The EU just made your customer data more valuable—and more vulnerable. On November 19, 2025, the European Commission published the Digital Omnibus, codifying legitimate interest as a legal basis for AI training and operation. This ends years of uncertainty about whether companies could train AI on personal data without explicit consent. They can now. Privacy advocates call it the biggest attack on digital rights in years. For WordPress store owners, it means something simpler: first-party data you control can power YOUR AI. Data you give away powers someone else’s.

What Actually Changed#

The Digital Omnibus introduces a new provision under GDPR establishing that “the development and operation of AI systems or models constitutes a legitimate interest of the controller” (Gibson Dunn, November 2025). This is not a minor clarification. It’s a fundamental shift in how personal data can be processed for AI purposes.

Previously, the legal basis for AI training was a grey area. The European Data Protection Board (EDPB) took a restrictive view in Opinion 28/2024, warning that companies must conduct detailed balancing tests and that legitimate interest couldn’t justify indiscriminate data collection. Some national authorities allowed it under strict conditions. Others rejected it outright.

The Digital Omnibus ends that debate by codifying AI training as presumed legitimate interest—the most significant reform to GDPR since its 2018 adoption.

This doesn’t mean unrestricted processing. Controllers must still demonstrate necessity and proportionality through balancing tests. They must implement safeguards including data minimization. Sensitive personal data—health, ethnicity, religion, sexual orientation—remains protected under Article 9 GDPR. And crucially, your rights to object, access, and delete your data remain fully applicable.

But explicit consent? No longer required for AI training in most cases.

You may be interested in: EU Digital Omnibus 2026: The Cookie Consent Reform That Changes Everything

Why Privacy Advocates Are Alarmed#

This isn’t a quiet regulatory update. 127 civil society organizations—including noyb, EDRi, and ICCL—signed an open letter calling the Digital Omnibus “deregulation, not simplification” (noyb, November 2025).

Max Schrems, founder of noyb, characterized it bluntly: “This is the biggest attack on Europeans’ digital rights in years.”

The criticism centers on process as much as substance. The GDPR changes weren’t anticipated in the Commission’s 2025 Overview Report on Simplification. They weren’t part of the Call for Evidence for the Digital Omnibus. The consultation period closed just five weeks before publication—”clearly insufficient for genuine consideration of received input,” according to the open letter.

Privacy advocates argue the reform primarily benefits large technology companies while providing minimal relief to SMEs. The new rules create legal certainty for AI giants like Google, Meta, and OpenAI to train models on European personal data. Whether small businesses gain equivalent benefits is less clear.

The concern isn’t theoretical. Under the new framework, when you send conversion data to Google Analytics, behavioral signals to Meta, or customer information to advertising platforms—that data becomes subject to their legitimate interest claims for AI training. They can use it not just for your advertising, but to improve their own AI models.

The Strategic Implication for WordPress Stores#

Here’s where this gets practical for WooCommerce owners: the value of first-party data just increased significantly.

Under Digital Omnibus, first-party data you collect can be processed for YOUR AI applications under legitimate interest—customer prediction models, personalization engines, automated recommendations. You can build AI capabilities on your own customer data without navigating the consent uncertainty that previously existed.

But data you send to third parties becomes fuel for THEIR AI applications. When Google receives your conversion data, Meta receives your customer lists, or any advertising platform receives behavioral signals—they can train AI on that information under legitimate interest, separate from how they use it for your advertising.

This creates a clear strategic divide:

• First-party data in your own infrastructure: Powers your AI applications, your customer insights, your competitive advantage
• Third-party data sent to platforms: Powers their AI models, their product improvements, their market position

The question isn’t whether AI will be trained on personal data. Under Digital Omnibus, it will be. The question is whose AI benefits from YOUR customer data.

What Safeguards Remain#

Digital Omnibus doesn’t eliminate all protections. Understanding what remains helps you navigate the new landscape:

Balancing Test Required

Controllers relying on legitimate interest must still demonstrate that their interest isn’t overridden by individual rights and freedoms. This requires documented assessment of necessity, proportionality, and potential impact on data subjects. The test exists—but the presumption now favors AI development.

