What Privacy Leaders Are Saying About AI, Enforcement, and the Limits of Policy
DataGrail’s recent webinar brought the sharpest minds in privacy together to unpack the implications of the 2026 DataGrail Privacy & AI Trends Report.
The numbers alone tell a story: $3.4 billion in state-issued privacy fines in 2025, more than the previous five years combined. A 567% increase in deletion request volume since 2021. And 63.6% of vendors simply aren’t disclosing their third-party AI subprocessors in their legal documentation.
But the numbers only go so far. Rick Arney, co-author of CCPA (Prop 24); Anna Westfelt, partner and data privacy group lead at Gunderson Dettmer; Eric Lovell, Senior Manager of Privacy Legal Counsel at Dexcom; and Daniel Barber, co-founder and CEO at DataGrail uncovered the practical reality behind the data. Here’s what stood out.
The theme of 2026: more pressure
Opening the conversation, Daniel Barber set the frame plainly: “There is more regulation. There is more pressure. There are more DSRs. There are more systems. There’s really more everything.”
Rick Arney reinforced this from a regulatory standpoint. California now has over 100 active privacy investigations, more than 10,000 consumer complaints, and 500+ registered data brokers. The state recently hired an audit officer to conduct risk assessments and cybersecurity audits. Consumer interest in tools like California’s Data Broker Requests and Opt-Out Platform (DROP) has already drawn over 300,000 sign-ups.
“You’re seeing a lot of intensity,” Arney said, pointing to the breadth of enforcement: consent issues, GPC violations, notification failures, and supplier exposure all showing up in actions.
The catch? Privacy teams aren’t growing at the same pace. ISACA reports that team sizes may have shrunk by up to one-third last year, even as Cisco reports 90% of privacy teams are now involved in or leading AI governance.
The AI subprocessor gap is a real risk
One of the most-discussed findings in the 2026 Trends Report is that 63.6% of vendors are not disclosing their third-party AI subprocessors in their Data Processing Agreements (DPAs). This data was drawn from 2,400 vendors, comparing their DPAs against their API integrations, GitHub activity, and marketing websites.
Anna Westfelt called this consistent with what she sees in practice: “Subprocessor lists are often inaccurate and out of date. This is a pervasive problem, but I find it especially concerning with the lack of disclosure of these AI tools because the subprocessor list is such an important part of assessing the risk of using that vendor.”
She also raised the shadow AI problem: a vendor may willingly disclose every officially contracted AI tool and still not know which AI products their employees are quietly feeding company data into. This is where shadow AI detection becomes essential, not just a nice-to-have.
Her recommendation: don’t rely on legal documentation review alone. Use scanning and detection tools. And ask vendors pointed questions about their internal AI detection capabilities before entrusting them with confidential or sensitive data.
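The report’s methodology above (comparing what a vendor discloses in its DPA against what its integrations and traffic actually show) and Westfelt’s shadow AI point can both be reduced to the same reconciliation. The following is an added example, not DataGrail’s or any panelist’s code: it parses constructed egress proxy log lines, counts calls to hostnames on an assumed list of AI providers, and reports which observed providers are missing from a constructed disclosed subprocessor list. The log format, the provider-to-host mapping, and the disclosed list are all assumptions made for illustration.

```python
"""Reconcile a disclosed AI subprocessor list against observed egress traffic.

Added example. The log lines, the AI provider host table and the disclosed
list are constructed for illustration; which hosts count as "AI" is a policy
decision each organization makes for itself.
"""
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed mapping of API hostnames to provider names (assumption).
AI_PROVIDER_HOSTS = {
    "api.openai.com": "OpenAI",
    "api.anthropic.com": "Anthropic",
    "generativelanguage.googleapis.com": "Google",
    "api.cohere.com": "Cohere",
}

# Constructed proxy log lines in an assumed "ts user method url status" layout.
SAMPLE_LOG = """\
2026-03-02T09:14:02Z alice POST https://api.openai.com/v1/chat/completions 200
2026-03-02T09:15:40Z bob GET https://www.example-crm.com/contacts 200
2026-03-02T09:16:11Z carol POST https://api.anthropic.com/v1/messages 200
2026-03-02T09:17:05Z alice POST https://api.openai.com/v1/embeddings 200
2026-03-02T09:18:30Z dave POST https://generativelanguage.googleapis.com/v1beta/models/x:generateContent 200
malformed line that should be skipped
"""

# Constructed excerpt of the subprocessor list a vendor's DPA might name.
DISCLOSED_SUBPROCESSORS = ["OpenAI, L.L.C.", "Amazon Web Services"]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def observed_ai_providers(log_text):
    """Return {provider: request_count} for destinations on the AI host list."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # tolerate lines that do not parse instead of aborting the scan
        host = (urlsplit(m.group("url")).hostname or "").lower()
        provider = AI_PROVIDER_HOSTS.get(host)
        if provider:
            counts[provider] += 1
    return dict(counts)


def normalize(name):
    """Collapse legal-entity noise ("OpenAI, L.L.C.") so names compare loosely."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def undisclosed_providers(disclosed, observed):
    """Providers seen in traffic whose name is absent from every disclosed entry."""
    disclosed_norm = [normalize(d) for d in disclosed]
    return sorted(
        p for p in observed
        if not any(normalize(p) in d for d in disclosed_norm)
    )


def reconcile(log_text, disclosed):
    """One-shot report: what was observed and what the DPA does not mention."""
    observed = observed_ai_providers(log_text)
    return {
        "observed": observed,
        "undisclosed": undisclosed_providers(disclosed, observed),
    }


if __name__ == "__main__":
    print(reconcile(SAMPLE_LOG, DISCLOSED_SUBPROCESSORS))
```

The matching is deliberately loose (substring match on normalized names) so that a DPA entry such as “OpenAI, L.L.C.” counts as disclosing the “OpenAI” traffic; the price is that a disclosed “Google LLC” would also cover Gemini calls, which may or may not be the right policy call. Run against real egress logs, the same reconciliation turns the vendor-side question (“is this subprocessor disclosed?”) into the internal shadow AI question (“which of our own users are sending data where?”).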
Arney tied this back to the nature of modern privacy compliance, describing a “multi-layered problem” spanning clients, vendors, suppliers, AI tools, and multiple jurisdictions. “Usage of technology to track all of those things is critical,” he said. “How are you gonna know for sure how all this is being used? And you don’t wanna get caught with an ugly surprise.”
Real AI governance is more than a policy
Eric Lovell described what a baseline AI governance program looks like today: internal discussions about what constitutes an AI system, executive direction on AI strategy, responsible use policies, published AI principles, and centralized review committees. Laws like the EU AI Act and EU Data Act have pushed his team beyond personal data into classifying non-personal data, third-party intellectual property, and publicly available training data, all of which carry EU AI Act compliance obligations.
“But those are the human elements of AI governance,” he said. The gap is that these human processes don’t scale to the volume of AI use cases now surfacing across organizations.
At Dexcom, the focus has shifted toward a structured AI governance platform approach: tools that can detect and surface AI use automatically, make it visible and reviewable, and provide feedback across the full lifecycle of design, procurement, and deployment.
“We need these tools to be able to act as they relate to the design and development of AI, the procurement of AI, and then, at the end of it, the deployment of AI,” Lovell said. “Surfacing what those risks even are, and potentially also the mitigations that a human can review or sign off on.”
GPC compliance still has a long way to go
For three consecutive years, DataGrail has tracked GPC compliance across the top 5,000 global websites. In year one, 75% couldn’t honor the signal. Today, that number is 63%. Progress, but still more than half of the websites consumers visit aren’t running GPC correctly.
Westfelt noted that California now requires companies not just to honor GPC but to actively display that the signal was detected and recognized. She pointed out that GPC compliance is often treated as a front-end toggle in a consent management platform, when what really matters is how the signal propagates through back-end databases and systems.
“The regulators will ask more detailed questions,” she said. “They will really look at how this functions within your organization.”
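Westfelt’s point is that a GPC signal is only honored if it changes what the back end does, and California additionally expects the site to show that the signal was recognized. The following added example (not DataGrail’s or the panelists’ code) shows the server-side half of that: it reads the `Sec-GPC` request header the GPC specification defines, records the opt-out of sale/sharing in a back-end preference record, gates downstream data flows on that stored record rather than on a consent-banner toggle, and returns response headers the front end can use to display that the signal was detected. The `PrivacyRecord` shape and the two `X-` response header names are assumptions made for the example.

```python
"""Honor Global Privacy Control on the server and propagate it to back-end state.

Added example. Only the Sec-GPC request header comes from the GPC
specification; the PrivacyRecord shape, the response header names and the
purpose strings are assumptions for illustration.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from typing import Optional


@dataclass(frozen=True)
class PrivacyRecord:
    """Constructed back-end preference record for one consumer (assumption)."""
    consumer_id: str
    sale_sharing_opt_out: bool = False
    opt_out_source: Optional[str] = None
    updated_at: Optional[str] = None


def gpc_signal_present(headers):
    """True only for the exact value the GPC spec defines: `Sec-GPC: 1`.

    Header names are matched case-insensitively; any other value (including
    "0", "true" or whitespace) is treated as no signal, per the spec.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    return lowered.get("sec-gpc", "").strip() == "1"


def apply_gpc(record, headers, now=None):
    """Return (updated_record, response_headers).

    - `Sec-GPC: 1`  -> store an opt-out of sale/sharing and note its source.
    - no/other value -> leave the record alone. An earlier opt-out is NOT
      reverted, because absence of the signal is not consent.
    """
    now = now or datetime.now(timezone.utc).isoformat()
    detected = gpc_signal_present(headers)
    if detected and not record.sale_sharing_opt_out:
        record = replace(
            record, sale_sharing_opt_out=True, opt_out_source="gpc", updated_at=now
        )
    # Assumed header names: let the front end render "opt-out signal honored"
    # from what the back end actually stored, not from a client-side toggle.
    response_headers = {
        "X-GPC-Detected": "1" if detected else "0",
        "X-Sale-Opt-Out": "1" if record.sale_sharing_opt_out else "0",
    }
    return record, response_headers


RESTRICTED_PURPOSES = {"sale", "cross_context_behavioral_advertising"}


def downstream_allowed(record, purpose):
    """Gate a back-end data flow (e.g. a server-side ad pixel) on stored state."""
    if purpose in RESTRICTED_PURPOSES:
        return not record.sale_sharing_opt_out
    return True


if __name__ == "__main__":
    rec = PrivacyRecord("consumer-123")
    rec, resp = apply_gpc(rec, {"Sec-GPC": "1"})
    print(rec, resp, downstream_allowed(rec, "sale"))
```

The asymmetry in `apply_gpc` is the part regulators will probe: the first request carrying the signal flips the stored preference, and later requests without it (a different browser, an extension turned off) do not flip it back. Every system that sells or shares data then has to consult the stored record, which is the propagation problem Westfelt describes.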
On the litigation side, Westfelt described a rising volume of demand letters her firm is handling, roughly five to ten per week, primarily from plaintiffs’ firms scanning websites for common trackers like the Meta Pixel, LinkedIn SDK, and Google Analytics. These letters are now being brought not just under CIPA but increasingly under ECPA and the CDAFA.
“The plaintiffs’ lawyers are very creative,” she said. “They’re applying some of these very antiquated laws, and they are having a lot of success.”
DSR volume has fundamentally changed the math
For a company with five million annual website visitors, the estimated cost of manual data subject request processing runs to approximately $1.5 million per year. DSR and DSAR automation software exists precisely to close this gap.
Lovell described Dexcom’s experience firsthand. Six years ago, the company processed roughly 1,000 to 2,000 DSRs annually. Today, that number is in the high five figures, representing more than a 20X increase.
Handling that kind of volume required moving well beyond manual workflows. A few years ago, organizations only needed a few different policy types to ensure DSRs were compliant with the submitting data subject’s regulatory authority.
As regulations multiplied and grew diverse, Dexcom expanded their unique configurations from just 6-8 to 25-30 policy approaches. Dexcom built API connections with DataGrail to automate retrieval across systems, applied DataGrail’s dynamic form logic to route requests by persona and region, and spun up multiple privacy notices to handle new consumer health data requirements.
Get the full picture
The conversation covered a lot of ground, but the data behind it covers more. The 2026 DataGrail Privacy & AI Trends Report is an interactive report built from primary research across privacy teams, DSR data from real organizations, and analysis of thousands of vendor contracts and websites.
If you’re building out an AI governance platform, evaluating DSAR automation software, or trying to close gaps in your GPC compliance, this report was built for you. DataGrail is the privacy management platform purpose-built to help teams do it all at scale. Vera, DataGrail’s AI agent, automates the workflows that used to require hours of manual work, from honoring opt-outs across backend systems to processing deletion requests en masse. With 2,500+ integrations, patented system detection that finds 50% more apps than manual discovery, and purpose-built AI governance capabilities aligned to the EU AI Act and NIST AI RMF, DataGrail gives privacy, legal, and security teams the visibility and automation they need to stay ahead of enforcement, not react to it. Reach out to learn more about DataGrail.

![Anna Westfelt Webinar quote | DataGrail: “Subprocessor lists are often inaccurate and out of date. This is a pervasive problem, but I find it especially concerning [because it is] such an important part of assessing the risk of using that vendor.” - Anna Westfelt](https://www.datagrail.io/wp-content/uploads/2026/06/Eric-Quote-3.png)
