2026 data privacy trends: Predictions from the experts

It is now tradition for us to kick off the year by asking experts, both internally at Didomi and from the industry at large, for their predictions for the year to come. 

‍

This year, we gathered 20+ data privacy professionals to share once again their answer to the question:

‍

What will be the biggest data privacy trend in 2026?

‍

We broke down their answers below, grouped by topics that emerged, closing the article with final thoughts from our CEO and research from Forrester.

‍

Privacy and governance will determine what AI can scale in 2026

Artificial Intelligence is entering a phase where ambition and profitability pressure collide with scrutiny on data use.

‍

In 2026, Privacy and AI governance might be the real stress test for what AI products can responsibly scale. At the same time, AI agents and new interfaces are reshaping how data is collected, making consented, high-quality inputs a prerequisite for success.

‍

This will be a decisive year for AI. On one side, many say an AI bubble is looming, and the financially overinflated hype will burst, drowning its supporters with it. On the other side, there are those who say that the field of AI will take a pragmatic turn, and companies will start deploying personalized, integrated, and profitable AI applications, proving skeptics wrong.

‍In both cases, a fierce AI race will continue pressuring companies to increase profitability. Many have not realized, but privacy and data protection concerns will serve as a central thermometer for assessing the quality of existing AI governance mechanisms.

‍In desperation to monetize and please investors, companies have been resorting to well-known privacy-invasive features, such as social-media-like interfaces and feeds (as we saw with Meta's Vibes and OpenAI's Sora 2) and promises of infinite AI memory and personalization.

‍Will data protection laws and emerging AI governance frameworks contain AI-powered abuses and help protect fundamental rights in times of intense pressure? That will be one of the most important trends to watch in 2026.

- Luiza Jarovsky, Co-founder of the AI, Tech & Privacy Academy

‍

In 2026, the 'magic' of AI will hit a hard reality: automated agents are only as reliable as the data they are fed. The biggest trend will be the shift from simply collecting data to actively enabling it for AI consumption.

‍Companies attempting to deploy AI agents on 'dirty' or non-consented data will face hallucinations and legal risks, stalling their ROI.

‍We must view Consent Management not just as compliance, but as the ultimate quality filter. The winning strategy involves integrating consented First-Party Data directly into the Modern Data Stack to feed AI and get business insights via Model Context Protocols (MCP).

‍Privacy becomes a business accelerator. By feeding clear, consented context to LLMs, organizations unlock 'safe and powerful activation': turning privacy constraints into a competitive advantage that drives tangible performance and automated marketing precision.

- Mathieu Lima, Co-founder at EdgeAngel

‍

I believe we are living in an exciting and unique moment in terms of the evolution of privacy. AI is already transforming the web and, more broadly, our digital behaviours and habits, with the widespread use of AI agents that consume content on our behalf and increasingly act on our behalf. Companies that have approached AI not only from the perspective of automation and productivity, but have also anticipated the profound transformations already underway in data collection and privacy, will have a head start.

What will become of data collection in a world where agents will answer all our questions without us having to consult a single information or news site? What will become of data collection when a new-generation browser will allow us to plan holidays in real time without having to consult flight or hotel price comparison sites? In short, what will become of data collection and therefore privacy in a world where the web is gradually becoming a database organised and formatted to be digested by AI agents?

All these questions are fascinating, and we will probably have some answers in 2026.

- Aurélien De Oliveira, Head of Creative at Didomi

‍

Children’s data will become a frontline enforcement and compliance priority

Across markets, children’s data is becoming a compliance and enforcement priority. Age assurance and digital identity checks are likely to expand, while AI-enabled fraud and deepfakes raise the stakes for how data is collected, retained, and accessed.

‍

In 2026, Australia's age checks and Digital ID will push more services to verify identity using face scans or government ID. At the same time, downloadable AI models (open-weight), including from higher-risk jurisdictions, make deepfake scams cheaper and AI-generated code harder to govern. 

‍With data flows hard to track, organisations must collect less, retain less, and log every access.

- Chris Brinkworth, Managing Partner at Civic Data

‍

I expect regulators will increasingly focus on the personal data of children, including guidance on how to avoid collecting their data and, if you need to, how to obtain the appropriate consent and protect it with the utmost security.

While I don’t agree with bans on social media (for some kids, it may be their only lifeline to a community), I do agree that companies should take a bit more care in thinking through their data processing practices for this group online.

‍- Julie Ford, Executive Director of the Digital Advertising Alliance of Canada (DAAC)

‍

Consent will become the control layer for first-party activation, measurement, and personalization

Consent is moving from a banner moment to a control signal that needs to travel across channels, tools, and interfaces. A

‍

s identifiers weaken and ecosystems fragment, performance will depend on being able to unify, govern, and activate consented first-party data reliably at scale, causing funadamental changes down the stack (how data is collected and routed), and up the funnel (how personalization and measurement stay defensible, provable, and useful).

‍

In 2026, the real shift won’t come from a new regulation, but from the way technology ecosystems reshape how consent and privacy are operationalized. With AI-powered interfaces and new browser architectures redefining data flows, organizations will need privacy tools that can plug into anything: CDPs, server-side environments, browser-native consent layers, and emerging digital interfaces. 

