Date
Dec 15, 2025
EU Digital Omnibus Regulation: How Piano Strengthens GDPR‑Compliant, Privacy‑First Analytics
On 19 November, The European Commission introduced the “Digital Omnibus” proposal which aims to streamline EU digital regulations, including GDPR and ePrivacy, and achieve consistency and clarity for data-driven businesses operating across Europe.
As digital policy evolves, organizations face heightened scrutiny on how they collect, process, and analyze personal data. As it moves through Parliament and Council, here’s what matters – and how Piano is prepared.
Piano’s privacy-first foundation
Piano Analytics was created under Europe's strictest privacy laws, including the French Data Protection Act (LIL) and former German Telemedia & Telecommunication Acts (TMG & TKG).
Since GDPR's implementation, we've treated all data – whether logged-in or pseudonymous identifiers – as personal data. This principle won't change, regardless of regulatory shifts.
Personal data: what the proposal could change
The proposal introduces a "reasonable means" approach to re-identify individuals. However, extensive research shows the risks Piano has long recognized:
Gender, residential postcode, and date of birth combinations enable identification in over 60% of cases, rising to 80% for individuals over 70.
Two geolocation points (home and work locations) provide 50% identification probability, increasing to 90% with four data points
Transport records analysis shows just two data points can be sufficient for individual identification
These findings support Piano's conservative stance on data classification, as the combination of unique IDs, geolocation, and behavioral parameters we typically handle can enable profiles capable of re-identification.
We await positioning from the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) to clarify this critical aspect of personal data definition.
How to achieve complete data ownership
Proposed Article 88a would allow a consent exemption for audience measurement when data is used “solely for the controller’s own use”. This aligns with Piano’s approach: clients own their data, and processing is strictly limited to the purposes they define.
Piano’s Europrivacy certification demonstrates proactive compliance with privacy and security benchmarks comparable to those envisioned under the Digital Omnibus:
Contractual commitments with dedicated Data Processing Agreements
Storage and purpose limitations preventing unauthorized data use
End-user rights management for pseudonymous identifiers
Sub-processor and transfer management with EDPB-approved Binding Corporate Rules
Technical and organizational measures for advanced security
Consent management systems for user preferences
Through this architecture, Piano enables every client to pursue an analytics strategy rooted in ethical collection, transparency, and complete control.
Supporting an open and balanced Internet
Beyond audience measurement, the proposal’s Article 88b addresses consent management signals.
The objective – ensuring that end users’ fundamental rights and privacy are respected – is clearly positive. As discussions progress, it’s important that any framework for consent signals is governed in a way that remains neutral, interoperable, and consistently applied
across the wider web. That consistency preserves user trust and enables effective oversight.
How to prepare for every scenario
If personal data definitions change and clients classify analytics data as non-personal, existing ePrivacy Directive Article 5.3 protections continue
Under current or amended frameworks, Piano's compliance architecture ensures seamless operation
Our flexible approach enables adaptation regardless of final legislative outcomes
Key takeaways for digital analytics leaders
Personal data reality: Even with subjective amendments, most businesses will likely remain under GDPR scope for digital marketing and analytics
Consent exemption opportunity: Existing consent exemptions for purpose-limited analytics solutions will be preserved and potentially streamlined under the consolidated GDPR framework.
Compliance imperative: Organizations need trustworthy tech partners to navigate regulatory changes and capitalize on new opportunities
Piano's commitment:
As discussions evolve, Piano remains prepared for every scenario – whether adapting to evolving GDPR frameworks, new regional privacy legislation, emerging AI governance requirements, or shifting cross-border data transfer regulations. We're monitoring developments closely, engaging with regulatory bodies, and ensuring clients can confidently navigate changes while maximizing compliant data collection opportunities.
The regulatory landscape is shifting, but Piano's fundamental value remains constant: providing powerful, privacy-respecting analytics that enable data-driven success while protecting user rights and maintaining trust.
Louis-Marie Guérif
Digital Ethics Officer,
Piano Group DPO
