Enforcement activity saw a significant surge throughout 2025, marked by landmark judgments and multi-million dollar settlements. These actions primarily targeted issues such as analytics, ad tracking, wiretapping, data subject rights, and the collection of sensitive data. As we move into 2026, this aggressive trend shows no signs of slowing. To help your organization navigate these risks, here is a checklist of key issues to consider as you take on the new year.
Litigation / Enforcement
Many companies are surprised to find that the privacy litigation and enforcement trends mentioned above are often triggered by standard activities. This includes the use of online analytics, targeted advertising, real-time chatbots, text messaging, sharing data with service providers, and embedded video content. It is essential to review what defensive strategies your company has implemented to mitigate these common risks.
Opt-Outs
Regulators across multiple states are placing a high priority on opt-out rights. Does your current website architecture honor the Global Privacy Control (GPC)? Have you recently audited your cookie management technology to ensure it is fully operational? Furthermore, you should assess whether you are meeting the specific opt-out requirements mandated by the more than twenty state comprehensive privacy laws now in effect.
AI Tech
If your company utilizes AI technology—for example, to screen potential new hires—you may be subject to a growing web of laws. These often require specific notices, anti-bias assessments, internal governance policies, and change-management measures. Requirements are even more stringent for technology used in “high-stakes” contexts such as financial services, healthcare, education, housing, and insurance.
Contracting
Vendor management remains a critical compliance pillar. Ensure your vendor contracts include up-to-date personal data privacy addenda that reflect current legal requirements. Additionally, review your customer contracts to ensure they allocate compliance risks rationally and that you have a consistent strategy for addressing privacy-related inquiries from clients.
Privacy Notices
With the influx of new state privacy legislation, it is vital to reassess whether your business now falls within the scope of additional comprehensive laws. Regardless of scope changes, website privacy notices should be reviewed and updated annually. In fact, under certain state rules, these notices must be updated at least once every twelve months.
Data Protection Impact Assessments, Risk Assessments, and Cyber Audits
A wide range of laws now mandate the production of specific assessments and audits. Common “triggering” activities include the collection of sensitive information, engagement in data sales, targeted advertising, profiling, and the use of automated decision-making technology. Simply processing a large volume of consumer data can also trigger these requirements. California law is a particular concern.
Children’s Privacy
Compliance in this area has expanded far beyond the federal Children’s Online Privacy Protection Act (COPPA). More than a dozen states have now passed laws targeting the privacy of minors, with a specific emphasis on social media and digital activity. Have you recently assessed how your organization collects and utilizes children’s data under these evolving frameworks?
International Data Transfers
For companies with international affiliates, locations, or subsidiaries, maintaining a valid data transfer mechanism is essential. Whether through intra-company agreements or other legal measures, growing global businesses must continuously evaluate their options to ensure data flows remain compliant with international standards.
Conclusion
This list is intended to be a starting point and is not exhaustive; every business faces unique challenges. It is important to view privacy, security, and AI compliance not as a one-time task, but as a process to be managed over time. Strong governance includes clear accountability, assigned roles, and regular review. Make 2026 the year your company renews its commitment to a robust governance framework.
