The EU Digital Omnibus codifies legitimate interest for AI training. But it solves a problem only Big Tech actually has. Google, Meta, and Amazon already sit on billions of data points. The Omnibus gives them legal clarity to use that data for AI training. Your WooCommerce store with 50,000 annual visitors? You’re still stuck on step one: actually collecting the data. Big Tech spent €151 million lobbying EU institutions in 2025 to get here (Corporate Europe Observatory, 2025). What did your business get from this legislation?

It Took €151 Million in Lobbying to Write This Legislation#

The Digital Omnibus didn’t appear from nowhere. Corporate Europe Observatory and LobbyControl traced the fingerprints. Big Tech companies averaged a lobby meeting with the European Commission every working day in the first half of 2025 (Corporate Europe Observatory, November 2025). The result? Seven of eight major Digital Omnibus changes align directly with Big Tech lobby positions (CEO/LobbyControl, January 2026).

890 digital-sector lobbyists now operate in Europe, and the top 10 digital companies spend three times as much as the top 10 spenders in pharmaceutical, financial, and automotive industries combined (CEO, 2025).

The process matters. The Commission prepared the Digital Omnibus through “Reality Checks”—meetings explicitly exempted from standard transparency measures. Of 23 Reality Checks scheduled in the first three quarters of 2025, 17 don’t appear on the Commission’s website at all (Corporate Europe Observatory, November 2025). The GDPR changes weren’t anticipated in the Commission’s 2025 Overview Report on Simplification. They weren’t part of the original Call for Evidence. The consultation period? Five weeks before publication.

127 civil society organizations—including noyb, EDRi, and ICCL—signed an open letter calling the Digital Omnibus “deregulation, not simplification.”

Here’s what they understand: when Big Tech writes the rules, Big Tech wins. Your WordPress store is collateral simplification.

What the Legitimate Interest Provision Actually Does#

The Digital Omnibus adds a new provision under GDPR establishing that the development and operation of AI systems constitutes a legitimate interest of the controller (IAPP, 2025). Controllers can process personal data for AI training without explicit consent—provided they pass a balancing test, implement safeguards, and respect data subjects’ right to object.

This sounds like a win for everyone. It isn’t.

To use legitimate interest for AI training, you need data to train on. Google has decades of search behavior, email content, Maps data, and YouTube viewing patterns. Meta has social graph data, messaging patterns, and advertising interaction data across billions of users. Amazon has purchase history, browsing behavior, and product interaction data at global scale.

Your WooCommerce store has whatever your GA4 managed to capture between ad blockers (31.5% of users globally, Statista 2024), Safari’s 7-day cookie limit, and 40-70% cookie consent rejection in the EU.

The question isn’t whether you’re allowed to use data for AI training. The question is whether you have any data worth training on.

You may be interested in: Digital Omnibus AI Training: GDPR Changes 2026

The Data Collection Problem That Legislation Cannot Fix#

The ICCL’s argument is worth understanding: cutting GDPR protections actually hurts EU competitiveness because it entrenches Big Tech dominance (ICCL, November 2025). Deregulation doesn’t inevitably liberate innovation—it liberates the companies with the most data to exploit.

The Digital Omnibus also reforms cookie consent. One-click reject buttons must be equally prominent as accept buttons. Controllers can’t re-ask for consent for six months after rejection. Browser-level signals like Global Privacy Control must be honored. Each reform sounds reasonable. Each one reduces the data small stores can collect.

When 40-70% of EU visitors reject cookies, your GA4 sees 30-60% of actual behavior. That’s not a dataset. That’s a guess.

Meanwhile, Big Tech platforms don’t depend on cookie consent. When you’re logged into Gmail, Google already has permission. When you’re scrolling Facebook, Meta already has your behavioral data. The consent barrier that cripples your WooCommerce analytics doesn’t even touch their data collection.

This is the asymmetry the Digital Omnibus preserves. Not by design, perhaps. But by effect.

The Real Gap: Infrastructure, Not Legislation#

Every WooCommerce store faces the same sequence of problems:

Problem 1: You can’t collect data reliably. Ad blockers, browser restrictions, and consent rejection erode your dataset before it reaches any analytics platform. Client-side tracking loses 30-40% of visitor data before you even begin analysis.

Problem 2: The data you do collect trains someone else’s AI. When you send conversion events to Google Analytics, behavioral signals to Meta, or customer data to advertising platforms—that data feeds their AI models under the same legitimate interest provision the Omnibus just codified. Your data makes their algorithms smarter. Not yours.

Problem 3: You don’t own the pipeline. GA4 data lives on Google’s servers. Facebook CAPI data lives on Meta’s infrastructure. If either platform changes its terms, restricts access, or sunset’s a product (remember Universal Analytics?), your historical data disappears with it.

The Digital Omnibus doesn’t solve any of these problems. It gives legal clarity to companies that already solved them years ago.

You may be interested in: Digital Omnibus 2026: Why Big Tech Wins and Publishers Lose

What Small Stores Actually Need to Compete#

The answer isn’t waiting for Brussels. It’s building your own data infrastructure now.

Server-side tracking on your own subdomain collects data that ad blockers can’t touch. First-party cookies from your domain aren’t subject to Safari’s 7-day ITP limit. Data stored in your own BigQuery warehouse—not GA4’s interface—stays under your control regardless of what Google decides to do next.

The Digital Omnibus even supports this approach. The cookie consent exemption for “aggregated audience measurement for the controller’s own use” applies specifically to first-party analytics on your own infrastructure. You can measure your own traffic without consent—as long as the data stays with you for your own purposes.

Server-side tracking achieves 95% data accuracy versus 60-80% for browser-based pixels (Top Draw Digital Marketing, 2025). That’s not a marginal improvement. That’s the difference between a dataset and a foundation for AI.

Transmute Engine™ is a first-party Node.js server that runs on your subdomain. The inPIPE WordPress plugin captures events and sends them via API to your Transmute Engine server, which routes data simultaneously to GA4, Facebook CAPI, Google Ads, and BigQuery—all from your own domain. The data flows through infrastructure you own before going anywhere else. That’s not a legislative provision. That’s architecture.

Key Takeaways#

• The Digital Omnibus legitimate interest provision for AI training primarily benefits companies with massive existing datasets—Google, Meta, Amazon—not small WooCommerce stores.
• Big Tech spent €151 million on EU lobbying in 2025 (up 33% from 2023), and 7 of 8 major Digital Omnibus changes align with their lobby positions.
• Cookie consent reform (one-click reject, six-month cooldown) will push EU rejection rates to 40-70%, further eroding small store data collection while leaving Big Tech’s logged-in user data untouched.
• The fundamental problem for WooCommerce stores isn’t legal permission to use data for AI—it’s having data infrastructure to collect, own, and retain first-party behavioral data in the first place.
• First-party server-side tracking on your own subdomain, feeding your own BigQuery, gives you the data sovereignty that no EU legislation can provide.

Stop waiting for legislation to solve an infrastructure problem. Start building your own data pipeline with Seresa.