If you're having trouble viewing this email, you cansee it online.
Hi friends,
As 2025 comes to an end, fundamental changes are underway in the European online advertising landscape. In the US, while the likelihood of divestiture in the US v. Google (adtech) remedies trial is uncertain, the industry scrambles to make the most of the AI "revolution" (aka AI bubble). The market sees both opportunity and fear, especially as OpenAI moves closer to the advertising market and clamours to steal the throne held by Google for years.
Meanwhile, the European policy landscape is experiencing its own tectonic shifts. Whether Europe ends up with a transparent, fair, and accountable online advertising ecosystem, or doubles down on surveillance-driven, opaque, and unaccountable markets, remains an open question. There are too many moving parts.
To help make sense of it all, we’re sending out our first policy newsletter to round up the most important developments in Europe, and what they may mean for the future of adtech.
The Digital Omnibus: how not to walk on the tightrope
The most debated development this autumn has been the Digital Omnibus Regulation (”Omnibus”), proposed by the European Commission on 19 November 2025. The Omnibus is a direct outgrowth of the Draghi report on European competitiveness, which bluntly argued that the EU must reduce regulatory friction if it wants to remain economically relevant—without abandoning its values or fundamental rights. That balance was always going to be difficult. The Omnibus is the Commission’s attempt to walk that tightrope in the context of digital regulation and online advertising.
The Digital Omnibus: Nothing personal - adtech business as usual
One particularly sensitive proposal concerns the definition of personal data—specifically, whether it should be understood as relative rather than absolute. The Commission appears to rely on the reasoning of the Court of Justice of the European Union (CJEU) in SRB v EDPS (T-557/20), where the Court clarified that information may qualify as personal data for some actors but not for others, depending on the realistic means of identification available to them. This ruling was long anticipated in adtech circles. Large platforms and smaller adtech intermediaries alike, especially those embracing Privacy-Enhancing Technologies (PETs), have increasingly lobbied that pseudonymised data in many adtech contexts should fall outside the GDPR altogether. If the EU embraces this argument without a detailed technical analysis and impact assessment, it will be giving the green light to large-scale commercial surveillance, as described by Cracked Labs, which is impossible for European consumers to comprehend but would never formally “trigger” data protection law.
To be clear: we are not arguing that personal data must always be interpreted absolutely. But changing how the GDPR’s core concepts operate—especially those on which entire business models depend—cannot responsibly be done without a serious impact assessment. There are real questions about the extent to which pseudonymization is fundamentally compatible with adtech use cases, particularly where a central promise (and architecture) of programmatic advertising is to enable one-to-one “addressability” across third-party websites. The EDPB’s draft guidance on pseudonymisation already shows how subtle these distinctions are. The EDPB has collected the public consultation in March 2025, and the final version of pseudonimisation guidance is expected early next year. Shortcutting that debate risks legal uncertainty and real harm to individuals and healthy advertising markets.
Quick fix to "cookie fatigue"
Everyone in Europe—except perhaps Consent Management Platforms (CMPs)—is tired of cookie banners: consumers, publishers, adtech, civil society, and regulators. While many in the industry frame this as a regulatory failure, in essence, the current proliferation of consent banners is nothing short of malicious compliance. The Commission seems keen to fix the cookie fatigue, but whether Omnibus is the right fix is another question. To simplify this complex attempt at simplification, the Omnibus addresses cookie fatigue by:
Mandating browser-level central opt-out signals, inspired by “Global Privacy Control (GPC).
Carving out an exemption from the Article 5(3) ePrivacy Directive requirements, and not requiring consent for certain personal data processing activities, such as for first-party analytics.
While the frustration is understandable, execution is not. The proposal was fast-tracked: four weeks of consultation, no impact assessment, and sweeping changes to the foundations of online monetisation. This is precisely how not to walk the tightrope. A Taoist saying, “Those who rush ahead, do not go far,” fits perfectly here. The civil society backlash was swift and compelling enough that the Commission has now opened post-proposal consultations until February 9 (for now, the deadline is crawling). This will feed into the legislative processes in Parliament and the Council, which are currently ongoing. The position of Check My Ads is clear: unless this iteration is substantively revised and certain provisions are blocked, it risks becoming an act of regulatory self-sabotage: complicating the legal environment while undermining the very values it claims to protect.
We support the initiative to end consent fatigue once and for all and to establish fair online monetisation practices, but we acknowledge that no quick fix can achieve this. Instead, this requires an impact assessment and stakeholder consultations. Interestingly, the Commission also announced the Digital Fitness Check or Part II of Simplification, seeking feedback until March 11, on how to better streamline the digital rulebook. The discussions about adapting core rules of the GDPR and ePrivacy Directive should be postponed until then. When it comes to certain exceptions for data processing activities, such as for first-party analytics, it is critical that purpose limitation is strictly applied, and ideally tracking and processing for such purposes are standardised, and their monitoring is mandated, but this requires moonshot thinking, not a quick fix.
