Digital Omnibus: let’s bring some clarity

This post is about: ,
Table of contents
Primary Item (H2)Sub Item 1 (H3)Sub Item 2 (H4)
Sub Item 3 (H5)
Sub Item 4 (H6)

On 19 November, the European Commission presented the proposal called “Digital Omnibus”, a package of regulatory amendments that also affects Privacy, Cookies and the management of online consent.
It has been widely discussed, often in alarmist tones (“new Privacy revolution”, “end of Cookie Banners”, “end of Policies”, etc.). For this reason, the first objective of this article is to bring clarity.
In particular, it is important to immediately establish three points:

  1. We are at the beginning of a process
    Digital Omnibus is currently only a proposal and will have to go through a long and complex legislative process before it becomes applicable. You can review the text of the proposal at the official link https://digital-strategy.ec.europa.eu/it/library/digital-omnibus-regulation-proposal.
  2. The timeline is medium‑ to long‑term
    The regulation will not enter into force for at least two years, and the text is expected to change along the way.

For your day‑to‑day operations, nothing changes right now. The following remain fully in force:

  • the GDPR;
  • the ePrivacy Directive and the relevant national implementing laws.

All the obligations you already know (Cookies, Privacy notices, prior blocking, legal bases, data subject rights, security, etc.) remain exactly the same.
The objective of this article is therefore to:

  • explain what Digital Omnibus is;
  • clarify where we are in the process and what the next steps are;
  • illustrate which topics are being discussed with the Commission;
  • illustrate our role in this process;
  • reiterate that the aim of this dialogue is to keep Privacy as a fundamental right of European citizens, while seeking to simplify the digital experience.

What is Digital Omnibus

Digital Omnibus is a proposal by the European Commission which, in addition to intervening on specific profiles related to Artificial Intelligence, aims to:

  • simplify the user experience by reducing the proliferation of banners and repetitive consent requests, mainly due to the use of dark patterns in some “intrusive” cookie banners and in in‑app browsers;
  • harmonise and update certain existing rules within the European digital framework;
  • reduce administrative burdens for businesses and organisations, in particular in the management of consent for the use of Cookies and similar technologies.

Within this framework, measures include, among others:

  • the possible centralisation of consent choices at browser or operating system level;
  • the definition of specific regimes for certain sectors (such as media);
  • the introduction of minimum periods between one consent request and another (cooldown);
  • the potential evolution of the current ePrivacy rules on Cookies and similar technologies towards a more risk‑based approach.

The Commission’s stated intent is twofold:

  • simplify and make the online experience more consistent for users;
  • streamline compliance requirements for businesses, while maintaining an adequate level of Privacy protection.

Where the legislative process stands

A key point, in line with what has already been highlighted in our newsletter, is that Digital Omnibus:

  • is currently an initial proposal;
  • will have to go through a full legislative process before it can be turned into applicable rules.

The main stages of the legislative process are:

  1. Public consultation and stakeholder dialogue. The Commission has already started a dialogue with:
    • data protection authorities;
    • trade associations and business organisations;
    • civil society organisations;
    • technical and legal experts.

    During this phase, comments, concerns and proposed amendments are collected.

  2. Possible revisions of the text by the Commission. Based on the contributions received, the text can be corrected, clarified and supplemented.
  3. Discussion and vote in the European Parliament. Parliament:
    • examines the proposal;
    • introduces and votes on amendments;
    • adopts its own position.
  4. Discussion and approval in the Council of the European Union. The Member States, meeting in the Council:
    • discuss the text;
    • may propose amendments;
    • approve a formal position.
  5. Alignment between Parliament and Council (ordinary legislative procedure). The two institutions must converge on a common text (through the so‑called “trilogues”).
  6. Publication and adaptation period. Once approved:
    • the text is published in the Official Journal of the European Union;
    • a transitional period follows before it becomes actually applicable, to allow businesses and organisations to adapt.

To summarise:

  • it is not a regulation already in force;
  • the content of the proposal is subject to change, even substantially;
  • the timeframe for application is medium‑ to long‑term.

What changes today for those who manage websites, apps and personal data?

It is important for us to reiterate:

For your daily operations, nothing changes today because of Digital Omnibus.

The following remain fully in force:

  • the GDPR;
  • the ePrivacy Directive;
  • the national implementing rules

Consequently:

  • the management of Cookies, pixels and other tracking tools follows the current rules;
  • activities such as marketing, newsletters, remarketing, profiling must continue to be framed within the current legal bases;
  • all obligations regarding notices, security measures, prior blocking, and any DPIA (when required) remain fully valid.

No specific adjustment to the content of Digital Omnibus is required at this stage.

