Weekly Compliance Brief: May 25-29, 2026
A record DSA fine, the EDPB approving Europrivacy globally, 25 DPAs auditing privacy notices, and whistleblower cover extending to AI Act breaches.
Weekly compliance brief: May 25-29, 2026
Here are the most important data privacy, web accessibility, and whistleblowing updates from the week of May 25 to 29, 2026. The European Commission issued its largest-ever DSA fine, the EDPB approved Europrivacy as a global GDPR certification and data transfer mechanism, and 25 European data protection authorities launched simultaneous audits of how organisations present privacy notices. On the accessibility front, disability advocates challenged the US government's extended compliance deadlines in court, and the EU confirmed that AI Act violations will fall within the scope of whistleblower protections from August 2026.
Data privacy law news
Did you know?
Cumulative GDPR fines have now surpassed 7.1 billion euros since enforcement began in May 2018, and the pace of enforcement is continuing to increase year on year across EU member states.
Temu hit with record €200 million DSA fine over product safety failures
The European Commission fined Temu €200 million under the Digital Services Act (DSA) on May 28, marking the largest DSA penalty issued so far. Regulators found that the platform failed to adequately prevent the sale of dangerous products, including unsafe children’s toys and faulty phone chargers.
The Commission concluded that Temu did not sufficiently mitigate systemic risks as required under Article 35 of the DSA. The company must submit a compliance action plan by August 28 outlining how it will address the identified issues.
The decision sends a strong signal that EU regulators are prepared to use the DSA’s enforcement powers against large online platforms that fail to meet their obligations.
EDPB approves Europrivacy as GDPR certification scheme for international data transfers
The European Data Protection Board (EDPB) approved Europrivacy as a GDPR certification scheme valid across the EU and EEA. In a separate opinion, the EDPB also approved Europrivacy as a safeguard for international data transfers under Article 46 of the GDPR.
This makes Europrivacy the first GDPR certification scheme recognised both as a compliance mechanism and as a legal basis for transferring personal data outside the EEA.
Organisations can now use certification as an additional transfer tool alongside mechanisms such as Standard Contractual Clauses (SCCs), provided the recipient can demonstrate an equivalent level of data protection.
EDPB launches 2026 coordinated enforcement on transparency: 25 DPAs auditing privacy notices
The European Data Protection Board has launched its Coordinated Enforcement Framework (CEF) action for 2026, with 25 data protection authorities across the EU and EEA simultaneously opening audits and investigations into how organisations present transparency information and privacy notices to individuals. The CEF 2026 action focuses on whether privacy notices are clear, accessible, and genuinely informative, examining practices such as layered notices, cookie banners that bury key information, and privacy policies written in legalese that fail to meet the GDPR's plain-language requirement. Organisations under investigation will be asked to demonstrate that their privacy notices fulfil all GDPR Article 13 and 14 obligations and that they are presented in a way individuals can meaningfully understand before consenting to data processing. With 25 authorities acting simultaneously, the coordinated action significantly raises the likelihood that non-compliant practices will result in formal enforcement action rather than guidance letters.
ICO finalizes guidance on cookie consent requirements for UK websites
The UK Information Commissioner’s Office (ICO) has finalized its Storage and Access Technologies guidance, providing updated expectations for how websites and apps obtain consent for cookies and similar tracking technologies.
The guidance confirms that analytics cookies, advertising technologies, and social media pixels generally require prior consent. It also reinforces that users must be able to withdraw consent as easily as they give it.
The ICO has stated that the guidance will serve as a benchmark for future enforcement activities, making it an important reference point for organizations subject to PECR and the UK GDPR.
Minnesota privacy law enforcement begins July 31
The Minnesota Consumer Data Privacy Act (MCDPA) enters full enforcement on July 31, 2026, giving covered businesses less than ten weeks to finalize their privacy compliance efforts.
The law applies to organizations that process large volumes of Minnesota residents’ personal data and grants consumers rights such as access, correction, deletion, portability, and opt-out of targeted advertising and profiling.
Unlike some state privacy laws, the MCDPA does not provide a cure period before enforcement. Businesses that have not yet updated their privacy notices, data inventories, and consumer rights processes should treat the approaching deadline as a priority.
Web accessibility news
Did you know?
Approximately 1.3 billion people globally live with some form of disability, representing around 16% of the world's population, yet over 95% of the top one million websites still have detectable WCAG accessibility failures according to the 2026 WebAIM Million report.
