Digital Omnibus Proposal: A Guide to the 2026 GDPR and ePrivacy Updates

Introduction: Navigating the Digital Omnibus Proposal

In November 2025, the European Commission unveiled the 'Digital Omnibus' proposal, a legislative package designed to amend key data protection regulations, including the General Data Protection Regulation (GDPR) and the ePrivacy Directive. This Digital Omnibus aims to simplify regulatory implementation, particularly in light of emerging technologies like AI, but has sparked significant debate among privacy advocates and regulators. As organizations prepare for potential GDPR update 2026 implications, understanding this proposal is crucial for maintaining data privacy compliance.

The urgency stems from the need to address gaps in current EU data regulation, such as controversial 'Pay or Okay' systems and inconsistencies between GDPR and newer laws like the EU AI Act. However, the proposal has faced criticism. A comprehensive analysis by noyb, updated in January 2026, warns that the changes could conflict with the EU Charter of Fundamental Rights, reduce data subject rights, and introduce inconsistencies. Similarly, the European Data Protection Board (EDPB) and European Data Protection Supervisor (EDPS) issued a joint opinion cautioning that simplification must not compromise fundamental rights. This guide provides a step-by-step overview of the Digital Omnibus, its key amendments, compliance expectations, and practical actions for businesses.

Key Changes to GDPR and ePrivacy Directive

The Digital Omnibus proposes several amendments to GDPR and the ePrivacy Directive, targeting operational efficiency and alignment with digital trends. Below are the primary changes based on available analyses.

GDPR Amendments

The proposal seeks to modify GDPR provisions to ease implementation, but risks altering core principles.

• Data Subject Rights and Enforcement: Changes may affect rights like access and erasure, potentially streamlining processes but raising concerns about dilution. The noyb analysis highlights risks of reduced protections, urging legislators to reject or improve specific articles to maintain consistency with CJEU case law.
• Sensitive Data Use for AI: A key amendment involves expanding the use of special category data (e.g., racial or health data) for bias correction in AI systems. The EDPB and EDPS warn this could undermine GDPR safeguards unless strictly limited to high-risk AI systems and based on necessity. They recommend clearer thresholds to prevent overreach.
• Registration Requirements: The proposal suggests removing registration obligations for self-classified non-high-risk AI systems. Authorities argue this would reduce transparency and accountability, complicating oversight by data protection authorities (DPAs).

ePrivacy Directive Amendments

Updates to the ePrivacy Directive focus on consent mechanisms and tracking regulations, addressing issues like 'Pay or Okay' systems.

• Consent Mechanisms: The proposal aims to clarify rules for obtaining valid consent, particularly in digital advertising. Studies show that 'Pay or Okay' systems, where users must pay or consent to tracking, lead to artificially high consent rates (e.g., 99.9%) by nudging users. When offered a third option—'advertising, but no tracking'—70% of users prefer it, supporting EDPB guidelines for genuine choice.
• Tracking Regulations: Amendments may introduce stricter rules on online tracking and cookies, aligning with GDPR principles. The goal is to ensure user consent is freely given and specific, rather than coerced through limited options.
• Harmonization with GDPR: The proposal seeks to reduce inconsistencies between ePrivacy and GDPR, but analyses warn of potential conflicts that could weaken overall data privacy compliance.

Compliance Timeline and Enforcement Expectations

As of early 2026, the Digital Omnibus is a proposal under discussion, not yet enacted. Organizations should monitor its progression through the EU legislative process, which involves review by the European Parliament and Council. If adopted, amendments would likely take effect after a transition period, potentially impacting GDPR update 2026 timelines. Key points:

• Current Status: The proposal was published in November 2025, with analyses and opinions (e.g., from noyb and EDPB/EDPS) emerging in early 2026. It has not been finalized or transposed into law.
• Expected Timeline: If approved, changes could be phased in, similar to other EU regulations. Businesses should prepare for potential enforcement within 1-2 years post-adoption, but verify official timelines as they develop.
• Enforcement Concerns: The EDPB and EDPS emphasize that simplification should not compromise rights, calling for mandatory DPA involvement in AI regulatory sandboxes and improved cooperation between authorities. Non-compliance could lead to penalties under existing GDPR frameworks (up to EUR 20 million or 4% of global turnover).

Practical Steps for Businesses

To adapt to the Digital Omnibus proposal, businesses should take proactive steps in data privacy compliance. Here’s a actionable roadmap.

