The EDPB wants AI training data to be timestamped: what the draft guidelines say
In its draft guidelines on web scraping for generative AI, the EDPB recommends recording the timestamp of collected data before using it. A look at a text open for consultation until 30 October 2026.

Timestamping rarely stepped outside the field of proof of priority. On 8 July 2026, it turned up where you would not expect it: in a draft set of guidelines from the European Data Protection Board (EDPB) on web scraping for generative artificial intelligence. In it, the regulator explicitly recommends recording the timestamp of collected data before using it to train a model.
The signal is interesting, but it should be read with care. This text is not final: it is a draft, open for public consultation. Here is what it says, what it does not, and why dated traceability is becoming a topic well beyond creators.
Unlike the blockchain guidelines, adopted in final form on 8 July 2026, the guidelines on anonymisation and web scraping for generative AI are a draft open for consultation until 30 October 2026. Their wording may change. This article describes a direction, not a settled obligation.
What the EDPB draft recommends
In the section on web scraping, the EDPB addresses how personal data collected from the web can be processed lawfully for generative AI. Among the measures put forward, one sentence stands out for our topic.
The EDPB recommends "scraping data only from reliable sources, recording the timestamp, and validating the data before using them," as relayed by France's CNIL. The stated goal: to comply with the accuracy principle.
That principle is not new. It appears in Article 5(1)(d) of the GDPR: personal data must be "accurate and, where necessary, kept up to date." What the draft adds is a method: date the collection so you can later demonstrate the state of a data point at the moment it entered the training set.
Why dating collected data changes something
Data scraped from the web is not fixed. A page changes, information becomes stale, content is corrected or removed. Without a temporal marker, there is no way to know what the data looked like when it was captured.
Recording a timestamp answers three concrete needs:
- Trace the origin: on what date, from which source, was the data extracted?
- Document the state: the data used for training corresponded to this version, on this date.
- Answer a challenge: if the accuracy, freshness, or lawfulness of a data point is questioned, a verifiable timestamp makes objective what was used.
Two uses converge. Priority timestamping proves a file existed on a given date. Collection timestamping, here, documents the moment a data point entered a process. In both cases the mechanics are the same: a fingerprint, a date, an independent verification.
What it proves, what it does not
It would be wrong to conclude that "timestamping your data makes an AI processing operation compliant." Timestamping is a link in traceability, not compliance in itself.
The EDPB draft also recalls that processing special categories of data (sensitive data within the meaning of Article 9 GDPR) is in principle prohibited, with no general exemption: dating a collection obviously does not lift that prohibition. Likewise, lawful scraping requires a legal basis, respect for minimisation, and informing individuals.
In other words, timestamping documents the when and the what. It resolves neither the why (the purpose) nor the right (the legal basis). It is a useful evidentiary building block, provided you do not make it say more than it does.
A reflex that reaches beyond AI
Beyond teams that train models, this direction illustrates a deeper trend: documenting the date and integrity of a data point as it enters a process is becoming a compliance and traceability reflex.
A company building an evidence file, a service archiving deliverables, an organisation that must prove what it held at a given moment: all have an interest in freezing a dated fingerprint rather than relying on approximate memory. The EDPB draft merely applies to AI a logic already tested elsewhere.
Where does LegalStamp fit in?
LegalStamp produces exactly this kind of marker: a SHA-256 fingerprint computed locally, anchored to the Bitcoin blockchain via OpenTimestamps, and an independently verifiable receipt. The file never leaves your machine; only the fingerprint is published.
For a data team or a controller, this makes it possible to freeze the state of a dataset, a collection log, or a batch of files on a precise date, without depending on a third party for later verification. Timestamping does not replace data governance; it adds a solid temporal proof to it.
LegalStamp remains a non-qualified timestamping service under eIDAS: the evidentiary weight of the receipt is assessed case by case, within the framework of free assessment of evidence.
To timestamp batches of files or collection logs on an ongoing basis, LegalStamp's Pro and Team plans cover the volume with folder organisation and an API. See the pricing →
Conclusion
The EDPB draft guidelines send a clear signal: timestamping is no longer confined to intellectual property, it enters the traceability of the data itself. But as long as the text remains in consultation until 30 October 2026, it should be treated as a direction, not an established rule.
The right stance is twofold: anticipate the good practice (date and validate your data upstream) while keeping in mind that timestamping documents, without dispensing with full compliance.
FAQ
Disclaimer: this article is provided for informational and educational purposes. It does not constitute legal advice and comments on a draft text under consultation that may change. For the compliance of a data processing operation or an AI project, have your strategy validated by a legal professional or your data protection officer.
Related articles

EDPB blockchain and GDPR guidelines: what they change for your digital evidence
July 14, 2026

eIDAS 2.0 and Qualified Electronic Ledgers (QEL): what the regulation provides for December 2026
May 18, 2026

Paris Court of Appeal, 9 April 2026: an electronic signature is only as strong as its evidence file
May 13, 2026