Plot twist: 2026 is going to be very… transparent.
In October 2025, the European Data Protection Board (EDPB) announced that transparency and information duties under the GDPR will be its top coordinated enforcement topic for 2026.
That’s a clear signal: regulators will be paying extra attention to how you explain your data use to people.
For businesses, that translates to a simple focus: your privacy and cookie policy should be accurate, clear, and easy to find.
If your policies are due for an update, 2026 is the year to stop postponing it. Let’s take a look.
What the year of transparency holds in store
During its October 2025 plenary, the EDPB picked the topic for its fifth coordinated enforcement action: compliance with the GDPR’s transparency and information obligations.
Here’s the core idea: the GDPR says people have the right to be informed about the collection and processing of their data, especially under Articles 12, 13, and 14. This “right to be informed” is one of the GDPR’s foundation stones, because it’s what gives people real control over their data.
If you’re collecting personal data, you must clearly explain that you’re doing it, what data it is, what you do with it, and why.
Coordinated enforcement: what does that mean? 1-The EDPB selects a topic (for 2026, transparency). 2-National Data Protection Authorities (DPAs) choose to participate voluntarily. 3-DPAs run checks or investigations at national level using a shared approach. 4-Results are aggregated and analyzed to spot patterns. 5-If needed, this can lead to targeted follow-up at national and/or EU level. The action will be launched over the course of 2026.
This is what regulators will be looking at:
- Article 12 is your “plain language” rule. Information must be concise, transparent, easy to access and to understand.
- Article 13 covers what you must tell people when you collect data from them (for example: contact forms, checkout, newsletter signup).
- Article 14 covers what you must tell people when you get their data from somewhere else (for example: lead lists, partners, data enrichment, certain advertising scenarios).
Why it matters to your business
If the GDPR applies to you, you must follow transparency requirements.
Most businesses will be affected by the EDPB’s 2026 focus on transparency because it applies whenever you collect or use personal data.
If your website has a contact form, a newsletter signup, account creation, checkout/payments, customer support chat, or even common tools like analytics and marketing pixels, you’re almost certainly processing personal data.
If a DPA looks at your site or app and doesn’t like what it sees, they can ask questions, require changes, order you to stop certain processing, and (in some cases) issue fines.
Who are DPAs? A quick reminder: DPAs (Data Protection Authorities) are the national regulators that enforce data protection law in each EU/EEA country. There’s a French one, an Italian one, and so on.
Beyond the legal obligations, transparency isn’t just a legal checkbox for SMBs. It’s a real business advantage.
When people understand what you’re doing, they’re less suspicious. They’re more likely to sign up, buy, and stick around.
They’re more willing to trust you with their data. Better data means better campaigns and a higher revenue!
Transparency can actually improve conversion and retention, because it reduces friction and surprises.
Make your privacy and cookie policy flawless
For most businesses, the practical translation of these obligations is having a privacy and cookie policy.
The key elements to include in your privacy policy are:
- Who you are: company name, contact details
- What personal data you collect and how: e.g., name, email, billing details, IP address, device info, order history + where it comes from: forms, checkout, cookies/trackers, third-party tools
- Why you use it (purposes): e.g., provide the service, process payments, customer support, analytics, marketing
- Your legal basis: consent, contract, legal obligation, legitimate interests
- Who receives the data: any third parties, like hosting or payment processors, vendors, service providers
- Any international transfers: if data goes outside the EU/EEA, explain where and what safeguards you rely on
- Retention: how long you keep data
- People’s rights: access, deletion, objection, etc., and how to exercise them
- Updates: how you notify users of changes, “last updated”, or effective date
| ✅ Do’s | ❌ Don’ts |
| Article 12 is explicitly about clear and plain language and making information easy to access. Can I understand the main points in under two minutes? | This isn’t about writing longer legal documents. It’s about making sure anyone can quickly find and understand it. |
| Can I find your privacy policy in one click from any page? That’s why you typically see all privacy policies in the footer of the website. | A privacy policy that is technically “published” but buried in a submenu or written like a courtroom script is not the spirit of Article 12. |
| Does your policy match reality? Make sure it is complete and tailored to your business. | Here’s an easy mistake: if a service truly doesn’t involve personal data processing, you generally don’t need to describe it in your privacy policy. Including non-existent processing can be misleading. |
🔎 Take a look at our GDPR privacy policy template for an example!
How iubenda helps you meet 2026 standards
As Giulia Stancampiano, our Director of Legal at iubenda, puts it:
“By focusing on information duties in 2026, the EDPB highlights something simple but often overlooked: data protection begins with explaining things clearly. The real work is translating principles into practical steps that people can understand.”
Transparency can sound like tedious work. It’s writing the policy, but also keeping it accurate as your business changes. Add a new analytics tool, chatbot, ad platform, or payment provider, and last year’s policy no longer reflects what you actually do.
That’s where iubenda helps: we empower SMBs to manage transparency and digital compliance easily, as their business evolves.
Our tools come with pre-drafted clauses that are updated when relevant legal changes occur. We alert you if something’s missing. We offer easy integration options with your site.
A privacy policy powered by iubenda is simple, effective, and meets transparency requirements. Learn more about our Privacy and Cookie Policy Generator.
Ultimately, the EDPB’s 2026 focus reinforces a simple point: compliance starts with clear communication. iubenda’s products are built for simplicity and for maintaining consistent and reliable communication as your business grows.