A quick overview of global privacy headlines you cannot afford to miss.
January 29, 2026
United States
On January 29, 2026, New York Attorney General Letitia James led a 22-state coalition in formally denouncing the U.S. Department of Justice’s recent demands for sensitive data relating to Minnesota residents. The coalition argues that the federal government's attempt to condition the withdrawal of law enforcement agents on the release of private Medicaid, Supplemental Nutrition Assistance Program (SNAP), and voter information is a pretextual overreach that threatens the constitutional balance of power and state sovereignty.
For private organizations, this signals a period of heightened legal risk as they may find themselves navigating federal data collection mandates and the tightening enforcement of state-level privacy protections.
January 22, 2026
Brazil
Brazil’s National Data Protection Authority (ANPD) has released its implementation report for the second half of the 2025–2026 Regulatory Agenda, noting that several priority items have progressed into active enforcement stages. The report confirms the completion of guidance clarifying “high-risk” and “large-scale” processing, which has now been submitted to the Board of Directors for final approval.
The ANPD also reports significant advances in the regulation of children’s and adolescents’ personal data, with a focus on age-verification mechanisms and parental consent requirements under the “Digital ECA.” The update highlights the Authority’s continued effort to align Brazil’s data protection framework with international standards, including the GDPR.
January 21, 2026
Alberta, Canada
Alberta’s Office of the Information and Privacy Commissioner (OIPC) has issued Order HIA2026-01 following an investigation into a pharmacist’s unauthorized access and disclosure of personal health information. The adjudicator found that the pharmacist accessed a complainant’s radiographic exam results through the provincial Netcare system despite explicit instructions prohibiting such access, and later shared sensitive medical details with a colleague.
The order concludes that this conduct violated multiple provisions of Alberta’s Health Information Act (HIA) and underscores that accessing health records for personal or non-clinical purposes constitutes a serious privacy breach. The enforcement action reinforces the OIPC’s position on strict access controls and accountability for health information custodians.
January 13, 2026
United States
Canada’s Office of the Privacy Commissioner of Canada (OPC) has issued a formal reminder to businesses on their legal obligations to securely erase personal data from electronic devices before resale. The reminder follows an OPC investigation into Staples Canada, which found that personal information remained accessible on returned laptops that were later resold, exposing former customers’ sensitive data.
The OPC reiterates that organizations subject to the Personal Information Protection and Electronic Documents Act (PIPEDA) must ensure personal data is fully and irreversibly wiped before devices leave their control. Recommended measures include performing manufacturer-approved factory resets, issuing standardized and clear data-removal instructions, and ensuring staff are adequately trained to carry out secure deletion. The OPC also stresses that simply deleting files or placing them in “trash” folders is insufficient.
January 1, 2026
Indiana/Kentucky/Rhode Island, United States
Comprehensive privacy laws in Indiana, Kentucky, and Rhode Island have entered into force, expanding consumer rights and compliance obligations. The Indiana Consumer Data Protection Act (ICDPA) and Kentucky Consumer Data Protection Act (KCDPA) grant rights to access, correct, delete, and opt out of targeted advertising and data sales, while requiring data protection impact assessments for high-risk processing.
The Rhode Island Data Transparency and Privacy Protection Act (RIDTPPA) also took effect, standing out for its lower applicability thresholds, no right to cure, and stricter transparency requirements, including disclosure of specific third-party recipients of sold personal data. Organizations must ensure compliance from day one to avoid penalties of up to $10,000 per violation.
January 1, 2026
Oregon, United States
New amendments to the Oregon Consumer Privacy Act took effect on January 1, 2026, introducing stricter limits on the sale and use of sensitive personal data. Controllers are now prohibited from selling precise geolocation data, defined as location information accurate within 1,750 feet, significantly narrowing permissible data commercialization practices.
The amendments also strengthen protections for minors by banning the sale of personal data of consumers under 16 and prohibiting the use of such data for targeted advertising or certain profiling activities. In addition, controllers must now honor consumer opt-out requests submitted through universal opt-out mechanisms, increasing operational obligations for privacy compliance.
