Alliance Digitale, the French digital marketing and data trade association representing 300 member organisations, today published a formal position paper laying out 17 recommendations on the European Commission's Digital Omnibus - the package of regulatory simplification measures the Commission unveiled on November 19, 2025, that would amend the General Data Protection Regulation, the ePrivacy Directive, and the EU AI Act simultaneously.

The paper, published on May 21, 2026, on the Alliance Digitale website and available in English, is addressed to the co-legislators now debating the proposals. It covers three broad zones: provisions the association welcomes, proposals it rejects outright, and areas where it calls for specific technical corrections. The document makes the stakes plain for the advertising industry: the Digital Omnibus, if enacted as written, could reshape how consent is collected, how AI systems are trained, and which actors control the technical infrastructure through which those signals flow.

What Alliance Digitale supports in the Digital Omnibus

Alliance Digitale is a French representative of three international networks - IAB, FEDMA, and GDMA - and its membership spans media and consulting agencies, publishers, sales houses, data providers, and ad-tech and mar-tech solution providers. The association says it welcomes three pillars of the Commission's current text.

Pseudonymisation and the SRB v. EDPS codification

The first area of support is Article 3(1) of the proposal, which amends Article 4 of the GDPR to codify the Court of Justice of the European Union ruling in EDPS v Single Resolution Board (case T-557/20). The ruling established that information is not personal data for an entity if that entity lacks the means that are reasonably likely to be used to re-identify the individual.

According to Alliance Digitale, this codification is "particularly important for complex advertising value chains where multiple actors process mainly pseudonymized data, for different purposes and with different technical and legal capabilities." The association argues it would allow controllers to separate processing that involves personal data from processing that involves data which cannot reasonably be linked to an individual - freeing compliance resources to concentrate where the actual risk is highest.

The SRB v. EDPS judgment came down on September 4, 2025, confirming the recipient-perspective principle that had already been flagged by the Advocate General months earlier. The EDPB published updated pseudonymisation guidelinesin January 2025, establishing technical specifications for organisations processing personal data within the European Economic Area, but those guidelines interpreted pseudonymised data as remaining personal data under Article 4(5) regardless of the recipient - a position the Commission's proposed codification would now qualify.

Alliance Digitale adds three concrete proposals to this section: extending the implementing act to cover anonymisation as well as pseudonymisation, explicitly recognising privacy-enhancing technologies as state-of-the-art safeguards within the Article 41a assessment, and clarifying that identifiability should be assessed from the entity's own perspective, weighing objective factors including cost, technological resources, and time required for re-identification.

Legitimate interest for AI systems

The association also supports Article 3(15) of the proposal, which creates a new Article 88c establishing an explicit legitimate interest basis for the development, testing, and deployment of AI systems. According to Alliance Digitale, this is "a highly positive and long-awaited development for the advertising industry, as it would bring certainty with regard to recourse to legitimate interest by AI systems developed or used by our members" for uses including personalised advertising, audience segmentation, content relevance, and performance measurement.

The EDPB Opinion 1/2024 on legitimate interest had previously outlined a three-step assessment - identifying genuine interests, analysing processing necessity, and balancing against fundamental rights - without conclusively resolving how that framework applied to AI model training at scale.

But the association disagrees with how the Commission has drafted the opt-out mechanism. The current text grants data subjects an unconditional right to object to AI model training. Alliance Digitale argues this contradicts Article 21(1) of the GDPR, which makes the right to object conditional on the controller being unable to demonstrate compelling legitimate grounds. An unconditional opt-out, the paper warns, would create a security loophole: "malicious actors (e.g. fraudsters) could opt-out of detection systems simply by objecting." The association also notes the balancing test in the current draft only accounts for the controller's interests, whereas both the GDPR and CJEU case law also allow third-party interests to be weighed.

Harmonising DPIA lists across Member States

The third welcomed measure is Article 3(9), which amends Article 35 of the GDPR to give the Commission the power to adopt common templates and lists of processing operations that require a Data Protection Impact Assessment. Currently, each of the 27 Member States can maintain its own DPIA list under different taxonomies. According to Alliance Digitale, this has "resulted in 27 divergent national lists based on different taxonomies, creating huge complexity and a significant lack of legal certainty for organizations involved in cross-border processing."

The EDPB adopted its first standardised DPIA template on March 10, 2026, opening a public consultation that runs until June 9, 2026 - an initiative that sits alongside but is legally separate from the Commission's Digital Omnibus proposals.

Alliance Digitale adds two cautionary recommendations here: the harmonised list should reflect existing national consensus rather than becoming a "super-list" that aggregates all current national requirements into a more onerous single instrument, and any new DPIA obligations should apply only to new processing operations, not retrospectively to services already compliant under existing national guidance.

Where Alliance Digitale draws the line

The centralized cookie management mechanism

The most forceful criticism in the paper concerns Article 88b, which would require the centralisation of consent management in browsers or other technical means. Alliance Digitale calls for this article to be deleted entirely.

