2025-2026 shift in privacy engineering? From minimizing identifiers to authorizing use.
24 Jun 2026
For years, the dominant paradigm was simple:
- collect as little identifiable data as possible
- block third-party cookies
- truncate IPs
- randomise fingerprints.
These were necessary steps, but they are no longer sufficient.
Research dating back to Narayanan & Shmatikov's 2008 PET Award-winning paper showed that even anonymised datasets can be re-identified using behavioural patterns and auxiliary data. The problem was never the identifier itself: it was the unauthorised use of data.
What is starting to replace it is authorization centricity:
1. Instead of focusing solely on preventing data collection (often impossible), we need to focus on controlling data use (requiring explicit authorization for each processing action), with technical enforcement to prevent unauthorised uses, even when identifiers are present.
2. This shift is inevitable, as illustrated by the EU Digital Omnibus proposal, which is leaning this way. By simplifying AI regulation and introducing new legal bases for processing special category data for bias detection, the Omnibus acknowledges that responsible data use (not blanket minimization) is the path forward.
3. PETs research has been moving beyond minimization. Technologies like secure multi-party computation and zero-knowledge proofs enable authorized, privacy-preserving analysis of sensitive data without revealing the underlying information. The question is no longer "can we avoid collecting data?" but "can we authorize its use safely?"
4. AI agents leave no choice. Autonomous agents need access to data to act on our behalf. This makes the "ask permission every time" model unworkable. Research shows we need automated, context-aware permission systems that can predict user preferences with high accuracy, up to 94% for high-confidence decisions. Without authorization-centric design, AI agents become privacy and security liabilities.
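To make points 1 and 4 concrete, here is an added sketch (not code from this post or from any product it mentions) of a default-deny enforcement point that authorizes each processing action by purpose and recipient. The class names, the 0.9 threshold and the caller-supplied prediction are assumptions made for illustration.

```python
from dataclasses import dataclass, field

ALLOW, DENY, ASK = "allow", "deny", "ask"

@dataclass(frozen=True)
class Action:
    """One processing action: whose data, which category, why, and by whom."""
    subject: str
    category: str
    purpose: str
    recipient: str

@dataclass
class UseAuthorizer:
    auto_threshold: float = 0.9                  # assumed cut-off for automated decisions
    grants: dict = field(default_factory=dict)   # Action -> bool, explicit user choices
    audit: list = field(default_factory=list)    # (action, verdict, basis) per decision

    def record_choice(self, action, allowed):
        self.grants[action] = allowed

    def decide(self, action, predicted_allow=None, confidence=0.0):
        if action in self.grants:                # an explicit choice always wins
            verdict, basis = (ALLOW if self.grants[action] else DENY), "explicit"
        elif predicted_allow is not None and confidence >= self.auto_threshold:
            verdict, basis = (ALLOW if predicted_allow else DENY), "predicted"
        else:                                    # unknown or low confidence: ask the user
            verdict, basis = ASK, "needs-user"
        self.audit.append((action, verdict, basis))
        return verdict

    def process(self, action, record, handler, **prediction):
        """Enforcement point: the handler only ever runs on an ALLOW verdict."""
        verdict = self.decide(action, **prediction)
        if verdict != ALLOW:
            raise PermissionError(f"{action.purpose} by {action.recipient}: {verdict}")
        return handler(record)

# Constructed sample: the record carries an identifier, yet only authorised uses run.
RECORD = {"user_id": "u-123", "lat": 48.85, "lon": 2.35}
NAVIGATE = Action("u-123", "location", "navigation", "maps-agent")
ADS = Action("u-123", "location", "ad-targeting", "ad-partner")

def demo():
    pep = UseAuthorizer()
    pep.record_choice(NAVIGATE, True)
    routed = pep.process(NAVIGATE, RECORD, lambda r: (r["lat"], r["lon"]))
    ads = pep.decide(ADS, predicted_allow=True, confidence=0.6)   # low confidence -> ask
    return routed, ads
```

An `ASK` verdict blocks processing until the user answers, and an explicit refusal is never overridden by a confident prediction.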
As ID side starts working with a few major AI / AdTech players (notably on article 88B Tech options), authorisation-centricity tools (human-centric automated privacy signals) are what "privacy by default" will look like when implemented in real life.