Google versus Europe
When it comes to online advertising, Google is almost always the elephant in every room. While Google is waging war for dominance on many fronts, pressure on the company is increasing in Europe, specifically in the EU. As Alan Chapell rightly argues, Google is the master of spinning regulators on the flywheel, and a reasonable bet is that it will emerge victorious in the EU too. Still, some signals, discussed below, suggest that Google may actually be in trouble in Europe.
Privacy Sandbox: Will Google awaken Zombies?
Speaking of Google's proclivity for unilateral preemptive changes, one striking omission in the Omnibus debate is Google’s strategic position.
As currently framed in Article 88b(6) GDPR, a legally mandated global opt-out signal is likely to be interpreted—de facto—as a user choice to disable cross-context, third-party cookie (3PC)-based tracking. This is likely to have a similar effect to the adtech industry as Apple App Tracking Transparency (ATT), when a majority of end-users see the prompt refused tracking. That matters because Google has spent years running circles around regulators with its Privacy Sandbox: browser-embedded advertising and measurement APIs (Topics, Protected Audiences, Aggregated Reporting) that can effectively entrench Chrome and Android into advertising intermediaries.
Google was unable to convince the UK Competition and Markets Authority that these APIs would not result in anticompetitive effects. Google’s later decision not to deprecate 3PCs raises an uncomfortable question: was this really about maintaining competitiveness of the adtech market, or about waiting for regulators to ban the old system themselves?
If browsers are now legally required to manage global opt-out signals, what exactly prevents Google from re-activating browser-based ad APIs, or deploying new AI-driven mechanisms, to entrench its dominance—this time with regulatory blessing? Now that Chrome divestiture hasn't been ordered as part of Google's search antitrust remedies in the US, and isn't on the table in adtech remedies discussions in either the US or EU, there is little comfort that this type of self-preferential data strategy would be curbed.
Calm before the Google Adtech remedies in Europe
All of this unfolds against the backdrop of the expected Commission’s decision on the behavioural and structural remedies for Google's abuse of its monopoly in the ad tech market. The Commission has already fined Google €2.95 billion for this, but, like the US court, is considering the divestiture of Google’s sell-side bundled ad tech stack— publisher ad server DFP and ad exchange AdX, collectively referred to as Google Ad Manager (GAM). It seems that the Commission is using every trick to postpone its own decision, so that the US can lead any structural remedy for one of the largest US companies. On November 14, Google proposed to the Commission the measures it intends to implement to avoid the break-up.
In the meantime, and in classic Google fashion, Google has reportedly already started rolling out some changes to its products, to seemingly stave off less favorable outcomes.
Let’s be honest, though, divesting GAM's components (DFP/AdX) is only the beginning of dealing with Google’s power in online advertising and the online ecosystem in general. Even if GAM is divested, Google will continue to dominate the ad ecosystem. It’s no secret that Google increasingly prefers ad spend toward its own properties (Search, YouTube) and downplays the importance of its network business. It is true that ad intermediation may be less profitable on paper, but control over intermediation means control over data and the market, and Google may use Chrome and Android in even more "creative" ways to exercise this control - ways that may be unexpected for adtech.
After receiving Google’s proposed changes, the Commission has sent Requests for Information (RFIs) to hundreds of stakeholders to gather evidence on Google’s proposed remedies. While Brussels may be waiting for the US court’s decision, it would not be surprising if the EU pursued structural remedies regardless.
Early 2026 could bring a genuine showdown.
Signs that the Commission is not backing down
The Commission’s tough stance on Google is also visible elsewhere.
On November 12, it opened an investigation under the Digital Markets Act (DMA) examining whether Google’s “site reputation abuse” policy unfairly demotes legitimate news publishers in Google Search, and
On December 9, it opened another Article 102 TFEU investigation into Google’s use of AI Overviews and AI Mode, focusing on whether publisher content is used without proper consent or compensation, as well as Google using the video content uploaded on YouTube for training its generative AI systems without appropriate permissions.
As Executive Vice-President, and the EU competition chief, Teresa Ribera put it, the goal of the Commission is to ensure that publishers are not “losing out on important revenues at a particularly difficult time for the industry.” Ribera always sounds like the Commission means business. Obviously, these signs do not necessarily point to divestiture of GAM, but they indeed suggest that the Commission is still in the game.
The Digital Markets Act (DMA) is often mistakenly called a “competition law” instrument. Seeing the Commission launch two probes into Google’s practices, both directed to help online publishers, but using two different legal instruments, is probably entertaining only for the legal nerds, but the truth is the Commission demonstrated that these tools can be used in tandem.
Is the DMA getting its act together?
