Data Privacy News: GDPR, CCPA & Privacy Law Updates

Latest data privacy news and regulatory updates. GDPR enforcement, CCPA changes, UK DUA Act, and global privacy law developments that affect how your business handles personal data.

Last updated: 2026-03-02

Privacy laws are changing faster than ever. New jurisdictions are enacting comprehensive data protection laws, existing frameworks are being amended, and regulators are stepping up enforcement worldwide.

This page tracks the developments that matter for businesses handling personal data. Updated regularly with regulatory changes, enforcement actions, and new requirements that affect your DSAR processes and data protection obligations.

Bookmark this page. When a new privacy law takes effect or enforcement priorities shift, check here first.


June 2026

UK data protection complaints regime now in force

From 19 June 2026, the new statutory complaints-handling rules under the Data (Use and Access) Act 2025 — commenced by the Commencement No. 6 Regulations — apply to all UK controllers. Organisations must now operate a formal process for handling data protection complaints, and individuals are expected to raise a complaint with the controller before they can escalate it to the Information Commissioner's Office.

Key requirements for controllers, per the ICO's complaints-handling guidance:

  • Provide an accessible way to complain — accept complaints however they arrive, and tell people about their right to complain in your privacy notice and when you respond to a rights request such as a DSAR.
  • Acknowledge within 30 days and investigate without undue delay, keeping the complainant informed of progress and of the outcome.

This sits directly alongside your DSAR process: the same teams that field subject access requests will now receive — and have to log — data protection complaints.

What to do: Publish a written complaints procedure, give people at least one easy way to submit a complaint, update your privacy notice to flag the right to complain, and make sure complaints are recorded end to end. See our DUA Act 2025 DSAR changes guide.


May 2026

EU "Digital Omnibus" advances — GDPR simplification on the table

The European Commission's Digital Omnibus, tabled on 19 November 2025, continued through the EU legislative process, with the Council and Parliament reaching a provisional agreement on the package's AI provisions on 7 May 2026. The data protection elements remain under negotiation and are not yet law.

For privacy teams, the most consequential — and most contested — proposal is a change to the definition of personal data: information would not count as personal data for a particular organisation where re-identification is not "reasonably likely," judged on legal access, technical capability, cost and incentives. The package also proposes widening the exemption from records-of-processing obligations for smaller, lower-risk organisations.

The EDPB and EDPS have publicly urged co-legislators not to adopt the personal-data definition change, warning it goes well beyond a technical fix and would significantly narrow the scope of the GDPR.

What to do: Nothing changes today. Don't assume any data falls outside the GDPR on the strength of this proposal — the definition change is unsettled and faces strong regulator opposition. Track the file before adjusting any processing decisions.


March 2026

EDPB targets transparency in 2026 coordinated enforcement

The European Data Protection Board announced on 14 October 2025 that the 2026 coordinated enforcement action will focus on compliance with transparency and information obligations under GDPR Articles 12 to 14. This follows the 2025 coordinated action, which targeted the right to erasure under Article 17.

Data protection authorities across the EU will be scrutinising privacy notices, collection notices, and the information provided to individuals when their data is collected. If your privacy notice is vague, outdated, or missing required information, 2026 is the year that catches up with you.

What to do: Review your privacy notice against GDPR Article 13 and 14 requirements. Ensure you are clearly disclosing purposes of processing, legal bases, retention periods, recipient categories, and all individual rights.

UK DUA Act data protection provisions now in force

A principal tranche of the data protection and privacy provisions in Part 5 of the Data Use and Access Act 2025 came into force on 5 February 2026 via the Commencement No. 6 Regulations. This includes changes to recognised legitimate interests, research processing provisions, and amendments to law enforcement data processing rules.

The requirement for controllers to implement a formal data protection complaints-handling process takes effect on 19 June 2026 — twelve months after Royal Assent. Organisations subject to UK GDPR should be building their complaints procedures now.

For the full breakdown, see our DUA Act 2025 DSAR changes guide.


January 2026

Three more US states begin privacy law enforcement

Indiana, Kentucky, and Rhode Island consumer privacy laws took effect on 1 January 2026, continuing the wave of US state-level privacy legislation.

All three laws grant consumers rights to access, correct, and delete personal data, and require businesses to respond within 45 days. Indiana and Kentucky follow the Virginia/Connecticut model with a 30-day cure period for violations; Rhode Island's law is drafted differently, enforcing through the state's deceptive-trade-practices statute rather than the standard cure-period template.

