As we head into another year of rapid change in the data and analytics landscape, I have two predictions that I believe will significantly reshape our industry. They focus on developments in the United States and the European Union, and both centre on the accelerating evolution of privacy.

1. The United States Will Enter a Rapid Privacy Shift

In Europe, privacy has become part of the mainstream. It now influences product design, marketing practice, and organisational culture. It is not perfect, but it is embedded. The United States is not there yet. However, I believe this will begin to change next year, and it will happen quickly.

When GDPR launched in 2018, it took roughly four years before strong enforcement, large fines, and negative publicity pushed companies to take privacy seriously. The United States is likely to follow a similar arc, but at a much faster pace. Litigation is far easier and far more common in the US, which means the pressure to comply will build faster. My expectation is that US organisations will shift their privacy approach within one to two years, rather than four.

2. The European Union Will Simplify Consent

Within the EU there is now a genuine willingness to update and simplify the privacy framework, particularly the ePrivacy Directive (ePD), which governs consent. The European Commission recently launched an unexpected but very welcome omnibus consultation aimed at streamlining the rules. Remarkably, this initiative is already progressing at speed.

In principle, I have always considered the GDPR a solid law. Its complexity arises from the question of what does and does not require user consent – that is, what can be defined as “personal” data, within reasonable means. This latter phrase has been argued over for years, for the most part dominated by privacy extremists. Thankfully, clarity came in Sep 2025 from the CJEU SRB ruling, which will have some far reaching ripple effects.

The current over interpretation of personal data is what has given us the intrusive consent banners that interrupt almost every browsing session in Europe. Beyond the terrible user experience, ambiguity around consent has also led to surprising legal interpretations (frankly quite silly). One well-known example is the ruling in Germany that effectively made Google Fonts unlawful to use without prior consent (there was similar decision about GTM). When even a static font library can create legal risk, it becomes easier to understand why some businesses hesitate to invest in Europe.

To be clear, consent is a core privacy principle that I fully support. However, I anticipate that by 2026 we will see a shift away from consent being handled by each individual website and towards a model where consent is set directly on the user’s device — a “set once and forget” approach. If this is achieved, I believe that around 90 per cent of the current GDPR friction will disappear. This is exactly the approach some proactive US states have already adopted using the Global Privacy Control signal (GPC).

2026 – A Positive Outcome for Privacy-Focused Analytics

I first wrote about the need to shift towards benign analytics (aggregate, non-identifiable data), back in 2019. Maybe now is the time for this to actually happen.

An important upside of these developments is that analytics tools built on aggregate, non-identifiable data — Piwik PRO is one example among several — are well positioned to grow. Because they can be configured to not collect personal identifiers, they can avoid consent issues entirely. That means no loss of traffic, no disruption to measurement, and a much more stable analytics environment for organisations that adopt them.

Brian Clifton is a measurement and data privacy strategist, author, and founder of Verified Data — the leading data quality and compliance audit platform. Formerly Google’s Head of Web Analytics for EMEA, Brian has spent over two decades helping organisations build trust in their data. He is the author of the best-selling books Successful Analytics and Advanced Web Metrics with Google Analytics and a certified member of the European Association of Data Protection Professionals.