In the previous issue of Adtech Policy Watch, we raised the question: Who gets crashed by the Digital Omnibus? In adtech policy, odds always favour the incumbents and the status quo. So the safest thing to do is to be cynical and not to bet on change. For better or for worse, I am one of those people who are willing to take disappointments over and over without becoming cynical, and keep thinking things can change. In this issue, I will share with you a personal story of the gambles, disappointments, and victories of the past two months and, in doing so, take you through some of the key updates in adtech policy in Europe and beyond. Among other things, the issue will cover privacy signals (Article 88b), attribution standardisation, and broader EU and UK digital policy.
The Noise around Digital Omnibus and the Signals
For many, Digital Omnibus (read: the Omnibus on ePrivacy and GDPR) has become a nauseating two-word phrase. It means so many different things. To me, it means privacy signals: most of the Commission’s original proposal weakened the ePrivacy and GDPR frameworks to accommodate the industry’s asks, but there was also a Trojan Horse – Article 88b – which was a genuine measure that could kill the annoying consent banners and revolutionise the online advertising ecosystem. Before Article 88b was proposed, in a 44-page draft discussion paper that culminated 6 years of my legal research, I had written in detail about the need for such a measure, making me one of the very few experts who actually understand the stakes here. I knew this: Article 88b, which could give Europeans a technical ability to express their privacy preferences for the first time in 30 years, would be attacked from all angles. Let’s be honest — most of the industry either wants to trap users or is afraid of, or unwilling to, give them a genuinely free choice. It is, in essence, a data-hungry industry vs people, or, as Prof. Shoshana Zuboff has called it, “surveillance capitalism vs democracy”. So when I was summoned to Brussels to share my views, I made my case. I warned the legislators and fellow civil society organisations that Article 88b threatens the current business model, and that industry, European or otherwise, will stand firmly against it unless we provide them with a compelling vision of an alternative, privacy-preserving yet financially viable way to earn money. In the end, it is not capitalism vs democracy.

May 12, 2026 Lex at the technical workshop in the European Parliament. Discussion revolved around Article 88b and privacy signals. Lex’s intervention was clear – without advertising exemptions, the industry will do everything to kill the provision.
Civil society organisations are fighting for people and democracy in Europe, and they are doing an outstanding job. It has been an honour to work side by side with some of the coolest, most capable, and inspiring people in this space, Max Schrems (noyb), Ursula Pachl (noyb), Itxaso Dominguez de Olazabal (EDRi), and Alan Toner (ICCL), to name a few. So far, we have all worked tirelessly to make the best of the Digital Omnibus for people and democracy. While we are aligned on issues such as the need to kill cookie banners without sacrificing privacy (more shared work on this coming soon), I also take every opportunity to share Check My Ads’ unique perspective: publishers and advertisers, businesses that contribute to the justice and prosperity of Europe, are also trapped in the status quo – they need a path out. I believe that without such a path out, there will be no Article 88b. That’s been my main focus – finding a new path for publishers and advertisers, and changing the status quo.