Data Minimization Still Applies

You can’t collect more data than necessary for the stated purpose. AI training doesn’t justify indiscriminate hoarding. Safeguards must include “minimizing data used for AI training” (IAPP, December 2025).

Objection Rights Intact

Data subjects retain the right to object to processing based on legitimate interest. Controllers must inform individuals that their data may be used for AI training and must honor objection requests. This creates ongoing compliance obligations even without consent requirements.

Sensitive Data Protected

Special category data—health, race, political opinions, sexual orientation—retains Article 9 protections. The Digital Omnibus creates an exemption only for “residual” sensitive data that appears incidentally in larger datasets, with requirements to minimize collection and remove identified sensitive information.

You may be interested in: WooCommerce Events to BigQuery Without GA4

The Data Quality Advantage#

Here’s an angle the regulatory debate misses: 80% of AI projects fail, and 70% of those failures trace back to data quality issues (Gartner/IBM, 2023). The companies that win in an AI-enabled future aren’t necessarily those with the most data—they’re those with the cleanest, most structured, most accessible data.

WooCommerce stores have a structural advantage here. Your order data is inherently clean: real transactions, verified customer information, actual purchase behavior. Unlike scraped web data or inferred profiles, e-commerce events represent ground truth.

But that advantage only materializes if you control the data. When customer information flows to third-party platforms, it enters their data lakes alongside billions of other signals. Your clean transaction data becomes one input among many—valuable to their AI, but not distinctly yours.

First-party data infrastructure—your own BigQuery, your own event stream, your own customer database—preserves the quality advantage. It keeps your data queryable, trainable, and exclusively yours.

How to Position for the New Reality#

Digital Omnibus creates winners and losers. The winners will be those who adapt their data strategy now:

Build First-Party Data Infrastructure

Route events to your own BigQuery alongside (or instead of) third-party platforms. This gives you raw data for future AI applications while maintaining current analytics capabilities. Transmute Engine™ enables this with direct BigQuery routing—no GA4 middleman required.

Maintain Advertising Platform Connections Strategically

You still need conversion data in Google Ads and Meta for campaign optimization. But understand that this data now explicitly feeds their AI. Send what’s necessary for advertising performance. Keep deeper customer intelligence first-party.

Document Your Own Legitimate Interest

If you plan to use customer data for AI applications—personalization, prediction, automation—document your legitimate interest basis now. The Digital Omnibus makes this easier, but documentation remains required. Record your balancing test, safeguards, and data minimization measures.

Prepare for Objection Rights

Update privacy policies to inform customers that data may be used for AI-powered features. Implement processes to handle objection requests. The consent requirement is gone, but transparency and objection handling remain.

The Transmute Engine Approach#

Transmute Engine™ was built for first-party data ownership—before Digital Omnibus made it strategically essential.

Events flow from your WordPress server to destinations you choose. BigQuery integration gives you a data warehouse under your control—queryable, trainable, exclusively yours. Advertising platform connections maintain campaign optimization without surrendering all customer intelligence to third parties.

The architecture matters more now. When legitimate interest enables AI training across the ecosystem, controlling where your data lives determines whose AI it powers.

Key Takeaways#

• Digital Omnibus codifies legitimate interest for AI training. This is the most significant GDPR reform since 2018, ending years of regulatory uncertainty about AI and personal data.
• Privacy advocates call it GDPR dismantling. 127 civil society organizations opposed the changes. Max Schrems characterized it as “the biggest attack on Europeans’ digital rights in years.”
• Safeguards remain but consent requirements don’t. Balancing tests, data minimization, and objection rights continue. Explicit consent for AI training doesn’t.
• First-party data strategy is now essential. Data you control powers your AI. Data you give away powers someone else’s AI.
• The winners will be those who own their data infrastructure. BigQuery, first-party event streams, and controlled customer databases create the foundation for AI advantage.

Frequently Asked Questions#

Ready to own your customer data before it trains someone else’s AI? Explore how Transmute Engine routes events to your own BigQuery—first-party data infrastructure for the AI era.