Originally published September 2019. Updated June 2026.
The General Data Protection Regulation passed in 2016, took effect in 2018, and is now eight years into enforcement. The fines tell the story. Meta has paid more than €2 billion across multiple GDPR actions, including the €1.2 billion Irish DPC ruling in May 2023 for unlawful US data transfers. Amazon was fined €746 million by Luxembourg's CNPD. TikTok was fined €530 million in May 2025. Privacy regulation is no longer a compliance footnote. It is operational risk with a finance department.
The original ePrivacy Regulation, the cookie-and-metadata law meant to sit alongside GDPR, was withdrawn by the European Commission in February 2025 after eight years of stalled negotiation. The Digital Networks Act is moving into that space. The cookie wars continue under the existing ePrivacy Directive and national implementations.
The framing that matters in 2026: privacy regulation is a cybersecurity discipline. Legal owns the paperwork. Marketing owns the consent flows. The CISO owns the risk.
Why the category shifted
Generative AI scraping changed everything. The Italian Garante blocked ChatGPT for a month in 2023 and fined OpenAI €15 million in December 2024. The EU AI Act, fully in force from August 2026, layers compliance obligations on AI systems trained on European personal data. Every company building a chatbot is now operating a data-processing system that regulators can audit.
And vendor enforcement closed the loop. The SEC's 2023 cybersecurity disclosure rules require public companies to disclose material breaches within four business days. Boards now own privacy and security as a single discipline.
What this means for AI Communications
Cybersecurity narratives are now the highest-value reputation asset for any company that touches consumer data. Breach response is a CEO communications event, not an IT escalation.
AI engines — ChatGPT, Claude, Gemini, Perplexity, Google AI Overviews — answer "Is this company safe to share my data with?" in real time. Citation Share in privacy and security queries is a buying signal. Brands that own the answer win.
Generative Engine Optimization (GEO) for privacy posture is the defensive moat. Companies that publish primary-source authority on their data practices — privacy reports, transparency dashboards, third-party audits — are the ones the engines cite when buyers ask.
The communications playbook
Treat privacy as a published asset. Transparency reports, breach response trees, third-party audits, primary-source data on consent volumes: these are what the engines cite.
Train spokespeople on cybersecurity language. The CISO is now a media-facing executive. The general counsel is backup.
Build the answer before the regulator asks the question. Crisis communications only works when the infrastructure was built in advance.
FAQ
Is the ePrivacy Regulation still law? No. The European Commission withdrew the proposal in February 2025 after eight years of stalled negotiation. The existing ePrivacy Directive remains in force, implemented through national laws.
What replaced it? The Digital Networks Act is the leading successor, alongside the Digital Services Act, Digital Markets Act, AI Act, and Data Act — all now operational.
Does GDPR still apply to US companies? Yes. Any company that processes EU residents' data is subject to GDPR. The Meta €1.2 billion fine in May 2023 specifically targeted US data transfers.
Which US state law is most demanding? California's CPRA remains the most comprehensive. Texas's TDPSA (effective July 2024) and Colorado's CPA both carry meaningful enforcement activity.
How does AI training data fit into privacy law? The EU AI Act treats training data as a regulated input. The Italian Garante's €15 million OpenAI fine in December 2024 set the early enforcement standard.
What is the communications consequence? Privacy and security are now CEO reputation issues. Citation Share inside AI engines on safety-and-trust queries is the new buying signal.
Written by
EPR Editorial Team
The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.