May 18, 2026 Lex at the Expert Workshop: Web Standards for Data Protection in the EU organised by University of Maastricht. Discussion revolved around viability of Global Privacy Control (GPC) vs Advanced Data Protection Control (ADPC) in the EU.
proposed caption edits (cannot edit in above): May 18, 2026 Lex at the Expert Workshop: Web Standards for Data Protection in the EU organised by University of Maastricht. Discussion revolved around viability of Global Privacy Control (GPC) vs Advanced Data Protection Control (ADPC) in the EU.
Indeed, the entire advertising industry has lobbied against Article 88b, including Google (see Google’s secret lobbying paper first shared by noyb), as well as European news media publishers, broadcasters, advertisers and the European Tech Alliance (with members such as Zalando, Allegro, and Criteo). With European geopolitical-economic competitiveness being on everyone’s mind in Brussels and other European capitals, surveillance capitalists and the European industry they have entrapped were heard. In mid-June, after months of work perfecting Article 88b, we heard that Germany, Poland, and a couple of other Member States were pushing to delete Article 88b from the Digital Omnibus – the only genuine simplification measure in the file. Check My Ads and 20 CSOs wrote an open letter urging Council not to delete Article 88b. More than 40 academics, led by Soheul Human, also joined in an open letter expressing their support for Article 88b. In the end, the Council was unable to reach an agreement, meaning that the battle between surveillance capitalism and democracy will continue to be fought within the Council over the next three months (and even longer in the Parliament).
Advertising Exemptions – Hard Conversations We Must Be Having
As I said, my bet is that what will be decisive is whether we manage to carve out a path for an alternative business model. The idea that capitalism and democracy can coexist is a fundamental premise of the EU, which means we need businesses to fight for people and democracy. As businesses need incentives, my view has always been that Article 88b should be coupled with the advertising exemptions in Article 88a (see our position). Something like this was also recommended by the EDPB and EDPS in passing. Designing the right advertising exemptions can be very difficult work – the biggest risk of all is that such exemptions will be introduced that bolster the interests of the current incumbents. With this in mind, I made it my personal challenge to consider what the exemptions should look like in the public interest. In contrast to the EDPB and EDPS, who spent one paragraph on these advertising exemptions, on May 18th (the day we debated which signals were best fit for the EU in Brussels), the ICO in the UK produced a cost-benefit analysis and advice to the government about seven online advertising exemptions to PECR (the UK ePrivacy law). The exemptions, which include contextual targeting, ad delivery, billing, frequency capping, brand safety, and ad fraud defence, have a clear goal, shared by the Digital Omnibus in the EU – to kill the cookie banner – but the approach is drastically different – one that is certainly preferable to the industry. If Article 88b in the Omnibus proposes to kill cookie banners by enabling users to express privacy preferences, the ICO proposes removing the requirement to do so in the first place. The right path is a golden mean between these two approaches: enforceable privacy signals and minimal strictly defined exemptions that allow publishers to monetise in the opted-out environment.
I know the common counterargument, because I hear it at every workshop: publishers and advertisers will not be happy with any exemptions that privacy advocates would accept – genuinely low-risk online advertising is not financially attractive, and financially attractive forms of online advertising are not genuinely low-risk. If that were true, the cynics would be right, and the path out I keep talking about would not exist. I bet differently. Humans have demonstrated that they can resolve most urgent global problems with diplomacy and cooperation – a good example of this being the repair of the ozone layer. I think that surveillance advertising has caused the problem of a similar magnitude – creating the ozone hole in the information environment – and I choose to believe in our ability to fix it.
I also believe charting this path starts with creating a new default online advertising model that meets strict privacy requirements and is financially viable enough to incentivise and attract publishers and advertisers. That being said, to result in the change, there are not only carrots, but also sticks. Apart from public enforcement, collective privacy claims are becoming a powerful means of holding online advertising actors accountable. So, on June 12th, I flew to Berlin to speak about this at the Berlin Action for Damages Summit, organised by Peter Hense and his brilliant team at Spirit Legal, and to call on strategic litigators to go after actors in the online advertising industry who refuse to change.

June 12, 2026 Berlin Action for Damages Summit, Lex speak on panel about injunctive relief & collective data privacy claims. James Cole (Dredge), Anouk Ruhaak (SDBN), Vonne Laan (The Data Lawyers), Jonathan McQuitty (Innsworth).
The Business Models: Surgery in the Root Causes of Online Harms
The surveillance infrastructure built around online advertising has destroyed the information environment in ways that are impossible to ignore. The powerful movie “Molly vs Machines” reminds us of the story of Molly Russel, and the impact this infrastructure is having on children. But kids are not the only group affected by all of this. I know it firsthand. I have a father who, when he was recovering from a serious illness, became addicted to TikTok. I am happy that I was able to visit him and take him for a walk in Tbilisi, a city he loves and served for 40 years. How many millions of fathers and mothers have become the victims of online fraud? And more than that, there is climate, health and political disinformation, gender-based violence, the spread of racism and hate, and harm to children.

