Weekly Compliance Brief: April 27 - May 1, 2026
BC breach notification guidance, EDPB approves first GDPR seals, California audit finds 194 ad services ignoring GPC, Connecticut SB 4 advances.
British Columbia's privacy regulator published new breach notification guidance this week, the EDPB approved its first-ever European data protection seals, and an independent audit of California's most popular websites found 194 advertising services ignoring Global Privacy Control opt-out signals. Connecticut's data broker bill cleared the Senate on a 31-4 vote, and the HHS Section 504 deadline is now 11 days away. Here is everything website teams need to know from April 27 - May 1, 2026.

GDPR fines now exceed €7.1 billion in total since enforcement began in May 2018. In 2025 alone, European data protection authorities issued €1.2 billion in penalties, the highest single-year total on record. (Kiteworks, 2026)
British Columbia's privacy regulator issued new guidance on designating breach notification representatives. The document clarifies responsibilities and procedural requirements for incident response under PIPA and FOIPPA. Operators should review these updates to ensure accountability is assigned before a data breach occurs.
The EDPB has approved the first European Data Protection Seals for demonstrating GDPR compliance and managing international transfers. These Europrivacy certifications now apply to controllers and processors both inside and outside the EU. Organizations should assess these seals as a formally recognized route to legitimize cross-border data flows.
Connecticut's SB 4 passed the Senate 31-4 and aims to regulate data brokers, geolocation data, and surveillance pricing. It includes a consumer deletion mechanism and adds specific protections for biological and genetic data. If it passes the House by May 6, companies will need to register as data brokers to continue certain operations in the state.
The European Data Protection Board adopted Guidelines 1/2026 to clarify how GDPR applies to personal data used in research. These guidelines cover the definition of scientific research, legal bases for health data, and the use of broad consent for exploratory projects.
This update is critical for sectors like AI training and healthcare, where digital product data is repurposed for study. Public consultation is open until June 25, 2026, offering a window for organizations to flag practical implementation concerns. Organizations should review their existing consent frameworks now to ensure they align with these new clarifications on longitudinal data use.

Accessible websites see an average cart abandonment rate of 23%, compared to 69% for sites that are inaccessible to users with disabilities. For e-commerce operators, the business case for accessibility is as strong as the compliance one. (Tenet)
Large organizations receiving HHS funding must ensure websites and apps meet WCAG 2.1 Level A and AA by May 11, 2026. This rule covers a wide range of entities, including hospitals, insurers, and health tech companies. Teams without a completed audit should prioritize documenting a remediation roadmap to demonstrate good-faith progress.
Federal ADA Title III website lawsuits hit 3,948 filings in 2025, a nearly 24% increase from the previous year. Pro se filings rose by 40% as AI tools lowered the barrier for individuals to draft legal complaints. These figures suggest that the risk of receiving a demand letter is now a standard operational reality for e-commerce and healthcare providers.
While the DOJ extended the ADA’s Title II compliance deadlines, legal analysts note that WCAG 2.1 AA is now formally embedded in federal law. Courts increasingly use this as the de facto standard for the private sector, even without a specific Title III rule. Building to this standard remains the most defensible long-term position for commercial website operators.
A legal analysis by Ogletree Deakins notes that, despite the Title II deadline extension, WCAG 2.1 Level AA is now officially a matter of law rather than just guidance. This technical standard serves as a critical reference point for private-sector Title III lawsuits, as courts often look to government regulations for interpretive direction. Building to this standard remains the most defensible long-term position for any commercial website operator. Organizations should treat these requirements as permanent operational standards rather than temporary regulatory hurdles.
The DOJ intends to issue a new Notice of Proposed Rulemaking (NPRM) that could revisit the core technical standards and scope of the current Title II rule. This upcoming process will likely set the direction for federal digital accessibility regulation for years to come. While the future framework is unknown, the current WCAG 2.1 Level AA remains the operative standard for compliance programs. Deferring accessibility work now carries significant legal risk since the existing rules have not been rescinded, and litigation continues.
That is your compliance brief for April 27 - May 1, 2026. With the HHS Section 504 deadline now 8 days away, Connecticut's data broker bill advancing through the legislature, and a California audit confirming that GPC non-compliance is widespread and being tracked, the workload for website compliance teams shows no sign of easing. Stay ahead of the changes. The regulatory calendar does not slow down in May.