Data privacy laws are not abstract regulations handled quietly by legal teams. They directly influence how products are designed, how data flows across systems, and how companies build trust with users.
Frameworks such as the GDPR in Europe and the CCPA/CPRA in California define what organizations can and cannot do with personal data. The real-world impact of these laws, however, depends less on the text itself and more on who enforces them. Behind every regulation is a network of authorities responsible for interpreting the rules, investigating complaints, issuing fines, and shaping expectations.
In this article, we cover some of the most notable privacy regulators that you should know about.
Who enforces the GDPR in Europe?

Under the GDPR, enforcement is handled at the national level by Data Protection Authorities (DPAs), one or more per member state. Each has its own priorities and enforcement style, but all share the same statutory tasks and powers. They coordinate through the European Data Protection Board (EDPB), which works to keep the GDPR applied consistently by issuing guidelines and opinions on topics such as international data transfers and emerging technologies, and by adopting binding decisions when DPAs disagree on a cross-border case.
The following is not a comprehensive list, but includes some of the most notable that need to be on your radar.
CNIL (France)
The Commission nationale de l'informatique et des libertés (CNIL) is widely recognized for its strict approach to consent, cookies, and tracking technologies. Its decisions on consent banners and cookie walls have become reference points across Europe, directly influencing how websites and apps handle user choices.
Check out the CNIL's priorities for 2026 to get a glimpse at the areas the French DPA is focusing on this year.
ICO (United Kingdom)
The Information Commissioner’s Office (ICO) enforces the UK GDPR and other UK privacy laws with an emphasis on accountability, transparency, and the protection of children's data. It has been especially active in adtech and online services, combining detailed technical guidance with high-profile enforcement actions that set expectations for the industry.
Garante (Italy)
Italy’s Garante is active in areas such as employee monitoring, biometric data, and public sector processing. It emphasizes proportionality, pushing organizations to justify the necessity of their data practices, particularly when sensitive data is involved.
BfDI (Germany)
The Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) is Germany's federal authority and adopts a strict approach to data governance, with enforcement focused on data minimization, purpose limitation, and robust internal documentation. Note that its direct remit covers federal public bodies and telecommunications and postal providers; most private companies are supervised by the DPA of the federal state (Land) in which they are established, such as the Bavarian BayLDA or the Berlin commissioner, and these state authorities apply similarly high standards.
Organizations operating in Germany face high expectations around organizational accountability and the quality of their compliance records. Discover data privacy laws in Germany.
DPC (Ireland)
The Irish Data Protection Commission (DPC) holds a uniquely important role in the European enforcement landscape. As the lead supervisory authority for most major technology companies that have established their EU headquarters in Ireland, including Meta, Apple, Google, and LinkedIn, its decisions carry consequences well beyond Irish borders.
Under the GDPR's one-stop-shop mechanism, the DPC acts as lead supervisory authority for cross-border processing by companies whose main EU establishment is in Ireland, coordinating with the other concerned DPAs across the EU. This makes its rulings among the most closely watched in the world.
AEPD (Spain)
Spain's Agencia Española de Protección de Datos (AEPD) is one of the most active DPAs in Europe in terms of the volume of decisions. It has taken a notably assertive stance on cookies, consent mechanisms, and the use of legitimate interest as a lawful basis, and its rulings are frequently cited as benchmarks by other European authorities.
Organizations with a Spanish digital presence or significant Spanish user base should treat AEPD guidance as a priority signal.
Discover more European DPAs
To see the full list of Data Protection Authorities, visit the European Data Protection Board's website and its interactive DPA map.
Data privacy enforcement in the United States

In contrast to Europe, enforcement in the United States is more fragmented, spread across state and federal authorities. There is no single comprehensive federal privacy law; enforcement relies on a mix of state legislation, sector-specific federal statutes, and the federal consumer protection mandate.
Here, we don't present an exhaustive view but highlight three of the main bodies and authorities whose decisions have at times affected the entire country.
CPPA (California)
The California Privacy Protection Agency (CPPA) is the dedicated enforcement agency created by the California Privacy Rights Act (CPRA) to implement and enforce California's privacy laws. Its mandate includes rulemaking, investigations, and proactive audits, which signals a shift toward a more anticipatory enforcement model compared to traditional reactive agencies.
California Attorney General
The California Attorney General retains parallel enforcement authority and played a foundational role in shaping how CCPA obligations apply in practice, through early cases that clarified the law's scope and requirements.
FTC (United States)
The Federal Trade Commission (FTC) enforces privacy through its consumer protection mandate under Section 5 of the FTC Act, targeting unfair or deceptive data practices. Its focus is on companies that fail to live up to their own privacy commitments, making internal consistency between what a privacy policy promises and what systems actually do a key compliance risk.
Other notable data privacy regulatory bodies

The regulators covered above are among the most influential in the world, but they are far from the only ones that matter. Privacy enforcement is expanding across every region, and the list of active, consequential authorities grows each year.
The following is a non-exhaustive selection of bodies that are increasingly relevant for organizations operating beyond Europe and North America.
ANPD (Brazil)
Brazil's Autoridade Nacional de Proteção de Dados (ANPD) is the enforcement authority for the Lei Geral de Proteção de Dados (LGPD), Brazil's comprehensive privacy law. Still relatively young as an institution, the ANPD has been steadily building its regulatory framework, publishing guidance, and initiating its first enforcement actions.
For companies with operations or users in Latin America, it represents a growing compliance consideration that is likely to become more demanding as the agency matures.
OPC (Canada)
The Office of the Privacy Commissioner of Canada (OPC) enforces the Personal Information Protection and Electronic Documents Act (PIPEDA) at the federal level, alongside provincial equivalents in Quebec, Alberta, and British Columbia.
Canada is sometimes underestimated as a jurisdiction by businesses focused on U.S. compliance, but the OPC has been increasingly vocal on issues such as facial recognition, behavioral advertising, and cross-border data transfers.
PDPC (Singapore)
The Personal Data Protection Commission (PDPC) enforces Singapore's Personal Data Protection Act (PDPA) and has positioned itself as a pragmatic, business-friendly regulator while still maintaining active enforcement. Singapore's role as a regional hub for multinational operations in the Asia-Pacific region makes the PDPC relevant for any organization with a significant presence in the region.
The PDPC is also notable for its detailed advisory guidelines, which are often more operationally specific than those of many other authorities.
How enforcement styles differ
Not all regulators operate the same way, and understanding those differences is as important as knowing the rules themselves.
Some DPAs, like the CNIL and the ICO, are prolific publishers of guidance: detailed FAQs, recommendations, and position papers that signal enforcement priorities well before any formal action. Others communicate primarily through decisions, leaving companies to infer expectations from the outcomes of investigations.
Engagement style varies, too. Certain authorities invite dialogue and offer informal channels for clarification, while others keep their distance and let their rulings do the talking. Even fine philosophy differs, as some regulators treat financial penalties as a last resort, issuing corrective orders first and escalating only when those go unheeded, while others use fines as a primary signaling tool.
And because many decisions are published in full and widely cited across the industry, a ruling from one DPA can set practical expectations far beyond its own jurisdiction.
What do data privacy bodies actually do?
Understanding which authority enforces a law is only part of the picture. The real impact comes from how these regulators interpret, prioritize, and operationalize privacy requirements in practice.
Let’s look at five of the most essential responsibilities within the remit of privacy bodies.
1. Interpret privacy laws and issue guidance
Privacy laws are intentionally broad and technologically neutral. Regulators fill in the gaps by publishing guidance, recommendations, and FAQs that clarify how the law applies in practice.
For businesses, this guidance can matter more than the legal text itself.
2. Investigate complaints and data breaches
Regulators handle complaints from individuals, advocacy groups, and whistleblowers. They also oversee mandatory data breach notifications. Investigations can be triggered by user complaints, security incidents, NGO actions, media reports, and coordinated enforcement sweeps.
Once opened, investigations can be extensive, requiring detailed documentation, internal policies, data protection impact assessments (DPIAs), and technical explanations.
3. Audit organizations
Authorities conduct audits, particularly in high-risk sectors such as digital advertising, finance, tech, healthcare, large online platforms, and AI-driven services. These audits are more than checking surface-level compliance. Regulators examine governance structures, accountability frameworks, vendor management, and documentation practices.
4. Issue fines and corrective orders
When violations are identified, regulators can issue warnings, corrective orders, processing bans, and fines. Financial penalties are only part of the risk. Public decisions often carry reputational consequences that can outweigh the monetary sanction.
5. Coordinate with other regulators
Privacy regulators often collaborate with competition authorities, consumer protection agencies, cybersecurity regulators, and AI oversight bodies. Data protection enforcement is becoming more interconnected. For example, concerns around dark patterns, targeted advertising, or AI transparency often involve multiple regulators at once.
Why does this matter for businesses?
Regulatory enforcement doesn’t happen in isolation. The positions regulators take through guidance, investigations, and public decisions quickly translate into operational expectations for companies, with a direct impact on several levels:
- Guidance shapes how features are designed. Regulatory interpretations directly influence product decisions, such as how consent banners should be structured, what qualifies as valid consent, how granular user choices need to be, and when legitimate interest is appropriate.
- Enforcement priorities shift year to year. In recent years, the most scrutiny has fallen on cookies and tracking technologies, adtech ecosystems, children's data, cross-border data transfers, and AI and automated decision-making. What wasn't a priority last year can quickly become one this year, and businesses that monitor these shifts can adapt early rather than react under pressure.
- Regulators influence industry norms. Over time, public decisions establish practical standards. One high-profile sanction can redefine expectations across an entire industry, and companies that proactively anticipate regulatory direction instead of waiting for enforcement reduce the risk of costly remediation projects later.
In short, regulators actively shape what good compliance looks like, and treating their output as a signal (not just as a risk) is what separates companies that stay ahead from those that are perpetually catching up.
How regulators affect daily business decisions
Regulatory expectations impact decisions regarding data retention policies, vendor and SaaS due diligence, cross-border data transfer mechanisms, documentation and accountability frameworks, and risk assessments and transparency obligations.
Increasingly, enforcement is focused on governance and demonstrable accountability. Saying you're compliant is no longer enough, a point that was highlighted during our last yearly privacy expert roundtable:
This will be the year that U.S. regulatory enforcement really gets into the weeds. Surface-level compliance isn't going to cut it anymore.
Regulators, especially in California, are stressing the importance of implementing consumer privacy rights correctly and exhaustively on the backend, from a technical perspective. This means ensuring GPC signals are honored and opt outs flow across platforms and consumer touch points, as well as having a full and complete understanding of (and proper contractual relationships and opt-out signaling capabilities with) every third party to whom personal information is sold or shared on an ongoing basis.
Regulators will dig deep to understand how data flows work, and they'll expect organizations to be right there with them. So make sure to get your ducks in a row: the hard questions are coming.
- Julie Rubash, General Counsel and Chief Privacy Officer at Sourcepoint by Didomi
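The roundtable quote above points at one concrete backend check: a Global Privacy Control (GPC) signal must be treated as an opt-out and that opt-out must follow the user to later requests and to every downstream recipient. The following is an added illustration, not code from the article or from Didomi's product. The only standardized element it relies on is the GPC specification's request header `Sec-GPC: 1`; the `Request` class, the `PARTNERS` list, the in-memory registry and the sample requests are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for an incoming HTTP request. user_id is whatever
# identifier links this request to a stored preference (assumption: a
# first-party account or device id).
@dataclass
class Request:
    headers: dict
    user_id: Optional[str] = None

# Constructed list of third parties that receive personal information.
PARTNERS = ("ad-exchange", "analytics-vendor", "data-broker")


def gpc_signal_present(headers: dict) -> bool:
    """True only for a valid GPC signal. The spec defines a single value,
    "1"; header names are matched case-insensitively, any other value is
    treated as no signal."""
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


class OptOutRegistry:
    """In-memory record of opt-outs keyed by user identifier (assumption: a
    persistent store in a real system). Once recorded, an opt-out applies to
    later requests from the same user even when the browser on that touchpoint
    sends no GPC header."""

    def __init__(self) -> None:
        self._opted_out: set = set()

    def process(self, req: Request) -> dict:
        """Return, per partner, whether personal information may be sold or
        shared on this request, plus the reason for an opt-out."""
        reason = None
        if gpc_signal_present(req.headers):
            reason = "gpc-header"
            if req.user_id:
                self._opted_out.add(req.user_id)
        elif req.user_id in self._opted_out:
            reason = "stored-opt-out"
        opted_out = reason is not None
        # Propagate one decision to every downstream recipient.
        return {
            partner: {"share_personal_info": not opted_out, "reason": reason}
            for partner in PARTNERS
        }


def demo() -> list:
    """Walk a constructed sequence of requests through the registry."""
    registry = OptOutRegistry()
    requests = [
        Request({"User-Agent": "x"}, user_id="u1"),          # no signal yet
        Request({"Sec-GPC": "1"}, user_id="u1"),              # browser sends GPC
        Request({"user-agent": "y"}, user_id="u1"),           # other touchpoint
        Request({"SEC-GPC": "0"}, user_id="u2"),              # invalid value
    ]
    return [registry.process(r) for r in requests]


if __name__ == "__main__":
    for step, decision in enumerate(demo(), 1):
        print(step, decision["data-broker"])
```

The second and third requests show the property regulators are probing: the opt-out persists and reaches every partner, rather than being honored only on the page that happened to receive the header. Rejecting `Sec-GPC: 0` matters too, since treating any presence of the header as an opt-out would over-suppress, while treating any value as a no-op would ignore valid signals.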
You need structured processes, internal ownership, and clear documentation. In practice, regulatory expectations are embedded into product development, procurement, marketing operations, and data architecture decisions long before any investigation occurs.
Understanding regulators as a competitive advantage
Privacy regulators do more than enforce the law. They define how it is interpreted, prioritized, and operationalized. Their guidance and decisions establish the practical standards businesses are expected to follow. Companies that actively monitor regulatory trends gain a real advantage: they anticipate enforcement priorities, design products with compliance built in, reduce legal and reputational risk, and move faster when new regulations emerge.
Beyond avoiding fines, knowing and understanding the actors behind the scenes who set and enforce the law allows organizations to build resilient data practices, enable compliant innovation, and reinforce user trust.
Most organizations today don't answer to a single regulator; they operate across jurisdictions, each with its own enforcement priorities, guidance, and expectations. Didomi is built for that reality. Our platform helps you meet consent requirements across multiple regulations, stay ahead of enforcement trends, and build the accountability structures regulators expect.