Weekly Compliance Brief: April 20-24, 2026
COPPA deadline hits, Ofcom probes Telegram & teen chat sites, 12 states mandate GPC, DOJ extends ADA Title II, HHS Section 504 faces rescission.
A packed week in the compliance world. The FTC's updated COPPA rule hit its compliance deadline, the Supreme Court heard oral arguments on the FCC's landmark location data fines, and Delaware moved to tighten its privacy law.
On the accessibility side, the DOJ formally published its ADA Title II extension in the Federal Register, and disability advocates pushed back hard. Here is everything website teams need to know from April 20–24, 2026.

66% of consumers say they trust companies that offer easy-to-manage privacy settings. Yet only 8% actually find them easy to use. The gap between what businesses think they're offering and what users experience is where compliance breaks down. (Thales 2026 Digital Trust Index)
April 22, 2026, marked the compliance deadline for the FTC's amended Children's Online Privacy Protection Act (COPPA) Rule, finalised in January 2025. The updates are substantial: expanded definitions of personal information, stricter rules for "mixed audience" services, enhanced parental notice and consent requirements, tighter data retention obligations, and new security standards. Operators of child-directed websites must now obtain verifiable parental consent before disclosing a child's personal information to any third party, with no exceptions for advertising partners or analytics tools.
For any website that collects data from users under 13, or that could plausibly attract children, this deadline is not a soft target. The FTC has been escalating enforcement in this space, and non-compliance now carries both regulatory and reputational exposure. If you have not audited your data flows, consent mechanisms, and third-party tag behaviour against the updated rule, that work is overdue.
On April 21, 2026, the Delaware House Technology Committee voted 4-0 to advance HB-380, a bill that would amend the Delaware Personal Data Privacy Act (DPDPA). The most significant proposed change is a reduction in the applicability threshold from 35,000 consumers to 15,000, broadly in line with thresholds in Connecticut and New Jersey. The ACLU of Delaware supported the bill but pushed for stronger data-minimisation standards closer to Maryland's model.
If passed, the amendment would bring a significantly wider range of businesses into scope under Delaware's law. Website operators who previously fell below the threshold should monitor the bill's progress through the House and reassess whether they will be captured under the revised numbers. The 4-0 committee vote suggests strong early momentum.
A growing number of US states are now mandating that websites recognise the Global Privacy Control (GPC) browser signal as a valid opt-out request, equivalent to a user clicking "do not sell my data." As of this week, 12 states have this requirement in effect, including California, Colorado, Connecticut, Oregon, Texas, Montana, and Delaware. More states are expected to follow as privacy legislation matures and enforcement agencies make GPC compliance a stated priority.
For website operators, this is a practical and technical requirement, not just a policy one. If a user has GPC enabled in their browser and your site does not recognise and act on it, you are potentially in breach across a dozen jurisdictions simultaneously. Audit your CMP settings and confirm that GPC signals are being detected, logged, and honoured before any data sharing or sale occurs.
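One way to detect, log, and honour the signal on the server, shown as an added example that is not from this brief or any CMP vendor: browsers with GPC enabled send the `Sec-GPC: 1` request header. The tag inventory, the purpose labels, and the rule that the signal overrides a stored "allow" choice are assumptions made for illustration.

```javascript
// Added example: server-side GPC gate. Tag names and purposes are constructed.
// Browsers with Global Privacy Control enabled send the header "Sec-GPC: 1".

// Constructed inventory of third-party tags; "sale" marks data sale or sharing.
const TAGS = [
  { name: "ads-pixel", purpose: "sale" },
  { name: "data-broker-sync", purpose: "sale" },
  { name: "error-monitor", purpose: "essential" },
];

// Return true only for the exact value "1"; header names are case-insensitive.
function gpcOptOut(headers) {
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === "sec-gpc") {
      const v = Array.isArray(value) ? value[0] : value;
      return String(v).trim() === "1";
    }
  }
  return false;
}

// Decide which tags may load and produce an audit record of the decision.
function evaluateRequest(headers, storedConsent, now = new Date()) {
  const gpc = gpcOptOut(headers);
  // Assumption: the signal overrides a stored "allow", so it is honoured
  // before any sharing happens on this request.
  const optedOut = gpc || storedConsent === "deny";
  const allowed = [];
  const blocked = [];
  for (const tag of TAGS) {
    (optedOut && tag.purpose === "sale" ? blocked : allowed).push(tag.name);
  }
  const basis = gpc ? "gpc-signal" : storedConsent === "deny" ? "stored-opt-out" : "none";
  const audit = { time: now.toISOString(), gpcDetected: gpc, basis, blocked };
  return { allowed, blocked, audit };
}

// Constructed request: a GPC-enabled browser with an older stored "allow" choice.
const demo = evaluateRequest({ "Sec-GPC": "1" }, "allow");
console.log(JSON.stringify(demo.audit));
```

The audit record is what lets you show a regulator that the signal was seen and acted on for a given request; client-side tags can check `navigator.globalPrivacyControl` for the same signal.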
On April 21, 2026, the UK's online safety regulator Ofcom launched formal investigations into Telegram, Teen Chat, and Chat Avenue under the Online Safety Act. The Telegram probe was triggered by a tip-off from the Canadian Centre for Child Protection, which alerted Ofcom to evidence of child sexual abuse material being shared on the platform. The investigations into Teen Chat and Chat Avenue focus on whether those sites are taking adequate steps to prevent children from encountering grooming and illegal content. If found in breach of the Act, platforms face fines of up to £18 million or 10% of global annual revenue.
While these investigations target large platforms, the broader signal for any website that allows user-generated content or hosts community features is significant. Ofcom is actively enforcing the Online Safety Act, and the scope of its scrutiny is widening. This week marks its third set of child safety investigations following earlier probes into X and Grok. Website operators with chat functions, forums, or user-generated content sections that could be accessed by minors should review their risk assessment and content moderation obligations under the Act now.
New figures published this week confirm that European data protection authorities are receiving an average of 443 personal data breach notifications per day in 2026, up 22% on the same period in 2025. The volume reflects both an increase in actual incidents and growing awareness among organisations of mandatory breach-notification obligations under the GDPR, which require notification within 72 hours of becoming aware of a qualifying breach.
For website operators, the data underscores two things. First, the threat environment is worsening, and incident response planning is a practical necessity. Second, DPAs are processing a high volume of incoming notifications, which means they are also better positioned to identify patterns, spot under-reporting, and prioritise enforcement. Ensuring your breach detection, internal escalation, and DPA notification processes are documented and rehearsed is no longer optional due diligence.

People with disabilities represent $13 trillion in global purchasing power, yet 73% of them abandon a website if it's difficult to use. (Tenet)
On April 20, 2026, the Department of Justice's Interim Final Rule extending the ADA Title II web accessibility deadlines was formally published in the Federal Register. Larger public entities serving populations of 50,000 or more, which faced a deadline of April 24, 2026, now have until April 26, 2027. Smaller public entities and special district governments have been pushed to April 26, 2028. The rule extension is effective immediately and does not change the underlying technical standard: WCAG 2.1 Level AA remains the requirement.
Importantly, the DOJ has signalled it intends to use the extension period to issue a new Notice of Proposed Rulemaking, which could revisit the substance of the 2024 rule, including the reliance on WCAG 2.1, the scope of covered entities, and available exceptions. It is worth noting that the extension only applies to state and local government entities. Private-sector businesses remain fully exposed under Title III of the ADA, the part of the law that covers commercial websites and apps, and lawsuits against private businesses continue to be filed at record rates.
A red alert issued by Converge Accessibility on April 22, 2026, warns that the HHS Section 504 digital accessibility rule, which mandates WCAG 2.1 AA compliance for all organisations receiving federal health and social services funding, may be at risk of rescission. With the compliance deadline for large organisations set for May 11, 2026, there are credible signals that the current administration may publish a notice in the Federal Register to withdraw or substantially weaken the rule before it takes full effect.
If the rule survives, any organisation with 15 or more employees receiving HHS funding, including hospitals, clinics, health insurers, long-term care providers, research institutions, and social service agencies, must comply with WCAG 2.1 Level A and AA by May 11, 2026, with smaller organisations following by May 10, 2027. Website teams in these sectors should follow developments closely and proceed with compliance work regardless, as a rescission is not yet confirmed and the window is extremely tight.
WCAG 2.2 was formally approved as an ISO international standard (ISO/IEC 40500:2025) in October 2025, and the implications are now being felt across procurement and vendor selection in 2026. Government bodies, large enterprises, and international organisations that reference ISO standards in their procurement documents now have a formal basis for specifying WCAG 2.2 rather than 2.1, and several are beginning to do so. The standard is fully backward compatible with WCAG 2.1, meaning compliance with 2.2 also satisfies 2.1 requirements.
For website operators and agencies, this shifts the practical question from "do we need to bother with 2.2?" to "when will 2.2 be required in contracts we want to win?" In some cases, it already is. Building to WCAG 2.2 AA is increasingly the difference between being included or excluded in competitive procurement, particularly in the public sector, healthcare, and financial services verticals.
An editorial published on April 22, 2026, by The Nation examined Pakistan's legislative gap on digital accessibility. Despite constitutional guarantees of equality and multiple federal and provincial disability rights statutes, Pakistan has not yet adopted enforceable technical accessibility standards for digital services. The piece calls for adoption of WCAG-based requirements, mandatory accessibility audits, and transparent remediation timelines, drawing comparisons to the EU's EAA and the US ADA framework.
The story is relevant beyond Pakistan. It illustrates a broader global pattern: countries and jurisdictions that have not yet adopted formal digital accessibility standards are increasingly under domestic pressure to do so, and the WCAG framework is emerging as the global default. For website operators serving international audiences, building to WCAG 2.1 or 2.2 AA now is both a compliance strategy and a future-proofing exercise as more markets adopt enforceable standards.
With the European Accessibility Act now in its tenth month of active enforcement, the first patterns are emerging from market surveillance authorities across EU member states. Enforcement has been most active in France, where grocery e-commerce platforms faced formal notices and injunctions, and in Germany, where several financial services websites have been the subject of accessibility complaints. Fines issued to date have varied widely, from €5,000 for minor non-conformances to €180,000 for persistent, systemic failures affecting core user journeys.
The data from the first months of EAA enforcement offers useful calibration for businesses still working on compliance. Regulators appear to prioritise cases where barriers affect critical transactional flows (checkout, account creation, and customer support) over cosmetic or edge-case issues. Addressing high-impact, high-frequency accessibility barriers first is both the right user experience approach and the one most likely to reduce regulatory exposure in the near term.
Compliance continues to move fast, and this week makes that clear. From COPPA now being fully enforceable to GPC becoming a practical requirement across multiple states, and accessibility timelines shifting while enforcement ramps up, the direction is consistent: expectations are getting more specific, more technical, and more actively enforced.
For website teams, the advantage lies in staying proactive: regularly reviewing data flows, consent mechanisms, and accessibility gaps before they become risks. We will be back next week with the latest updates to help you stay ahead.