Feedback – Digital omnibus COM(2025)837

Summary

Sveriges Annonsörer welcomes the Commission’s ambition to improve, simplify and modernize the EU’s regulatory framework on data protection and digital regulation. At the same time, we see a few substantial risks in the current proposals that may lead to increased complexity, legal uncertainty and unintended negative consequences for both consumers and businesses. Our feedback mainly focuses on the proposed centralization of consent mechanisms, the split of cookie1 regulations between two different legislations, the consent requirement, as well as the proposed changes to the rules on data protection impact assessments and the definition of personal data.

The split between GDPR and ePrivacy

For companies that use cookies involving the processing of personal data, the proposed transfer of certain regulatory aspects to the GDPR may bring some degree of simplification. However, Sveriges Annonsörer sees clear risks in dividing the regulation of cookies between two separate legislations, specifically the e‑privacy framework and the GDPR. In practice, this may result in parallel cookie regimes when working with personal data cookies as well as other cookies, making it more difficult for consumers to understand how different consent mechanisms interact and for businesses to determine which rules apply in each situation. From a business perspective, this split regulation results in the need to comply with two separate legal acts with different requirements on cookies, potentially involving different supervisory authorities, guidance and case law. Consequently, we see risks of overlap, inconsistencies, complexity and legal uncertainty.

1 ”Cookies” in this paper refer to all techniques subject to article 88a.

New cookie conditions (article 88a)

We share the Commission’s view that consent fatigue is an issue. It is therefore positive that the proposal has extended the exemptions somewhat compared to the current consent requirement, since such a development will reduce consent requests for that category of low-risk cookies. There is, however, still room for improvements.

Sveriges Annonsörers view is that the approach to the exemptions should be taken in a more principle-based and future-proof way – with great respect for privacy concerns. That could potentially be achieved by complementing the list of exemptions with a mechanism which enables the Commission to introduce additional exemptions, and by adding a highly restrictive principle‑based rule that enables the use of low‑risk cookies without consent where there are benefits, or at least very low risks, to the consumer and clear benefits to the business. In this way, the exemption list would be illustrative rather than exhaustive. As of now, the current exemptions make it harder for advertisers to, for example, use functions such as ad fraud prevention, ad frequency capping and independent aggregated analytics. Frequency capping, for example, can improve the consumers’ experience greatly by preventing annoying, unintentional repetition of advertising.

Principle‑based regulation is particularly important considering the fast-moving digital landscape and the inherently slow pace of legislative change. An overly restrictive and static exemption list risks becoming outdated quickly, with potentially negative consequences for both businesses and consumers. Furthermore, the fact that virtually all marketing-related cookies require consent removes incentives to develop and use cookie solutions associated with lower privacy risks. Allowing alternatives to consent as a basis for certain low‑risk marketing uses on a limited scale could encourage more privacy‑friendly development but must be designed in a way that ensures a high level of protection for individuals.

Another new addition is the time limitations in article 88a(4). There is no doubt that controllers need to respect a declined request for consent, an already established principle. However, Sveriges Annonsörer questions whether it is appropriate to codify that principle, especially in such a black and white way with an arbitrary number that might not be fit for purpose.

The centralized cookie solution (article 88b)

Sveriges Annonsörers assessment is that the proposed system may have negative effects for both consumers and businesses. By moving consent management to the browser level, users are expected to give a general approval or rejection of cookies that website operators must then automatically comply with. This harms individual advertisers’ ability to exercise control over their own cookie management.

Consequently, the proposal grants significant control over the cookie system to primarily a few tech giants, in stark contrast to the Commission’s work on improving the competition in the digital market.

Moreover, such a centralized approach risks reducing users’ ability to make informed and meaningful choices about cookie use. An all‑or‑nothing solution at browser level may unfortunately lead consumers to either reject more cookies than they otherwise would, or to consent to broader data use than they fully understand. In general, if a consumer is faced with a choice to generally say yes or no to cookies via the browser, it does not seem far-fetched to assume that many consumers will decline cookies fully since the individual would not be able to fully grasp the consequences of leaving a general browser level consent, even if the choice is somewhat granular. This would affect businesses in general, including actors who have acted ethically, responsibly and who consumers have trusted with their consent. Unfortunately, the proposal does not reward companies building strong relations with their customers.

Another issue is that website operators may not be able to fully rely on browser‑level consent alone, as it may not meet the GDPR’s legal requirements on consent. This creates a situation where businesses must in some cases assess whether a browser‑based solution is compliant and, if not, maintain their own consent mechanisms as a fallback. The risk may be mitigated by the presumption of conformity that applies to controllers that comply with the standards that are to be developed according to the proposal. This, however, highlights the importance of the quality of the standards and that they are adopted as soon as possible.

New conditions for data protection impact assessments (article 35)

The Commission’s proposal to amend Article 35 of the GDPR, with the aim of creating more harmonised standards for data protection impact assessments within the Union, is welcomed in principle. Greater harmonisation can contribute to legal certainty as well as an easier and more consistent application of the rules. However, it is crucial that any new standards are designed in a way that effectively protects privacy without imposing disproportionate administrative burdens on businesses. Sveriges Annonsörer sees a risk that the proposed changes could be interpreted as requiring companies to reassess existing processing against newly established standards. Such an outcome would result in a significant, and potentially unnecessary, workload for businesses. The Commission must ensure that what is intended to be a simplification does not have unintended, negative effects.

Changes to the definition of “Personal Data” (article 4)

Sveriges Annonsörer sees potential risks in that the proposed addition to the definition of personal data might lead to unintended complications for advertisers. This is especially the case given the subjective nature and unclear wording of the rule, as well as the complexity and number of actors making up the ecosystem of tracking data in the digital advertising space. Sveriges Annonsörer questions whether there is a need to codify the case law which forms the basis for the proposal instead of leaving the principles to be further developed through case law.

Stockholm, 13th March 2026

Hanna Riberdahl
CEO

Ulrika Wendt
Lawyer

Jakob Rönnerbäck
Lawyer