‍At Didomi, we see our role evolving from providing a point solution to acting as an intelligent privacy infrastructure that supports this entire ecosystem. Server-side consent orchestration will become a cornerstone of future data collection and activation, enabling teams to manage privacy with more accuracy, resilience, and innovation than ever before.

- Charlotte Perrin, Director of Customer Success at Didomi

‍

This is the year organizations start tretaing consent as a real-time orchestration signal instead of a checkbox. Channels will continue to multiply (CTV, retail media, in-app, clean rooms) and marketing performance will increasingly depend on the ability to unify and activate consent consistently across touchpoints.

The next competitive edge won’t be “more data”. It will be better-orchestrated, consented data, flowing seamlessly across the ecosystem.

- Frank Ducret, VP Strategy, Product Evangelist, Global Head of Partnerships at Didomi

‍

In 2026, privacy will stop being a compliance layer and become a revenue architecture. As signal loss accelerates and AI-driven systems demand cleaner inputs, companies will realize that consent is not a constraint, it’s the last reliable signal left.

The winners won’t be those collecting the most data, but those able to activate consented data consistently, at scale, across server-side, AI, and emerging channels. Privacy maturity will directly correlate with growth performance.

- Raphaël Boukris, Chief Revenue Officer and Co-founder at Didomi

‍

2026 will be the year of mass adoption for server-side tagging technologies. Today, adoption still sits around 30–40% among the top 1,000 websites per country, but the inflection point is clear. ROI is no longer up for debate: the technology is stable, reliable, and its performance-driven use cases (such as data enrichment and transformation) now fully unlock its value. I

n 2026, companies that are not yet equipped will accelerate their adoption, while those who initially built server-side in-house will increasingly turn to specialists to address more advanced challenges like Apple’s ITP, ad blockers, and bot-related issues.

One thing is certain: Didomi and Addingwell are ready to support every stage of that journey.

- Romain Baert, CEO and Co-founder at Addingwell by Didomi

‍

By 2026, journey personalization won’t succeed by being more aggressive or more transparent, but by being more defensible.

‍As AI-driven personalization scales under the EU AI Act, the challenge won’t be to explain every decision to users. Transparency at the UI level will quickly hit cognitive limits. Instead, winning experiences will rely on minimal trust signals for humans and deep auditability for machines. 

‍Personalization will move from opaque optimization to constrained autonomy: fewer signals, clearer permissions, and pre-approved influence boundaries that compliance agents can verify in real time.

‍- Amaury Ortolland, Co-founder & Head of Innovation at Welyft

‍

Faced with the end of third-party cookies, rising acquisition costs, and ever-present profitability challenges, the verdict is clear: with their data, brands are sitting on an unexploited goldmine.

‍The key no longer lies in mere data collection, but in the intelligent activation of consented First-Party Data. It is imperative to break down silos between Technology, Legal, and Marketing to inject this qualified data directly into media platforms, enabling algorithms to optimize effectively. This paradigm shift transforms compliance into a pure performance driver. In this context, 2026 will undoubtedly be the year of the thoughtful and measured leveraging of proprietary data!

- Jonathan Dupasquier, Deputy CEO at M13h (part of Cosmo5)

‍

European privacy will evolve under reform pressure and sovereignty politics

In Europe, 2026 looks like a year of reform momentum (see the Digital Omnibus initiative) layered on top of ongoing enforcement.

‍

The politics of sovereignty and cross-border data transfers will be key pressure points, and the definitions of what personal data is and how consent is expressed (including machine-readable signals) will be central to the conversation.

‍

I guess the various potential changes via the Digital Omnibus are by far the biggest changes in practice. On a larger scale the relationship between the EU and the US will also trigger many moves to so-called ‘sovereignty’ but potentially also to disruptions and new possibilities.

‍- Max Schrems, Chairperson of noyb

‍

In Europe, 2026 will be the year that follows the communication about the Digital Omnibus, a proposal that should unify and harmonise several data protection laws. While businesses will have to monitor the potential changes to come, they will have in parallel to remain focus on the still on-going, and increasingly automated, enforcement of the GDPR and ePrivacy/cookie laws by data protection authorities.

‍With the current international geopolitical situation, European businesses will also have to keep an eye on the specific topic of “data transfers”. Recent signals have shown that the Data Privacy Framework may be at risk, and that a new “Schrems II-like” situation should be anticipated.

- Louis-Marie Guérif, Digital Ethics Officer at Piano

‍

The biggest data protection trend for 2026 will be a serious second look at organisations’ data to figure out which are truly personal data, which are clearly not and which are somewhere in between. It is the chance to move away from assumptions and hasty conclusions and to get to the true heart of data protection: the protection of personal data.

