As we ring in the new year, we want to make you aware of key issues that we expect lawmakers and regulators to focus on this year. Below are the top U.S. data, privacy, and cybersecurity issues to watch out for in 2026:
- The Federal Trade Commission (FTC) will aggressively enforce the Children’s Online Privacy Protection Act (COPPA). FTC Chairman Andrew Ferguson has publicly stated that the FTC will prioritize enforcement of COPPA under his leadership. Last year, the FTC finalized significant changes to the COPPA Rule. Notable changes to the COPPA Rule include revised notice requirements and a new requirement that covered operators obtain separate verifiable parental consent for the disclosure of a child’s personal information to third parties unless that disclosure is integral to the website or online service. The FTC actively enforced COPPA last year, bringing actions against companies including robot toy maker Apitor, Sendit anonymous messaging app, and others. We expect aggressive COPPA enforcement to continue in the new year.
- We will see more legislation and enforcement related to minors’ privacy and online safety. Various state laws governing minors’ privacy and online safety will go into effect in 2026, assuming they are not successfully challenged in court or otherwise preempted. This includes state social media laws, laws concerning minors’ use of AI, and laws governing app stores and app developers that require age assurance and parental consent. Congress will continue to consider the package of minors’ privacy and online safety bills that was advanced by the House Energy and Commerce subcommittee. Absent federal action, we can also expect that other states will consider legislation that mirrors requirements that have survived constitutional challenges. We expect that enforcement related to these issues will continue to increase. As noted above, the FTC will prioritize enforcement of COPPA and will also focus on the privacy and safety of teens more generally. The FTC has shown a strong interest in protecting children online this past year, including, for example, through hearings, studies, and various enforcement actions. At the state level, we also saw various actions involving minors’ privacy this past year. States will continue to bring actions and may coordinate enforcement efforts, both with other states and the federal government, when liability arises in multiple jurisdictions. This trend will not be isolated to the U.S. For a discussion of the trends we expect to see globally, please see our minors’ privacy and online safety predictions alert.
- New comprehensive state privacy laws, amendments to existing laws, and new regulations will go into effect. Comprehensive state privacy laws in Indiana, Kentucky, and Rhode Island went into effect on January 1, 2026, resulting in a total of 20 states with comprehensive consumer privacy laws. Notably, while we saw a decline in the passage of new state privacy laws last year, a number of amendments to existing laws passed and are set to go into effect in 2026. This includes, for example, major changes to the Connecticut Data Privacy Act (e.g., additional requirements regarding data minimization, children’s privacy, automated profiling, and privacy notices) and the Utah Consumer Privacy Act (providing Utah consumers the right to correct inaccuracies in their personal data). The right to cure certain violations of some existing state privacy laws (including Oregon, Minnesota, and New Jersey) will also expire in 2026. California’s updated CCPA regulations went into effect on January 1, 2026, but businesses will have additional time to comply, particularly with the cybersecurity audit and automated decision-making technology requirements. For more information about the updated CCPA regulations and the effective dates for different requirements, see our client alert here.
- States will collaborate on enforcement of common requirements across state privacy laws and continue enforcing opt-out requirements. We expect state regulators to continue to collaborate to enforce existing state privacy laws. In 2025, a number of state regulators formed the Consortium of Privacy Regulators to share expertise and resources and coordinate efforts to investigate potential violations of applicable laws. We predict that states will come together to enforce common requirements across state privacy laws, such as the right to access, delete, and stop the sale of personal information. We also expect state regulators to continue prioritizing enforcement of consumer opt-out rights, with particular focus on compliance with universal opt-out signals, which we previously discussed here.
- The Trump administration’s approach to cybersecurity regulation remains a developing story, but its national cybersecurity strategy is expected in early 2026, and the following months should bring clarity for critical infrastructure providers, federal contractors, and the health industry. Trump administration officials have thematically emphasized the need to reduce unnecessary regulatory burdens through regulatory harmonization, but to date that has not translated into a broad-brush deregulatory approach to cybersecurity. While a few FCC and SEC regulations were withdrawn, the U.S. Department of Justice’s Data Security Program, the U.S. Department of Defense’s Cybersecurity Maturity Model Certification program, and the U.S. Securities and Exchange Commission’s Regulation S-P incident response regulations all became effective in 2025. A long list of proposed cybersecurity regulations awaits action in 2026, including proposed amendments to the HIPAA Security Rule, proposed cyber incident reporting requirements for federal contractors, a proposed rule for identifying, handling, and reporting incidents involving Controlled Unclassified Information, multiple rules relating to software and other supply chain security, and the implementing regulations for critical infrastructure providers under the Cyber Incident Reporting for Critical Infrastructure Act.
- U.S. states will continue to impose more prescriptive cybersecurity regulations and pursue aggressive cybersecurity-related enforcement actions. The trend in 2025 was for states to adopt increasingly rigorous cybersecurity requirements for the financial sector, with North Dakota and Rhode Island enacting laws patterned after the New York Department of Financial Services’ cybersecurity regulation (which became fully effective in 2025), Nevada enacting a law requiring financial services providers to comply with the security standards imposed by the FTC Safeguards Rule, and Missouri adopting its Insurance Data Security Act, which was based on the National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law. We expect other states to follow this trend, especially as cryptocurrency and other fintech businesses become an increasingly important part of the U.S. economy. We expect to see continued tightening of more generally applicable cybersecurity laws and regulations as well, with the cybersecurity audit requirements in California’s CCPA regulations calling for compliance work in 2026 (ahead of certifications which must be filed in 2027), California’s newly tightened data breach reporting deadlines effective on January 1, 2026, and other states likely to follow.
- New state AI laws will go into effect and plaintiffs’ attorneys will continue to go after companies providing AI services. Companies should be prepared to comply with new state AI laws that will come into effect in 2026 and 2027, which we previously covered here and here. We also expect plaintiffs’ attorneys to continue bringing actions against businesses developing or deploying AI-powered customer service agents or other AI services that take part in customer communications under the California Invasion of Privacy Act (an example of which we previously reported on here).
Wilson Sonsini Goodrich & Rosati routinely advises clients on data, privacy, and cybersecurity laws and regulations and counsels companies facing enforcement actions. For more information about the developments mentioned above, or any other advice concerning U.S. privacy and cybersecurity regulations, please contact Maneesha Mithal, Chris Olsen, Demian Ahn, or another member of the firm’s Data, Privacy, and Cybersecurity practice.
Kelly Singleton, Rebecca Garcia, Doo Lee, and Colin Black contributed to the preparation of this Alert.