The European Commission has proposed a “Digital Omnibus” package that would relax parts of the GDPR, the AI Act, and Europe’s cookie rules in the name of competitiveness and simplification.
If you work with EU traffic or rely on European data for analytics, advertising, or AI features, it’s worth tracking this proposal even though nothing has changed in law yet.
What The Digital Omnibus Would Change
The Digital Omnibus would revise several laws at once.
On AI, the proposal would push back stricter rules for high-risk systems from August 2026 to December 2027. It would also lighten documentation and reporting obligations for some systems and move more oversight to the EU AI Office.
Regarding data protection, the Commission aims to clarify when information is no longer considered ‘personal,’ making it easier to share and reuse anonymized and pseudonymized datasets, especially for AI training.
Privacy group noyb says this new wording isn’t just about clarifying the rules. They believe the proposal introduces a more subjective approach, hinging on what a controller claims it can or plans to do. Noyb warns this change could exclude parts of the adtech and data-broker industry from GDPR protections.
Cookies, Consent, And Browser Signals
The cookie section is likely to be the most visible change for your day-to-day work if the proposal moves forward.
The Commission wants to cut “banner fatigue” by exempting some non-risk cookies from consent pop-ups and shifting more control into browser-level settings that apply across sites.
In practice, that would mean fewer consent banners for low-risk uses, such as certain analytics or strictly functional storage, once categories are defined.
The proposal would also require websites to respect standardized, machine-readable privacy signals from browsers when those standards exist.
AI Training & Data Rights
One of the most contested pieces of the Digital Omnibus is how it treats data used to train AI systems.
The package would allow companies including Google, Meta, and OpenAI to use Europeans’ personal data to train AI models under a broadened legal basis.
Privacy groups have argued that this kind of training should rely on explicit opt-in consent, rather than the more flexible approach they see in the proposal.
Noyb warns that long-running behavioral data, such as social media histories, could be used to train AI systems with only an opt-out model that is difficult for people to exercise in practice.
Why This Matters
This proposal is worth keeping on your radar if you’re responsible for analytics, consent, or AI-driven products that reach EU users.
Over time, you might observe smaller, browser-driven consent experiences for EU traffic, along with a different compliance approach for AI features that depend on behavioral data.
For now, nothing in your cookie banners, GA4 setup, or AI workflows needs to change solely because of the Digital Omnibus.
Looking Ahead
The Digital Omnibus is an early signal that the EU is re-balancing its digital rulebook around AI and competitiveness, not privacy and enforcement alone.
Key items to monitor include Parliament’s amendments to AI training and data language, cookie and browser-signal provisions for CMPs and browsers, and changes to AI training and consent for EU users.
Featured Image: HJBC/Shutterstock
