Webwire Pty Ltd - What Small Businesses Need to Know About Data Privacy & Compliance Trends in February 2026
Discover the latest data privacy and compliance updates affecting SMEs in the US, UK, EU, and California—and what your business can do in February 2026.
Small businesses are now navigating a shifting data privacy and regulatory landscape — and understanding the latest changes can make or break your strategy.
In the past week, updates on US privacy legislation, UK data law developments, and shifts in EU rules have surfaced — each carrying real impact for SMEs. From evolving record‑keeping obligations to relief from reporting burdens, here’s a clear breakdown of what’s changing and how to stay ahead.
US: American Privacy Rights Act Remains Inactive
Although the American Privacy Rights Act was proposed to establish a federal baseline for data privacy — including user data access, deletion rights, and limitations on data collection — it expired in January 2025 and has not been reintroduced since. This means there is currently no comprehensive federal privacy law in the US that supersedes state rules. Businesses must still comply with patchwork state-level regulations and sectoral requirements.
Why it matters for businesses:
- Uncertainty remains high for organisations operating across multiple states.
- SMEs may face uneven obligations depending on where they operate — and must keep pace manually.
Practical recommendations:
- Conduct a state-by‑state audit of privacy obligations, especially if operating in states with strong laws like California or new entrants such as Indiana, Kentucky, or Rhode Island.
- Monitor federal developments — the absence of APRA leaves room for new proposals.
- Invest in modular privacy tools that allow you to adjust policies by jurisdiction.
UK: Data (Use and Access) Act 2025 Takes Effect in Stages
The UK’s Data (Use and Access) Act 2025 — updating elements of UK GDPR and the Data Protection Act — received Royal Assent in June 2025 and began implementation in August. Notably, it criminalises non‑consensual generation of intimate AI‑created images, following the Grok AI incident in early 2026. Businesses are required to follow new ICO guidance as the rollout continues.
Why it matters for businesses:
- Firms using or creating AI-generated content must ensure compliance — especially regarding intimate images.
- Digital businesses should track further rollouts affecting data access, biometrics, and privacy notifications.
Practical recommendations:
- Check your policies on AI-generated content — avoid using or publishing intimate images without consent.
- Stay alert for further ICO guidance on other sections of the Act, especially around data access and electronic communications.
- Train teams on new offences — legal breaches could carry serious consequences.
EU: GDPR Record‑Keeping Relief Proposal Seeks to Ease the Burden on SMEs
A proposal from the European Commission aiming to simplify GDPR compliance would raise the employee threshold for record‑keeping exemptions from 250 to 750, and limit obligations to only high‑risk processing. The EDPB and EDPS support the easing, although they’ve asked for clarity around public sector exclusions and the logic of the threshold. This could benefit thousands more SMEs if adopted — though the proposal is still under review.
Why it matters for businesses:
- If passed, many SMEs could reduce administrative overhead while staying compliant.
- Focus would shift to managing genuinely risky data instead of blanket log‑keeping.
Practical recommendations:
- Keep monitoring EU developments — potential relief may be on the way.
- Continue documenting processing voluntarily — it helps with accountability and risk assessment.
- Prepare for eventual adoption — ensure high‑risk processing is mapped and monitored now.
California: Data Broker “Delete Act” Kicks off in 2026
California’s Delete Act (SB‑362) introduced the DROP platform, enabling consumers to request deletion of their data from registered data brokers. DROP has been active since January 1, 2026; brokers must begin processing requests from August 1 and face audits starting in 2028. Small businesses relying on data brokers for marketing may need to make adjustments soon.
Why it matters for businesses:
- Marketing strategies using third‑party data need review. Requests to delete data may increase.
- Data brokers you rely on must be registered and compliant — or risk audit.
Practical recommendations:
- Audit your dependence on data broker services today.
- Confirm brokers are registered with California authorities and have DROP request processes in place.
- Update marketing workflows — respect consumer deletion requests promptly and verify removal.
What This Means For Your Business
With data privacy laws shifting across regions — from the stalled US federal bill to active UK updates, EU simplification efforts, and new California deletion rules — SMEs operating across most of these regions face fragmentation, not convergence. Yet this complex environment also brings opportunity: simplifying obligations where possible, improving trust through proactive policy, and repositioning compliance as a strategic strength.
Here’s what your team can do:
- Stay informed: Assign someone to regularly track regulatory updates in your key regions.
- Lean on modular systems: Choose privacy tools and policies that adapt by jurisdiction.
- Train employees: Build awareness around AI risks, deletion requests, and changing obligations.
- Document and audit: Even where relief is coming (like in the EU), having evidence of voluntary record‑keeping or risk assessment can support compliance culture and readiness.
In uncertainty, preparation counts. Managing change today means reducing risk tomorrow — all while building customer confidence in your brand.