
The DPA Problem: Can You Trust Your Vendors?
Have you ever considered the reliability of a data processing agreement (DPA) when evaluating how vendors handle personal data? According to DataGrail’s Privacy and AI Trends Report 2026, released today, you might want to think twice.
DataGrail, a San Francisco-based privacy platform, analyzed 2,400 popular business software providers and made a startling discovery. They found that 63.6% of vendors advertising AI capabilities do not disclose a third-party AI subprocessor in their legal documentation. This means that many companies purchasing AI-enabled software could unknowingly be exposing their customers’ data to AI models and pipelines that were never reviewed or approved.
CEO Daniel Barber explained, “The DPA should be the reliable document that teams use to evaluate AI risk, but based on that number, that’s not enough in 2026.”
The Growing Gap Between AI Vendor Contracts and Reality
DataGrail’s research methodology went beyond reading contracts. They cross-referenced DPA disclosures against various sources, including product documentation, GitHub environments, API connections, and marketing materials. This thorough analysis revealed discrepancies between what vendors disclose in their DPAs and what actually happens in practice.
Barber highlighted the risk of undisclosed AI models processing sensitive data without oversight, potentially violating regulations on automated decision-making in employment.
Regulatory Implications and Privacy Concerns
The report also found that a significant number of AI systems process sensitive data or enable automated decision-making. Both activities trigger mandatory privacy risk assessments under regulations such as the CCPA's new risk assessment requirement, which takes effect in 2026.
Privacy teams are urged to engage early with AI projects to prevent compliance issues and ensure safeguards are in place before launch.
Consent Management Challenges and Enforcement Trends
Consent management remains a top privacy challenge, with enforcement actions increasing. The report highlighted the importance of compliance with universal opt-out mechanisms like the Global Privacy Control signal.
Enforcement actions have targeted companies of all sizes, indicating that regulatory scrutiny is not limited to big tech firms.
Data Deletion Requests Surge and Manual Processing Costs Soar
Data subject deletion requests have skyrocketed, leading to significant manual processing costs for organizations. With the average cost of manually handling data subject requests (DSRs) reaching $1.5 million per year, businesses are urged to adopt automated solutions to handle the increasing volume of requests.
State Regulators Increase Privacy Fines and Expand Oversight
State regulators issued $3.4 billion in privacy fines last year, reflecting a trend towards stricter enforcement. Privacy laws are expanding, covering over half of the U.S. population, with more states expected to pass legislation in the coming years.
Privacy Teams Face Challenges as AI Governance Demands Grow
Despite expanding workloads, privacy teams have experienced a 33% reduction in headcount. The adoption of AI in privacy-related tasks is increasing, highlighting the need for automated solutions like DataGrail’s AI agent, Vera.
As organizations navigate the evolving privacy landscape, the report underscores the importance of staying ahead of regulatory changes and implementing robust privacy practices to protect customer data.
