The European Commission is planning major revisions to the General Data Protection Regulation (GDPR) that could significantly change how companies manage personal data, particularly regarding cookie tracking and AI model training. A leaked draft reveals that the Commission intends to eliminate the requirement for websites to obtain explicit user consent before using tracking cookies. Instead, companies could track users by default, requiring individuals to opt out later. This shift moves cookie regulation from the ePrivacy Directive into the GDPR, which privacy advocates argue could undermine existing protections. The proposal would also allow companies to train AI systems using personal data under the "legitimate interest" basis, as long as they implement safeguards like data minimization and transparency. Critics warn this could lead to data mining without direct consent, countering the original intent of the GDPR. Additionally, the draft suggests narrowing the definition of sensitive data, which could permit companies to infer protected characteristics from neutral information without facing stricter legal requirements. The Commission plans to unveil this proposal officially on November 19, amid criticism from privacy groups who argue that these changes could erode the EU's robust privacy framework. They assert that the Commission is using “cookie fatigue” to justify weakening protections. The draft also proposes automatic transmission of user consent preferences by browsers, potentially phasing out cookie banners, but news organizations would still require explicit consent to protect their economic interests. Privacy advocates are concerned about the implications for individual rights and the overall integrity of data governance in Europe.