Step 1: Data Mapping and Impact Assessments

Conduct a thorough data inventory to understand what personal data you collect, process, and store. This is essential for assessing how proposed changes might affect your operations.

• Update Data Protection Impact Assessments (DPIAs): Under GDPR Article 35, DPIAs are required for high-risk processing. Review and revise DPIAs to incorporate potential amendments, especially regarding sensitive data use for AI bias correction. For guidance on AI-specific assessments, refer to our EU AI Act compliance roadmap.
• Identify Gaps: Use tools like AIGovHub’s data privacy solutions to automate mapping and identify compliance gaps relative to the proposal.

Step 2: Updating Privacy Policies and Consent Management

Revise privacy policies and consent mechanisms to align with proposed ePrivacy changes, ensuring transparency and user choice.

• Enhance Consent Options: Move away from 'Pay or Okay' models by offering a third option (e.g., 'advertising, but no tracking') to provide genuine choice, as supported by EDPB guidelines. Test consent rates to ensure compliance.
• Update Documentation: Amend privacy notices to reflect any new rights or processing activities under the proposal. Ensure clarity and accessibility for data subjects.

Step 3: Vendor Risk Management for AI and Digital Services

Strengthen third-party assessments, particularly for AI vendors, to address expanded sensitive data use and reduced registration requirements.

• Assess AI Vendors: Evaluate if vendors use high-risk AI systems that might involve sensitive data for bias correction. Require transparency on data processing practices. For comparisons, see our AI agent comparison guide.
• Implement Contracts: Update data processing agreements to include clauses addressing proposed amendments, such as limitations on sensitive data use and DPA involvement.

Tools and Platforms to Streamline Compliance

Leveraging technology can simplify adaptation to the Digital Omnibus. Consider these platforms for EU data regulation management.

• AIGovHub Data Privacy Suite: Our tools offer automated data mapping, DPIA templates, and consent management features tailored to evolving regulations. Integrate with existing systems to monitor compliance gaps in real-time.
• Vendor Comparisons: When selecting compliance software, compare options like OneTrust, TrustArc, and WireWheel. Key factors include support for GDPR and ePrivacy updates, AI governance capabilities, and pricing. Note: Pricing varies; contact vendors for details. For more insights, explore our guide to AI governance platforms.

Common Pitfalls to Avoid

Businesses often misstep when adapting to regulatory changes. Avoid these errors with the Digital Omnibus.

• Ignoring Fundamental Rights: Don’t prioritize simplification over data subject protections. The EDPB/EDPS opinion stresses that rights must not be diluted—ensure compliance balances efficiency with safeguards.
• Overlooking Consent Nuances: Relying solely on 'Pay or Okay' systems can lead to non-compliance. Implement multi-option consent mechanisms to meet proposed standards.
• Delaying Preparation: Since the proposal is not yet law, some may postpone action. However, early assessment reduces risk; start with data mapping and policy reviews now.

Frequently Asked Questions

What is the Digital Omnibus proposal?

The Digital Omnibus is a European Commission proposal from November 2025 to amend GDPR and the ePrivacy Directive. It aims to simplify implementation, address gaps like 'Pay or Okay' systems, and align with digital advancements, but has raised concerns about potential rights reductions.

How does the GDPR update 2026 affect my business?

If adopted, the GDPR update 2026 could change data subject rights, consent requirements, and AI data use. Businesses should monitor developments, update DPIAs, and revise privacy policies to stay compliant. Verify timelines as the proposal progresses.

What are the key concerns from regulators?

The EDPB and EDPS warn that simplifying AI Act implementation must not compromise fundamental rights. Specific concerns include expanded sensitive data use beyond high-risk AI, reduced transparency from removed registration requirements, and lack of DPA involvement in sandboxes.

How can I handle 'Pay or Okay' systems under the proposal?

Studies show offering a third option ('advertising, but no tracking') increases genuine choice. Align with EDPB guidelines by moving away from binary pay-or-consent models to ensure valid consent under data privacy compliance.

Next Steps and Conclusion

The Digital Omnibus proposal represents a significant shift in EU data regulation, with potential impacts on GDPR and ePrivacy rules. While its goal is simplification, businesses must navigate carefully to avoid undermining data subject rights. Start by conducting data mapping, updating consent mechanisms, and strengthening vendor management. Use tools like AIGovHub’s solutions to streamline this process and stay ahead of changes.

For further reading, explore our guide on the EU Data Act or AI governance in healthcare. Remember, this content is for informational purposes only and does not constitute legal advice. Always consult with legal experts to verify compliance requirements.