The EDPB's 2026 Enforcement Target Is Your Privacy Notice

The EDPB's 2026 coordinated action audits transparency under GDPR Articles 12–14. The shortest path through it is collecting so little that the notice writes itself.

For two years the expensive GDPR question has migrated. First regulators audited whether you had a lawful basis, then whether you deleted data on time. On 19 March 2026 the European Data Protection Board pointed the next sweep at a third target: whether your privacy notice is honest about what you collect.

What the 2026 coordinated action audits

The EDPB's Coordinated Enforcement Framework (CEF) runs one shared theme across the bloc every year. The 2025 action examined the right to erasure. The 2026 action — the fifth — examines transparency and information obligations under Articles 12, 13, and 14 of the GDPR.

Twenty-five data protection authorities are participating. Their announcement is blunt about method: participating DPAs "will soon contact controllers from different sectors across Europe, either through enforcement actions or fact-finding exercises." Findings get pooled into a consolidated EDPB report in the second half of 2026, with "targeted follow-ups on both national and EU levels."

This is not guidance. It is a coordinated request for evidence that the document on your site matches the data in your database.

What Article 13 actually requires you to disclose

The right to be informed is not satisfied by a paragraph saying "we value your privacy." Article 13 — which applies when you collect data directly from the visitor — enumerates what a notice must state at the moment of collection:

  • The identity and contact details of the controller.
  • The purposes of the processing and the legal basis for each.
  • The recipients or categories of recipients of the data.
  • Any transfer to a third country and the safeguards for it.
  • The retention period, or the criteria used to set it.
  • The data subject rights: access, rectification, erasure, restriction, objection, portability.
  • The existence of automated decision-making, including profiling, with meaningful information about the logic involved.

Every clause maps to a fact about your stack. A notice is accurate only if each disclosure is true. That is exactly what a fact-finding exercise checks — not whether the notice exists, but whether it describes reality.

Why surveillance analytics makes the notice fragile

Run a typical analytics integration through that list and the disclosures multiply. A behavioral tag with cross-site identifiers means you have recipients to name — the vendor, its ad partners, its measurement network. It usually means a third-country transfer to declare and safeguard. A stable identifier that follows a visitor for months is profiling, which pulls in the automated-decision-making clause. The retention period is whatever the vendor's default is, which you now have to know and state correctly.

Each of those is a sentence that can be wrong. The notice drifts the moment the vendor adds a sub-processor, changes a region, or extends retention — and you rarely find out. Under a transparency audit, a notice that understates recipients or retention is not a typo. It is the violation the CEF is built to surface.

A short notice is the defensible one

The cheapest way to pass a transparency audit is to have little to disclose. That is a data-model property, not a copywriting one.

A cookie-free tracker collapses the analytics section of an Article 13 notice to a few honest lines. There are no third-party recipients because nothing is shared. There is no profiling because no identifier persists. Visitor identity is a one-way daily hash computed in memory at the edge:

visitor_hash = SHA-256(IP | UA | SALT_SECRET | YYYY-MM-DD)

The raw IP and User-Agent are used only to compute that digest and are never written; D1 stores the hash, not the inputs. Because the date is an input, the hash rotates every midnight, so there is no cross-session profile to describe. Retention is a hard, statable bound — pageviews are purged after 730 days — not a vendor default you have to go look up.

The disclosure that results is short because the processing is small. It says: we count aggregate pageviews, derive country and coarse device type at the edge, share with no one, build no profile, and keep the data for at most two years. Every clause is verifiable against the schema.

The Article 30 half of the same exercise

Transparency for the visitor (Articles 12–14) has an internal twin: Article 30 records of processing activities, the document an authority asks for first. It must list purposes, recipients, transfers, and retention — the same facts as the public notice, from the controller's side.

When the two disagree, the gap is the finding. A stack that stores no personal identifier and shares nothing keeps both documents aligned, because there is almost nothing to record on either side.

A privacy notice is a promise about your data model. The 2026 sweep checks whether the promise is true. The least risky promise is the one you can keep without thinking about it — because you never collected the thing you would otherwise have to explain.