The association identifies four categories of harm. First, economic: requiring website operators and advertising actors to interpret and comply with automated signals emitted at browser level would demand deep adaptations to existing tracking, consent, and monetisation infrastructure. The default-refusal dynamic that browser-level signals enable would, according to Alliance Digitale, structurally lower acceptance rates for advertising-related tracking - not because of the quality of an individual publisher's privacy notice or safeguards, but because of a system-level default. The paper is direct about where that investment pressure flows: toward "environments deemed more efficient such as walled gardens."

Second, the association argues the mechanism fails to solve the problem it claims to address. Consent fatigue - users confronted with repeated, identical cookie banners - would not diminish under Article 88b. Instead, according to Alliance Digitale, users may "express preferences at system level without understanding their downstream effects, such as receiving a downgraded version of the service or having to pay for previously free services." The paper calls this "consent confusion" rather than meaningful user control.

Third, competition. Centralising consent signalling at browser or operating system level concentrates the power to define and implement technical standards in a small number of dominant actors. Alliance Digitale argues this "effectively create[s] 'consent gatekeepers'" and conflicts with the pro-competition objectives of the Digital Markets Act.

The fourth concern is the marginalisation of the Transparency and Consent Framework. The TCF was built to reflect GDPR principles, enable granular user choice, and ensure accountability across complex multi-actor ecosystems. TCF enforcement more than doubled in 2025, with IAB Europe recording 587 vendor enforcement procedures - up 118% - across 953 registered vendors and 181 consent management platforms. Google mandated migration to TCF v2.3 by February 2026, a deadline that drove widespread industry adaptation. Article 88b, the association argues, sidelines this existing infrastructure without delivering a technically superior replacement.

The six-month ban on re-requesting consent

Article 88a(4) of the proposal introduces a mandatory six-month cooling-off period after a user refuses consent: operators cannot re-request consent for the same purpose for at least half a year.

Alliance Digitale calls for this provision to be deleted. The association notes several practical problems. The rule does not accommodate changes in processing purpose, new technology, improved transparency, or changes in partners - all of which could legitimately warrant a fresh request. It creates a structural asymmetry between the open web, where cookies remain dominant, and other digital environments such as large online platforms and connected TV that do not face equivalent restrictions. And it conflicts with the principle of data minimisation: reliably identifying the same person across different devices, browsers, and authenticated versus non-authenticated environments in order to enforce a six-month block on consent requests is "technically challenging, if not impossible," according to Alliance Digitale.

The split regime from partial ePrivacy integration

Article 88a partially integrates Article 5(3) of the ePrivacy Directive into the GDPR, creating different consent requirements for tracking technologies depending on whether the data qualifies as personal or non-personal. Combined with the SRB case law codification, the same tracking technology could be treated as non-personal data for some actors in the advertising value chain but as personal data for others - with different consent standards applying to each.

Europe's privacy watchdogs flagged exactly this concern in their February 2026 joint opinion, warning that "the proposed separation of the rules on access to and storage of information in terminal equipment over different legal instruments may lead to legal uncertainty." Alliance Digitale recommends full integration of Article 5(3) of the ePrivacy Directive into the GDPR to achieve a single, coherent framework.

In addition to criticisms, Alliance Digitale proposes expanding the list of activities exempt from consent requirements under Article 88a(3). The current text lists four exemptions, including audience measurement. The association argues that contextual advertising, frequency capping, fraud prevention, security, product maintenance, software updates, aggregated analytics, and personalisation based on first-party data should all be added to that list.

The rationale varies by category. On impression and click tracking for billing purposes, the association argues that opting out of personalised advertising already reduces how much publishers can sell their inventory, but losing access to basic measurement metrics undermines their capacity to sell it at all. On frequency capping, the association notes that modulating ad exposure is not only commercially important but also a legal obligation for minors under Article 28 of the Digital Services Act guidelines. On fraud prevention and security, the paper characterises these not as secondary conveniences but as essential to a safe and sustainable digital ecosystem.

The EDPB-EDPS Joint Opinion 2/2026 of February 11, 2026 is cited directly in the Alliance Digitale paper in support of incentivising contextual advertising. Contextual advertising does not require personal data, and the joint opinion had offered qualified support for new exceptions in this area, albeit with calls for clear delimitation to strictly necessary processing.

Enforcement fragmentation and European accountability

The final section of the position paper addresses implementation. Alliance Digitale argues that simplifying the text of the GDPR and ePrivacy Directive will produce no meaningful results if enforcement continues to diverge across Member States. Currently, national supervisory authorities and sector regulators such as telecoms or competition bodies sometimes share jurisdiction over privacy-related topics under the ePrivacy Directive, producing inconsistent interpretations of identical legal concepts.

The paper singles out France as a concrete example. According to Alliance Digitale, "the CNIL's dual competence over both GDPR and e-Privacy matters, combined with its public communication practices in enforcement procedures, can generate regulatory instability and reputational risks for market actors."

The European Commission introduced the Digital Omnibus on November 19, 2025, and the Netherlands raised formal concerns about the privacy provisions as early as December 2025. Parliamentary debate has since extended the legislative timeline. Brussels talks on the AI Act provisions of the Digital Omnibus collapsed in April 2026, leaving the August 2026 AI Act compliance deadline intact and the overall Digital Omnibus package in continued negotiation.