- Peter Craddock, Partner - Data/Cyber/Tech Law at Keller and Heckman LLP

‍

In 2026, the adtech ecosystem will need to keep a watchful eye on the EU Commission Digital Omnibus package which tackles the persistent challenges of consent fatigue through fundamental reforms to the ePrivacy Directive.
‍
The key mechanism is porting relevant provisions from Article 5(3) ePrivacy Directive into GDPR as a new Article 88a, bringing personal data processing from terminal equipment fully within GDPR's regulatory framework, whilst preserving existing ePrivacy protections for non-personal data. Controllers face new operational requirements: they must provide single-click refusal mechanisms…Two purposes gain exemptions from consent requirements including creating aggregated audience measurement for the controller's own use.
‍
The most significant, although longer-term, innovation comes through Article 88b's automated consent mechanism. Controllers must enable data subjects to give or refuse consent through machine-readable signals, whilst web browser providers (excluding SMEs) must provide technical means for users to transmit these preferences.
‍
These changes [are] unlikely to shield the industry from ongoing regulatory scrutiny that has shaped EU data protection enforcement for years.

- Willy Mikalef, Partner at Bird & Bird

‍

In 2026, the Digital Omnibus Package will keep many of us busy. With the trilogue underway, a lively battle of influence is already taking shape around some of the most delicate GDPR and ePrivacy topics. For lawyers, it has a familiar taste, very much a ‘pre-GDPR once again’ moment, where legal expertise briefly becomes fashionable inside companies.

Didomi will be at the forefront of these discussions, actively contributing to every debate and consultation in the year ahead.

- Thomas Adhumeau, Chief Privacy Officer at Didomi

‍

U.S. privacy will continue to accelerate, with stronger enforcement and higher expectations

In the U.S., the direction of travel is clear: more laws, but even more importantly, more serious enforcement and higher expectations for how privacy rights work end-to-end.

‍

Regulators and litigators are pushing beyond surface-level compliance into technical realities, including data minimization, contracts, and whether opt-outs and signals truly flow across systems. The result will be a market where risk management drives stricter experiences and operational rigor, even when the law doesn’t explicitly require it.

‍

The key to a trend is seeing it before it becomes a trend. The California Attorney General’s enforcement action in Healthline signals that regulators are now enforcing on what they deem to be the reasonable consumer expectations, which is part of California and Colorado’s data minimization standard.

In the same way that we continue to see enforcement action (in California) focus on the lack of contracts with privacy protective terms, I suspect that data minimization will be next. Many organizations are going to need to carefully assess or reassess whether and how their services fit into that standard.

- Michael Hahn, Executive Vice President & General Counsel at IAB and IAB Tech Lab

‍

This will be the year that U.S. regulatory enforcement really gets into the weeds. Surface-level compliance isn't going to cut it anymore.

‍Regulators, especially in California, are stressing the importance of implementing consumer privacy rights correctly and exhaustively on the backend, from a technical perspective. This means ensuring GPC signals are honored and opt outs flow across platforms and consumer touch points, as well as having a full and complete understanding of (and proper contractual relationships and opt-out signaling capabilities with) every third party to whom personal information is sold or shared on an ongoing basis.

‍Regulators will dig deep to understand how data flows work, and they'll expect organizations to be right there with them. So make sure to get your ducks in a row: the hard questions are coming.

- Julie Rubash, Chief Privacy Officer and Legal Counsel at Sourcepoint by Didomi

‍

We're going to continue to see the U.S. move to a de facto opt-in regime—not because of any single regulation, but more so the death by a thousand cuts.

Between CIPA enforcement, VPPA cases, children's privacy litigation, and general consumer protection trends, we'll reach a tipping point where >50%+ of U.S. websites will have consent messages prompting explicit opt-in, even when it's not legally mandated. It's not regulation-driven, but more about risk management at scale.

‍- Brian Kane, Co-founder and Chief Operating Officer at Sourcepoint by Didomi

‍

2026 is shaping up to be a turning point. With meaningful enforcement of universal opt-outs finally arriving in U.S. browsers, we may see the long-standing divide between U.S. and European privacy expectations begin to narrow. As new consent channels mature—from mobile to CTV to server-side—the entire ecosystem will be pushed to rethink how permissioned data is tracked and governed. Knowing exactly when, where, why, and how consent was gathered will shift from an operational detail to a strategic advantage.

This clarity becomes essential as the industry moves into server-side execution and AI-driven interactions, where user choices must be consistent, transparent, and verifiable across every touchpoint.

- Jeff Wheeler, VP of Product at Didomi

‍

Closing words from our CEO, and more data privacy trends for 2026 from Forrester

Our CEO, Romain Gauthier, closes the 2026 edition of our data privacy expert roundup with his own predictions, highlighting the importance of standardization:

‍

In 2026, I expect privacy standards to keep emerging and gaining traction. 

Consent fatigue and AI adoption by users will drive regulators to push the markets to build new standards (see the EU Commission Digital Omnibus). Standardization will be one of the most important levers we have to reduce complexity and make compliance easier to implement at scale for companies. 

It’s also, in my view, the only viable path to scale privacy, trust, and responsible data innovation across industries and regions, which is why Didomi intends to play an active role. Stay tuned.

- Romain Gauthier, CEO and Co-founder at Didomi

‍

What about you, what are your predictions for 2026? Join the discussion on LinkedIn and, to discover more trends, head to our latest report, featuring research from Forrester:

‍

{{forrester-2026-predictions}}