CEF 2026: EDPB launches coordinated enforcement action on transparency and information obligations under the GDPR

The European Data Protection Board (EDPB) has launched its 2026 Coordinated Enforcement Framework (CEF) action, focusing on the practical application of GDPR transparency and information obligations. This is not a new law, but a coordinated year-long initiative by multiple national supervisory authorities to investigate and enforce existing rules. The action will examine how organizations provide privacy information to data subjects, particularly regarding the clarity, accessibility, and comprehensiveness of such disclosures.

The initiative is broad and will affect data controllers across all sectors. National authorities will select a range of organizations for scrutiny, meaning both public and private entities of various sizes could be subject to inquiries. The focus is on fundamental compliance with Articles 12, 13, and 14 of the GDPR.

Compliance teams should immediately conduct a thorough review of all external-facing privacy information, including privacy policies, layered notices, and real-time consent mechanisms. The priority is to ensure information is concise, transparent, intelligible, easily accessible, and uses clear language. Proactively auditing these materials against GDPR requirements now is essential to prepare for potential regulatory scrutiny.