If you've spent enough time in the data privacy world, you can tell when there's been a sea change.
Obviously, the passage of the GDPR ten years ago marked the start of the modern data privacy era. The passage of the CPRA in 2020 was another moment of profound change. I'd like to propose another date that marked a major shift in the privacy world: 2025. This was the first time that data privacy enforcement felt like a real risk to businesses.
There were enforcement actions before 2025, like Sephora's $1.4 million penalty in 2022, but the pace and tenor of privacy enforcement weren't quite as urgent before 2025. Nobody knew if US privacy laws would be an unenforced flash in the pan or a mainstay of US regulators' toolkits. After 2025, it was clear that the case is the latter.
So, what then? If 2025 marks the start of an era of high enforcement activity, what should businesses do?
To help answer that question, the Osano team just published an ebook unpacking the themes and patterns across major US privacy enforcement actions since the start of 2025, as well as priority actions businesses can take to reduce their privacy risk.
Download your copy of the State of Privacy Enforcement, 2026, here. I hope you find it helpful in avoiding the unwanted attention of regulators.
Best,
Arlo
Highlights From Osano
Ebook: State of US Privacy Enforcement 2026
For years, businesses in the US have adopted a "wait and see" approach to data privacy compliance. But that era is over. Privacy enforcement is a regular occurrence in the US nowadays, and by analyzing these actions, you can learn what regulators are looking for and how to protect your business. Download our Ebook to discover the 8 themes and patterns across recent enforcement actions and 7 priority actions you can take today to protect yourself.
Blog: The Opportunity in the Obligation: Why Data Privacy Is Marketing Strategy
Data privacy compliance and marketing strategy might seem like they have nothing to do with one another, but history tells us otherwise. Our SVP of Marketing, Shane Coker, breaks down how data privacy has intersected with his experience as a marketer and three ways marketing leaders can meet data privacy's moment.
Checklist: How to Reduce CIPA Risk
2,200 companies were sued under wiretap laws last year. Don't let your company fall into the crosshairs of opportunistic law firms repurposing laws like CIPA for website tracking! Follow our checklist to learn how to reduce your risk.
Case Study: For Fender, Privacy Is a Promise. Osano Helps Them Keep It.
Fender's customers wouldn't perform on an out-of-tune guitar; Fender wasn't willing to run their privacy programs on tools that were out of tune either. That's why Fender chose Osano as their partner in this mission, and the result is a privacy program that finally plays in harmony with the pace and complexity of a global consumer brand.
Some of the largest data-collecting companies in the United States—including major AI vendors, data brokers, defense contractors, and dating apps—rely on deceptive methods to keep consumers from opting out of the sale and sharing of their personal information, according to a new study from the digital rights nonprofit Electronic Privacy Information Center.
Covered entities are seeing progress toward long-sought guidance around high-risk artificial intelligence systems under the EU AI Act. After various delays, the European Commission released draft guidelines that bring clarity around the implementation of high-risk requirements while offering examples "to illustrate how the classification should be assessed in different areas and use cases."
As AI systems become more complex, scholars are racing to develop legal frameworks. Depending on the context, AI tools could be viewed as products, services, autonomous agents or entities that may someday warrant some form of legal personhood. The debate is playing out across the globe.
California lawmakers may be backing away from a controversial age-verification requirement bill that alarmed Linux and open-source developers earlier this year, after a new amendment bill proposed exempting most open-source operating systems from the state's upcoming Digital Age Assurance Act.
EUobserver sat down for an interview with Wojciech Wiewiórowski, the EU's Data Protection Supervisor. Wiewiórowski, from Poland, caused headlines this month with his annual report, highlighting how complaints of data breaches against Europol, the continent's supra-police force, had soared. He also talks about data concerns over NGOs working in Palestine, sharing information with the US, border control data, and more.
There's more to explore:
We go deeper into additional privacy topics with incredible guests monthly. Available on Spotify or Apple.
Join our official subreddit to stay up to date on the latest news, analysis, guidance, and content from Osano!
The book inspired by this newsletter: Osano CEO, Arlo Gilbert, covers the history of data privacy and how companies can start building a privacy program from the ground up. More details here.
If you're interested in working at Osano, check out our Careers page!