NFB challenges extended US public sector accessibility deadlines
The National Federation of the Blind (NFB) has filed a lawsuit against the US Department of Justice and the Department of Health and Human Services, challenging recent extensions to federal web accessibility compliance deadlines.
The lawsuit seeks to restore the original ADA Title II and Section 504 timelines, arguing that delays in compliance limit access to critical digital services for people with disabilities and unlawfully postpone accessibility obligations.
The case could determine whether public sector organizations receive additional time to meet accessibility requirements or must return to the original implementation schedule.
EAA disproportionate burden exemption requires formal assessment and documentation
Recent legal guidance has highlighted that the European Accessibility Act’s disproportionate burden exemption is not a simple opt-out from accessibility requirements.
Organizations seeking to rely on the exemption must conduct and document a formal assessment, maintain supporting records, and, in some cases, notify regulators in the countries where their products or services are offered. The assessment must also be reviewed periodically and when significant changes are made.
The key takeaway is that the exemption should be treated as a documented compliance process rather than a fallback defense after a complaint or enforcement action.
Mobile app accessibility claims continue to rise
Legal experts are reporting a growing number of accessibility lawsuits targeting mobile applications, reflecting the increasing role apps play as a primary channel for accessing products and services.
Courts have generally applied the same accessibility expectations to mobile apps as they do to websites, meaning organizations may face legal and regulatory scrutiny if their apps create barriers for users with disabilities.
As accessibility programs mature, organizations should ensure audits and remediation efforts cover both websites and mobile applications rather than treating them as separate compliance initiatives.
UK accessibility monitoring finds ongoing compliance gaps
The UK Government Digital Service (GDS) has published updated results from its accessibility monitoring programme, covering more than 1,200 public sector websites and multiple mobile applications.
While most organizations had published accessibility statements, many were found to be outdated, and technical accessibility issues were identified across the majority of websites reviewed. Organizations with identified issues were required to address them within specified timeframes.
The findings reinforce that accessibility is an ongoing process that requires regular review, testing, and remediation rather than a one-time compliance exercise.
Healthcare organizations urged to continue accessibility remediation despite deadline extension
Healthcare organizations covered by HHS Section 504 have received additional time to meet digital accessibility requirements, with compliance deadlines now extending into 2027 and 2028 depending on organization size.
However, legal experts continue to emphasize that the extension does not remove existing obligations to provide accessible digital services or eliminate the risk of complaints and enforcement actions.
Healthcare providers should use the additional time to audit websites and mobile apps, prioritize patient-facing services, and establish a documented accessibility remediation plan.
Whistleblowing news
Did you know?
The EU Whistleblower Protection Directive, which requires all organisations with 50 or more employees to operate internal reporting channels, has now been transposed into national law in all 27 EU member states, with enforcement beginning to pick up momentum as the second anniversary of the implementation deadline passes.
AI Act violations to receive EU whistleblower protections from August 2026
The European Commission has confirmed that reports of AI Act violations will be covered by the protections of the EU Whistleblower Protection Directive beginning August 2, 2026.
Individuals who report potential breaches of the AI Act will be protected against retaliation, bringing AI-related concerns into the same whistleblower framework that already applies to other areas of EU law.
Organizations developing or deploying AI systems in the EU should review their internal reporting channels and whistleblower policies to ensure AI compliance concerns can be reported and managed appropriately.
EU DSA whistleblower tool enables reporting of platform compliance concerns
The European Commission’s Digital Services Act (DSA) whistleblower reporting tool is actively accepting reports related to potential violations by very large online platforms (VLOPs) and very large online search engines (VLOSEs).
Individuals with knowledge of issues such as content moderation failures, systemic risks, transparency shortcomings, or other DSA-related concerns can submit confidential reports directly to the Commission. The information may be used to support ongoing or future enforcement actions.
The tool expands the range of compliance risks facing large platforms and reinforces the importance of effective internal reporting and issue management processes.
Until next week
This week's brief reflects a compliance landscape in which enforcement activity is accelerating across every major regulatory domain. A record DSA fine, a coordinated cookie compliance sweep by 25 European data protection authorities, disability advocates challenging delayed accessibility deadlines in federal court, and an expanding whistleblower protection framework all signal that regulators are moving from guidance to action.
The window to address known compliance gaps continues to narrow: if your organisation has outstanding cookie consent, accessibility remediation, or data transparency work on the backlog, the week of May 25-29 is a timely prompt to reprioritise it before a regulator or plaintiff does it for you.
Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.