New CCPA regulations on automated decision-making technology (ADMT), privacy risk assessments, and cybersecurity audits became applicable at the start of 2026, expanding compliance obligations for businesses. The ADMT rules apply to systems that meaningfully replace human judgment in consequential decisions, requiring opt-out rights and ensuring human reviewers can understand and override system outputs.
The rules also mandate privacy risk assessments for high-risk processing activities, including selling or sharing personal data, processing sensitive information, deploying ADMT, and inferring personal characteristics in employment or education contexts. Cybersecurity provisions clarify when audits are required and shorten breach notification timelines to 30 days for consumers and 15 days for the Attorney General where more than 500 individuals are affected.
Organizations should review their use of ADMT, update risk assessment workflows, and confirm that incident response and audit processes meet the new timelines and thresholds.
January 1, 2026
California, United States
On January 1, 2026, the California Privacy Protection Agency (CPPA) launched the Delete Request and Opt-Out Platform (DROP) pursuant to the California Delete Act. DROP enables California residents to submit a single, authenticated request to delete their personal information from all registered data brokers simultaneously, creating a centralized mechanism for exercising deletion and opt-out rights.
While consumers can begin using the platform immediately, the data broker obligations phase in later. Beginning August 1, 2026, brokers must access DROP at least every 45 days to retrieve and process requests. Non-compliance may result in administrative fines of $200 per request, per day. Critically, DROP introduces a “permanent delete” requirement, obligating brokers to maintain persistent suppression lists to prevent deleted data from being re-acquired or repopulated from third-party sources.
January 26, 2026
The European Commission and Brazil have announced mutual adequacy decisions, enabling the free flow of personal data between the EU and Brazil without the need for additional transfer safeguards. The European Commission adopted an adequacy decision under the General Data Protection Regulation (GDPR), formally recognizing Brazil as providing an equivalent level of personal data protection.
In parallel, Brazil’s National Data Protection Authority (ANPD) issued Decision CD/ANPD Nº 32/2026, granting adequacy status to the EU under Brazil’s Lei Geral de Proteção de Dados (LGPD). The mutual recognition facilitates cross-border data transfers, impacting approximately 670 million individuals across both jurisdictions and removes significant legal friction for international business operations.
January 22, 2026
The European Commission has released version 1.4 of the Data Act FAQs, outlining new developments affecting data sharing and interoperability under the Data Act. Key updates include the launch of a Common Union Repository for harmonized standards, requiring providers to align customer-facing interfaces accordingly, and confirmation that Compensation Guidelines for mandatory data access are expected in Q2–Q3 2026, giving IoT providers time to prepare pricing and cost-allocation models.
The FAQs also reference the forthcoming European Trusted Data Framework for data spaces and include newly published Model Contractual Terms and Standard Contractual Clauses (English). Companies are advised to review data and cloud contracts, assess APIs against EU standards, and document IoT cost structures in advance of the 2026 compensation rules.
January 22, 2026
France
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has imposed a €3.5 million administrative fine (Decision SAN-2025-015) on a company for unlawfully transmitting loyalty-program member data to a social network for targeted advertising without valid consent. CNIL found that since 2018, the company had shared email addresses and phone numbers of more than 10.5 million individuals, relying on consent that was neither specific nor informed.
The authority also identified broader GDPR compliance failures, including transparency gaps (outdated references to the invalidated Privacy Shield), weak security measures, failure to conduct a mandatory DPIA, and the unlawful placement of non-essential cookies before user consent. The fine was issued for violations of Articles 6, 12, 13, 32, and 35 GDPR, as well as Article 82 of the French Data Protection Act, reinforcing CNIL’s strict stance on consent-based advertising and data sharing with social platforms.