DMA and AI
The DMA has received significant attention in 2025 and may steal the show in 2026. Article 40 of the DMA establishes “the High-Level Group” (HLG), consisting not only of the relevant Commission divisions but also of the European personal data protection, consumer protection, competition, electronic communications, and audiovisual media authorities. In essence, the HLG serves as a seed for an independent regulatory agency for the online environment. Currently, it has no authority to intervene in investigations and is limited to helping the Commission coordinate its actions and regulatory actions. Just before we closed 2025, HLG published a small discussion paper on AI and how it maps to the DMA.
The paper leaves many questions unanswered: Will OpenAI be designated as a Very Large Online Search Engine (VLOSE) under the Digital Services Act (DSA)? - a question that, as reported, the Commission is currently actively considering. Will the Commission create a new core platform service (CPS) under the DMA to capture conversational and agentic AI, or will these services be regarded as “virtual assistants”? One thing is clear: the EU enforcers are closely watching AI.
Recall that in April 2025, Meta was fined €200 million for violating the DMA with its initial consent-or-pay model (March 2024–November 2025). The Commission explicitly did not assess the revised model introduced in November 2025—but said it would continue investigating. Buried in the latest press release was a surprise: Meta will introduce a third model in January 2026.
That raises obvious questions:
Was the second model (Nov 2025–Jan 2026) also unlawful?
If so, where is the decision and a fine?
Has the Commission already assessed the legality of the third model?
Or are we about to repeat the same year-long cycle?
Due diligence for ads
Finally, on December 2, the Grand Chamber of the Court of Justice of the European Union (CJEU) issued a ruling inX v. Russmedia Digital SRL (C-492/23), signalling a significant shift for online platforms that monetise with ads. A Romanian company, Russmedia Digital SRL (“Russmedia”), operates an online marketplace at http://www.publi24.ro that allows users to list their classified offers for free or for a fee. In 2018, an anonymous user posted an advertisement falsely representing a woman as offering sexual services, including her photos and telephone numbers, without her prior consent.
The woman in question initiated proceedings against Russmedia for breaches of her image rights and of her right to data protection. Since the 2002 eCommerce Directive (now superseded mainly by the DSA), platforms in the EU, as elsewhere in the world, have enjoyed immunity from intermediary liability. The lower courts were split between applying this immunity and holding the platform liable under the GDPR. The court of appeal referred the case to the CJEU for guidance, which held that an online platform is a data controller for personal data included in an advertisement published on its website, even if such an ad is designed and placed by a user. In other words, even though the marketplace did not create the content, it published and monetised it for its own purposes, thereby exerting decisive influence over the processing.
The CJEU made clear that in such contexts (and this is important!) marketplaces cannot avoid their GDPR obligations by relying on the liability exemptions under the eCommerce Directive. This has several implications:
A platform and an advertiser qualify as joint controllers when an ad is published, thus responsible to have legal basis for processing any personal data in the ad.
A platform as a controller must adopt appropriate measures to make sure sensitive data is not published without compliance with the GDPR (which is likely to mean scanning the ads).
A platform must verify the identity of an advertiser before publishing an ad (e.g. because joint controllers must know each other’s identities, controller must disclose identity to data subject, etc.)
A platform must implement security measures, to ensure that ads containing personal data are not copied and unlawfully published on other websites. Before Russmedia took down the ad from its platform, the content had been scraped and proliferated across the internet. The court does not prescribe exactly what security measures are necessary to prevent such scraping, but it certainly raises the bar for online platforms.
This judgment signals a significant shift from passive hosting toward active responsibility for platforms that publish or monetise user-generated ads containing personal data, especially sensitive data. One very important caveat here is that the CJEU discusses a specific context: an online platform placing and delivering ads on its website for its own benefit, thereby increasing the platform’s responsibility. There is no ground for interpreting the CJEU as requiring a general monitoring obligation for content shared by end-users in other contexts, as this was never discussed in the case.
To some extent, the decision encourages a common-sense approach: when a platform delivers ads, it must verify the advertiser's identity. While in this case the CJEU mandates such verification to ensure that any personal data contained in the ad relates to the end-user who chose to advertise, similar measures can be applied to all ad placements, whether the ad includes personal data or not, and include any adtech intermediary involved.
Indeed, Check My Ads has long advocated for Know-Your-Customer rules that would require adtech firms to perform baseline due diligence on the business users that buy and sell ads using their platforms. This would reduce the risk of unlawful dissemination of personal data, reduce the ad dollars flowing to spam and scams, redistribute value to publishers and advertisers, , and ultimately proactively create a safer, more fair online world for users. which To that end, by requiring proactive authentication of identity before purchase of ads, and creating a joint responsibility for advertisers and platforms over the content of their ads, this decision is an encouraging step in the right direction.
.png)