June 15, 2026 Lex’s father in front of the Parliament of Georgia, in Tbilisi. Georgia is not an official member of the EU, but the EU flag is always there as the symbol of hope.
Most in the civil society space and academia understand that somehow the economic logic, or “business models”, of the online environment are to blame for these harms, but it is not easy to pinpoint the precise problem. The online environment, like any other publishing environment, was always meant to be funded by advertising. The problem is not advertising; it is what advertising became. The unique value proposition of early adtech intermediaries, such as DoubleClick, was access to end-user behavioural data. Google, which held the largest pool of behavioural data through Search, adopted this model and canonised what became a race to the bottom.
Through its early dashboards and UI design, Google convinced advertisers of the value of surveillance advertising, making success in online advertising dependent on access to data. Companies that were able to build data-sucking platforms, such as YouTube, Facebook, Instagram, and TikTok, became the victors. Smaller actors needed help accessing similar pools of data, so they turned to independent adtech companies or to their own competitors, Google and Meta, which offered to throw them a bone. Data became power, and power became impunity. Surveillance capitalists have now trapped users, advertisers, and content creators in a cycle of dependency. They write all the rules: they set the terms unilaterally, obfuscate their policies, and refuse to curb harm. And impunity buys them what they started with — more data, more power, fewer rules.

June 3, 2026 TikTok Office INACH Roundtable, Lex gave a session to civil society orgs working on hate speech, about the business model of social media platforms, and how their work is cleaning up the symptoms, while the tap of harm is on.
Surveillance capitalists accept money from anyone without barely asking questions (see our recent advertiser verification report). As the BBC showed last week, they are willing to advertise CSAM, but also fund anyone for profit: sanctioned entities, disinformation or hate. These companies with data, power, and the ability to evade responsibility are not incentivised to do the right thing – Know Your Customer (KYC) checks for advertisers and creators, and moderate content, including advertising. So any strategy to surgically remove the root causes of online harm would require policies that (1) limit the data these companies hold (hence Article 88b), (2) limit their power in various markets they compete in and dominate, and (3) introduce a layer of meaningful transparency and accountability.
While the policymakers seem to have advanced on those fronts, sometimes one solution comes at the expense of another. The UK so far has been a great example. Motivated to end the systemic harms to kids, the UK government decided to ban social media for kids. Ofcom is also working hard to operationalise the Online Safety Act to curb fraudulent advertising practices. At the same time, ICO recommends that the UK government amend privacy law to grant the same platforms greater access to data and power. This can not work. The UK needs a coherent online advertising policy spanning privacy, competition, and online safety to meaningfully change economic incentives and chart a path towards a new model of the online economy. Not to posture publicly to rein in Big Tech, but to push policies that give surveillance capitalists more power. As the UK is expected to have a new government, there is an opportunity to align words with action: together with 48 organisations, Check My Ads signed an open letter calling on the incoming UK government to take the problem seriously and focus on the root causes of online harms.

May 22, 2026 Arielle Garcia, our COO, presenting at the panel on Computers, Privacy and Data Protection Conference (CDPD) about how Google seized control in the digital advertising market.
“Who Decides Who Decides Who Knows?” – Competition in Attribution
This is why I love working at Check My Ads: we don’t shy away from any hard conversations. The team’s expertise allows us to discuss privacy and competition with the same rigour with which we address the systemic online harms that the ad ecosystem funds (see our policy platform). Of course, the final outcome of the Google Adtech case has kept us on the edge of our seats in the US and in the EU. Because Google often weaponises privacy against competition, and competition against privacy, I wanted to bring this case closer to the privacy and data protection community. On May 22nd, we hosted a panel discussion at the Computers, Privacy and Data Protection (CPDP) conference. No matter how well I know the case, hearing Arielle and other panelists speak about how Google abused the online advertising market for decades made me realise once again: surveillance capitalism knows no mercy.