January 21, 2026
UK
The UK’s Information Commissioner’s Office (ICO) has issued fines totaling £225,000 against Allay Claims Ltd and ZMLUK Limited for breaches of the Privacy and Electronic Communications Regulations (PECR). Allay Claims was fined £120,000 after sending more than 4 million unsolicited marketing texts promoting PPI tax refund services between February 2023 and February 2024, without valid consent or a lawful reliance on the “soft opt-in” exemption.
ZMLUK was fined £105,000 for sending over 67 million marketing emails between January and July 2023 using third-party data, where recipients were not given clear or informed choices about receiving marketing. The ICO found both companies in breach of Regulation 22 PECR, clarifying that senders remain legally responsible for compliance even when acting on behalf of third parties, and that consent mechanisms relying on extensive partner lists do not meet PECR standards.
January 16, 2026
France
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has issued final recommendations on collecting consent for cookies and trackers across multiple devices where users are authenticated. Consent choices expressed on one device may be applied to others, provided the scope remains identical across devices and users are clearly informed of the cross-device impact.
CNIL requires disclosure at the first layer of the consent interface, reinforced by a notice when a new device is connected, and allows conflicts to be resolved by applying either the most recent user choice or the preferences stored in the account. The authority reiterates that multi-device consent is lawful only where transparency and user information requirements are strictly met.
January 16, 2026
Turkey
Turkey’s Personal Data Protection Authority (KVKK) has issued a public announcement confirming that push notifications sent via mobile apps constitute personal data processing and must comply with the Personal Data Protection Law. The guidance follows complaints where users were required to accept a single bundled consent for both operational and marketing notifications.
KVKK clarified that consent must be freely given and purpose-specific, prohibiting the bundling of marketing alerts with essential service notifications. App providers must enable granular user controls through in-app or device settings and review consent mechanisms to meet the technical and administrative safeguards required under Article 12.
January 15, 2026
United Kingdom
The UK’s Information Commissioner’s Office (ICO) has released updated guidance aimed at simplifying compliance with international data transfer requirements under the UK GDPR. The guidance introduces a three-step test to help organizations identify restricted transfers, defined as situations where personal data is transferred or made accessible to a separate legal entity outside the UK.
The ICO reiterates that restricted transfers must be covered by UK adequacy regulations, appropriate safeguards such as the International Data Transfer Agreement (IDTA), or a valid legal exception. Organizations remain responsible for conducting Transfer Risk Assessments (TRAs) to ensure protections are not weakened once data leaves the UK, emphasizing that transfers must not proceed where no safeguard or exception applies.
January 14, 2026
France
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has imposed fines totaling €42 million- €27 million on Free Mobile and €15 million on Free, following a major 2024 data breach that exposed personal data from approximately 24 million subscriber contracts, including sensitive IBAN details.
CNIL identified serious compliance failures, including weak remote-access security, inadequate monitoring for abnormal network activity, and the unjustified retention of former subscribers’ data beyond legal limits. The authority also found deficiencies in breach notifications, which failed to clearly explain risks or protective steps for affected individuals. Both companies have been ordered to complete security enhancements and data deletion measures within three to six months.
January 9, 2026
IAB Europe has prevailed in its appeal before the Belgian Market Court, which annulled a January 2023 decision of the Belgian Data Protection Authority (APD) validating corrective measures under the Transparency and Consent Framework (TCF). The court found the decision legally flawed, as it was based on an overly broad interpretation of IAB Europe’s joint controllership.
The ruling aligns with the Market Court’s May 14, 2025 judgment, confirming that IAB Europe’s joint controllership is limited to TC String processing only. The APD must now issue a new decision reflecting this narrower scope and it was also found to have breached IAB Europe’s right to be heard by adopting its 2023 decision without allowing submissions.
January 8, 2026
Finland
Finland’s Supreme Administrative Court has issued a 3-2 ruling confirming that insurance companies may lawfully process sensitive health data during the insurance application stage. The court overturned an earlier interpretation by the Data Protection Ombudsman, which had limited such processing to individuals who were already insured.
