Actionable Regulatory Intelligence for compliance, security, and legal teams.

Today's Top Story

EDPB launches 2026 enforcement sweep on GDPR transparency

Twenty-five Data Protection Authorities across the EEA have formally kicked off the European Data Protection Board's 2026 Coordinated Enforcement Framework, this year focused squarely on Articles 12–14 — your privacy notices, layered disclosures, and information-on-collection obligations. DPAs will mix fact-finding letters with formal enforcement actions, and the sweep covers controllers across multiple sectors. Context: national DPAs issued €1.15 billion in GDPR fines during 2025; the CEF is built to accelerate that trajectory. If your privacy notices haven't been re-audited against Articles 12–14 in the last twelve months, you are in the target zone — today.

Also Today

FTC finalises OkCupid/Match Group settlement — first Section 5 privacy case under Chair Ferguson. The 20-year consent order targets data sharing with an unrelated AI company that contradicted OkCupid's privacy policy. Translation: Republican-led FTC is still bringing privacy enforcement, and "we don't share with third parties" boilerplate is the trigger. Audit every public privacy claim against your actual AI-vendor data flows this week. FTC source →

Alabama becomes the 21st US state with comprehensive privacy law (HB 351). Signed by Gov. Ivey on April 17, the Alabama Personal Data Protection Act adds standard access/delete/correct/port rights plus opt-outs for targeted ads, sales, and "solely automated significant decisions" (credit, employment, healthcare, housing, basic-necessity access). Add Alabama to your state matrix and confirm your CCPA/Colorado ADM opt-out flow covers HB 351's "significant decision" definition. Hunton analysis →

Ireland DPC opens inquiry into X/Grok LLM training on public posts. A formal investigation into whether the public availability of source data discharges GDPR obligations when training large language models. The outcome will set precedent for every LLM trained on scraped public content. If you train on public web data, document your Article 6(1)(f) legitimate-interest assessment now — before the ruling lands. Background →

Deadline Alert

UK DUAA complaints procedure — 52 days to comply (2026-06-19). Every UK controller must have a documented data-protection complaints procedure under the Data (Use and Access) Act 2025: named DPO/contact, response SLAs, escalation path, complaints log. The ICO is preparing finalised DUAA guidance for H1 2026 and the 2025 fine record signals this deadline will be enforced.

One Thing to Do Today

Re-audit your top three consumer-facing privacy notices against GDPR Articles 12–14 — layered structure, plain language, every required content element, every processing purpose mapped to its disclosed legal basis. The EDPB's 25-DPA enforcement sweep is live now; transparency mismatches are the cheapest finding for a regulator to make.

Tomorrow's Focus

Wednesday → AI Governance. Expect updates on EU AI Act enforcement, US federal AI guidance, and state-level AI hiring/health-care rules.

CyberEyeQ — Actionable Regulatory Intelligence
Questions, feedback, or scoop? Reply to this email or write [email protected].