Four recent GDPR changes your business needs to know about

We cover GDPR changes: AI's impact, updated cookie banners, cross-border enforcement law, EU-U.S. Data Privacy Framework; Twilio Segment's role in GDPR compliance through consent, PII protection, local data processing.

By Lisa Zavetz

Enacted in 2018, GDPR set out to protect the privacy of European citizens online. It ruled that consent must be obtained from the user before any cookies are activated, must be granular, and must be easy to withdraw on request. Data subjects also have the right to restrict processing and even to request that companies delete their data.

With the rise of artificial intelligence and new legislation, the way GDPR works is being threatened.

With several recent changes affecting the General Data Protection Regulation (GDPR), businesses must navigate revised rules to handle customer data responsibly, and that starts with understanding how each change will affect your business.

In this blog, we’ll uncover the current threats to GDPR, how they impact companies in the EU and USA, and how a Customer Data Platform (CDP) like Twilio Segment can help ensure compliance.

1. Generative AI is threatening the integrity of GDPR

Artificial Intelligence (AI) is gaining popularity, and that growth is only expected to continue.

But the lack of governance around AI leaves room for doubt. AI applications that process personal information are subject to GDPR’s principles, so anyone using them has to consider whether the information these systems output can be linked to one specific person.

So companies must ensure that AI analyzes personal data in a compliant way. The EU’s recently proposed Artificial Intelligence Act (AI Act) aims to encourage developers to address privacy and ethical concerns proactively during AI development.

Some of the topics proposed in the AI Act are around:

  • Scope and Definitions - how to define what constitutes artificial intelligence and its different categories of risk.

  • High-Risk AI Systems - how to identify certain high-risk AI systems, like medical devices or critical infrastructure, and enforce strict requirements for their development, deployment, and use.

  • Data Quality and Transparency - requiring developers to use representative and unbiased data for training AI systems. Transparency about AI's decision-making processes is also expected.

This feels similar to the GDPR’s impact on data protection.

Like GDPR, the EU AI Act aims to protect individuals' rights and privacy. While GDPR focuses on personal data, the AI Act addresses risks posed by artificial intelligence systems. Both regulations set rules for transparency, accountability, and safeguards to ensure that people's rights are respected in the digital age.

The EU AI Act could become a global standard, determining to what extent AI has a positive rather than negative effect on your life wherever you may be.

What does this mean for your business?

While the EU AI Act is still proposed, it could change the way marketers act. Marketers:

  • Will need to be cautious about how they employ AI in their strategies moving forward. 

  • Might need to ensure that AI algorithms for ad targeting are free from biases and adopt stricter compliance measures for high-risk AI applications in marketing. 

  • Must understand and adapt to the Act’s requirements, as non-compliance could lead to fines.

2. Changes to cookie banners

GDPR outlines a set of rules for dealing with cookies, which has made consumers much more aware of what data third parties collect about them. Cookie consent is a cornerstone of compliance for websites with EU-located users.

This is because one of the most common ways for personal data to be collected and shared online is through website cookies. GDPR sets out specific rules for the use of cookies.

GDPR requires a website to collect personal data from users only after they have given explicit consent for the specific purposes it will be used for. Users must be able to choose granularly what is collected and to withdraw consent at a later date.

Second, people have the right to restrict the processing of their data and to request its deletion.

A “Cookie Banner Task Force” was created in 2021 to field responses to various complaints filed by the privacy group noyb (None of Your Business). Earlier this year the task force shared a report with the European Data Protection Board. The report states that there must be a clear option to reject the use of cookies (rejecting must be a real option, not one that simply closes the website on the user). Note that a banner that lists “accept” but hides “reject” under a different term like “settings” or “more options” will no longer be considered up to standard.

What does this mean for your business?

Companies will need to ensure they follow the rules below:

  • Any pre-ticked boxes on what cookies will be accepted are not valid and contravene the GDPR.

  • You must not use button colors that can deceive users. Users are often in such a rush that they select a button by its color rather than reading the words.

  • Websites cannot rely on “legitimate interest” to process personal data without user consent.

  • A “withdraw consent” option must be available, such as a “floating icon”; this will also be reviewed on a case-by-case basis.


3. New laws for cross-border regulation

The European Commission plans to introduce a new law aimed at improving the enforcement of GDPR by EU countries' privacy regulators. This law will address concerns about inefficient handling of major cases, particularly involving Big Tech companies. It aims to set procedural rules for cross-border investigations and infringements, harmonize administrative procedures, and support GDPR cooperation and dispute resolution mechanisms.

For example, the American giants Meta, Google, and Apple have their EU headquarters in Ireland, and Amazon’s is in Luxembourg. Under GDPR, tech companies are overseen by the national regulator of the EU country where they are headquartered. Ireland has faced criticism for lax enforcement of GDPR, although it has imposed multimillion-euro fines on Meta for GDPR infringements.

This new EU regulation aims to set clear procedural rules for national data protection authorities who deal with cross-border investigations and infringements. It aims to streamline enforcement while anticipating discussions and potential resistance from data privacy watchdogs, advocacy groups, and technology companies.

“Nobody will be happy with the Commission proposal as usual, because the data protection authorities agree on the problem but they do not agree on the solutions,” said Olivier Micol, the Commission’s head of unit for data protection, who is leading the work on the policy.

Non-governmental organizations want to be more involved in the procedures and companies like Google, Apple and Amazon will push back for fear of new fines, Micol said.

“Big Tech companies will not be very happy with it because it will make the system more efficient to have more enforcement,” he said.

What does this mean for your business?

To adhere to GDPR, marketers must:

  • Pay close attention to data transferred between countries.

  • Adopt more transparent, secure, and accountable data handling practices when working with international data.

  • Be aware of the Data Privacy Framework, which we uncover in the next section.

4. The Data Privacy Framework sets out how data is transferred between the USA and the EU

Introduced in July 2023, the EU-U.S. Data Privacy Framework was enacted to ensure that data can flow freely, safely and legitimately between the USA and the EU.

Previously, businesses could transfer EU data to the US under earlier EU-US frameworks, Safe Harbour and Privacy Shield. However, the EU’s Court of Justice ruled these insufficient in the Schrems I and Schrems II judgments.

The Data Privacy Framework replaces the Privacy Shield, which was less secure because it allowed European citizens’ data to be stored by American companies in American data centers.

Privacy activist Max Schrems led the legal challenges that invalidated the Privacy Shield, arguing that it was not robust enough to protect user privacy. In his words: "Just announcing that something is 'new,' 'robust' or 'effective' does not cut it before the Court of Justice. We would need changes in U.S. surveillance law to make this work."

As a result, the United States changed its law to impose stronger privacy safeguards on US intelligence agencies accessing EU personal data. Now, the US may only access EU data where doing so is “necessary and proportionate.” Previously, Uncle Sam could access anything and everything under the sun about an EU citizen. The US has also established a Data Protection Review Court that EU citizens can use to challenge US surveillance practices.

Zooming out, it makes sense that data must cross the Atlantic Ocean: the internet is a massive, interconnected platform. But it is the way this data was handled that is under the magnifying glass.

US-based companies like Google, Amazon, and Meta collect a ton of customer data and use it to send personalized messaging to their customers. There have been massive lawsuits between companies spanning the Atlantic Ocean around the misuse of customer data.

This updated framework will make it much easier and more seamless for American companies to operate in Europe.

The door is not closed: Schrems has promised to challenge the decision so that the privacy protections set out in the EU-U.S. Data Privacy Framework are examined further. At Twilio, we constantly examine international law to ensure we remain compliant.

What does this mean for your business?

To remain compliant with the DPF, businesses must:

  • Consider how they transfer personal data between the EU and the US.

  • Review their data flows, revise contracts with third parties, and implement stricter privacy measures so that cross-border data transfers uphold EU privacy standards.

  • Determine the best solution for themselves. Interpretations of data residency are multi-faceted. Some customers may still prefer the ability to pursue a data resident solution rather than the DPF.

How Twilio Segment maintains GDPR compliance

As you monitor the changes to GDPR, you can maintain a high level of customer privacy right now by investing in a CDP like Twilio Segment.

Segment practices are GDPR compliant. As the central record for your customer data, we are also committed to making it easier for you to comply with GDPR.

Segment can help you with compliant and consented data through:

  • Consent management

  • PII protection

  • Local data processing

Consent management 

First, we ask the visitor to consent to data collection and then ensure at runtime that the visitor’s preferences are respected. This is done by surfacing a banner that lets visitors configure their consent preferences. It also accounts for all the integrations connected to your website source in Segment, even when a new one is added!

Segment uses time zones to determine whether a user is physically in the EU, and looks at their language preferences as a hint to whether they are a European resident rather than a visitor from another country.

We provide a fully customizable user experience, including an out-of-the-box solution for the Consent Manager if you want to go live quickly or a fully customizable solution so you can align user experience with your product or brand.
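As an added example (not Segment's own code) of how the cookie rules from section 2 can be enforced at runtime by a consent manager like the one described here, the following JavaScript keeps every category unconsented until the visitor chooses, makes reject as easy as accept, treats withdrawal as the same one-step operation, and gates each connected integration on its category, including integrations added later. The category and integration names are constructed.

```javascript
// Added example (not Segment's code): a consent store that applies the cookie
// rules above at runtime. Category and integration names are constructed.
const CONSENT_CATEGORIES = ["analytics", "advertising"];

// Constructed table of integrations and the consent category each one needs.
const INTEGRATIONS = {
  "Product Analytics": "analytics",
  "Heatmaps": "analytics",
  "Ad Pixel": "advertising",
};

function createConsentManager(integrations = { ...INTEGRATIONS }) {
  // No pre-ticked boxes: every category starts unconsented, and nothing is
  // loaded until the visitor has actually made a choice on the banner.
  const prefs = Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, false]));
  let decided = false;

  // Integrations allowed to run right now. Re-walks the table on every call,
  // so an integration added later is still gated by the same preferences.
  function allowed() {
    if (!decided) return [];
    return Object.keys(integrations)
      .filter((name) => prefs[integrations[name]] === true)
      .sort();
  }

  // Granular update. Only an explicit `true` counts as consent; anything else
  // (false, undefined, "yes") is "no", so a malformed payload never grants consent.
  function set(update) {
    for (const [category, value] of Object.entries(update)) {
      if (!CONSENT_CATEGORIES.includes(category)) {
        throw new Error(`unknown consent category: ${category}`);
      }
      prefs[category] = value === true;
    }
    decided = true;
    return allowed();
  }

  const all = (value) => Object.fromEntries(CONSENT_CATEGORIES.map((c) => [c, value]));
  return {
    acceptAll: () => set(all(true)),   // one click to accept ...
    rejectAll: () => set(all(false)),  // ... and rejecting is just as easy
    set,                               // granular choice from the banner
    withdraw: (category) => set({ [category]: false }), // withdrawal uses the same path
    addIntegration: (name, category) => { integrations[name] = category; return allowed(); },
    allowed,
    preferences: () => ({ ...prefs, decided }),
  };
}
```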

Segment’s Destination Insert Functions enable you to insert code to enrich data before it reaches the destination. One use case is Privacy and Compliance such as data masking, encryption and decryption, improved PII data handling, and tokenization.

PII protection

The privacy portal lets you build a dynamic data inventory in minutes: Segment automatically detects and classifies personally identifiable information (PII) across your Segment data. Each data point is matched against common PII fields and assigned a risk-based classification of red, yellow, or green.

Segment makes it easy to enforce your company’s data privacy policies proactively and to protect against the collection of sensitive data such as passwords and card numbers. You can set rules that automatically block restricted personal data from being collected.
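An added example, not Segment's own code, of the classify-and-block approach described above: each property of an event is matched against a few PII rules, given a red/yellow/green tier, and red fields are dropped before the event is sent. The rule set, tiers, field names and sample event are all constructed here.

```javascript
// Added example (not Segment's code): classify event properties against common PII
// patterns, tier them red/yellow/green and drop restricted fields before the event is sent.
// Luhn checksum: tells real card numbers apart from other long digit strings.
function luhnValid(s) {
  const digits = String(s).replace(/[ -]/g, "");
  if (!/^\d{13,19}$/.test(digits)) return false;
  let sum = 0;
  for (let i = digits.length - 1, dbl = false; i >= 0; i--, dbl = !dbl) {
    const d = Number(digits[i]);
    sum += dbl ? (d > 4 ? d * 2 - 9 : d * 2) : d;
  }
  return sum % 10 === 0;
}

// Rules match on the field name, the value, or both. First match wins, so the
// red (never collect) rules sit above the yellow (direct identifier) ones.
const PII_RULES = [
  { id: "password", tier: "red", key: /pass(word|wd)?|secret|token/i },
  { id: "card_number", tier: "red", value: luhnValid },
  { id: "email", tier: "yellow", value: (v) => /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v) },
  { id: "phone", tier: "yellow", key: /phone|mobile|tel/i, value: (v) => /^\+?[\d\s().-]{7,}$/.test(v) },
];

function classifyField(key, value) {
  const scalar = typeof value === "string" || typeof value === "number";
  for (const rule of PII_RULES) {
    const keyHit = !rule.key || rule.key.test(key);
    const valueHit = !rule.value || (scalar && rule.value(String(value)));
    if (keyHit && valueHit) return { id: rule.id, tier: rule.tier };
  }
  return { id: null, tier: "green" }; // nothing matched: low risk
}

// Inventory every property of one event and strip the classifications the
// policy forbids (red by default). Returns the sanitised event plus the audit trail.
function enforce(event, blockedIds = ["password", "card_number"]) {
  const inventory = [], properties = {}, blocked = [];
  for (const [key, value] of Object.entries(event.properties || {})) {
    const c = classifyField(key, value);
    inventory.push({ key, ...c });
    if (blockedIds.includes(c.id)) blocked.push(key);
    else properties[key] = value;
  }
  return { event: { ...event, properties }, blocked, inventory };
}

// Constructed sample of what a careless signup form handler might send.
const SAMPLE_EVENT = { event: "Signup Submitted", properties: { email: "ana@example.com",
  plan: "pro", password: "hunter2", card: "4111 1111 1111 1111", mobile: "+44 20 7946 0000" } };
```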

Local data processing

With “Regional Segment” you can ingest, process and store customer data on infrastructure hosted in the EU. The right to erasure helps you manage user deletion across Segment and supported destinations. It provides visibility into the progress of deletion requests to confirm when data is deleted, so you can update your users and your company.

And finally, Segment lets you block data collection for specific users with one-click suppression. You can issue suppression requests to restrict user data from being sent to Segment and Cloud-based Destinations. Then, use the suppression list to easily add or remove users if their preferences change over time.


Sometimes the only constant is change. Regulations like the GDPR, and the bodies that enforce them, are constantly improving the way user data is protected. Many other countries have followed suit with their own privacy regulations: the United States introduced CCPA, Canada has PIPEDA, Singapore introduced PDPA, and Brazil has LGPD.

And with technological advancements like AI, the sky’s the limit on how data can be used to enhance customer journeys (and on how regulations will enforce privacy).

It is important to keep your finger on the pulse of these updated regulations to ensure you’re protecting your customers’ privacy. At Twilio Segment, we remain committed to protecting your users’ data while still providing customized, personalized experiences.
