60 Data Privacy Statistics and What They Mean for Your Business in 2026

Data privacy is no longer a niche topic. It’s an everyday concern for businesses, regulators and consumers. For those running businesses, staying on top of the latest data privacy statistics is essential. Understanding the trends helps you make informed decisions about security, consent and compliance.

Below is a deep dive into the most compelling and latest data privacy statistics and what they mean for website owners. We’ve broken the article into digestible sections, each highlighting a different angle of the privacy landscape, so you can jump to what matters most. 

• The average number of GDPR breach notifications per day increased from 335 on 28 January 2024 to 363 on 27 January 2025.  
• From January 28, 2024, to January 27, 2025, the Netherlands (33,471), Germany (27,829), and Poland (14,286) reported the most data breaches.

• The global average breach cost in 2025 is USD 4.44 million.
• 20% of organisations suffer data breaches due to security incidents involving shadow AI.
• The number of organisations planning to invest in security following a breach reduced to 49% in 2025 compared to 63% last year.
• 13% of organisations reported breaches involving AI models or applications.  
• The healthcare industry has the highest average breach cost.
• The average time organisations needed to detect and contain a breach dropped from 287 days in 2021 to 241 days in 2025.
• The average U.S. breach costs surged 9 % to a record USD 10.22 million, while most other regions saw declines.
• Attackers mainly targeted customer PII, making it the most compromised data type in 53 % of incidents.
• 63% of organisations refused to pay ransomware attackers in 2025.

• About 60% of data breaches involve human factors, and 30% involve third parties.
• External actors contribute 81% to data breaches, and only 18% is due to internal factors.

In the UK, 43% of businesses and 30% of charities reported cybersecurity breaches or attacks in the past year.

The average annual number of large healthcare breaches between 2021 and 2024 was 727.

• The health care sector reported the highest number of breaches in Australia in 2024.
• Contact, identity, and financial information were the most compromised personal information in Australia.

• 53 per cent of consumers worldwide are aware of their local privacy laws.
• Among those aware of the country’s privacy law 81% were able to protect their data.

• 73% of Americans are comfortable with a trusted website or app using their personal data to provide relevant advertisements.
• Around 14% of Americans agree to the use of personal data for advertising (2024).
• 73% percent of Americans believe they lack sufficient control over the ways companies utilise their data.

• Seven in one Americans are somewhat concerned about data privacy.
• 78% of Americans trust themselves to make the right decisions to protect their personal information.
• More than half of Americans agree to privacy policies without reading them.

• Over the past five years, the Internet Crime Complaint Center (IC3), operated by the FBI, received 4.2 million complaints.
• A total of 147,127 complaints were reported by consumers aged 60 and over, with losses amounting to nearly $5 billion.

• Around 40% of UK citizens were worried about how organisations use their data.
• 27% of UK citizens use some kind of blockers for online advertisements.

• 65% of Americans see data privacy as the top threat to society.
• 32% US companies have a Data Protection Officer.

56% of American voters favour a federal privacy law.

• 79% of the countries in the world have data privacy legislation in place.
• 98 per cent of countries in Europe have data privacy laws in place.

• As of September 2025, the total sum of GDPR fines stands at €6,714,202,518.
• Ireland’s DPA issued the largest GDPR fine to date, EUR 1.2 billion, in May 2023 for violations related to international data transfers.
• The Spanish Data Protection Authority is the most active in issuing fines.
• The highest number of fines was issued for processing activities that lacked a sufficient legal basis.

In 2024, 2529 data privacy lawsuits were filed in the US.

20 states in the US have data privacy laws in place.

Around 79,010 businesses are covered by the CPRA regulations.

The CCPA is estimated to protect over $12 billion worth of personal information used for advertising in California annually.

• 95% of organisations believe customers won’t purchase from them if they lack data protection.
• When choosing a vendor, external privacy certifications are important for 99% of organisations.
• 91% of professionals believe global providers are better at protecting data compared to local providers.
• 86% of professionals see a positive impact from privacy laws on their organisation.
• Most organisations (53%) saw a 1x to 2x return on investment (ROI) on privacy spending.

• 81% of internet users want to know more about their data being used.
• 70% of internet users worry about online safety.
• 59% of users are concerned about cookie usage, carefully choosing which cookies to accept on their devices.

• 36% of global consumers were reported to have exercised their data subject access rights in 2024.
• 61% of consumers reviewed or updated their privacy settings in 12 months.
• 69% of consumers do not automatically accept all cookies.

• In France, 28% of people always accept cookies, and only 5% never accept cookies.
• 53% of Brazilian adults said ease of using a website or app was a key factor in whether they enable cookies and privacy settings.
  

Most people (57%) see AI as a privacy threat, while only 12% disagree, and 32% are neutral or unaware.

70% of Americans have little to no trust in companies to make responsible decisions about how they use AI in their products.

People in general are more willing to rely on, rather than share information with AI systems.

• 42% of consumers believe GenAI has a significant impact on their personal lives now.
• 63% of consumers have privacy concerns regarding the use of AI

Data‑privacy statistics aren’t just numbers; they’re signposts for what your site should prioritise. Here are actionable insights drawn from the data:

Don’t ignore phishing and social engineering

With phishing accounting for 85 % of UK‑reported incidents, regular staff training and simulated phishing campaigns can drastically reduce your risk. For small websites, investing in automated email filters and employee education is crucial.

Tighten access controls

Human errors are behind 26% of data breaches, and compromised credentials took 186 days to be identified (IBM 2025). 

Enforce strong passwords, enable multi‑factor authentication and review who can access sensitive data.

Invest in cloud governance

Use encryption, logging and proactive monitoring to protect data stored in SaaS or IaaS platforms.

Plan for incident response and recovery

According to the IBM 2025 breach report, only 35 % of organisations fully recovered from breaches by the time. This is triple the 12% last year.

To take precautions, develop and test an incident‑response plan, assign roles and communicate with regulators and customers promptly to minimise damage.

Ensure transparency and consent

Consumers are both privacy‑conscious and cynical; 56 % skip reading privacy policies, yet a lot favour data protection and expect it. 

Clear, concise cookie banners and privacy notices build trust and meet legal requirements. CookieYes’s consent management platform, for example, can help automate this process.