The court held that the term “insured person” under national law includes applicants for voluntary personal insurance, even before a contract is finalized. As a result, insurers may process health data to assess risk and determine coverage terms, provided the processing complies with General Data Protection Regulation Article 9 requirements.
January 7, 2026
Netherlands
The Dutch Ministry of Economic Affairs, together with the Ministries of Justice and Security and the Interior, has responded to parliamentary concerns regarding the European Commission’s Digital Omnibus Regulation Proposal. While reaffirming support for simplifying EU digital legislation to reduce administrative burdens and boost competitiveness, the government warned that the proposal risks weakening data protection safeguards.
In particular, the Netherlands raised concerns over proposed amendments to the General Data Protection Regulation, including the introduction of Article 88c, which would allow the use of legitimate interest as a legal basis for AI training. The government cautioned that this could undermine existing necessity and proportionality standards, enable broader processing of sensitive data, and lack a proper impact assessment. The Cabinet continues to assess the proposal, with its position expected to feed into advice from the European Data Protection Board and the European Data Protection Supervisor.
January 6, 2026
Germany
The Hamburg Data Protection Commissioner (HmbBfDI) has released a comprehensive Legitimate Interests Assessment (LIA) questionnaire to support organizations in assessing and documenting reliance on legitimate interest under the General Data Protection Regulation (GDPR). Applicable to both public and private sectors, the tool provides a structured, step-by-step framework to evaluate whether legitimate interest can be used as a lawful basis for processing.
The questionnaire guides organizations through identifying a lawful and permissible interest, assessing necessity and data minimization, and balancing organizational needs against individuals’ rights and freedoms. It also emphasizes robust documentation and regular reviews to ensure ongoing compliance as processing activities evolve.
January 1, 2026
France
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has imposed a €1 million fine on Mobius Solutions Limited, a subcontractor for music streaming service Deezer, following a data breach affecting 46 million users. CNIL found that Mobius failed to comply with core GDPR obligations related to subcontracting and data handling.
The investigation revealed that Mobius unlawfully retained Deezer’s data after its contract expired and reused it to enhance its own advertising services, while also failing to maintain a required record of processing activities. CNIL emphasized that GDPR liability applies directly to processors, noting that despite being based outside the EU, Mobius fell under French jurisdiction due to its monitoring of users in France. The fine reflects the scale of the breach and the absence of basic organizational safeguards.
January 1, 2026
France
France’s Commission Nationale de l’Informatique et des Libertés (CNIL) has imposed a €1.7 million fine on Nexpublica France following serious security failures in its PCRM software used by departmental disability offices (MDPH). In 2022, multiple customers reported breaches after discovering unauthorized access to sensitive third-party documents, including health and disability data.
CNIL’s audits found that Nexpublica had implemented insufficient technical and organizational measures, despite being aware of the vulnerabilities through prior audits and failing to remediate them before the incidents occurred. The authority cited a violation of GDPR Article 32, noting that Nexpublica’s role as an IT specialist handling highly sensitive data aggravated the breach. The fine reflects the severity of the shortcomings, the sensitivity of the data involved, and the company’s financial capacity.
January 22, 2026
China has issued new regulations establishing a detailed classification framework for online content that may affect minors’ physical and mental health. The framework categorizes harmful content into four groups, including material that encourages harmful behavior, negatively influences values, improperly uses minors’ images, or involves the misuse of minors’ personal information. Covered content includes cyberbullying, sexual innuendo, promotion of dangerous activities, substance use, materialism, pseudoscience, and unhealthy relationship portrayals.
Under the regulations, online platforms and content providers must implement preventive and restrictive measures, including prominent warning labels and limits on content visibility. Such content may not appear in high-visibility areas such as homepages, recommendations, trending lists, or pop-ups, and services designed specifically for minors must exclude it entirely. Content creators remain responsible for proper classification and labeling. The measures take effect on March 1, 2026.
