Weekly Compliance Brief: April 13–20, 2026
10 data privacy + 10 accessibility updates for website teams. New US state laws, GDPR fines, ADA deadline extended, overlay lawsuits rising, and WCAG 2.2 becoming the new baseline.
Compliance is accelerating, and the gap between “compliant” and “at risk” is closing fast.
This week brought a new U.S. privacy law, a geolocation data ban, rising enforcement on consent banners, and €10.5B+ in GDPR fines, all alongside continued accessibility pressure despite ADA deadline shifts.
Here’s what matters from April 13–20, 2026.

On April 17, 2026, Governor Kay Ivey signed House Bill 351, the Alabama Personal Data Protection Act, into law, making Alabama the 21st US state to enact a comprehensive consumer privacy framework. The bill passed with unanimous support (104-0 in the House, 34-0 in the Senate) and carries the lowest consumer threshold of any state privacy law to date, at just 25,000 people.
It includes exemptions for small businesses that don't sell data, dedicated protections for children aged 13–15, and an Attorney General-only enforcement model with a 45-day cure window. With the US patchwork now at 21 states and growing, website operators need to reassess their privacy notices and consent flows for yet another jurisdiction.
Virginia Governor Abigail Spanberger signed SB-388 on April 13, 2026, amending the Virginia Consumer Data Protection Act to outright prohibit the sale of consumers' precise geolocation data, defined as data accurate to within a 1,750-foot radius. Previously, selling location data was permissible with consumer consent; the amendment removes that option entirely.
Effective July 1, 2026, Virginia joins Maryland and Oregon in this ban, while California, Connecticut, Massachusetts, and Vermont are all considering similar legislation. Website operators using location-based ad targeting, analytics, or data broker relationships involving Virginia residents need to audit and potentially unwind those data flows before summer.
California's enforcement activity in early 2026 has focused sharply on websites that tell users they can opt out but fail to honour those choices. A $345,178 fine was issued to Todd Snyder after its cookie consent banner malfunctioned for 40 days undetected. PlayOn Sports was fined for forcing users to click "agree" on a cookie banner before accessing content, without offering an equivalent reject option.
These followed the year's largest CCPA settlement, $2.75 million against Disney and ABC in February. The California Privacy Protection Agency has made GPC signal compliance, opt-out confirmation visibility, and proportionate identity verification its top enforcement priorities for 2026, with per-violation penalties now at $2,663 (and $7,988 for intentional violations or those involving minors).
As of April 2026, total GDPR enforcement has crossed €10.5 billion in cumulative fines across 33 European countries, spanning 3,580 fines, 1,200 court rulings, and 158 rulings from the Court of Justice of the EU. Cookie consent remains one of the most actively enforced areas: France's CNIL issued a €200 million fine against Google in September 2025 for placing advertising cookies during account creation without a clear refusal option, and Shein's Irish subsidiary was fined €150 million for severe cookie consent violations.
European regulators now proactively test websites rather than waiting for complaints, with dark patterns, asymmetric accept/reject buttons, and pre-ticked boxes among the highest-priority enforcement targets in 2026.
A multistate analysis published this week confirms that more than 20 comprehensive state privacy laws are now in effect or coming into force in 2026, several carrying new thresholds and requirements that will catch businesses previously out of scope. Connecticut's July 1, 2026, amendments lower the applicability threshold from 100,000 to 35,000 consumers and add the first US state-level LLM disclosure obligation.
Maryland's law entered its compliance window on April 1, 2026. Montana now requires businesses to honour Global Privacy Control signals as valid opt-out requests. For website operators, the compounding effect of these laws means that CMP configurations, privacy notices, and opt-out mechanisms that were compliant six months ago may no longer be sufficient across all US jurisdictions.

In a significant development published on April 20, 2026, the US Department of Justice issued an Interim Final Rule extending both ADA Title II web accessibility compliance deadlines by one year. Larger state and local government entities serving populations of 50,000 or more, which faced a deadline of April 24, 2026, now have until April 26, 2027.
Smaller public entities and special districts have been pushed to April 26, 2028. The extension does not change any of the underlying technical requirements: WCAG 2.1 Level AA remains the standard. However, the DOJ has signalled it may use this window to issue a new Notice of Proposed Rulemaking (NPRM), potentially revisiting the substance of the 2024 rule. For private-sector website operators, the extension does not reduce exposure under Title III, and litigation is continuing regardless.
With European Accessibility Act (EAA) enforcement having launched on June 28, 2025, market surveillance authorities across all 27 EU member states are now actively investigating complaints and demanding conformity documentation. In France, disability advocacy groups issued formal legal notices to four major grocery retailers last year and followed up with emergency injunctions in November 2025 when remediation fell short.
Fines vary by member state, ranging from €5,000 to €500,000, and authorities can order services suspended entirely for persistent non-compliance. Any business with more than 10 employees or €2 million in annual turnover selling products or services to EU customers must comply with EN 301 549 (equivalent to WCAG 2.1 AA). This is active enforcement, not a preparation window.
New figures from accessibility litigation trackers confirm that e-commerce and retail websites account for approximately 69% of all digital accessibility lawsuits filed in the US, with more than 5,100 cases filed in 2025 alone, a 20% year-over-year increase. Demand letter settlements typically range from $1,000 to $25,000; out-of-court settlements average around $25,000 and can reach $100,000; class action settlements can exceed $6 million.
The high concentration of e-commerce targets reflects both the sector's user volume and the structural accessibility failures common in product catalogue pages, checkout flows, and account creation forms. For any online retailer, accessibility now carries the same financial risk profile as a data breach.
While the DOJ's ADA rule mandates WCAG 2.1 Level AA as the legal baseline, accessibility specialists and analysts report that WCAG 2.2 is now the default expectation in procurement language, RFPs, and third-party accessibility audits in 2026. The additional success criteria introduced in WCAG 2.2, including minimum target size (24x24 pixels), focus appearance, dragging movement alternatives, and consistent help mechanisms, address real usability barriers that WCAG 2.1 did not capture.
Building to WCAG 2.2 now future-proofs against the next round of regulatory updates and signals a genuine commitment to users with disabilities rather than minimum viable compliance.
New research published by Accessible.org this week quantifies a gap that accessibility practitioners have long argued exists: automated scanning tools reliably detect only 13% of WCAG success criteria. The remaining 87% requires manual testing, including evaluating keyboard navigation logic, reading order, screen reader behaviour, cognitive clarity, and colour contrast in dynamic states.
The finding matters significantly in the current legal climate, where organisations often rely on automated scan reports as evidence of compliance. Courts and DOJ enforcement actions have consistently looked beyond scan results to actual user experience with assistive technologies. A clean automated scan is a starting point, not a defence.
Staying on top of data privacy and accessibility is an ongoing commitment, not a one-time project, and this week is a good reminder of how quickly the landscape moves. Whether it is a new state law, a shifted deadline, or a fresh wave of litigation, the organisations that fare best are those that treat compliance as a continuous process rather than a checkbox. We will be back next week with the latest updates to help you stay ahead.