On March 3, 2026, Didomi held its traditional start-of-year “Breakfast”, devoted to the major topics to be anticipated for 2026, at its Paris premises on Boulevard Sébastopol, in the 2ᵉ arrondissement, a stone’s throw from the picturesque Sentier district.
The morning session was led by Romain Gauthier (CEO), Thomas Adhumeau (Chief Privacy Officer) and Kevin Domingo (Key Account Manager).
There’s a lot going on right now. And even though it’s already March, the timing remains good: the pace of announcements is accelerating, particularly in France. The idea of the morning was to sort out what is certain, what is almost certain and what remains probable for 2026, with a clear guideline: to reconcile compliance and performance.
On the program: regulatory framework, benchmark on consent performance and overview of Privacy & Performance trends for 2026.
📜 Regulatory framework: what lies ahead?
✅ Cross-device consent (CNIL recommendations – January 2026)
The first “certain” topic: cross-device (or “cross-terminal”, in the words of the CNIL). The starting point is simple: to combat consent fatigue, the authority is paving the way for a single consent that can be reused on several terminals… but on one central condition: remain within an authenticated universe.
The recommendations specify that the cross-device must be :
- Limited to an authenticated universe (user account)
- Based on the same purposes, the same processes and the same technical service providers on all terminals
- Accompanied by clear information: choice applies to all devices
- Framed by a rule of priority in the event of contradiction, with possible primacy of the choice made in the logged environment
- Subject to new collection of consent in the event of a change of purpose or provider
In concrete terms: if a user consents in a logged-in app, this consent can then be applied when he or she connects to the web.
The “sticking point” raised during the session: managing contradictions. Typically, a user can make a choice while not logged in… and then log in. Which version takes precedence? The CNIL tends to consider that consent in a logged-in environment prevails.
Another highlight: when a user arrives at a new interface, a callback mechanism is recommended to indicate that choices have already been made and can be modified.
Finally, Didomi would like to emphasize a point of context: these recommendations were triggered by exchanges with the CNIL concerning a customer case.
📧 Tracking pixels in emailing (recommendation expected March/April 2026)
The second “almost certain” topic: e-mail tracking. A topic that has been discussed for years, and which is now approaching a more explicit framework.
The heart of the message: “marketing” consent (to receive communications) is not enough if you use pixels (or any other tracking mechanism) in your emails. Specific consent is required.
What the CNIL emphasizes in the exchanges:
- Specific consent for email tracking (opening, and more broadly everything that is tracked)
- Need for individualized proof: be able to say when, how, and in what configuration the person consented.
- No official grace period
In terms of implementation, two cases stand out:
- New contacts: integrate the pixel into marketing collateral.
- Existing base: the CNIL (French Data Protection Authority) has mentioned sending an e-mail to the entire base to request pixel consent, but this approach is deemed ineffective (no response = refusal, and low rates expected). Hence the interest in more contextual approaches (e.g. login).
An important point discussed was the possibility (mentioned) of obtaining this “pixel” consent via the CMP, which is a step towards a CMP that would progressively centralize more consents.
🧾 Proof of consent in marketing (public consultation 2026)
Third topic: proof of consent in marketing. The message is clear: whatever the channel, you need to be able to prove consent on an individual basis.
We’re talking about :
- Time-stamped, archived, auditable logs
- Documented link between consent and marketing activation
- Secure storage
- In some cases, double opt-in could become a reflex (e.g. point of sale with SMS or email confirmation).
The point to remember: the CNIL wants to move quickly (first half of 2026), with the idea that, in essence, the obligations already existed and that there is therefore no need for a formal “adaptation period”.
Finally, the session focuses on an often underestimated subject: the withdrawal of consent. It has to be as simple as granting it… and above all, it has to be able to propagate through a chain of vendors, which is not always trivial.
🇪🇺 EU Digital Omnibus: towards RGPD & ePrivacy modernization
Didomi then looks back at the EU Digital Omnibus, presented as an attempt at modernization, with the stated aim of simplifying compliance and boosting the competitiveness of companies in Europe.
Three key points emerged from the discussions:
1️⃣ Definition of personal data
One possibility under discussion is to introduce a logic whereby, depending on the data controller, pseudonymized data may not be considered “personal” if the actor is unable to re-identify it. This approach is highly controversial and could be withdrawn.
