November 20, 2025
GDPR 2.0? EU Proposes Overhaul of Data Privacy Laws
The European Commission has released its long-awaited proposal to update EU data privacy & security regulation in a comprehensive way.

The European Union’s passage of the General Data Protection Regulation (GDPR) in 2016 ushered in a new era of data privacy, aiming to put people back in control of their personal data. It motivated many other countries to follow suit with similar legislation, and while the U.S. has yet to pass a comprehensive federal data privacy law, dozens of states have taken inspiration from the GDPR to create their own rules.

The GDPR is not without its critics, though. Businesses have often complained that some of its rules are unduly burdensome or complicated without providing many benefits to individuals. The rapid adoption of AI-driven technologies has also left regulators scrambling to determine how they fit into a data protection regime.

In an effort to simplify and update its data protection rules, the European Commission has released the Digital Package, a set of legislative proposals that must still pass through the European Parliament and the Council before they become law. If approved, the new rules could have far-reaching consequences for businesses across the globe.

Easier Cookie Management

Businesses hate cookie banners, internet users hate cookie banners, but they also provide important privacy controls. That’s why cookie rules are getting a major rewrite in the Digital Package, including:

  • One-Click Control: This is more a codification of existing rules, but cookie banners would be required to have Accept All and Reject All options at the first level. Websites would also have to respect consent choices for at least 6 months.
  • Relaxed Consent Rules: Most of us are familiar with the exception to requiring consent for “strictly necessary” cookies. The new rules add exceptions for cookies used to maintain security and to create “aggregated information about the usage of an online service to measure the audience,” where the measurement is carried out by the controller and used solely for its own purposes. This would appear to allow first-party analytics cookies without opt-in consent, though sites may need to tweak how they do analytics (for example, keeping measurement aggregated and in-house rather than shared with third parties) in order to stay within that exception.
  • Centralization of Cookie Rules: Part of the proposal is a Digital Omnibus that condenses several data privacy and security laws down to just two: the Data Act and the GDPR. Today the cookie rules live in the ePrivacy Directive, which each member state transposes into its own national law, so the details differ slightly from country to country. Under the proposal, the cookie rules would move into the GDPR, a regulation that applies directly, and would therefore be the same across the EU.

Browser-Based Consent Controls

The new rules would require web browser providers to provide a way for consumers to consent, decline consent, or object to data processing via browser settings. In other words, an individual could set their browser to refuse marketing cookies, and websites would be required to honor that setting rather than asking again through a banner.

In some ways, it parallels California’s recent legislation requiring browsers to support opt-out signals.
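The following is an added example, not code from the TrueVault post, showing how a site might put the two requirements above together: a stored Accept All / Reject All choice that is honored for six months, cookie categories the proposal would exempt from opt-in consent, and a browser-level refusal signal. The signal detection uses Global Privacy Control (the `navigator.globalPrivacyControl` property and the `Sec-GPC: 1` request header), which is the mechanism California's opt-out rules build on; the Digital Package does not name a specific signal, so treating GPC as that signal is an assumption. The category names, the 182-day window, the consent cookie format, and the precedence rule (a browser refusal overrides a stored acceptance, and exempt categories never need consent) are also assumptions made for the example.

```javascript
// Added example (not from the post or any TrueVault product): consent resolution
// for a site that must honor a stored banner choice for six months, skip consent
// for exempt cookie categories, and respect a browser-level refusal signal.

// Assumption: "at least 6 months" approximated as 182 days.
const SIX_MONTHS_MS = 182 * 24 * 60 * 60 * 1000;

// Assumption: category names. These are the categories the post says the proposal
// would exempt from opt-in consent: strictly necessary, security, and first-party
// aggregated audience measurement. Everything else (e.g. "marketing") needs consent.
const CONSENT_EXEMPT = new Set(["necessary", "security", "audience_measurement"]);

// Detect a browser-level refusal. Global Privacy Control exposes the user's setting
// as navigator.globalPrivacyControl (client side) and as the Sec-GPC: 1 header
// (server side). Either input may be absent, so both are optional.
function browserSignalsOptOut(nav, headers) {
  if (nav && nav.globalPrivacyControl === true) return true;
  if (headers) {
    const raw = headers["sec-gpc"] || headers["Sec-GPC"] || "";
    if (String(raw).trim() === "1") return true;
  }
  return false;
}

// Parse the stored choice cookie value, assumed to be JSON of the form
// {"choice":"accept_all"|"reject_all","at":<epoch ms>}. Returns null when the
// value is missing, malformed, has a future timestamp, or is older than the
// retention window, in which case the site must ask again.
function readStoredChoice(raw, now) {
  if (typeof raw !== "string" || raw === "") return null;
  let record;
  try {
    record = JSON.parse(raw);
  } catch (_err) {
    return null; // corrupt or tampered cookie: treat as no choice, never as consent
  }
  if (!record || (record.choice !== "accept_all" && record.choice !== "reject_all")) return null;
  if (!Number.isFinite(record.at) || record.at > now) return null;
  if (now - record.at > SIX_MONTHS_MS) return null;
  return record;
}

// Decide whether a cookie in `category` may be set, and whether a banner is needed.
// Precedence (assumption): exempt categories are always allowed; a browser refusal
// overrides any stored acceptance and counts as an expressed choice, so no banner
// is shown; otherwise the stored choice decides; with no valid choice the default
// is to not set the cookie and to show the banner.
function resolveConsent({ category, stored, browserOptOut, now }) {
  const choice = readStoredChoice(stored, now);
  const showBanner = choice === null && !browserOptOut;
  if (CONSENT_EXEMPT.has(category)) {
    return { allowed: true, showBanner, reason: "exempt category" };
  }
  if (browserOptOut) {
    return { allowed: false, showBanner, reason: "browser opt-out signal" };
  }
  if (choice === null) {
    return { allowed: false, showBanner, reason: "no valid stored choice" };
  }
  return choice.choice === "accept_all"
    ? { allowed: true, showBanner: false, reason: "stored accept_all" }
    : { allowed: false, showBanner: false, reason: "stored reject_all" };
}

// Build the Set-Cookie value that records a banner choice for the retention window.
// Secure and SameSite=Lax keep the consent record itself from being leaked or
// written cross-site; the name "consent" is an assumption.
function buildConsentCookie(choice, now) {
  const value = encodeURIComponent(JSON.stringify({ choice, at: now }));
  return `consent=${value}; Max-Age=${SIX_MONTHS_MS / 1000}; Path=/; Secure; SameSite=Lax`;
}

// Constructed demo inputs: a visitor who clicked Accept All ten days ago but has
// since turned on a browser refusal signal.
const demoNow = 1700000000000;
const demoStored = JSON.stringify({ choice: "accept_all", at: demoNow - 10 * 86400000 });
const demoOptOut = browserSignalsOptOut({ globalPrivacyControl: true }, null);
console.log(resolveConsent({ category: "marketing", stored: demoStored, browserOptOut: demoOptOut, now: demoNow }));
console.log(resolveConsent({ category: "audience_measurement", stored: "", browserOptOut: false, now: demoNow }));
```

In the demo the marketing cookie is refused even though the visitor accepted ten days earlier, because the browser signal takes precedence, while the first-party audience-measurement cookie is allowed without any stored choice. Note that a malformed or expired consent cookie resolves to "no choice" rather than "accepted"; failing open there is the bug to avoid.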

Clarifying AI Training Data

As AI technologies become ubiquitous, it’s important for regulators to provide clarity on the rules for using personal data to train large language models. The Digital Package would allow for data processing for the purposes of developing and operating an AI system to be carried out as a “legitimate interest.”

This would mean that, in many cases, personal data could be used to train AI models without relying on prior consent. Legitimate interest is not a blank check, though: the controller would still have to document the balancing test the GDPR requires for that basis, and individuals would keep their right to object to the processing.

Anonymous Data

The proposed amendments would grant the European Commission the power to adopt rules clarifying when data is sufficiently anonymized so that it is no longer considered personal data.

For example, if a controller pseudonymizes its own records and turns them over to an outside consultant who does not have the key necessary to re-identify the data, is it anonymous data or pseudonymous data? This was a question addressed in a 2025 EU Court of Justice decision. (Answer: it depends on whose hands the data is in. Pseudonymized data can be non-personal from the perspective of a recipient who has no reasonably likely means of re-identifying the individuals, even though it remains personal data for the controller that holds the key.)

Admittedly this is a bit wonky, but clarification on this issue would be important for a lot of organizations.

Get Caught Up on Privacy Compliance

Data privacy compliance is a moving target, and many businesses don’t have the internal expertise to stay current on the latest developments. A privacy policy or a data map created years ago may not reflect updated requirements.

TrueVault helps businesses of all sizes get privacy compliant in as little as a few days, and stay that way for years to come. Using our guided workflows and automated integrations, you can quickly create a data map, publish privacy notices, be prepared to handle consumer requests, and more. Anyone can do it—no legal background required. Best of all, as existing laws like the GDPR are amended, those changes are incorporated into your privacy dashboard at no extra cost!

Contact our team today to learn how TrueVault can help your business get compliant.

Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
