Weekly Compliance Brief: May 11-15, 2026
South Korea lifts penalty cap to 10% of revenue. Australia updates APP 3 for AI-era collection. IAPP issues 12 global priorities. HHS extends 504 to 2027.
South Korea raised its privacy penalty cap to 10% of revenue this week, signalling a shift toward prevention-focused enforcement. Australia's OAIC published updated guidance on collecting personal information, with new examples covering AI, facial recognition, and data scraping. On the accessibility front, HHS extended its Section 504 digital accessibility deadline for healthcare organisations by one year, just days before it was due. Here is everything website teams need to know from May 11-15, 2026.

US state privacy fines reached $3.425 billion in 2025, more than the prior five years combined. Gartner projects enforcement will accelerate further through 2028 as more state attorneys general build dedicated privacy enforcement teams. (Gartner, 2026)
South Korea's Personal Information Protection Commission (PIPC) announced a Transition Plan on May 12, 2026, shifting the country's privacy enforcement model from reactive penalties toward prevention-first compliance. The penalty surcharge ceiling for serious violations has been raised from 3% to 10% of relevant revenue, and the calculation basis is now the higher of the preceding year's revenue or a three-year average. These changes take effect May 19, 2026, and apply both to incidents affecting 10 million or more people and to organisations with repeated violations.
For global businesses with operations or users in South Korea, this is a prompt to review your data governance posture before an incident occurs. The broader revenue-based penalty formula means larger organisations now face substantially higher financial exposure. Privacy teams should conduct a gap assessment against South Korean privacy requirements and confirm that prevention controls, not just breach response procedures, are documented and in place.
The Office of the Australian Information Commissioner (OAIC) released updated guidance for Australian Privacy Principle 3 (APP 3) on May 13, 2026, covering the collection of solicited personal information. The revised chapter adds contemporary examples for AI-driven data collection, facial recognition, data scraping, tracking pixels, and data brokering. A new flowchart helps organisations assess whether their collection practices are lawful and proportionate.
The update also expands guidance on the fair means requirement under APP 3.5 and clarifies third-party collection liability. Organisations subject to the Privacy Act 1988 should treat this as a practical checklist. The inclusion of AI and tracking technology examples signals that the OAIC is scrutinising modern collection methods, and the clearer expectations around data minimisation mean businesses must be able to demonstrate that the data collected was genuinely necessary for the stated purpose.
At the IAPP Global Privacy Summit 2026, a panel of data protection experts published 12 action items for organisations managing compliance across multiple jurisdictions. The list covers cybersecurity and data flow audits, maintaining up-to-date data processing agreements, operationalising data subject request workflows, and implementing CCPA-compliant opt-out mechanisms for data sales. It also highlights the importance of Data Protection Officer involvement and preparation for breach notification timelines that vary by country: 30 days in California, 72 hours under GDPR, 6 hours in India, and 1 hour in China.
For privacy and compliance teams, the 12 action items serve as a practical self-assessment tool. The divergence in breach notification timelines alone illustrates why a single incident response plan is no longer viable for organisations with international users or operations. Teams that have not recently reviewed their vendor agreements, data subject request processes, or incident response playbooks will find this list a useful starting framework for prioritising gaps.
New Hampshire's HB 1460 passed the Senate as amended this week, with the House adopting the changes on a voice vote. The bill strengthens the state's consumer privacy framework with additional protections around sensitive personal data and tighter opt-out requirements for targeted advertising. In New Jersey, S 4109 was introduced to prohibit all entities from selling sensitive personal data regardless of the number of consumers affected, closing a threshold-based exemption in the current law that has allowed smaller operators to bypass restrictions.
Together, the two bills reflect a continued push by state legislatures to close gaps left by first-generation privacy laws. New Hampshire's amendments bring its framework closer in structure to Connecticut's and Virginia's, while the New Jersey proposal targets a volume exemption that privacy advocates have flagged as a significant loophole. Operators active in both states should update their sensitive data inventories and review whether any sales or disclosures currently relying on size-based exemptions would be covered under the new language.
Both California and Oklahoma updated their data breach notification statutes in 2026, adding new categories of covered personal data and, in California's case, tightening notification timelines for certain breach types. California's amendments expand the definition of personal information subject to mandatory notification to include additional health-adjacent data types, consistent with the state's ongoing effort to align breach notification with the CCPA's broader definition of sensitive personal information.
Oklahoma's changes extend mandatory notification obligations to entities previously exempt under threshold-based rules. For multi-state operators, these updates are a direct prompt to re-examine breach response plans against the full current map of state notification requirements, particularly for organisations whose incident response playbooks were last reviewed before 2025. The Privacy Rights Clearinghouse's 2026 50-state survey remains the most current reference for mapping active state notification requirements across all jurisdictions.

