GDPR transparency and information obligations face renewed focus in 2026

The question

How is the European Data Protection Board (EDPB) using its coordinated enforcement powers to ensure compliance with transparency and information obligations under the General Data Protection Regulation (GDPR)?

The key takeaway

Organisations subject to the GDPR should expect increased scrutiny of how they communicate privacy information to individuals. The EDPB’s fifth coordinated enforcement action, focusing on transparency and information obligations and launching over the course of 2026, signals that this aspect of compliance will be a particular priority for supervisory authorities in the coming year. This will likely translate into closer examination of privacy notices, consent flows, in-product messaging and user interfaces.

The background

The EDPB is an independent European body that helps ensure EU data protection laws are applied consistently across member states and promotes cooperation between national Data Protection Authorities (DPAs). It issues guidelines, recommendations and best practices designed to clarify legal requirements and support effective enforcement.

In October 2020, the EDPB adopted the Coordinated Enforcement Framework (CEF) to provide a structure for DPAs to work together on recurring, coordinated enforcement actions on a pre-defined topic and using a common methodology. Through the CEF, DPAs carry out national investigations on the chosen topic. The results are then aggregated and analysed at EDPB level, typically leading to a public report summarising key findings and recommendations and informing follow-up actions at both national and EU level.

Although EDPB guidance is no longer formally binding in the UK following Brexit, the topics selected for coordinated enforcement are strong indicators of regulatory priorities across Europe. Given the continued similarity between the EU GDPR and the UK GDPR, and the UK’s ongoing adequacy relationship with the EU, EDPB guidance and enforcement trends remain highly relevant for organisations subject to UK data protection laws as well as those operating across the EU.

The development

At its October 2025 plenary, the EDPB selected compliance with transparency and information obligations under the GDPR as the topic of its fifth coordinated enforcement action. This includes organisations’ obligations under Articles 12, 13 and 14 GDPR to provide individuals with clear, concise and accessible information about how their personal data is processed.

Participating national DPAs will join this action on a voluntary basis, and the coordinated work will be rolled out over the course of 2026. The outcomes of the national investigations will be analysed both at national level and across the European Economic Area, and the EDPB is expected to publish a report pooling these findings and highlighting common issues, good practices and areas for further enforcement.

Why is this important?

The initiative reinforces the central role of transparency in EU data protection law and continues the trend towards a more harmonised supervisory approach across the EU and EEA.

For digital platforms and technology companies, transparency obligations are not limited to static privacy policies. Regulators are increasingly interested in:

• how privacy information is presented in user journeys (for example, sign-up flows, cookie banners, app permissions and consent prompts);
• whether layered notices and UI design choices genuinely support user understanding or risk being considered misleading or “dark patterns”; and
• how organisations explain profiling, personalisation, online tracking and data sharing with third parties and partners.

A coordinated focus on transparency means that organisations with cross-border operations could see parallel or aligned supervisory activity from multiple DPAs on these issues.

Any practical tips?

In anticipation of heightened scrutiny in 2026, organisations - particularly those operating digital platforms, apps and online services - should:

• review and update privacy notices so they are tailored to their audiences, written in clear, user-friendly language and accurately reflect current data processing activities;
• check transparency across channels (web, mobile, app stores, in-product notices, connected devices) to ensure information is consistent and easy to access wherever users interact with the service;
• map key user journeys (e.g. registration, cookie choices, account settings, ad personalisation, uninstall/account deletion) and ensure that individuals receive timely, layered information at relevant touchpoints;
• engage legal, product and UX teams together so that privacy information is embedded into product design rather than bolted on at the end;
• keep transparency documentation under regular review, particularly when launching new features, integrating third-party tools (such as analytics, adtech or AI services) or expanding into new jurisdictions.

Failure to meet transparency and information obligations can lead to regulatory investigations, substantial fines, claims from individuals and reputational harm. Taking early steps now will put you in a stronger position as the EDPB’s coordinated enforcement action unfolds during 2026.

 Winter 2025