-data change.
• Invest in non-tracking capability: strengthen contextual targeting, first-party data, and measurement that does not depend on granular cross-site tracking — useful regardless of the outcome and aligned with a likely third-option direction.
• Do not rebuild around the proposal: avoid irreversible changes premised on a specific version of the text; the definition-of-personal-data element in particular is contested and may not survive negotiation.
• Track the legislative path: follow the Parliament and Council stages and the supervisory authorities' interventions, because those will determine the final shape.

Keep the proposal's progress and any adopted text tracked on the Policy Change Tracker, and revisit consent architecture only once the direction is settled.

There is a quiet upside in how the Digital Omnibus debate is unfolding. Whatever the final text, the direction of travel — meaningful user choice, less reliance on banner-fatigue consent, and pressure on tracking-heavy models — rewards the same investments that already make an advertising operation resilient: strong first-party data, contextual capability, and measurement that does not collapse when a consent signal is withdrawn. An advertiser who uses this period of uncertainty to reduce dependence on fragile cross-site tracking will be better off under essentially every plausible outcome, including the status quo. That is the rare situation where the prudent compliance move and the prudent commercial move point in the same direction.

The trap to avoid is paralysis in the other direction: assuming that because change is coming, current obligations can be relaxed. They cannot. Until the Omnibus is adopted and implemented, EU consent, cookie, and lawful-basis rules apply in full, and enforcement of the existing regime continues. The correct stance is therefore neither to rebuild prematurely around a draft nor to ease off current compliance, but to hold the present line while steadily shifting capability toward approaches that are robust whichever way the proposal lands.

Digital Omnibus Watch Checklist

• [ ] Current GDPR / ePrivacy consent and cookie compliance verified and maintained
• [ ] Campaign reliance on behavioral tracking vs contextual / first-party data mapped
• [ ] Non-tracking capability (contextual, first-party, privacy-safe measurement) strengthened
• [ ] No irreversible rebuilds premised on a specific Omnibus version
• [ ] Legislative stages (Parliament, Council) and EDPB/EDPS interventions monitored
• [ ] Pay-or-consent setups reviewed against current regulator guidance on meaningful choice

For the obligations that apply today — which the Omnibus does not change — see the European Union compliance reference and check current exposure with the Legal Compliance Scan.