May 21, 2026 Iesha White, our Director of Intelligence, unpacking some of Google’s latest margin-maximizing tricks, concealed under the cover of AI magic.
Whatever the outcome of the Google Adtech case, Google is already creating other opportunities to gain even more access to data, increase its power, and evade the rules. The next opportunity could be advertising measurement and attribution. If privacy signals succeed, advertising will need to be measured without tracking. This is why browser vendors and others are working hard to standardise a device-level attribution API called Attribution Level 1, developed with the editors being from Google, Meta, and Mozilla. In my view, there is nothing inherently wrong with on-device processing for advertising use cases such as attribution, but, of course, the involvement of Google and Meta raises many questions and invites criticism. Don Marti calls the group standardising the API an “attribution cartel“, and competition lawyer Thomas Höppner compares the situation to a fox guarding the henhouse.
While these concerns are real, the situation is not straightforward, and, to be honest, has given me a lot of headaches lately. As Martin Thomson (Mozilla) explains in a conversation with Alan Chapell, the API offers some privacy and efficiency benefits, and I believe something of this sort can support contextual advertising to make it more appealing to advertisers. The problem is not on-device attribution itself, but who controls the devices and for whose benefit the attribution API works. In no way does it make sense for Google to be the largest online advertising publisher and to measure its own performance against its own competitors. The largest online advertising publisher (Google Search, YouTube) cannot own device software (Android, Chrome) or the advertiser ad server (CM360). This is something for the competition authorities to solve, and the sooner we put this in front of them, the better.

May 22, 2026 Lex CPDP panel moderator about EU and US Google Adtech cases Panelists: Mathilde Fiquet (European Publishers Council), Alexandros Papanikolaou (European Commission), Tasos Stampelos (Mozilla), and Arielle Garcia (COO, Check My Ads).
“Fight for Us, not For Them”
The last chapter of my odyssey before coming home was another trip to Brussels, where Check My Ads, along with 12 different civil society organisations, organised an event to call the European policymakers to fight for the people and democracy, and not for surveillance capitalists. No one should be fooled – this is not the fight between the US and Europe. Many European companies are fighting alongside Big Tech for more data, more power, more impunity. Publicis, for example, one of the largest advertising companies, announced the acquisition of LiveRamp, a company that provides permissionless surveillance as a product (see CrackedLabs report). More data, more power, more impunity. Many European companies, alongside Big Tech, are pushing for the deregulation of the GDPR and the ePD. Some others stand with people. Opt Out Advertising, or Kobler, for example, innovates to build GDPR-compliant adtech solutions. We urge the EU policymakers not to side with the surveillance capitalists, but to side with us – with civil society, with academia, with people, with democracy, and with the businesses that want to build just and flourishing digital Europe. Digital Omnibus is still in the making, but it may be a small wave to a legislative tsunami that the DFA is going to be. However, if the Digital Omnibus ends in the victory of surveillance capitalists, it will set the stage for the DFA’s outcome as well.

June 23, 2026 Claire Atkin as the moderator of the panel discussion “Blueprint for Better” presenting blueprint the event organisers have drafted. Big shoutout to Friedericke Scheueuer, Anouk Ruhaak, Clara Mclinden, Ella Jakubowska, and Laura Lazaro Cabrera.
The closing keynote of the event in Brussels was Prof. Shoshana Zuboff, the author of the book “Age of Surveillance Capitalism”, who delivered a fascinating speech. She took us back to 2019, when, during the ceremonial evening at the Axel Springer Journalists Club in Berlin, Ursula von der Leyen, president-elect of the European Commission, presented Prof. Zuboff with an honorary award. Prof. Zuboff reminded the president of the European Commission of her promise in her laudatio speech to chart the European path, which places humans at the heart of the information economy. Prof Zuboff reminded us that “living humans, not machines, make society,” and ended her speech with powerful words – “If democracy is to survive the coming decades, it will be because enough people in enough societies choose to love the human and the kind of future only we can make. As you well know, love is always a gamble, but who among us has refused the bet”?

Like all odysseys, my personal odyssey over the last two months also ends with my return home. After travelling to nine countries, making allies and friends, winning and losing battles, getting lost, I came home to my girlfriend and proposed. Because love is always a gamble, why refuse to bet?