If you process personal data of residents in any of these states, you need a DSAR response process that can handle requests under their specific requirements. See our US jurisdiction guides for state-by-state details.

CCPA automated decision-making rules take effect

The California Privacy Protection Agency's automated decision-making technology (ADMT) rules became effective on 1 January 2026, with a compliance deadline of 1 January 2027.

Under the new rules, businesses using ADMT must inform consumers about their use of automated decision-making and provide the right to opt out of decisions that produce legal or similarly significant effects. This is the first US regulation to create enforceable rights around automated decision-making, broadly comparable to GDPR Article 22.

See our automated decision-making rights guide for the full requirements.


November 2025

India DPDP Rules 2025 notified — phased compliance begins

India's Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules 2025 on 14 November 2025, operationalising the Digital Personal Data Protection Act 2023. The Data Protection Board of India (DPB) was constituted the same month.

Implementation is phased:

  • November 2025: DPB constituted and initial provisions in force
  • November 2026: Consent Manager registration and obligations framework opens
  • May 2027: Full substantive compliance required, including Data Principal rights infrastructure

Organisations processing personal data of individuals in India should be building compliance infrastructure now. See our India DPDP Act guide.

South Africa: Information Regulator ramps up enforcement

The South African Information Regulator held a media briefing on 13 November 2025 outlining enforcement activities under POPIA. Notable actions include a R5 million fine against the Department of Basic Education and a R100,000 fine against Lancet Laboratories for security compromise notification failures.

Breach notifications are surging — 1,947 security compromises were reported in the first seven months of the 2025/26 financial year, a 40% increase over the prior period.

Earlier in 2025, the Regulator introduced an e-Portal for breach reporting (from 7 April 2025) as the channel for notifying security compromises, in place of the previous email-based process.

New Zealand Biometric Processing Privacy Code takes effect

New Zealand's Biometric Processing Privacy Code 2025 came into force on 3 November 2025, with existing processors given until 3 August 2026 to comply. The Code imposes specific requirements on organisations collecting and using biometric information, including fingerprints, facial recognition data, and voiceprints.


September 2025

New Zealand Privacy Amendment Act 2025

The Privacy Amendment Act 2025 received Royal Assent on 23 September 2025, introducing a new Information Privacy Principle 3A (IPP 3A). IPP 3A requires agencies to notify individuals when their personal information is collected indirectly — from sources other than the individual themselves. The new principle takes effect on 1 May 2026.

CPPA finalises CCPA automated decision-making rules

The California Privacy Protection Agency's ADMT rules were adopted by its Board on 24 July 2025 and approved by the Office of Administrative Law on 22 September 2025. The rules create new consumer rights around automated decision-making technology and take effect 1 January 2026 (see January 2026 above).


June 2025

UK Data Use and Access Act receives Royal Assent

The Data Use and Access Act 2025 received Royal Assent on 19 June 2025, marking the most significant update to UK data protection law since the Data Protection Act 2018.

Key changes include a recognised legitimate interests framework, a codified reasonable-and-proportionate-search standard for subject access requests (with the burden on the controller to show a request is "manifestly unfounded or excessive"), and enhanced powers for the Information Commissioner.

Provisions are being commenced in stages throughout 2025 and 2026. See our DUA Act 2025 guide for the detailed breakdown.


Late 2024 — Early 2025

Australia's first tranche of privacy reforms passes

The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024 — the first major update to Australia's Privacy Act in years. Key changes include a children's privacy code, a statutory tort for serious invasions of privacy, and automated decision-making transparency requirements (commencing 10 December 2026).

The removal of the small business exemption — which currently excludes around 2.3 million businesses (roughly 95% of all Australian businesses, those with annual turnover under AUD 3 million) — was not included in this first tranche but remains agreed to in principle by the government. A second tranche of reforms addressing the exemption, updated consent definitions, and a "fair and reasonable" processing test is expected.

See our Australian Privacy Act guide.

GDPR enforcement fines exceed €7 billion cumulative

Cumulative GDPR penalties since 2018 reached an estimated €7.1 billion by end of 2025 (per the CMS Enforcement Tracker; no regulator publishes an official running total). The year's headline enforcement action was TikTok's €530 million fine from the Irish Data Protection Commission for transferring European users' personal data to servers in China.

The EU's 2025 coordinated enforcement action focused on the right to erasure under Article 17, with data protection authorities across member states conducting joint investigations into how organisations handle deletion requests.


Last updated: June 2026. This page is updated regularly as privacy law developments occur. Bookmark it and check back for the latest changes.