Data Privacy News: GDPR, CCPA & Privacy Law Updates
Latest data privacy news and regulatory updates. GDPR enforcement, CCPA changes, UK DUA Act, and global privacy law developments that affect how your business handles personal data.
Last updated: 2026-03-02
Privacy laws are changing faster than ever. New jurisdictions are enacting comprehensive data protection laws, existing frameworks are being amended, and regulators are stepping up enforcement worldwide.
This page tracks the developments that matter for businesses handling personal data. Updated regularly with regulatory changes, enforcement actions, and new requirements that affect your DSAR processes and data protection obligations.
Bookmark this page. When a new privacy law takes effect or enforcement priorities shift, check here first.
March 2026
EDPB targets transparency in 2026 coordinated enforcement
The European Data Protection Board announced on 14 October 2025 that the 2026 coordinated enforcement action will focus on compliance with transparency and information obligations under GDPR Articles 12 to 14. This follows the 2025 coordinated action, which targeted the right to erasure under Article 17.
Data protection authorities across the EU will be scrutinising privacy notices, collection notices, and the information provided to individuals when their data is collected. If your privacy notice is vague, outdated, or missing required information, 2026 is the year that catches up with you.
What to do: Review your privacy notice against the requirements of GDPR Articles 13 and 14. Ensure you are clearly disclosing purposes of processing, legal bases, retention periods, recipient categories, and all individual rights.
UK DUA Act data protection provisions now in force
The majority of data protection and privacy provisions in Part 5 of the Data Use and Access Act 2025 came into force on 5 February 2026 via the Commencement No. 6 Regulations. This includes changes to recognised legitimate interests, research processing provisions, and amendments to law enforcement data processing rules.
The requirement for controllers to implement a formal data protection complaints-handling process takes effect on 19 June 2026 — twelve months after Royal Assent. Organisations subject to UK GDPR should be building their complaints procedures now.
For the full breakdown, see our DUA Act 2025 DSAR changes guide.
January 2026
Three more US states begin privacy law enforcement
Indiana, Kentucky, and Rhode Island consumer privacy laws took effect on 1 January 2026, continuing the wave of US state-level privacy legislation.
All three laws grant consumers rights to access, correct, and delete personal data, and require businesses to respond within 45 days. Each follows the Virginia/Connecticut model with a 30-day cure period for violations.
If you process personal data of residents in any of these states, you need a DSAR response process that can handle requests under their specific requirements. See our US jurisdiction guides for state-by-state details.
CCPA automated decision-making rules take effect
The California Privacy Protection Agency's automated decision-making technology (ADMT) rules became effective on 1 January 2026, with a compliance deadline of 1 January 2027.
Under the new rules, businesses using ADMT must inform consumers about their use of automated decision-making and provide the right to opt out of decisions that produce legal or similarly significant effects. This is the first US regulation to create enforceable rights around automated decision-making, broadly comparable to GDPR Article 22.
See our automated decision-making rights guide for the full requirements.
November 2025
India DPDP Rules 2025 notified — phased compliance begins
India's Ministry of Electronics and Information Technology (MeitY) notified the DPDP Rules 2025 on 14 November 2025, operationalising the Digital Personal Data Protection Act 2023. The Data Protection Board of India (DPB) became operational the same month.
Implementation is phased:
- November 2025: DPB and penalty framework activated
- November 2026: Consent Manager registration opens
- May 2027: Full substantive compliance required, including Data Principal rights infrastructure
Organisations processing personal data of individuals in India should be building compliance infrastructure now. See our India DPDP Act guide.
South Africa: Information Regulator ramps up enforcement
The South African Information Regulator held a media briefing on 13 November 2025 outlining enforcement activities under POPIA. Notable actions include a R5 million fine against the Department of Basic Education and fines against Lancet Laboratories and other organisations for security compromise notification failures.
Breach notifications are surging — 1,947 security compromises were reported in the first seven months of the 2025/26 financial year, a 40% increase over the prior period.
Earlier in 2025, the Regulator introduced mandatory breach reporting via an e-Portal (effective 7 April 2025), replacing the previous email-based notification system.
New Zealand Biometric Data Privacy Code takes effect
New Zealand's Biometric Information Privacy Code 2024 came into force on 3 November 2025, with existing processors given until 3 August 2026 to comply. The Code imposes specific requirements on organisations collecting and using biometric information, including fingerprints, facial recognition data, and voiceprints.
September 2025
New Zealand Privacy Amendment Act 2025
The Privacy Amendment Act 2025 received Royal Assent on 23 September 2025, introducing a new Information Privacy Principle 3A (IPP 3A). IPP 3A requires agencies to notify individuals when their personal information is collected indirectly — from sources other than the individual themselves. The new principle takes effect on 1 May 2026.
CPPA finalises CCPA automated decision-making rules
The California Privacy Protection Agency approved the ADMT rules on 22 September 2025, following finalisation in July 2025. The rules create new consumer rights around automated decision-making technology and take effect 1 January 2026 (see January 2026 above).
June 2025
UK Data Use and Access Act receives Royal Assent
The Data Use and Access Act 2025 received Royal Assent on 19 June 2025, marking the most significant update to UK data protection law since the Data Protection Act 2018.
Key changes include a recognised legitimate interests framework, codified statutory factors for assessing whether DSAR requests are "manifestly unfounded or excessive," new requirements for Senior Responsible Individuals (SRIs) alongside existing DPO requirements, and enhanced powers for the Information Commissioner.
Provisions are being commenced in stages throughout 2025 and 2026. See our DUA Act 2025 guide for the detailed breakdown.
Late 2024 — Early 2025
Australia's first tranche of privacy reforms passes
The Privacy and Other Legislation Amendment Act 2024 received Royal Assent on 10 December 2024 — the first major update to Australia's Privacy Act in years. Key changes include a children's privacy code, a statutory tort for serious invasions of privacy, and automated decision-making transparency requirements (commencing 11 December 2026).
The removal of the small business exemption — which currently excludes approximately 2.5 million businesses with annual turnover under AUD 3 million — was not included in this first tranche but remains agreed to in principle by the government. A second tranche of reforms addressing the exemption, updated consent definitions, and a "fair and reasonable" processing test is expected.
See our Australian Privacy Act guide.
GDPR enforcement fines exceed €7 billion cumulative
Cumulative GDPR penalties since 2018 reached approximately €7.1 billion by end of 2025. The year's headline enforcement action was TikTok's €530 million fine from the Irish Data Protection Commission for transferring European users' personal data to servers in China.
The EU's 2025 coordinated enforcement action focused on the right to erasure under Article 17, with data protection authorities across member states conducting joint investigations into how organisations handle deletion requests.