The US federal government scored an average of 1.96 out of 5.0 on Section 508 accessibility compliance in the GSA's 2026 annual assessment, and fewer than half of the most-viewed public-facing federal digital services met the legal standard. If the government cannot consistently meet its own accessibility requirements, the scope of the challenge across the broader web is significant. (GSA, 2026)
HHS published an Interim Final Rule on May 7, 2026, extending its Section 504 digital accessibility compliance deadlines. Organisations with 15 or more employees receiving federal financial assistance from HHS now have until May 11, 2027, to bring their web content and mobile applications to conformance with WCAG 2.1 level AA. Smaller organisations have until May 10, 2028. The extension follows widespread reports from community health centres and hospitals that the original May 11, 2026, deadline could not be met.
The extension covers only the technical WCAG 2.1 AA conformance deadlines for web content and mobile apps. The underlying non-discrimination obligation, in effect since July 8, 2024, remains unchanged, meaning organisations are still required to ensure equal access for individuals with disabilities and remain subject to complaints and OCR investigations. Organisations that received the extension should not treat it as permission to pause. A documented, good-faith remediation roadmap remains the most defensible posture if a complaint is filed.
A new analysis published this week sets out the disclosure obligations that apply to EAA operators whose products or services are not fully conformant. Operators who know or have reason to believe their products or services do not meet accessibility requirements must act immediately and notify the competent market surveillance authority in each member state where these are available, without waiting to be contacted by a regulator.
The obligation extends to partial nonconformity and to products placed on the market before the June 28, 2025, deadline, not only to new introductions. For businesses selling into the EU that have not yet completed a conformance assessment or produced an accessibility statement, these active disclosure duties create a direct enforcement risk. Legal counsel in each relevant member state should be consulted before making voluntary disclosure decisions.
The General Services Administration published its third annual Section 508 accessibility assessment this year, finding that federal agencies scored an average of 1.96 on a 5-point compliance scale. Fewer than half of the most-viewed public-facing federal technologies met Section 508 requirements, with testing gaps most pronounced for hardware and internal software systems.
The GSA's primary recommendation focuses on federal acquisition as the main lever for improvement: buying rather than building accessible technology, incorporating accessibility into contract renewals, and requiring right-to-repair provisions that maintain it over time. For private-sector suppliers to the federal government, the report signals that accessibility will become an increasingly explicit procurement requirement and that contracts without accessibility testing clauses will face growing scrutiny at renewal.
Federal pro se ADA Title III website accessibility lawsuits increased 40% in 2025 compared to 2024. AI tools, including ChatGPT, Copilot, and Gemini now enable individuals without legal representation to draft, file, and serve accessibility complaints in federal court at significantly lower cost. Of the more than 5,000 digital accessibility lawsuits filed in 2025, a growing share were initiated by individuals acting without an attorney, a trend legal commentators expect to accelerate in 2026.
Pro se plaintiffs are harder to predict, less likely to settle quickly, and less constrained by the economics that govern how law firms manage accessibility caseloads. For website operators who have relied on the assumption that enforcement comes primarily from a small number of specialised plaintiff firms, this data signals that the pool of potential claimants has expanded substantially. A current WCAG 2.1 AA audit and a documented remediation programme remain the most effective risk reduction measures available.
The W3C published an updated working draft of WCAG 3.0 in March 2026, introducing a significant structural change. Where WCAG 2.x uses a pass/fail model across three conformance levels (A, AA, AAA), WCAG 3.0 replaces this with a graded scoring framework organised around 12 functional outcome categories. The shift is designed to produce a more nuanced picture of accessibility quality, but it fundamentally changes how audits, reports, and legal conformance claims would be structured.
No regulator requires WCAG 3.0 conformance in 2026, and a final recommendation is not expected until 2028 to 2030. However, compliance teams should begin familiarising themselves with the functional outcome categories now, as these are likely to influence how future testing tools are structured. Work done for WCAG 2.1 and 2.2 is not wasted: the W3C has confirmed that core principles and the majority of success criteria will carry forward into the new standard.
That is your compliance brief for May 11-15, 2026. South Korea and Australia have both updated their privacy enforcement and guidance frameworks this week, and the IAPP's 12 action items offer a practical self-assessment tool for global compliance teams. On the accessibility side, HHS has given healthcare organisations one more year to meet their Section 504 obligations, while rising pro se ADA litigation signals that the pool of potential claimants is broader than ever. Staying current on compliance requirements is no longer optional for any website team.