Five of the association's final recommendations target this enforcement layer: a statutory duty requiring inter-regulatory consultation when issues span multiple frameworks, a formalised inter-authority forum for digital regulation, joint guidance developed through mandatory public consultation, strengthened EDPB oversight as a genuinely independent European authority, and enhanced procedural safeguards - including anonymisation of actors targeted by data protection authority injunctions and treating advisory exchanges as trade secrets by default.

The broader context matters for marketers. A noyb survey of 510 data protection officers published in March 2026 found that the DPOs most burdened by GDPR compliance ranked Article 30 record-keeping as the top administrative obstacle - not the consent and legitimate-interest provisions the Commission has prioritised for reform. Alliance Digitale and noyb disagree on many questions, but the survey underlined a shared premise: that the Digital Omnibus as currently drafted does not necessarily address the friction points most damaging to day-to-day operations.

The position paper arrives as the advertising industry is navigating multiple overlapping changes to the consent landscape. Alliance Digitale's own January 2026 hybrid measurement white paper documented how France's social advertising market grew 43% from 2.37 billion euros in 2022 to 3.39 billion euros in 2024, driven in part by measurement fragmentation as investment shifted toward platforms not subject to the same consent constraints as the open web. The position paper's warning that Article 88b would accelerate investment toward walled gardens is, in that light, grounded in trend data the association's own research has already documented.

Timeline

  • November 19, 2025 - The European Commission presents the Digital Omnibus package, proposing simultaneous amendments to the GDPR, ePrivacy Directive, and AI Act. Coverage: ppc.land
  • December 2025 - The Netherlands raises formal concerns about the Digital Omnibus privacy provisions. Coverage: ppc.land
  • January 16, 2025 - EDPB publishes Guidelines 01/2025 on pseudonymisation, its first comprehensive guidance on the subject since GDPR implementation. Coverage: ppc.land
  • January 29, 2026 - Alliance Digitale publishes its hybrid measurement white paper, documenting French social advertising growth from 2.37 billion euros (2022) to 3.39 billion euros (2024). Coverage: ppc.land
  • February 11, 2026 - EDPB and EDPS publish Joint Opinion 2/2026 on the Digital Omnibus, warning that splitting terminal equipment rules between GDPR and ePrivacy could create legal uncertainty.
  • February 13, 2026 - PPC Land covers the EDPB-EDPS joint opinion on the Digital Omnibus privacy provisions. Coverage: ppc.land
  • February 28, 2026 - Industry deadline for migration to TCF v2.3, enforced by Google's advertising systems. Coverage: ppc.land
  • March 8, 2026 - noyb publishes a survey of 510 data protection officers finding the Digital Omnibus misses the compliance priorities that DPOs say matter most. Coverage: ppc.land
  • March 10, 2026 - EDPB adopts its first standardised DPIA template, opening a public consultation until June 9, 2026. Coverage: ppc.land
  • March 28, 2026 - IAB Europe publishes its 2025 TCF Compliance Report, showing enforcement procedures rose 118% to 587. Coverage: ppc.land
  • April 2026 - Brussels negotiations on the AI Act provisions of the Digital Omnibus collapse, leaving the August 2026 AI Act compliance deadline in place. Coverage: ppc.land
  • May 21, 2026 - Alliance Digitale publishes its 17-recommendation position paper on the Digital Omnibus, calling for deletion of Article 88b and Article 88a(4), and expansion of the consent exemption list.

Summary

Who: Alliance Digitale, the French digital marketing and data trade body representing 300 member organisations including agencies, publishers, data providers, and ad-tech companies, and serving as the French representative of IAB, FEDMA, and GDMA.

What: A 17-recommendation position paper on the European Commission's Digital Omnibus, covering the proposed GDPR and ePrivacy Directive amendments. The paper supports codification of the SRB v. EDPS pseudonymisation ruling, legitimate interest for AI systems, and harmonised DPIA lists. It calls for deletion of the centralised cookie management mechanism (Article 88b) and the six-month ban on re-requesting consent (Article 88a(4)), and recommends expanding the consent exemption list and strengthening European-level enforcement accountability.

When: The position paper was published on May 21, 2026. The Digital Omnibus package was introduced by the European Commission on November 19, 2025, and remains under legislative negotiation.

Where: The paper was published on the Alliance Digitale website, addressed to the European Parliament and Council as co-legislators. The Digital Omnibus proposals, if adopted, would apply across all 27 EU Member States and the broader European Economic Area.

Why: Alliance Digitale argues that several provisions - particularly the browser-level centralised consent mechanism and the six-month consent re-request ban - would impose disproportionate technical and operational burdens on open-web publishers and smaller advertising actors, accelerate investment toward large walled garden platforms, and fail to meaningfully reduce user consent fatigue. The association frames regulatory simplification as a legitimate objective but contends the current draft text would produce new complexity rather than reduce existing fragmentation.

Share this article
The link has been copied!