Unapproved Data Sharing: Is Your Vendor Sending Your Data to AI Models Without Your Consent?

DataGrail report finds your vendor may be sending data to AI models you never approved

The fundamental contract that companies rely on to assess how vendors handle personal data, known as the data processing agreement (DPA), is no longer trustworthy at face value. This is the central conclusion of DataGrail’s Privacy and AI Trends Report 2026, which was released recently.

According to the report, 63.6% of popular business software providers that advertise AI capabilities do not disclose a third-party AI subprocessor in their legal documents. This implies that companies purchasing AI-enabled software may unknowingly expose their customers’ data to AI models and pipelines that have not been reviewed, approved, or even acknowledged.

DataGrail’s co-founder and CEO, Daniel Barber, explained that as software vendors become AI vendors, the pace of technological change is outpacing AI governance. The findings indicate that the DPA, which is supposed to be the reliable document for evaluating a vendor’s AI risk, is no longer sufficient on its own in 2026.

The report reveals that organizations with high levels of shadow AI face average breach costs of $4.63 million, significantly higher than those with low or no shadow AI. Additionally, U.S. states issued $3.425 billion in privacy-related fines in 2025, more than the total fines from the past five years combined, a trend that is expected to continue until 2028.

DataGrail’s methodology for arriving at the 63.6% figure involved cross-referencing DPA disclosures with product documentation, GitHub environments, API connections, and marketing materials of 2,400 vendors. The research team found discrepancies between the disclosed AI subprocessors and the actual AI models used by the vendors.

The report also highlights that, of the vendors that disclose AI capabilities, 32.8% also engage in high-risk activities such as processing sensitive personal information or automated decision-making. These figures likely underestimate the actual exposure, given that vendors may underreport the data their AI features access.


The enforcement of privacy laws has intensified, with consent management being a key focus in 2025. Despite this, many websites still fail to comply with universal opt-out mechanisms. California alone reported $4.3 million in CCPA consent settlements, emphasizing the importance of proper consent management.

Data deletion requests have surged by 567% since 2021, representing 87% of all data subject requests. The manual management of deletion requests is estimated to cost organizations around $1.5 million per year, highlighting the need for automated solutions.

State regulators issued $3.4 billion in privacy fines in the previous year, with over 50% of the U.S. population covered by comprehensive state privacy laws. The bipartisan nature of privacy enforcement indicates a shift towards stricter regulatory oversight.

Privacy teams have experienced a 33% reduction in headcount, despite increasing workloads related to AI governance. AI solutions like DataGrail’s Vera aim to automate privacy workflows and address the challenges posed by evolving privacy regulations.

Looking ahead, the report warns about the risks associated with agentic AI workflows, which could spread unvetted data across organizations autonomously. As enterprises navigate these complex privacy challenges, it is crucial to adapt to the evolving regulatory landscape and implement robust privacy measures to protect customer data effectively.
