2026 Privacy Compliance Uplifts and Enforcement Risks

While the pace of new privacy legislation slowed last year, 2025 marked a significant pivot by regulators toward finalizing demanding regulations and starting aggressive enforcement. For 2026, we recommend businesses shift from “wait and see” to active operational updates, particularly regarding opt-out signals, risky processing, and sensitive data processing.

Critical Risk—Executive Liability

California is making executives have skin in the game. The state is requiring a member of a business’s executive management team to attest to the accuracy of the business’s risk assessments for certain processing of personal information (PI). This elevates privacy to a governance mandate with personal legal risks for the executive.

Compliance Roadmap

To assist with long-term planning, we summarize the key action items for businesses:

New Compliance Tasks in 2026

This year brings a variety of new compliance obligations to consider. The big tasks include:

  • Evaluate uplifts for new and old states. We have Virginia-style laws that took effect in Indiana, Kentucky, and Rhode Island on January 1, while Montana and Connecticut expanded their laws to cover more companies with more demanding requirements on notice, consumer rights, data protection assessments, and more.
  • Review HR disclosures. HR data is no longer a “blind spot” for regulators. California announced its first settlement concerning HR data, and Colorado’s BIPA-like obligations regarding biometric data apply to employee data.
  • Start risk assessments in California. Businesses must conduct detailed risk assessments before starting certain processing, such as selling personal information or processing sensitive data. For any activity started before 2026, businesses have until December 2027 to complete any required risk assessment.
  • Map disclosures to vendors. California now requires new policy disclosures, including what personal information the business provided to contractors or service providers (more generally known as “processors” in other states).
  • Update websites for opt-out requests. Businesses must honor opt-out signals in Oregon and Delaware, while California requires a website to display whether it honored that signal and to allow users to verify the status of their opt-out request.
  • Scrutinize precise geolocation data. Colorado updated its definition of sensitive data to cover precise geolocation data, and Oregon made it illegal to sell such data.

Enforcement Risks and Trends for 2026

Last year saw state regulators significantly expand enforcement, including the first settlement based on HR data and the first lawsuit alleging violations of a comprehensive privacy law. Expect more action in 2026 because we have more laws, fewer states with cure periods, greater inter-state collaboration, and rising political pressure to make headlines with splashy privacy actions. 

A few considerations to inform your compliance priorities:

  • The era of “fix it later if we have to” is largely over. A right to cure is only available in Delaware, Indiana, Iowa, Kentucky, Minnesota (until January 31), Nebraska (until July 1), New Jersey (until July 15), Utah, Tennessee, Texas, and Virginia.
  • Publicly viewable issues are prime targets. Regulators frequently have targeted violations that they could spot without a subpoena, such as broken or confusing opt-out processes, noncompliant or inaccurate privacy policies, and excessive data collection from consumers trying to exercise their privacy rights.
  • Children’s privacy is a hot topic. Both state and federal regulators have focused on settlements concerning children’s data, and state laws often impose obligations beyond those in the Children’s Online Privacy Protection Act (COPPA).
  • Precise geolocation data is in the crosshairs. States are cracking down on the processing of precise geolocation data. Texas and California targeted companies’ processing of that data, while the Oregon and Colorado legislatures added restrictions on how companies can use such data.
  • Settlement costs are rising. California reached multiple $1 million+ settlements, which doesn’t even account for the costs associated with the injunctive relief.
  • Contracts are not just technicalities. California has repeatedly dinged businesses for not having the necessary data-protection-addendum language.

Missing from the above: federal risk. The risk of federal action is slim for most businesses. Federal legislation is not realistic any time soon. And the primary privacy regulator at the federal level for most businesses, the Federal Trade Commission, is focused on COPPA violations rather than the mushier unfairness cases that dominated prior years. 

Looking to 2027 and Beyond

While you wouldn’t exactly call this year a light uplift, the next few years really lay it on heavy. We recommend peeking ahead and getting a head start on the obligations we know are coming down the pipeline for businesses subject to the California Consumer Privacy Act (CCPA): 

  • Evaluate automated decisionmaking. Starting in January 2027, businesses making housing, employment, or other significant decisions without meaningful human involvement must provide consumers notice and the opportunity to opt out.
  • Map audit framework against CCPA standards. Starting in April 2028 (or later for smaller businesses), many businesses must complete an annual cybersecurity audit involving granular requirements. We covered the requirements in a prior alert.

Summary

Although we have fewer radical changes than past years, there are a few action items that businesses should keep in mind: 

  • Evaluate Program Scope. Assess changes needed based on (1) updates in Connecticut and Montana and (2) new laws in Indiana, Kentucky, and Rhode Island.
  • Audit Public Features. Ensure the privacy policy is accurate, consumer choices are clear, opt-out tools operate properly, and identity-verification processes are tailored. 
  • Start Risk Assessments. Identify activities triggering a California risk assessment.
  • Brief Executives on Personal Liability. Inform the designated executive of their personal liability for California risk assessments.