January 15, 2026
United States, United Kingdom, Australia, Canada, Germany, Netherlands, New Zealand
The Cybersecurity and Infrastructure Security Agency (CISA), National Cyber Security Centre (NCSC-UK), the Federal Bureau of Investigation (FBI), and international partners have released joint guidance on securing operational technology (OT) connectivity. Led by NCSC-UK, the guidance provides a common framework for organizations operating critical infrastructure.
The document outlines eight core principles, including risk-based connectivity decisions, minimizing OT exposure, strong authentication and encryption, network segmentation, and continuous monitoring. It warns that insecure OT connectivity remains a major attack vector, posing significant safety and national security risks to essential services such as energy, water, and industrial systems.
January 7, 2026
South Korea
South Korea’s Personal Information Protection Commission (PIPC) has issued Amendment Notice No. 2026-04, updating the rules governing personal information protection level assessments under the Personal Information Protection Act (PIPA). The amendment prioritizes oversight of institutions handling large volumes of sensitive data or with a history of repeated data breaches.
The revised framework also expands assessment coverage to include local government-funded entities and formalizes a structured evaluation process, including annual planning, submission of materials, on-site inspections, and public disclosure of results. The changes strengthen supervisory oversight and risk-based enforcement under South Korea’s privacy regime.
January 1, 2026
UAE
The United Arab Emirates has enacted a Federal Decree-Law on Child Digital Safety, establishing a comprehensive framework to protect children from harmful online content and promote age-appropriate use of digital platforms. The law applies to internet service providers and digital platforms operating in the UAE.
The decree also creates a Child Digital Safety Council to coordinate policy development, awareness initiatives, and risk monitoring, and introduces enforcement mechanisms for authorities and caregivers to ensure compliance. The legislation strengthens the UAE’s approach to online child protection and digital safety governance.
January 1, 2026
Brunei
Brunei has approved and published the Personal Data Protection Order 2025 in its official Gazette, establishing the country’s first comprehensive data protection framework. The Order introduces a consent-based processing regime and grants individuals rights to access and correct their personal data.
The law also provides robust enforcement powers, including administrative penalties of up to 10% of annual turnover or BND 1,000,000, as well as criminal sanctions, including fines and imprisonment for certain violations. The Order marks a significant step in strengthening data protection and regulatory oversight in Brunei.
January 1, 2026
Vietnam
Vietnam’s Personal Data Protection Law (PDPL) and Decree 356/2025/ND-CP are now in force, establishing a comprehensive framework for personal data processing by domestic and foreign organizations handling data of individuals in Vietnam. The regime distinguishes between basic and sensitive data and provides limited exemptions for small businesses and start-ups during a five-year transition period.
The decree clarifies obligations around consent, data subject rights, and cross-border transfers, backed by strong enforcement powers. Penalties can reach 10 times the unlawful gains or 5% of the previous year’s revenue, significantly raising compliance and enforcement risks.
January 1, 2026
China
China’s Measures for the Authentication of Personal Information Exported Abroad have entered into force, issued jointly by the Cyberspace Administration of China and the State Administration for Market Regulation. The measures introduce a certification-based mechanism governing cross-border transfers of personal data.
Under the new regime, organizations transferring personal data outside China must meet specific certification and data protection requirements, significantly increasing regulatory oversight and compliance obligations. Failure to comply may result in heightened enforcement and liability for unlawful cross-border data transfers.
January 1, 2026
China
China’s National People’s Congress has brought into force amendments to the Cybersecurity Law, strengthening the country’s cybersecurity governance framework.
The amendments enhance support for foundational research, algorithmic innovation, and critical infrastructure development, while reinforcing ethical governance and cybersecurity risk monitoring. They also improve alignment with China’s Personal Information Protection Law and the Civil Code, contributing to greater regulatory coherence across China’s digital governance regime.
At Securiti, our mission is to enable organizations to safely harness the incredible power of Data & AI.
Copyright © 2026 Securiti · Sitemap · XML Sitemap
info@securiti.ai
Securiti, LLC.
3155 Olsen Drive
Suite 325
San Jose, CA 95117
Type