2️⃣ Reconciliation RGPD / ePrivacy
Today, we can find ourselves having to ask for ePrivacy consent to deposit a cookie, when the processing behind it is based on legitimate interest. The Omnibus opens up the idea of aligning the legal basis of the cookie with that of the processing, which could radically change certain practices.
3️⃣ Browser consent
This is the most “structuring” idea: consent given at browser level, applied to the entire browsing experience. The aim is to reduce consent fatigue, but the implications are far-reaching (including in terms of competitiveness). A sector-specific exemption for news media has been mooted.
On the timeline: a lot of uncertainty, lobbying, and an application horizon of 2028-2030 with compliance deadlines.
📊 Benchmark Didomi: what do the data say?
The benchmark seeks to make the duality of “compliance + performance” legible. Three metrics are highlighted:
- Opt-in rate: % acceptance of all presentations
- No choice rate: % of people who make no choice (e.g. leave)
- Consent rate: % of acceptance among those who have made a choice
📈 Europe: overall stability, but visible fatigue
Overall, data remains stable across Europe, but the “weather” reveals a trend: Western Europe is falling, Eastern Europe is holding up better.
In France: a 2-point drop between 2024 and 2025 has been cited as a “structural” trend for several years, probably linked to overexposure to banners and consent fatigue.
📱 Performance by device
Rates remain close between devices, with a few nuances:
- Smartphone: high opt-in (61.5%)
- Desktop: solid consent rate (77.8%)
- CTV: lower consent rates, but fewer “no choices”: exposed users make a choice more often
🪟 Banner formats
The dominant format remains the pop-up, with a very high adoption rate (78.5%). The header format has a higher consent rate, but very little adoption, which makes it impossible to draw any operational conclusions. Message: keep your pop-ups.
❌ Refusal options
Regulatory differences between countries influence the mechanics that can be used. As a reminder, certain options (e.g. crosses) exist in Italy but not in France.
In terms of performance, one lesson stands out: “continuing without accepting” is presented as an option that performs well in the ecosystem observed.
🔎 Granular interaction
Third lesson: granularity remains marginal:
- 5.4% consult purposes
- 0.6% consult vendors
- 0.2% change vendors
In other words, the majority of choices remain “high-level”.
📌 Standards
Two signals:
- rise of GPP (Global Privacy Protocol) standards, especially in North America
- accelerated adoption of Google Consent Mode (3-fold increase over one year)
🔮 Panorama 2026: 4 data privacy trends
1️⃣ Consent fatigue
A CNIL topic, a user topic, and a business topic. The proposed approach: solicit less, but better.
Axes cited :
- useful” personalization (not every experience deserves to be personalized)
- multi-terminal / cross-device consent
- cross-domain exploration
- “consent pool: sharing consents between partners
- thinking about the right moment to interrupt the user, because interrupting has a cost (no choice, bounce)
The corollary: recognizing the user becomes central, especially if individualized proof becomes the norm.
2️⃣ Orchestrating consent
The idea is to build a unified privacy profile: CMP, preferences, marketing consents, CRM… and trace origin and compliance via a consent lineage logic.
One use case cited: CRM to media, with the prospect of linking a choice of consent to media activation.
3️⃣ Server-side tagging
Interesting angle: reversing the perspective. Server-side is not just a “response” to constraints, it’s also an opportunity to regain control of governance and rebuild data assets, while improving performance.
Didomi mentions its server-side dynamics via AddingWell, and the interest of better understanding where personal data is located along the way.
4️⃣ AI & Privacy
Finally, AI, with a paradox: low confidence, high adoption.
The thinking goes further: what if the user experience changed radically with agents? In an agent-to-agent world, “transaction privacy” could become richer than today’s binary choice, with scope for inventing new forms of exchange.
🧩 To sum up
2026 is shaping up to be a pivotal year:
- Very active CNIL (cross-device, email pixels, marketing proofs)
- Digital Omnibus: potentially structuring but still uncertain
- Consent fatigue at the heart of the equation
- Server-side as a lever for regaining control and performance
- AI in the background, with a potential transformation of career paths
Many uncertainties. But also, clearly, concrete projects to be started right away.
At Optimal Ways, we provide you with highly operational support for :
- Audit & compliance (CMP, email/pixels, proof of consent, traceability)
- Optimize collection (consent rate / no-choice, routes, reduce fatigue)
- Orchestration of consent (CMP + CRM + marketing, governance)
- Server-side tagging & data architecture (recovery, performance, compliance)
