Data Privacy Frontline Report

April 2026

Here are key highlights from April 2026 detailing global news and regulatory updates.

 

US & Canada
  • Alabama becomes the 21st U.S. state to enact a comprehensive consumer privacy law by passing the Alabama Personal Data Protection Act, which largely follows the Virginia privacy law model but introduces significant variations.

  • California’s privacy law is being widely violated, according to a survey: many popular websites continue to track users despite opt‑out signals, indicating large‑scale noncompliance and potential exposure to significant enforcement penalties.

  • Canada outlines six pillars for its long‑delayed national AI strategy, but key details and timelines for the full strategy remain unclear after repeated delays.

  • Maine lawmakers reject a comprehensive data privacy bill for the second time after strong business opposition, arguing that the proposal’s strict data‑minimization and limits on targeted advertising could harm commerce.

  • US House Republicans introduce the SECURE Data Act to establish a preemptive federal privacy framework, aiming to replace state laws with uniform consumer rights while omitting a private right of action and drawing Democratic criticism.

  • US Department of Health and Human Services (HHS) releases a video offering practical guidance to HIPAA covered entities and business associates on the HIPAA Security Rule’s risk management requirements.

  • US HHS, Office for Civil Rights (OCR) announces settlements with four HIPAA‑regulated entities over ransomware breaches affecting more than 427,000 individuals, imposing $1.165 million in payments and requiring corrective action plans for Security Rule compliance.

  • US state privacy fines are estimated to have been $3.425 billion in 2025—exceeding the previous five years combined—with enforcement accelerating and fines expected to continue rising through 2028.

  • Virginia governor signs an amendment to the Virginia Consumer Data Protection Act banning the sale of consumers’ precise geolocation data, joining Maryland and Oregon in prohibiting this practice.

EMEA
  • EU AI Act reform talks under the proposed Digital Omnibus on AI stall after EU institutions fail to agree on the act's overlap with sectoral regulations, raising uncertainty as the original August 2026 compliance deadline for high‑risk AI systems approaches.

  • EU European Data Protection Board (EDPB) marks the 10th anniversary of the GDPR by highlighting its role in strengthening individual rights and shaping Europe’s evolving digital regulatory landscape.

  • Kenya’s data protection authority issues draft guidelines for consultation covering cross‑border data transfers.

  • Nigeria’s federal government announces plans to strengthen national cybersecurity through a new coordination council, while Nigeria’s data protection authority reviews ecosystem‑wide compliance following alleged data breaches involving payment and banking platforms.

  • Qatar’s national cybersecurity agency launches a cloud privacy assessment tool to help organizations assess privacy practices, identify compliance gaps, and strengthen data protection governance in cloud environments under Qatar’s Personal Data Privacy Protection Law.

  • UK Biobank sees de‑identified health records from up to 500,000 volunteers briefly listed for sale on a Chinese e-commerce platform, prompting government intervention, removal of the listings, and a temporary pause on researcher access due to security concerns.

APAC
  • Indian government establishes a Technology and Policy Expert Committee to advise on its new AI governance framework, supporting policy design, regulation, and global engagement.

  • Japan’s government approves amendments to its personal data protection law to ease consent requirements for AI and statistical use, while introducing administrative fines and stronger penalties for serious misuse or non‑compliance.

  • South Korea’s government tightens its information security data protection certification after major corporate breaches, expanding mandatory coverage, introducing a tiered risk‑based framework, and shifting from one‑time audits to continuous security monitoring.