Europe is set to relax its flagship privacy and artificial intelligence laws, marking a significant shift in its regulatory stance. Under pressure from the tech industry and the U.S. government, the European Commission proposed changes to the General Data Protection Regulation, simplifying cookie consent requirements and allowing AI companies to utilize personal data for training, provided they comply with certain GDPR mandates. These amendments also extend the grace period for high-risk AI systems, delaying the implementation of stringent rules previously scheduled for next summer. The proposal aims to cut bureaucratic red tape, promote innovation among European companies, and maintain user rights, but it has already sparked controversy among civil rights advocates who accuse the Commission of undermining essential protections. The plan will now undergo a review by the European Parliament and the EU’s member states, a process likely to incite further debate and lobbying efforts.
The European Union is set to simplify its cookie consent policies, potentially ending the frequent pop-up requests that have frustrated internet users since their introduction in 2018. Proposed changes by the European Commission will allow users to set cookie preferences at the browser level, meaning that websites will have to respect these choices for at least six months. This initiative is part of a broader Digital Package aimed at modernizing EU digital rules, with the goal of enhancing user privacy and reducing the number of intrusive cookie banners. The proposal must now be approved by the European Parliament and the EU’s 27 member states, but it represents a significant step toward improving the online experience for users across Europe.
Why do we care?
If even the EU is backing off its toughest privacy and AI rules, you know the pressure is real. And while that sounds like “less regulation,” what it actually means is way more uncertainty. The rules are shifting mid-game, and now you’ve got to play in that ambiguity.
The biggest change is around personal data and AI training. If AI companies can start using personal data under certain GDPR rules, that creates a giant gray zone. What’s allowed? What’s compliant? What’s going to get challenged in court later? That’s exactly the kind of thing that turns into surprise liability for your clients—and for you if you’re advising them.
The cookie simplification sounds great—fewer pop-ups—but it moves responsibility upstream. If your client’s website ignores a browser-level consent signal, users won’t care whether the browser or the site messed up. They’ll blame the business. And you’re the one maintaining the site.
Plus, the grace period on high-risk AI systems is a trap. Clients will interpret “delayed rules” as “lower risk.” It’s not. It’s just regulators punting because the political pressure is too high.
So why do we care? Because your value as an IT provider is navigating this messy middle. Governance, documentation, data hygiene—those become real differentiators when the rules stop being clear. Your clients can’t track this themselves, and vendors will spin it however suits them. If you show up as the one who brings clarity when the regulators don’t, that’s a huge edge.

