Welcome to August's GrailMail! We're back with essential updates, in-depth analysis, and actionable insights to help you stay ahead of the curve in the data privacy landscape.
TLDR: This month's newsletter focuses on modern privacy management, particularly data mapping, and highlights the latest in data privacy news including settlements in healthcare website tracking lawsuits, a data breach at Workday, and a class action lawsuit against Whoop. It also covers recent enforcement actions by the CPPA, upcoming regulation changes, new DataGrail platform updates for AI-powered RoPA, consent banner analytics, and conditional workflows, and features monthly reads on privacy enforcement.
Let's dive in.
Data Mapping is the foundation of privacy compliance, but for many teams, it's still fragmented, manual and hard to maintain. Relying on siloed exports and periodic scans leaves gaps in visibility, making it nearly impossible to keep pace with today's evolving data environment.
As privacy becomes more decentralized and deeply embedded across legal, IT, and security teams, maintaining an accurate data map isn't just best practice, it's business critical. With the average cost of GDPR compliance hitting $1.3 million, incomplete data maps aren't just inefficient, they're a liability.
This week we sat down with Lisa Wang, DataGrail Product Manager, and Elle Bond, DataGrail Product Marketing Manager, as they discussed how to build and maintain an audit-ready RoPA that serves as a rich foundation of information for identifying AI risk across your organization.
Healthcare Organizations Settle Website Tracking Class Action Lawsuits
Settlements have been reached with two healthcare entities to resolve allegations that they used pixels and other tracking tools on their websites, which disclosed sensitive data to third parties without the knowledge or consent of website users. Read more here.
Workday, one of the largest providers of human resources technology, has confirmed a data breach that allowed hackers to steal personal information from one of its third-party customer relationship databases. Read more here.
Whoop Facing Class Action Lawsuit for Allegedly Sharing Users' Fitness Tracker Data Without Permission
A proposed class action lawsuit accuses health and wellness company Whoop, Inc. of unlawfully disclosing to a third party the sensitive personal data of its fitness tracker and app users. Read more here.
Enforcement News
CPPA Fines Data Broker for Failing to Register
The CPPA (California Privacy Protection Agency) has fined Washington-based data broker Accurate Append, Inc. $55,400 for failing to register under California's Delete Act. The company missed the January 31, 2024 deadline to register for its 2023 activities and only did so after the CPPA contacted them during its investigation. This action is part of the CPPA's ongoing sweep to ensure data brokers are meeting registration requirements, first announced back in October 2024. Read more here.
CPPA Seeks to Enforce an Investigative Subpoena
The CPPA filed a court action against Tractor Supply Co. to enforce a subpoena issued in January 2025. The subpoena requests records back to January 1, 2020. Tractor Supply had refused to comply with records predating 2023, but CPPA maintains its authority extends to that earlier timeframe. Read more here.
Watch our recent webinar for a breakdown of upcoming U.S. privacy regulations that took effect this summer in Minnesota and Tennessee.
DataGrail Data Privacy Platform Updates
Create an AI-powered Record of Processing Activities In Record Time - Our AI-driven RoPA approach simplifies the process with a more intuitive, automated experience, designed to help privacy teams work faster and stay audit-ready.
Optimize Your Consent Strategy with Improved Consent Banner Analytics - With our latest update, privacy teams gain actionable visibility into how users interact with consent banners across regions and regulatory frameworks.
Smarter Privacy Request Automation with Conditional Workflows - With Request Manager Automations, you can automatically route requests based on user input, ensuring the right systems and stakeholders are engaged from the start.
In part one of this series, this blog breaks down key 2025 privacy settlements and enforcement actions, what they reveal about regulators' priorities, and what lessons privacy teams can take away to stay compliant because in 2025, no organization is too small, too new, or too niche to escape enforcement.
As we move deeper into 2025, the conversation around privacy has fundamentally changed. No longer confined to legal checklists or reactive policies, privacy is now a core business priority, driven by the twin engines of rapid AI adoption and evolving global data regulations.
This latest Gartner Hype Cycle for Privacy reinforces this shift: privacy is not just about compliance, it's a strategic asset. And organizations that invest in operationalizing privacy in scalable, user-centric ways are positioning themselves for long-term success.
Businesses of virtually every size and industry are feeling the pressure to quickly adopt AI capabilities in hopes of unlocking organizational efficiencies and competitive advantages. After a number of high-profile privacy lawsuits on the topic of AI, it's understandable that many privacy managers are alarmed about AI risk.
The simplest place to start is in procurement. AI adoption is widespread, and if your company doesn't provision AI tools, employees are likely to deploy their own, leading to risk that is much more difficult to track, measure, and reduce.
AI is accelerating, without a clear owner for governance. As artificial intelligence becomes increasingly central to business operations, so does the urgency of managing its risks, ethics, and oversight. But here's the problem: there's no clear owner of AI governance. While privacy, legal, security, and other teams all touch it, none are explicitly accountable for it. And that's a problem.
Are you passionate about privacy, legal, or security issues? Want to connect with like-minded professionals and stay ahead in a rapidly evolving landscape?
We've got everything from privacy law updates to career tips, monthly privacy huddles, and exclusive resources tailored for the privacy community. Don't miss out on the chance to be part of a vibrant network committed to advancing data privacy.
See you next time!
Colleen