Your 2026 Privacy, Security and Artificial Intelligence Checklist

By Michael Young & Beau Braswell on January 12, 2026

Enforcement activity surged in 2025, with landmark judgments and settlements—some reaching eight and nine figures—targeting issues such as ad tracking, analytics, wiretapping, text messaging, data subject rights, and sensitive data collection. This aggressive trend shows no signs of slowing as we move into 2026.

Taft continues to help its clients find the correct answers in their context for addressing these risks. Building on our year-end post, here are some issues you may want to consider as you take on the new year.

Litigation / Enforcement.  Your company may be surprised to learn that privacy litigation and enforcement discussed above can be triggered by common activity, such as the use of online analytics, targeted advertising, text messaging, real-time chat or chatbots, sharing personal data with service providers, and embedded video, among others. What defensive strategies has your company implemented?

Opt-Outs.  Multiple state privacy regulators are highly focused on opt-out rights. Does your website honor the Global Privacy Control? Have you audited your cookie manager technology to ensure that it is operational? Have you assessed specific opt-outs required under more than 20 state comprehensive privacy laws now in effect?

AI Tech.  Do you use AI technology in your company? Perhaps to screen potential new hires? You may be subject to numerous laws requiring multiple notices, anti-bias assessments, internal policies and change-management measures, and other requirements. Obligations may increase in the context of decision-making technology and/or technology used around financial or lending services, education, employment or independent contracting, healthcare, housing, insurance, legal services, or essential government services.

Contracting.  Do your vendor contracts include an up-to-date personal data privacy addendum reflecting specific legal requirements? Do your customer contracts allocate compliance risks in a rational manner? Do you have a consistent strategy for addressing customer concerns about privacy?

Privacy Notices.  Have you assessed whether you are in scope of the numerous new comprehensive state privacy laws? In any case, website privacy notices should also be updated annually – indeed, under some state rules, must be updated once every 12 months.

Data Protection Impact Assessments, Risk Assessments, and Cyber Audits.  Numerous laws now require the production of specific assessments and audits. Triggering activity can include collection of sensitive information, targeted advertising, profiling activities, engagement in data sales, uses of automated processing or automated decision-making technology, and/or simply processing a sufficiently large amount of consumer data if your company is a “business” under California law.

Children’s Privacy.  Children’s privacy does not just mean COPPA (the federal Children’s Online Privacy Protection Act) anymore. Over a dozen states have passed laws targeting the privacy of minors, with a particular focus on online/digital and/or social media activity. Have you assessed your collection and use of children’s data under these new laws?

International Data Transfers.  If your company has international locations, affiliates, and/or subsidiaries, do you have a data transfer mechanism for the company group? Potential solutions include intra-company agreements and/or other measures, but growing global companies must assess these options.

Governance.  The list of issues provided here is partial and not intended to be exhaustive. Your business may face other challenges in context. That is why it is important to view privacy, security and AI compliance as a process to be managed over time. Good governance processes will include review and accountability, with assigned roles and responsibilities. Renew your company’s commitment to governance in the new year.  

To keep up with the latest in this area, please sign up to receive these posts via email and you can follow Taft Privacy, Security and Artificial Intelligence on LinkedIn for even more. Should you need counsel in any of these areas, Taft’s attorneys are ready to assist. 

Michael Young

Michael advises and represents clients on complex privacy, AI and data protection issues. From pre-venture startups to some of the most recognizable brands in the world, whether strategic or transactional, Michael specializes in helping companies find answers that are right for them given their unique challenges.

Beau Braswell

Beau has advised clients on data privacy and cybersecurity matters for more than eight years. He began his legal career in the U.S. Department of Justice, where he obtained a TS/SCI clearance and advised on data protection in the law enforcement and intelligence contexts.

  • Posted in:
    Privacy & Data Security
  • Blog:
    Taft Privacy & Data Security Insights
  • Organization:
    Taft Stettinius & Hollister LLP
