What the FTC's new health-data rule means for your analytics stack

GDPR · Article 30 · Long Read

Records of Processing Activities Are Not a One-Time Exercise

Most DPOs complete their Article 30 register before a certification audit and never open it again. Here is why that approach now carries material enforcement risk under the EDPB's revised inspection methodology.

Miriam Okonkwo · Former ICO Case Officer
February 24, 2026 · 14 min read

"The Article 30 register is not an administrative artefact. It is the map the supervisory authority will use to trace every data flow you have ever operated."

EDPB Inspection Methodology, January 2026

Three enforcement actions every DPO should have read last quarter

US Federal · FTC · Analysis

The FTC's Health Breach Notification Rule Now Reaches Your Analytics Stack

If your product touches health-adjacent data — fitness metrics, symptom logs, prescription lookups — the amended HBNR applies to you even if you are not a HIPAA covered entity.

Thomas Adeyemi · 11 min read

CCPA · CPRA · Practical Guide

Your First DSAR Arrived. Here Is What Happens in the Next 45 Days.

A step-by-step breakdown for founders and counsel who have never processed a California consumer rights request — covering verification, scope decisions, and the one response error that draws automatic CPPA scrutiny.

Priya Rajan · 9 min read

Practitioner Resources

Your role.
Your compliance path.

Whether you are managing a DSAR for the first time or rebuilding consent flows before a CNIL audit, the right checklist starts here.

In-House Counsel

Consent flows, vendor DPAs, and breach response playbooks for SaaS legal teams.

DPO / Privacy Officer

Article 30 templates, DPIA frameworks, and supervisory authority correspondence guides.

Startup Founder

First DSAR, first audit, first breach — plain-English protocols for each.

SaaS Privacy Compliance Checklist

8 items

  • Maintain an Article 30 record of processing activities (RoPA) (GDPR)
  • Appoint a Data Protection Officer if processing at scale or special categories (GDPR)
  • Publish a CCPA-compliant "Do Not Sell or Share My Personal Information" link (CCPA)
  • Respond to verified DSARs within 45 days (extendable once) (CCPA)
  • Execute a Data Processing Agreement with every sub-processor (GDPR / UK GDPR)
  • Complete a Transfer Impact Assessment for SCCs post-Schrems II (GDPR)
  • Document your lawful basis for each processing purpose in the RoPA (GDPR)
  • Notify the supervisory authority of qualifying breaches within 72 hours (GDPR / UK GDPR)

+ 34 additional items in the full PDF — covering GDPR, CCPA, UK GDPR, and APAC frameworks

Free Download

The Complete SaaS Compliance Checklist

42 items across GDPR, CCPA/CPRA, UK GDPR, and APAC. Formatted for legal review and board reporting.

  • Article 30 RoPA template included
  • DSAR response timeline
  • Breach notification decision tree
  • Sub-processor audit log


About Redact

Written by practitioners.
Read before the deadline.

Redact began as a private reading list — enforcement decisions, supervisory authority opinions, and regulatory guidance that practitioners needed to find, parse, and apply before their counterparts did. The list grew. The annotations grew longer. It became a journal.

Every article is written by someone who has filed the paperwork, argued the interpretation, or sat across the table from a data subject exercising their rights. We do not paraphrase press releases. We read the decisions, trace the reasoning, and tell you what it means for the consent flow you pushed to production last Tuesday.

The editorial standard is simple: if a senior in-house counsel would not cite it in a board memo, it does not appear here.

— The Redact Editorial Board

Contributing Editors
Miriam Okonkwo · Former ICO Case Officer · LLM (Privacy Law, UCL)
GDPR enforcement, supervisory authority procedure

Thomas Adeyemi · Privacy Counsel, SaaS Practice · CIPP/E · CIPP/US
FTC enforcement, US state privacy law, ad-tech compliance

Priya Rajan · In-House Counsel, B2B SaaS · CIPM
CCPA/CPRA, consent management, vendor contracts

Cited in

IAPP Privacy Tracker · OneTrust Resource Hub · DPO Network EU · Lexology