The main technical issues at the centre of the discussion

One of the key ideas is the collection of consent preferences at browser or operating system level.
In practice, the idea is that:

  • the user can express some general choices once (for example, by purpose categories);
  • these preferences are then applied to the websites visited via Consent Management Platforms, reducing the need for repeated consent requests.

The critical issues causing the greatest concern include:

  • how to ensure that these choices are clear, understandable and modifiable;
  • how to reconcile general preferences with:
    • the specific needs of individual websites;
    • the needs of particular services (e.g. payments, personalised content, marketing);
  • how to integrate coherently:
    • desktop browsing;
    • the use of mobile devices;
    • and in‑app browsing, which is increasingly common.

In addition, the proposal introduces the idea of a “media exemption from consent at browser level”, i.e. specific rules for publishers and information providers.
The ongoing discussions concern, among other things:

  • the need for a precise definition of what is meant by “media”;
  • the impact of differentiated regimes on competition with other sectors;
  • how to ensure that the direct relationship between user and publication is preserved, even in a context of possible centralisation of choices.

Continuing this analysis, Digital Omnibus provides for the possibility of introducing a minimum period (for example six months) during which the choices made by the user should not be presented again through new consent requests. In this respect, the debate concerns the technical methods to recognise a returning user, the general settings expressed at browser level, and the possibility for individual websites to offer the user a review of their choices in a transparent and non‑intrusive way.
Finally, another area of debate concerns the possible replacement or revision of the current Article 5(3) of the ePrivacy Directive (cookies and similar tools), with a mechanism more focused on risk, which defines categories in a proportionate and understandable way, taking into account technical feasibility and adaptation costs.

Ongoing dialogue: role of stakeholders and common objective

The Commission is collecting numerous contributions from:

  • data protection authorities;
  • industry associations;
  • businesses;
  • digital rights organisations;
  • companies that already offer consent management solutions today;
  • other interested parties.

In parallel, many players in the sector are working together to:

  • analyse the text of the proposal in depth;
  • identify areas of convergence between different needs (rights protection, operational sustainability, innovation) and address the numerous critical issues;
  • develop concrete technical and legal proposals.

The shared objective is to find a balance between simplification, clarity of the rules and effective protection of rights.

Why Digital Omnibus matters

The objectives to be pursued can be summarised as follows:

  • keeping Privacy at the centre as a right of European citizens;
  • ensuring that new solutions are understandable and manageable by users and implementable by businesses and organisations;

As My Agile Privacy, the role we have taken on is to participate in the ongoing debate with a constructive, regulatory and technical approach, contributing, together with other companies in the sector, with our experience gained from real‑world implementations.
Do you also want to take part in the debate?
The European Commission has made available, on its page https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/15554-Digital-fitness-check-testing-the-cumulative-impact-of-the-EUs-digital-rules_en, a form where you can share your concerns, assessments and opinions.

What to do now

In light of the above, the operational message remains the same as already expressed: calm and clarity.
No alarmism, but an informed approach.
Today:

  • no specific action is required because of Digital Omnibus;
  • it is important to continue to:
    • comply with GDPR and ePrivacy;
    • keep Privacy notices up‑to‑date;
    • properly configure Cookie Banners and Consent Management Platforms (CMPs).

Our objective remains the same: to help you work in a compliant, sustainable way that respects the rights of European citizens, even in an evolving regulatory framework.

Daniele Bianco

CEO - CTO My Agile Privacy

Download the free guide

Fill out the form and get immediate access to the guide in PDF format.
Mockup del pdf della guida
Loading in Progress...
Request successfully sent. You will be redirected to the download page shortly
By submitting this form I declare that I have read the privacy policy and authorize the Owner to respond to me for what is expressed in point a of the privacy policy
Warning: Your Cookie choices may not allow the form to be submitted.
Click here to review your preferences.
buy now My Agile Privacy - compliant in less than 3 minutes
a Formula Agile SRL project
COE / TAX ID 31366
Via Tre Settembre, 99 - 47891 Dogana - San Marino - RSM
Share capital 26'000€
For assistance: info[at]myagileprivacy.com
Logo CMP partner GoogleLogo CMP partner GoogleLogo CMP partner GoogleLogo IAB Europe approvedLogo IAB Europe approved
GDPR and privacy present complexities that extend beyond achieving website compliance. Compliance obligations span across all business aspects and necessitate expert analysis.
When it comes to implementing Banners and Policies, trust My Agile Privacy—the only solution that excludes unnecessary implementations not mandated by regulations.

Supported regulations: GDPR (EU and UK), nLPD / nFADP, PIPEDA, LGPD, CCPA / CPRA, CPA, CTDPA, DPDPA, MCDPA, MTCDPA, NDPA, NRS 603A, NHPA, NJDPA, OCPA, TIPA, TDPSA, UCPA, VCDPA.

Supported languages: Italian, English, French, German, Spanish, Portuguese, Dutch, Polish, and Greek.